MIT 6.805
24 October 2002

Threat Models

What is a Threat Model?
- A requirements spec / functional spec for security
- Constrains the solution: provides bounds for what needs to be done

Why is this important?
- Security is not binary
- Choices have costs
- A means to make sense of the landscape

Definitions
- Vulnerability: a security-relevant flaw in a system
- Attack: a means of exploiting a vulnerability
- Adversary: a "bad guy", i.e. an entity with hostile intent
- Threat: a motivated, capable adversary
- Countermeasure: mechanisms or procedures to counter attacks

What are the elements of a Threat Model?
- Who, why, how, risk sensitivity

Common Adversaries
- Hackers
- Insiders
- Industrial spies
- Criminals
- Activists
- Nation-state spies

Complex Adversaries
- Who is the adversary?
  o An individual joy-riding hacker, with no specific malicious intent
  o An individual coached by someone with extra knowledge and intent. The individual's motivation remains the joy ride; the coach may have more malicious aims
  o A team being run together, which may or may not be aware of each other
  o Limited information at each participant
- Multiple resources being applied: coordinated but oblivious
- Multiple access points
- The runner is a well-funded organization with broad knowledge and capabilities, possibly a nation-state or organized crime

Motives (why)

How much power is available?
- Computation power, network bandwidth, connectivity points

Source of attack?
- Cyberspace (goals of the attack):
  o Gaining unauthorized access to a trusted/privileged system
  o Flooding the network and impacting connectivity performance
  o Denial of service attack on a point of entry of the service to be protected
  o Taking over the points of entry to the emergency service to provide a fake service
  o Pretending that an end-system used to access the service will perform some controls and authorization checks on its applications and users
- Physical access to privileged devices (including insider attack):
  o Gaining unauthorized access to a trusted/privileged system (e.g. physically rebooting a system from a floppy into a different state to subvert existing security mechanisms)
  o Gaining access to secrets on a privileged system (e.g. reading secrets from a hard disk)
  o Gaining access to networking equipment to deny connectivity or modify the behavior of the device
  o Gaining access to administrative privileges to modify the service configuration without alarms being raised
- Combined cyber and physical access to privileged devices (including insider attack)

Threat Modeling
- The process of creating a threat model
- Thinking out of the box
- Who are the actors?
- What are the protocols?

Example: Stored Value Card (chap. 19, Secrets & Lies, Bruce Schneier)
[Diagram: parties Bank, Consumer, Merchant; flows labelled "Deposit to account", "Load card", "Transfer funds"]

Attacks that can be mounted by Consumer or Merchant
  o Attack the card: change the stored value
  o Alter records to reflect a different value transfer
  o Forge cards
  o Clone cards
- Consumer attacks
  o Repudiate a transaction
  o Report another consumer's card stolen and intercept the replacement
- Merchant attacks
  o Accept a transaction and skip town
  o Replay valid transactions
- Bank attacks
  o Load less money onto the card
  o Don't credit the account for merchant payments
- Collusion attacks
- Privacy attacks...
- Denial of service attacks

Key connection to Risk Assessment
- What are the likely threats?
- What is the likely loss?
- Estimate the probability of attack and the expected cost of loss
- Yields annual loss expectancy

Point of the exercise
- Understand the real threats to the system, and assess the risk of these threats
- Describe the security policy required to defend against the threats
- Develop the countermeasures that enforce the policy

Failure often occurs in getting the threat wrong
- Version rollback
- Anti-fraud measures in analog cell phones: scanners were "expensive"
- Anti-fraud measures in digital cell phones... same rationale...

Attack Trees (chap. 21)
- Methodology for threat modeling
- Goal state; AND / OR nodes; leaves
- Metrics on the nodes, environment specific
  o Possible / impossible
  o Expensive / cheap
  o Cost range...
- Iterative process, but more formal than brainstorming

Exercise 2: Begin a threat model for your project
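The following is an added worked example, not from the lecture slides or from Schneier's book, tying the two analytical tools above together: an attack tree for the stored value card whose branches are the card, forgery, cloning and replay attacks listed earlier, with the environment-specific leaf metrics (possible / impossible, cost) propagated up to the goal, plus the annual loss expectancy calculation from the risk assessment slide. The node names beyond the slides' own attack labels, the dollar costs and the yearly attack rates in `SAMPLE_THREATS` are all constructed for illustration; the `replay_blocked` flag is an assumed countermeasure (the bank rejecting a transaction it has already seen) used to show how a leaf flipping to "impossible" changes the cheapest path.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    """One node of an attack tree: an AND/OR goal or a leaf attack step."""
    name: str
    kind: str = "leaf"                      # "leaf", "and" or "or"
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0                       # leaf metric: attacker cost (constructed figures)
    possible: bool = True                   # leaf metric: possible / impossible


def cheapest_attack(node: Node) -> Tuple[bool, float, List[str]]:
    """Propagate the leaf metrics up to the goal.

    Returns (possible, cost, steps): whether the goal can be reached at all,
    the cheapest total cost of reaching it, and the leaf steps on that path.
    An OR node takes its cheapest feasible child; an AND node is feasible only
    if every child is, and its cost is the sum of the children's costs.
    """
    if node.kind == "leaf":
        if not node.possible:
            return False, math.inf, []
        return True, node.cost, [node.name]
    results = [cheapest_attack(child) for child in node.children]
    if node.kind == "and":
        if not all(ok for ok, _, _ in results):
            return False, math.inf, []
        total = sum(cost for _, cost, _ in results)
        steps = [step for _, _, path in results for step in path]
        return True, total, steps
    if node.kind == "or":
        feasible = [r for r in results if r[0]]
        if not feasible:
            return False, math.inf, []
        return min(feasible, key=lambda r: r[1])
    raise ValueError(f"unknown node kind {node.kind!r}")


def stored_value_card_tree(replay_blocked: bool) -> Node:
    """Attack tree for the stored value card example.

    Goal: spend value the bank never loaded. The branches are the card,
    forgery, cloning and replay attacks from the slides; the dollar costs are
    constructed for illustration. `replay_blocked` is an assumed countermeasure
    (the bank rejects a transaction it has already seen) that makes the replay
    leaf impossible.
    """
    return Node("Spend value the bank never loaded", "or", [
        Node("Attack the card: change the stored value", "and", [
            Node("Obtain a card reader/writer", cost=500),
            Node("Defeat the card's tamper protection", cost=20_000),
        ]),
        Node("Forge cards", "and", [
            Node("Learn the card data format", cost=5_000),
            Node("Manufacture blank cards", cost=50_000),
        ]),
        Node("Clone cards", "and", [
            Node("Read a legitimate card", cost=500),
            Node("Write the copy onto a blank card", cost=500),
        ]),
        Node("Replay valid transactions", cost=100, possible=not replay_blocked),
    ])


# Constructed risk figures: threat -> (attacks expected per year, loss per attack)
SAMPLE_THREATS: Dict[str, Tuple[float, float]] = {
    "Clone cards": (2.0, 1_500.0),
    "Forge cards": (0.25, 20_000.0),
    "Replay valid transactions": (20.0, 40.0),
}


def annual_loss_expectancy(threats: Dict[str, Tuple[float, float]]) -> List[Tuple[str, float]]:
    """Annual loss expectancy per threat = yearly attack rate x loss per attack,
    ranked highest first so the costliest threats get countermeasures first."""
    ranked = [(name, rate * loss) for name, (rate, loss) in threats.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for blocked in (False, True):
        ok, cost, steps = cheapest_attack(stored_value_card_tree(blocked))
        print(f"replay blocked={blocked}: possible={ok}, cheapest cost={cost}, via {steps}")
    for name, ale in annual_loss_expectancy(SAMPLE_THREATS):
        print(f"{name}: ALE = {ale:.0f}")
```

Run as a script it shows the point the slides make about metrics being environment specific: with replay unblocked the cheapest path to the goal is the 100-dollar replay; once that leaf is marked impossible the cheapest path becomes cloning at 1000, so the next countermeasure should target cloning, while the ALE ranking (forgery first, despite its low rate) shows why probability and loss have to be estimated together rather than ranking threats by likelihood alone.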