SLIDE 1

Threat Modeling: Lessons from Star Wars

Adam Shostack @adamshostack

SLIDE 2

Agenda

  • What is threat modeling?
  • A simple approach to threat modeling
  • Top 10 lessons
  • Learning more
SLIDE 3

What is threat modeling?

SLIDE 4

A SIMPLE APPROACH TO THREAT MODELING

SLIDE 5

4 Questions

  • 1. What are you building?
  • 2. What can go wrong?
  • 3. What are you going to do about it?
  • 4. Did you do an acceptable job at 1-3?
SLIDE 6

What are you building?

Data Flow Diagrams are a great representation

SLIDE 7

What Can Go Wrong?

Remember STRIDE

SLIDE 8

Spoofing

By Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532

SLIDE 9

Tampering

http://pinlac.com/LegoDSTractorBeam.html

SLIDE 10

Repudiation

By Seb H http://www.flickr.com/photos/88048956@N04/8531040850/

SLIDE 11

Information Disclosure

SLIDE 12

Photo by Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/

Information Disclosure (and impact)

SLIDE 13

Denial of Service

Model by Nathan Sawaya

http://brickartist.com/gallery/han-solo-in-carbonite/

SLIDE 14

Elevation of Privilege

http://www.flickr.com/photos/prodiffusion/

SLIDE 15

4 Questions

  • 1. What are you building?
  • 2. What can go wrong?
  • 3. What are you going to do about it?
  • 4. Did you do an acceptable job at 1-3?

SLIDE 16

TOP TEN LESSONS

SLIDE 17

SLIDE 18

Trap #1: “Think Like An Attacker”

  • “Think like a professional chef”?
  • Most people need structure
SLIDE 19

Trap #2: “You’re Never Done Threat Modeling”

Diagram: Model, Identify Threats, Mitigate, Validate

SLIDE 20

Trap #3: “The Way To Threat Model Is…”

  • Too much focus on specifics of how

– Use this framework (STRIDE)
– With this diagram type

  • Focus on what delivers value by helping people find good threats
  • Focus on what delivers value by helping lots of people

Borrowing a line from the Perl folks… There’s more than one way to threat model

SLIDE 21

Trap #3: Monolithic Processes

Diagram: Model, Identify Threats, Mitigate, Validate; Model, Identify Threats, Address Threats, Validate; Privacy

SLIDE 22

Trap #3: “The Way To Threat Model Is…”

Diagram labels: Security mavens; Experts in other areas

SLIDE 23

Trap #4: Threat Modeling as One Skill

  • Technique: DFDs, STRIDE, Attack trees
  • Repertoire:

– SSLSpoof, Firesheep
– Mitnick, Cuckoo's Egg
– Conficker, Stuxnet and Crilock

  • Frameworks and organization

– Elicitation and memory for experts

There’s Technique and Repertoire

SLIDE 24

Trap #5: Threat Modeling is Born, Not Taught

  • Playing a violin…You need to develop and maintain muscles
  • Beginners need easy and forgiving tunes
  • Not everyone wants or needs to be a virtuoso

Threat Modeling Is Like Playing A Violin

SLIDE 25

We’ve got to give them more time!

SLIDE 26

Trap #6: The Wrong Focus

  • Start from your assets
  • Start by thinking about your attackers
  • Thinking that threat modeling should focus on finding threats
  • Remember trap #3: “The Way to threat model is”
  • Starting from assets or attackers works for some people

SLIDE 27

Trap #7: Threat Modeling is for Specialists

  • Version control:

– Every developer, most sysadmins know some
– Some orgs have full time people managing trees

  • This is a stretch goal for threat modeling

SLIDE 28

Trap #8: Threat Modeling Without Context

  • Some threats are “easy” for a developer to fix (for example, add logging)
  • Some threats are “easy” for operations to fix (look at the logs)
  • Good threat modeling can build connections

– Security Operations Guide
– Non-requirements

SLIDE 29

Trap #9: Laser-Like Focus on Threats

Interplay of attacks, mitigations and requirements

Diagram nodes: Requirements, Threats, Mitigations

  • Requirements drive threats
  • Threats expose requirements
  • Un-mitigatable threats drive requirements
  • Threats need mitigation
  • Mitigations can be bypassed

SLIDE 30

Trap #10: Threat Modeling at the Wrong Time

“Sir, we’ve analyzed their attack pattern, and there is a danger”

SLIDE 31

Summary

  • Anyone can threat model, and everyone should
  • The skills, techniques and repertoire can all be learned
  • There are many traps
  • Threat modeling is one of the most effective ways to drive security through your product, service or system

SLIDE 32

Call to Action

  • Remember the 4 Questions
  • Be proactive:

– Find security bugs early
– Fix them before they’re exploited

  • Drive threat modeling through your organization
  • Drive threat modeling throughout the profession
SLIDE 33

“All models are wrong, some models are useful”

— George Box

SLIDE 34

Questions?

  • Please use the microphones
  • Or tweet @adamshostack
  • Or read the new book 

– Threatmodelingbook.com

SLIDE 35

Resources: Additional Books

  • The Checklist Manifesto by Atul Gawande
  • Thinking Fast & Slow by Daniel Kahneman
  • The Cuckoo’s Egg by Cliff Stoll
  • Ghost in the Wires by Kevin Mitnick
  • Understanding Privacy by Dan Solove
  • Privacy in Context by Helen Nissenbaum
SLIDE 36

Threat Modeling: Designing For Security

Part I: Getting Started

  • 1. Dive in and threat model
  • 2. Strategies for threat modeling

Part II: Finding Threats

  • 3. STRIDE
  • 4. Attack Trees
  • 5. Attack Libraries
  • 6. Privacy Tools

Part III: Managing and Addressing Threats

  • 7. Processing and managing threats
  • 8. Defensive Building Blocks
  • 9. Tradeoffs when addressing threats
  • 10. Validating threats are addressed
  • 11. Threat modeling tools

Part IV: Threat modeling in technologies and tricky areas

  • 12. Requirements cookbook
  • 13. Web and cloud threats
  • 14. Accounts and Identity
  • 15. Human Factors and Usability
  • 16. Threats to cryptosystems

Part IV: Taking it to the next level

  • 17. Bringing threat modeling to your organization
  • 18. Experimental approaches
  • 19. Architecting for success

Appendices

– Helpful tools, Threat trees, Attacker Lists, Elevation of Privilege (the cards), Case studies

SLIDE 37

Thank you!

  • Star Wars: Episodes IV-VI
  • Great Creative Commons Lego brick art:

– Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532
– http://pinlac.com/LegoDSTractorBeam.html
– Seb H http://www.flickr.com/photos/88048956@N04/8531040850/
– Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/
– Kaitan Tylerguy http://www.flickr.com/photos/kaitan/3326772088/
– Nathan Sawaya, http://brickartist.com/gallery/han-solo-in-carbonite/
– http://www.flickr.com/photos/prodiffusion/

SLIDE 38

BACKUP

SLIDE 39

SLIDE 40

Different Threats Affect Each Element Type

Table: ELEMENT (External Entity, Process, Data Store, Data Flow) against S, T, R, I, D, E (one cell is marked “?”)

SLIDE 41

This isn’t the reputation you’re looking for…