Zero Trust Threat Modeling
Chris Romeo, CEO, Devici
chris@devici.com
Chris Romeo
Chris is a leading voice and thinker in application security, threat modeling, and security champions.
• CEO, Devici
• General Partner, Kerr Ventures
• CISSP, CSSLP
• 26 years in security
• Award-winning Podcast Host
• Previously Co-Founder of Security Journey and Cisco Chief Security Advocate
ZERO TRUST THREAT MODELING
Agenda
• An AppSec primer on Zero Trust
• A threat modeling crash course
• The impact of zero trust on threat modeling and what changes with threat modeling in a zero-trust world
• A reference threat model for Zero Trust
Zero Trust Primer for AppSec – Seven Tenets
1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
Source: NIST SP 800-207
Threat modeling
Zero Trust Threat modeling analyzes {Zero Trust} system representations to highlight concerns about security and privacy characteristics.
Source: https://www.threatmodelingmanifesto.org/
Benefits of threat modeling Zero Trust
1. Ensures that security is built into everything during development.
2. Security and privacy problems are found and fixed early in the ZT system lifecycle.
3. TM simplifies a complex system to enable analysis.
Security feedback loop
[Figure: a cycle of Identify Threats -> Change the Design -> Evaluate Mitigations, repeating]
Threat modeling elements
[Figure: the element symbols External Entity, Process, and Data Store]
Secure by design
Technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.
The art and science of prioritizing security and privacy to reasonably protect the stuff you build against security threats.
Source: https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf
Secure by design principles refined for ZT
• Zero Trust builders and defenders must share in ensuring security outcomes with Customers.
• Zero Trust builders should stand out by delivering and taking pride in safe, secure products.
• Top executives drive the actual changes in the organization.
Secure by default applies for ZT
• Eliminate default passwords.
• Mandate MFA for privileged users.
• Single Sign-On with SAML or OIDC.
• Authorization profiles.
• Reduce hardening guide size.
• Secure Logging.
• Forward-looking security over backwards compatibility.
• Consider UX and security.
ZT Pillars and a treasure trove of threats
[Figure: Pandora’s Box, labelled THREATS]
What’s different about ZT TM
• Death to the trust boundary
• Focus on the AuthC and AuthZ policy engines
• More exposure of data sources
• The role of Infra
• Data flows are better protected
• Network as wild, wild west
• Bumps in the road
Threat modeling process
Scope
Draw: What are we building?
Analyze: What can go wrong?
Mitigate: What are we going to do about that?
Retrospective: Did we do a good enough job?
Scope
Three components of scoping
• Sizing
• Security relevance
• Interfaces / attack surface analysis
The dangers of size
Size  Target                      Hours to properly decompose and model  Dangers
S     Single AuthC or AuthZ flow  2-8                                    None
M     Multiple flows              12-40                                  Complexity+
L     Subsystem                   100+                                   Complexity++
XL    Entire system                                                      Complexity+++
Draw
There is no reference architecture in the real world.
New threats come in all shapes and sizes.
The core of the ZT architecture
[Figure: Data Plane with Subject -> Policy Enforcement Point -> Object]
Analyze
STRIDE Methodology
Category: Definition
Spoofing: Pretending to be someone you are not
Tampering: Modifying data
Repudiation: “I didn’t do it, nobody saw me do it, can’t prove anything”
Information Disclosure: Leakage of information that should be private
Denial of Service: Stopping something from working or responding
Elevation of Privilege: Upgrading from user to administrator level access
Spoofing and Tampering?
[Figure: Data Plane with Subject -> Policy Enforcement Point -> Object, plus an Attacker]
ZT Tenet #2: All communication is secured regardless of network location.
Repudiation?
[Figure: Data Plane with Subject -> Policy Enforcement Point -> Object, an Attacker, and a SIEM]
Logging is a core component in the ZTMM at all levels.
Information Disclosure?
[Figure: Data Plane with Subject -> Policy Enforcement Point -> Object, plus an Attacker]
Possible threat for each component in the architecture.
Denial of Service?
[Figure: Data Plane with Subject -> Policy Enforcement Point -> Object, plus an Attacker]
A magnified threat given the open access profile of ZT, no inside or outside.
Elevation of Privilege?
[Figure: Data Plane with User -> Policy Enforcement Point -> Object, an Attacker, and a User with higher privilege]
The core threat that ZT exists to prevent!
Summarizing STRIDE
Category: Response
Spoofing: TLS is everywhere and ZT Tenet #2.
Tampering: See above.
Repudiation: Logging is a core component in the ZTMM at all levels.
Information Disclosure: Possible at every interface.
Denial of Service: Magnified threat.
Elevation of Privilege: ZT exists to prevent!
Mitigate
STRIDE Canned Mitigations
Spoofing
  Compensating control: Strong authentication (MFA), strong frameworks and libraries
  Conclusion: TLS is everywhere, and ZT Tenet #2.
Tampering
  Compensating control: Encryption and hashing
  Conclusion: TLS is everywhere, and ZT Tenet #2.
Repudiation
  Compensating control: Logging and strong authentication
  Conclusion: Logging is a core component in the ZTMM at all levels.
Information Disclosure
  Compensating control: Encryption and Secure Application Design
  Conclusion: Always a concern.
Denial of Service
  Compensating control: Site / product scalability
  Conclusion: Magnified threat.
Elevation of Privilege
  Compensating control: Zero Trust Architecture!!!!!
  Conclusion: ZT exists to prevent!
Retrospective
Did we do a good enough job?
Measurement: Team-defined score (0-10)

ZT TM Threat Model
Why do we ZT threat model?
• Not every architecture is as infallible as the reference architecture, nor is every design as clean.
• People make mistakes when designing things… even SECURITY people.
• Anything is possible – any threat is possible.
I challenge you to test the design of your ZT using threat modeling.
ZT Architecture
[Figure: the reference ZT architecture diagram. Components shown: Control Plane, Data Plane, Data access policies, SIEM, CDM, Policy Engine, Threat Intel, Policy Administrator, ID Mgmt, Enterprise PKI, User 1, Non-Person Entity, Attacker, Secure Enclave #1, Policy Enforcement Point, App Server, Database]
ZT CAPITALS Methodology
Category: Definition
Compromise & Exploit: Gaining unauthorized control over an element in Zero Trust (ZT) or exploiting its vulnerabilities.
Authentication & Session Management: Compromising any part of the identification and authentication mechanism or its workflow.
Poisoning: Introducing deceptive or misleading data.
Information Disclosure: Exposing confidential or private information.
Tampering: Altering data or interfering with an automated procedure.
Authorization: Bypassing or undermining any aspect of the access control system or its procedures.
Lack of Logging: Intentionally or unintentionally neglecting the creation of accurate audit logs.
Segmentation, visibility breakdown, and DoS: Disrupting the control/data plane, impairing network visibility, or causing a Denial of Service.
Applying CAPITALS
• Utilize a collaborative, diverse team of threat modeling people to work with you.
• Consider each threat category against each component and flow of the ZT architecture. If you can dream it up, an attacker somewhere can make the threat a reality.
• Capture your threat brainstorming exercise, documenting everything that is suggested.
• Focus on mitigations – the model is only as good as its mitigations.
• Perform a prioritization exercise against the threats; fix critical and high ones. Backlog anything that doesn’t fit into the current fix cycle.
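As an added example (not code from the deck, from Devici, or from any tool the deck mentions), here is one way to turn the Applying CAPITALS steps into a repeatable exercise: build the category-by-target grid from the reference architecture, record what the brainstorm produced, report which cells nobody has considered yet, and split the findings into the current fix cycle and the backlog. The category, element and flow names come from the deck's CAPITALS and ZT Architecture slides; the flow list, the severity scale and the sample findings are constructed assumptions.

```python
"""Added example: a CAPITALS threat grid and triage for the reference ZT
architecture. Severities, flows and findings are constructed sample data."""
from dataclasses import dataclass, field
from itertools import product

# The eight ZT CAPITALS categories, in the order the deck lists them.
CAPITALS = (
    "Compromise & Exploit",
    "Authentication & Session Management",
    "Poisoning",
    "Information Disclosure",
    "Tampering",
    "Authorization",
    "Lack of Logging",
    "Segmentation, visibility breakdown, and DoS",
)

# Elements from the ZT Architecture slide (plane assignment is an assumption).
CONTROL_PLANE = ("Policy Engine", "Policy Administrator", "CDM", "Threat Intel",
                 "Data access policies", "SIEM", "ID Mgmt", "Enterprise PKI")
DATA_PLANE = ("User 1", "Non-Person Entity", "Policy Enforcement Point",
              "App Server", "Database")

# Data flows as (source, destination); constructed, not read off the diagram.
FLOWS = (
    ("User 1", "Policy Enforcement Point"),
    ("Non-Person Entity", "Policy Enforcement Point"),
    ("Policy Enforcement Point", "App Server"),
    ("App Server", "Database"),
    ("Policy Administrator", "Policy Enforcement Point"),
    ("CDM", "Policy Engine"),
    ("Threat Intel", "Policy Engine"),
)

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Threat:
    category: str
    target: str              # an element name, or "src -> dst" for a flow
    description: str
    severity: str            # a key of SEVERITY_RANK
    mitigations: list = field(default_factory=list)


def candidate_grid():
    """Every (category, target) cell the team must consider: the checklist
    behind 'each threat category against each component and flow'."""
    targets = list(CONTROL_PLANE + DATA_PLANE) + [f"{s} -> {d}" for s, d in FLOWS]
    return [(cat, tgt) for cat, tgt in product(CAPITALS, targets)]


def coverage(threats):
    """Grid cells the brainstorm has not produced a finding for yet."""
    seen = {(t.category, t.target) for t in threats}
    return [cell for cell in candidate_grid() if cell not in seen]


def triage(threats):
    """Split into the current fix cycle (critical/high) and the backlog.
    Within a severity, findings with no mitigation sort first, because the
    model is only as good as its mitigations."""
    ordered = sorted(threats, key=lambda t: (SEVERITY_RANK[t.severity], bool(t.mitigations)))
    fix_now = [t for t in ordered if t.severity in ("critical", "high")]
    backlog = [t for t in ordered if t.severity not in ("critical", "high")]
    return fix_now, backlog


# Constructed brainstorm output, phrased after four of the deck's threats.
SAMPLE_THREATS = [
    Threat("Compromise & Exploit", "Policy Engine",
           "Attacker subverts the ZT decision process by compromising the PE/PA",
           "critical", ["timely patch management", "JIT/JEA", "harden the PEP"]),
    Threat("Poisoning", "CDM -> Policy Engine",
           "Attacker injects false posture data to open access", "high",
           ["cryptographically validate CDM updates"]),
    Threat("Lack of Logging", "App Server",
           "App Server does not log at the level the response team needs", "medium"),
    Threat("Tampering", "App Server -> Database",
           "Flow assumed to be TLS but never verified", "high"),
]

if __name__ == "__main__":
    fix_now, backlog = triage(SAMPLE_THREATS)
    print(f"grid cells to consider: {len(candidate_grid())}")
    print(f"cells still untouched:  {len(coverage(SAMPLE_THREATS))}")
    for t in fix_now:
        flag = " (no mitigation!)" if not t.mitigations else ""
        print(f"FIX NOW: [{t.severity}] {t.category} @ {t.target}{flag}")
    for t in backlog:
        print(f"BACKLOG: [{t.severity}] {t.category} @ {t.target}")
```

The untouched-cell count is the useful output during the session: it tells the team which component or flow has not yet been looked at through a given CAPITALS lens, which is where assumptions about the strength of one part of the system tend to hide.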
Compromise & Exploit
[Figure: the ZT Architecture diagram]
Threat #1: An attacker subverts the ZT decision process by compromising the PE and/or PA. (800-207)
Mitigations:
1. Proper, timely patch management;
2. Testing of environment for known security issues;
3. Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA);
4. Harden the PEP for battle.
ZERO DAY? Inherent risk. And a downside of zero trust, wild west, wide open networking. But how do we mitigate? Firewalls? But have we lost ZT?
Compromise & Exploit
[Figure: the ZT Architecture diagram]
Threat #2: An attacker exploits an OWASP Top Ten vuln in an administrative web interface.
Mitigations:
1. Constrain ALL administrative interfaces to the Control Plane;
2. Keep the Control Plane isolated;
3. Awareness amongst system and application builders;
4. Testing of environment specifically for OWASP Top Ten.
Authentication & Session Mgmt
[Figure: the ZT Architecture diagram]
Threat #3: An attacker discovers/compromises the session management strategy and gains access to an object by impersonating another user or a service.
Mitigations:
1. TLS encryption of data flows;
2. Strong authentication token strategy with strong session identifier for users;
3. Protect the generation and distribution of service tokens.
Authentication & Session Mgmt
[Figure: the ZT Architecture diagram]
Threat #4: An attacker steals or guesses a password using a brute-force attack, phishing, or credential stuffing and provides the password to a ZT AuthC that supports username/password as a fallback authentication mechanism.
Mitigations:
1. Implement MFA;
2. Disable any usage of username/password AuthC.
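The mitigations for Threat #3 and Threat #4 in working form, as an added example that is not code from the deck or from Devici: session identifiers with enough entropy that they cannot be guessed, MFA required before a session exists (with the password-only fallback from Threat #4 kept as an explicit, off-by-default switch so the weak configuration is visible), and service tokens whose signing key lives only inside the AuthC component and which are bound to one audience and a short lifetime. The class name, the user directory, the key and the audiences are constructed assumptions; only the standard library is used.

```python
"""Added example: AuthC controls behind Threats #3 and #4. Names, users and
keys are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


class ZtAuthC:
    def __init__(self, service_key: bytes, allow_password_fallback: bool = False,
                 session_ttl: int = 900):
        # allow_password_fallback=True is the weak setting Threat #4 describes;
        # the hardened default refuses any login that was not MFA-verified.
        self._service_key = service_key        # only this component holds it
        self.allow_password_fallback = allow_password_fallback
        self.session_ttl = session_ttl
        self._users = {}                        # user -> (salt, pbkdf2 hash)
        self._sessions = {}                     # session id -> (user, expiry)

    # --- constructed stand-in for the ID Mgmt directory ----------------------
    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _password_ok(self, user: str, password: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash(password, salt))

    # --- user sessions (Threat #3 mitigation 2, Threat #4 mitigations) -------
    def login(self, user: str, password: str, mfa_verified: bool, now=None):
        """Return a session id or None; mfa_verified is what the MFA provider
        reported for this attempt."""
        now = time.time() if now is None else now
        if not self._password_ok(user, password):
            return None
        if not mfa_verified and not self.allow_password_fallback:
            return None     # a stolen, guessed or phished password is not enough
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[sid] = (user, now + self.session_ttl)
        return sid

    def subject_for(self, sid: str, now=None):
        """Resolve a presented session id; unknown or expired ids map to nobody."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None or entry[1] <= now:
            self._sessions.pop(sid, None)
            return None
        return entry[0]

    # --- service tokens (Threat #3 mitigation 3) -----------------------------
    def issue_service_token(self, service: str, audience: str, ttl: int = 300, now=None) -> str:
        """Generation stays inside AuthC; the token is bound to one audience."""
        now = time.time() if now is None else now
        payload = json.dumps({"sub": service, "aud": audience, "exp": int(now) + ttl},
                             separators=(",", ":")).encode()
        mac = hmac.new(self._service_key, payload, hashlib.sha256).digest()
        return b64url(payload) + "." + b64url(mac)

    def verify_service_token(self, token: str, audience: str, now=None):
        """Return the calling service name, or None for forged, re-targeted,
        expired or malformed tokens."""
        now = time.time() if now is None else now
        try:
            p64, m64 = token.split(".")
            payload, mac = unb64url(p64), unb64url(m64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._service_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                         # tampered or forged
        claims = json.loads(payload)
        if claims.get("aud") != audience or claims.get("exp", 0) <= now:
            return None                         # wrong recipient or expired
        return claims["sub"]
```

The design point for the threat model: the only way to obtain a session id is through login(), and login() cannot succeed on a password alone unless someone has deliberately flipped allow_password_fallback, which makes that flag the item to hunt for in a review.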
Poisoning
[Figure: the ZT Architecture diagram]
Threat #5: An attacker poisons the CDM data set or injects false data into the data set {to trick the AuthZ process into opening access}. (800-207+)
Mitigations:
1. Design the CDM solution within a separate Control/Data Plane.
2. Cryptographically validate any CDM updates.
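What "cryptographically validate any CDM updates" can look like on the Policy Engine side, as an added example that is not code from the deck, from Devici or from any CDM product: each sensor signs its posture record with a key provisioned out of band, and the engine accepts a record only if the signature verifies, the timestamp is fresh, and the sequence number is newer than the last one accepted for that device. A poisoned copy, a replayed old record, an unsigned record and a record from an unknown sensor are all rejected, and a device with no accepted posture is treated as non-compliant. The sensor ids, device names, posture fields and keys are constructed assumptions; an HMAC over canonical JSON stands in for whatever signature scheme a real deployment uses.

```python
"""Added example: signed CDM posture updates verified by the Policy Engine.
Sensor ids, devices, fields and keys are constructed."""
import hashlib
import hmac
import json
import time

REQUIRED = ("sensor", "device", "seq", "ts", "patched", "edr_running")


def canonical(record: dict) -> bytes:
    """Stable byte form so sender and verifier MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key: bytes, record: dict) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def make_update(key, sensor, device, seq, ts, patched, edr_running):
    """CDM sensor side: one signed posture update."""
    record = {"sensor": sensor, "device": device, "seq": seq, "ts": ts,
              "patched": patched, "edr_running": edr_running}
    return {"record": record, "sig": sign_record(key, record)}


class CdmVerifier:
    """Policy Engine side: only authentic, fresh, in-order updates change posture."""

    def __init__(self, sensor_keys: dict, max_age: int = 300):
        self._keys = sensor_keys   # sensor id -> shared key, provisioned out of band
        self.max_age = max_age     # seconds of clock skew / delay tolerated
        self._last_seq = {}        # (sensor, device) -> highest sequence accepted
        self.posture = {}          # device -> last accepted record

    def accept(self, update, now=None):
        """Return (accepted, reason) and never raise on attacker-shaped input."""
        now = time.time() if now is None else now
        record, sig = update.get("record"), update.get("sig")
        if (not isinstance(record, dict) or not isinstance(sig, str)
                or any(k not in record for k in REQUIRED)):
            return False, "unsigned or malformed update"
        key = self._keys.get(record["sensor"])
        if key is None:
            return False, "unknown sensor"
        if not hmac.compare_digest(sig, sign_record(key, record)):
            return False, "bad signature"          # poisoned or injected data
        if abs(now - record["ts"]) > self.max_age:
            return False, "stale update"
        ident = (record["sensor"], record["device"])
        if record["seq"] <= self._last_seq.get(ident, -1):
            return False, "replayed or out-of-order update"
        self._last_seq[ident] = record["seq"]
        self.posture[record["device"]] = record
        return True, "accepted"

    def device_compliant(self, device: str) -> bool:
        """Fail closed: no accepted posture means not compliant."""
        rec = self.posture.get(device)
        return bool(rec) and rec["patched"] is True and rec["edr_running"] is True
```

Keeping the shared keys on the Policy Engine only, and feeding the engine from the CDM over the control plane, is the "separate Control/Data Plane" half of the mitigation; the signature check is what makes data-plane injection into that feed useless even if the separation fails.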
Poisoning
[Figure: the ZT Architecture diagram]
Threat #6: An attacker poisons or injects false data into the threat intelligence feeds to prevent legitimate users from gaining access. (DoS)
Mitigations:
1. Strong third-party risk program.
2. Threat model / assess your provider’s architecture.
Information Disclosure
[Figure: the ZT Architecture diagram]
Threat #7: An attacker uses the CDM data as intelligence to find the weakest points in the architecture.
Mitigations:
1. Design the CDM solution within a separate Control/Data Plane.
2. Patch management and monitoring for CDM.
3. Limit data exposed in the CDM systems.
Information Disclosure
[Figure: the ZT Architecture diagram]
Threat #8: An attacker accesses the data access policies to understand the input to the policy engine.
Mitigation:
Protect data access policies in whatever format they exist within.
Tampering
[Figure: the ZT Architecture diagram]
Threat #9: An attacker receives or tampers with data on the wire.
Mitigation:
Never ASSUME that TLS has been utilized in every corner.
Tampering
[Figure: the ZT Architecture diagram]
Threat #10: An attacker can induce or coerce a non-person entity to perform a task the attacker is not privileged to perform. (800-207)
Mitigation:
Extreme least privilege for NPEs.
Authorization
[Figure: the ZT Architecture diagram, with External Policy Attributes and User N added]
Threat #11: An attacker exploits a time of check vs. time of use vuln in the policy engine.
Mitigation:
Limit subject access with Just-In-Time and Just-Enough-Access (JIT/JEA).
Authorization
[Figure: the ZT Architecture diagram, with External Policy Attributes added]
Threat #12: Data incompatibilities cause a PE/PA to allow attackers access to data they should not have access to. (800-207)
Mitigation:
1. Know what attributes and what sources are used for policy decisions.
2. Define the order of operations for different sources.
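One Policy Engine sketch that serves both Threat #11 and Threat #12, added here as an example that is not code from the deck, from Devici or from NIST: attributes are merged from the control-plane sources in a declared order of operations, every value is checked against a schema so that an incompatible value (a string "false" where a boolean is expected) denies instead of quietly passing, and the decision is returned as a grant that is short-lived (JIT) and scoped to exactly one subject, action and resource (JEA). The PEP re-runs the decision at time of use, so a posture change between check and use closes the TOCTOU window. A naive merge is included beside it to show the Threat #12 failure. The source names follow the deck's diagram; the subjects, attributes, resource and policy rule are constructed assumptions.

```python
"""Added example: attribute precedence plus fail-closed typing (Threat #12)
and time-of-use re-evaluation with JIT/JEA grants (Threat #11). Sources,
subjects, attributes and the policy rule are constructed."""
import time
from dataclasses import dataclass

# Order of operations: the first source carrying an attribute wins.
PRECEDENCE = ("ID Mgmt", "CDM", "External Policy Attributes")

# The type every attribute must have; anything else is a data incompatibility.
SCHEMA = {"role": str, "mfa": bool, "device_compliant": bool}


@dataclass(frozen=True)
class Grant:
    subject: str
    action: str
    resource: str
    expires: float


class PolicyEngine:
    def __init__(self, sources: dict, grant_ttl: float = 60.0):
        self.sources = sources       # source name -> {subject -> {attr -> value}}
        self.grant_ttl = grant_ttl   # JIT: how long a decision may be relied on

    def resolve(self, subject: str) -> dict:
        """Merge attributes by precedence; raise on an ill-typed value from any
        source, because a value the engine does not understand must not decide."""
        merged = {}
        for src in PRECEDENCE:
            for attr, value in self.sources.get(src, {}).get(subject, {}).items():
                if attr in SCHEMA and type(value) is not SCHEMA[attr]:
                    raise TypeError(f"{src}: {attr}={value!r} is not {SCHEMA[attr].__name__}")
                merged.setdefault(attr, value)     # higher-precedence source wins
        return merged

    def decide(self, subject, action, resource, now=None):
        """Evaluate the (constructed) rule right now; None means deny."""
        now = time.time() if now is None else now
        try:
            a = self.resolve(subject)
        except TypeError:
            return None                            # incompatible data: fail closed
        if (resource == "payroll-db" and action == "read"
                and a.get("role") == "payroll" and a.get("mfa") is True
                and a.get("device_compliant") is True):
            return Grant(subject, action, resource, now + self.grant_ttl)
        return None


def naive_decide(sources, subject, action, resource):
    """The pattern Threat #12 warns about: merge sources in arrival order and
    treat any non-empty value as true."""
    attrs = {}
    for src in sources.values():
        attrs.update(src.get(subject, {}))
    return (resource == "payroll-db" and action == "read"
            and attrs.get("role") == "payroll" and bool(attrs.get("mfa"))
            and bool(attrs.get("device_compliant")))


def enforce(pe, grant, subject, action, resource, now=None):
    """PEP check at time of use: the grant must be unexpired, scoped to exactly
    this request (JEA), and the decision must still hold when re-evaluated."""
    now = time.time() if now is None else now
    if grant is None or grant.expires <= now:
        return False
    if (grant.subject, grant.action, grant.resource) != (subject, action, resource):
        return False
    return pe.decide(subject, action, resource, now) is not None
```

The two lists at the top, PRECEDENCE and SCHEMA, are the documented answers to the Threat #12 mitigation ("know what attributes and what sources are used" and "define the order of operations"); a reviewer can read the order of operations off the code instead of inferring it from behaviour.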
Lack of Logging
[Figure: the ZT Architecture diagram]
Threat #13: An attacker can attack the App Server, and because it does not log at the correct level, the Response team is unaware of the attack.
Mitigations:
1. Comprehensive logging from all elements.
2. Logging audit to ensure policy compliance.
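The "logging audit to ensure policy compliance" mitigation as a script, added here as an example that is not code from the deck or from any SIEM vendor: a logging policy names the event types each ZT element must deliver to the SIEM, the audit walks the SIEM feed and reports elements that are silent, and separately reports elements that do emit the event but only below the level the SIEM retains, which is the exact failure in Threat #13. The feed format, the element names in it, the policy and the level threshold are constructed assumptions.

```python
"""Added example: a logging audit for Threat #13 over a constructed SIEM feed."""
from collections import defaultdict

LEVEL_RANK = {"DEBUG": 10, "INFO": 20, "WARN": 30, "ERROR": 40}

# Logging policy (constructed): element -> event types it must deliver to the SIEM.
POLICY = {
    "Policy Enforcement Point": {"access_decision"},
    "App Server": {"authn", "request"},
    "Database": {"query"},
    "ID Mgmt": {"login"},
}
MIN_LEVEL = "INFO"   # assumption: the SIEM drops everything below this level

# Constructed feed, one event per line: "<ts> <element>|<level>|<event>|<details>"
SAMPLE_FEED = """\
2024-05-01T10:00:01Z Policy Enforcement Point|INFO|access_decision|subject=user1 resource=app allow=true
2024-05-01T10:00:02Z App Server|ERROR|request|status=500 path=/admin
2024-05-01T10:00:02Z App Server|DEBUG|authn|user=user1 result=fail
2024-05-01T10:00:03Z Database|INFO|query|rows=3
malformed line that the parser must skip
2024-05-01T10:00:04Z App Server|DEBUG|authn|user=user1 result=fail
"""


def parse_feed(text):
    """Yield (element, level, event) per line; lines that do not fit are skipped."""
    for line in text.splitlines():
        try:
            _ts, rest = line.split(" ", 1)
            element, level, event, _details = rest.split("|", 3)
        except ValueError:
            continue
        yield element, level, event


def audit(feed_text, policy=POLICY, min_level=MIN_LEVEL):
    """Return {element: sorted missing event types}, counting only events that
    arrived at or above min_level. Elements with no gaps are omitted."""
    seen = defaultdict(set)
    for element, level, event in parse_feed(feed_text):
        if LEVEL_RANK.get(level, 0) >= LEVEL_RANK[min_level]:
            seen[element].add(event)
    gaps = {}
    for element, required in policy.items():
        missing = sorted(required - seen[element])
        if missing:
            gaps[element] = missing
    return gaps


def wrong_level(feed_text, min_level=MIN_LEVEL):
    """Events an element does emit, but only below the retained level: the
    element is logging, just not in a way the response team will ever see."""
    best = {}
    for element, level, event in parse_feed(feed_text):
        key = (element, event)
        best[key] = max(best.get(key, 0), LEVEL_RANK.get(level, 0))
    low = defaultdict(list)
    for (element, event), rank in best.items():
        if rank < LEVEL_RANK[min_level]:
            low[element].append(event)
    return {element: sorted(events) for element, events in low.items()}


if __name__ == "__main__":
    for element, missing in audit(SAMPLE_FEED).items():
        print(f"GAP   {element}: never received {', '.join(missing)}")
    for element, events in wrong_level(SAMPLE_FEED).items():
        print(f"LEVEL {element}: {', '.join(events)} only logged below {MIN_LEVEL}")
```

Run against a real feed the two reports answer different questions: audit() finds elements that are not wired to the SIEM at all (comprehensive logging from all elements), and wrong_level() finds elements whose verbosity setting defeats the policy.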
Segmentation, visibility breakdown, and DoS
[Figure: the ZT Architecture diagram]
Threat #14: An attacker accesses control plane resources (PA) from the data plane.
Mitigations:
1. Threat model the control plane as a separate entity.
2. Aggressively test the control plane interfaces.
3. Attack surface analysis and monitoring of the control plane.
Segmentation, visibility breakdown, and DoS
[Figure: the ZT Architecture diagram, with Routers and Switches added]
Threat #15: An attacker compromises the network layer devices and reconfigures the ZT environment.
Mitigations:
1. Threat model the network as a separate entity.
2. Patching and hardening processes for network devices.
3. Network device full visibility in the SOC via SIEM.
Lessons learned from TM ZT
• The universe of applicable threats crosses identity, devices, networks, applications/workloads, data, subjects, and objects.
• ZT TM requires a holistic view of the system, as threats can exist anywhere within the architecture (even in non-ZT things like applications).
• It is easy to make assumptions about the strength of a portion of the ZT system.
• ZT is vast and complex, and securing something complex vs. simple is more challenging.
• There are no reference architectures in the real world.
Key takeaways
1. Threat modeling and secure by design/default are constructs that move security and privacy forward with ZT.
2. The threat modeling process is scope, draw, analyze, mitigate, and retrospective.
3. Reality is never as clear or clean as the art of the reference.
4. ZT Capitals methodology: compromise & exploit, authentication & session management, poisoning, info disclosure, tampering, authorization, lack of logs, and segmentation/visibility/DoS.
5. Threat model all the things, including all the ZT things!
Questions?
Chris Romeo
CEO | Devici
chris@devici.com
Listen: The Application Security Podcast, The Security Table, The Threat Modeling Podcast
Read: Reasonable Application Security, https://appsec.beehiiv.com/
References
1. Zero Trust Maturity Model, https://www.cisa.gov/sites/default/files/202304/zero_trust_maturity_model_v2_508.pdf
2. Zero Trust Cybersecurity Current Trends, https://www.actiac.org/system/files/ACTIAC%20Zero%20Trust%20Project%20Report%2004182019.pdf
3. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf
4. Department of Defense (DoD) Zero Trust Reference Architecture, https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf
5. NIST Special Publication 800-207, Zero Trust Architecture