Risk, Threat Modeling, and Attack Graphs
Can any organization be hacked?
Are there any that CANNOT?
Why think about security?
• Equifax breach – 2017
• 22 mill. government employees lost sensitive info in the OPM hack, 2015
• Apple iCloud, celebrity data leaked, brute force attack, 2014
• U.S. Postal Service, employee data stolen, 2014
• Snapchat, Target, European Central Bank, eBay, Home Depot, Spotify, Goodwill, etc., 2014
• Wikileaks and HBGary from Anonymous hackers, 2011
• Wireshark antivirus scam, 2010
• 11 hackers stole 40 million credit/debit card numbers from TJX and other retailers by "wardriving" and hacking into the wireless networks in 2007
• phpBB.com was hacked via a vulnerability in an outdated PHPList installation, Feb. 2009
• Notice of Security Breach
• http://doj.nh.gov/consumer/breaches.html
Four years of data…
• https://www.identityforce.com/blog/2017-data-breaches
• https://www.identityforce.com/blog/2018-data-breaches
• https://www.identityforce.com/blog/2019-data-breaches
• https://www.identityforce.com/blog/2020-data-breaches
Threat Actors
• There are different sorts of attackers
• In the industry we attempt to classify these by using the broad term TTP
• They can be further broken down by the following
Threat Taxonomy
[Figure: threat taxonomy with the dimensions access, intent, resources, motivation, limits, objectives, impact, visibility, skills]
What drives threat actors
• Motivations …
• Financial gain
• Political/ideological
• Social/organizational gain
• Personal satisfaction
• Intent
• Malicious
• Non-Malicious
What drives threat actors – Lessons from Intelligence & Counter Intelligence
• Motivations …
• MICE
• Money, Ideology, Coercion, Ego
• RASCLS
• Reciprocity, Authority, Scarcity, Commitment/Consistency, Liking, Social Proof
External Threat Actors
• Organized crime
• Sensitive data for identity theft or other fraud
• Terrorists
• Shut down critical systems, destroy systems or cause potentially life-threatening problems
• Governments
• Have active interest in the activities of organizations
• The competition
• Hacktivists
• If your organization does something politically sensitive
• Hired guns
• Hired by other clients to steal information or gain access
Internal Threat Actors
• Disgruntled employees
• Clueless employees
• Customers
• Attacking suppliers in an attempt to gain sensitive information about other customers or alter prices
• Suppliers
• Attack customers
• Vendors
• Business partners
• Contractors and consultants
How sophisticated is an attacker?
• Attacker sophistication is best thought of relative to the sophistication of defenders
• There are multiple tiers of defenders
• Basic
• Intermediate
• Advanced
• Most defensive products out in the market are geared towards more basic defenders
• What is the risk versus the reward of attacking my company
• Does this change how I attack
• Most threat actors spend a lot of time thinking about RoI
Attack Vectors
• When opportunity meets the motivation, attack happens
• Vector of attack
• Social Engineering
• Denial of service
• Injection attacks
• Session Theft
• Phreaking
• Misconfiguration
• Physical
• Abuse of functionality
STRIDE Threat Model
• Probably the most commonly used “threat model” model
• Established by Microsoft in the early 2000s
• Focuses on identifying malicious actions, called “threats”, for each threat actor so that defenders can plan
• Threats do not necessarily represent goals in and of themselves
• Manager's opinion: a little outdated, because some more common threats aren’t clearly described
• Ransomware, for example, would best be described as a denial of service
• Focus on largely technical threats
STRIDE Threat Model
• Includes six categories of threats
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
• Obviously, these often need to be sequenced
How are attacks detected?
• Check controls
• Log file
• Tripwire
• Patch level
• Check log files
• Patch level to find out what may have happened?
• Tripwire for critical files (e.g., FIM)?
• Unsecured modems / Access Point?
• Sniff?
• buffer overflow?
• How about kernel-level rootkits?
Categorization of Security Controls (Old)
Control Type Administrative Technical Physical
Directive No BYOD
Deterrent Penalty statement
Preventive Antivirus / Firewall Door locks
Compensating Load balancer
Detective Antivirus / IPS / IDS
Corrective Antivirus
Recovery Regular DR tabletop exercises Off-site backups
Note: This chart is only partially filled in with examples
Categorization of Security Controls (New)
Security Controls and Risk
• The point of a security control is to reduce or eliminate risk
• Risk is the language of executives
• Risk: The potential damage a negative event on an asset could have.
R(E, A) = P(E) * Cost(A)
E = Negative event
A = Asset
Unit of measurement: $
• Risk Management Team:
Goal – Develop policies that will reduce risk, eliminate risk, transfer risk, or accept risk
Calculating Risk: An Example
• Server S is six years old. Replacing S would cost $15,000. The risk management team has evaluated the lifetime of the hardware components in S and estimates there is a 40% chance S will fail. There is a control that costs $7,000 which eliminates the risk. Should we use it?
Cost(S) = $15,000
E = Hardware failure
P(E) = 40%
Risk(E, S) = P(E) * Cost(S) = .4 * $15,000 = $6,000
Conclusion: No. The control is too
Risk Matrix
Risk Management Strategies
• Mitigation: Use some control to reduce the probability of the negative event happening. (ex: Install antivirus on computers)
• The risk amount specifies the limit of spending to mitigate risk to the asset.
• Avoidance: Discontinue use of the risky asset. (ex: Stop using a vulnerable server that cannot be updated).
• Transference: Use a less risky asset instead of the current asset. (ex: “Cyber”-insurance)
• Acceptance: Continue on as is, knowing that use of an asset is risky.
• It’s important to make sure this is a formal, documented process.
• CYA
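The Server S calculation and the mitigation spending limit above, worked as an added example (not part of the original slides). It goes beyond the slide's single case by also scoring controls that only reduce P(E); the two extra controls and every residual probability are constructed assumptions.

```python
# Constructed candidate controls for Server S: (name, control cost in $,
# residual P(E) in percent once the control is in place). The first entry is
# the slide's own control; the other two and all residual values are assumed.
SERVER_S_CONTROLS = [
    ("slide control", 7000, 0),
    ("hot standby server", 5500, 0),
    ("spare-parts contract", 2500, 10),
]

def risk(p_pct, asset_cost):
    """R(E, A) = P(E) * Cost(A), with P(E) given in whole percent."""
    return p_pct * asset_cost / 100

def choose_control(asset_cost, p_pct, controls):
    """Return (decision, control name, net benefit in $).

    A control is rejected outright if it costs more than the current risk
    (the slide's spending limit); otherwise it is scored by the risk it
    removes minus its price. 'accept' means no control pays for itself."""
    baseline = risk(p_pct, asset_cost)
    best = ("accept", None, 0.0)
    for name, cost, residual_pct in controls:
        if cost > baseline:
            continue
        net = baseline - risk(residual_pct, asset_cost) - cost
        if net > best[2]:
            best = ("mitigate", name, net)
    return best

if __name__ == "__main__":
    print(risk(40, 15000))
    print(choose_control(15000, 40, SERVER_S_CONTROLS[:1]))
    print(choose_control(15000, 40, SERVER_S_CONTROLS))
```

With these assumed numbers the cheaper partial control wins over the one that eliminates the risk, because it removes $4,500 of risk for $2,500.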
Important Concepts in Evaluating Risk
• Security perimeter
• Refers to the “imaginary” boundary around a system, usually the point in an interaction at which users must authenticate
• Attack surface
• Refers to all the potential points of attack against an information system
• Think about the attack surface as holes in the security perimeter
• Comprehensive
• Not limited to application-level of OSI
• Includes parts of the OS that are exposed
• Includes network stacks
• Includes physical attacks
• Includes anything on which the system relies to securely operate
• Remember that security includes:
• Confidentiality
• Integrity
• AVAILABILITY
Security Perimeter of an FTP Server
[Figure: FTP server with access paths labeled Phys. Access, SSH, FTP]
• What are all the points of attack against this FTP server? (not comprehensive list)
• Physical attack on the server
• Physical attack on the building
• Attacks on the network equipment
• App level attacks on services
• Attacks on TCP/IP stack
• Attacks on cloud resources
• How would this change if FTP supported anonymous login?
• File system is now beyond the perimeter
Attack Graphs
• A model showing the sequence of attacks/steps needed to be performed against multiple attack surfaces for an adversary to be successful
• Attackers try to pick shortest path
• Images taken from Network Security Assessment text mentioned in week 1
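An added example (not from the original slides) that models the FTP server slide as an attack graph, finds the attacker's shortest path, replays the anonymous-login what-if, and then asks which single blocked step raises the attacker's cost the most. Node names, the "reach FTP via compromised network gear" edge and all effort scores are constructed assumptions.

```python
import heapq

# Constructed attack graph for the FTP server slide. Nodes are attacker
# positions; each edge is (next_node, effort, step). Effort scores are assumed.
GRAPH = {
    "attacker": [
        ("building", 8, "physical attack on the building"),
        ("network_gear", 4, "attack on the network equipment"),
        ("ftp_session", 5, "app-level attack on the FTP service"),
        ("ssh_session", 9, "app-level attack on the SSH service"),
    ],
    "building": [("file_system", 3, "physical attack on the server")],
    "network_gear": [("ftp_session", 2, "reach FTP via compromised network gear")],
    "ftp_session": [("file_system", 2, "file access over FTP")],
    "ssh_session": [("file_system", 1, "file access over SSH")],
}

def cheapest_path(graph, start, goal):
    """Dijkstra: (total effort, step labels) of the attacker's shortest path."""
    queue, seen = [(0, start, [])], set()
    while queue:
        cost, node, steps = heapq.heappop(queue)
        if node == goal:
            return cost, steps
        if node in seen:
            continue
        seen.add(node)
        for nxt, effort, label in graph.get(node, []):
            heapq.heappush(queue, (cost + effort, nxt, steps + [label]))
    return float("inf"), []  # goal unreachable

def with_anonymous_ftp(graph):
    """The slide's what-if: anonymous login makes an FTP session free to obtain."""
    g = dict(graph)
    g["attacker"] = [(n, 0 if n == "ftp_session" else e, s) for n, e, s in graph["attacker"]]
    return g

def best_single_control(graph, start, goal):
    """Block each step in turn; return (node, step, new_cost) for the costliest result."""
    best = None
    for src, edges in graph.items():
        for edge in edges:
            trimmed = {**graph, src: [e for e in edges if e is not edge]}
            cost, _ = cheapest_path(trimmed, start, goal)
            if best is None or cost > best[2]:
                best = (src, edge[2], cost)
    return best
```

Under these assumed scores, controlling what an FTP session can reach raises the attacker's cheapest path from 7 to 10, while hardening only the FTP login raises it to 8 because the network-equipment route still leads to the same session.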
Threat Modeling Process
• Ideally, this should occur during planning/design phase of SDLC.
1. Determine the scope of the model(s)
• What systems/persons/processes are included in your model(s)?
2. Identify potential threat actors and possible attacks
• Most commonly, classes of threat actors not specific threat actors
3. Identify and analyze existing countermeasures
4. Identify exploitable vulnerabilities that may be present
5. Identify prioritized risks
6. Identify additional countermeasures that can be deployed to reduce risk
Simple Threat Model
Asset | Threat Actors | STRIDE Threats | Controls | Attacks | Exploits
Web Application | Hacktivists, Criminals | S/T/I/D | Load balancer, WAF | SQLi, RFI, LFI, XSS | Wordpress v1.2.3.4 admin page SQLi
Web Server | Hacktivists, criminals | T/I/D/E | Network firewall, local firewall, load balancer, WAF, AV | Network exploits, unauthorized logins | Apache 1.2.3 Shellshock exploit
Email Server | Hacktivists, criminals, nation states | I/D | Spam filtering controls, AV filtering, AV | Unauth VRFY, TCP flood |
DNS Server | Criminals, nation states | T/D | Network firewall, host firewall | DNS Poisoning, upstream DoS |
Edge Router | Nation states | D | Net FW, host FW | Route poisoning |
Visual Threat Model
Image taken from Ars Technica
Another Visual Threat Model
Courtesy of Bruce Schneier https://www.schneier.com/academic/archives/1999/12/attack_trees.html
Another Visual Threat Model (1)
Image from Schneier.com
Another Visual Threat Model (2)
Image from Schneier.com
Another Visual Threat Model (3)
Image from Schneier.com
Another Visual Threat Model (4)
Image from Schneier.com
Another Visual Threat Model (5)
Image from Schneier.com
Another Visual Threat Model (6)
Image from Schneier.com