Upload
devseccon-limited
View
145
Download
5
Embed Size (px)
Citation preview
Join the conversation #devseccon
Using Adversarial Modelling In Driving Secure Application Development
By Pishu MahtaniApplication Security ConsultantTrustwave SpiderLabs
Agenda
• Introduction• Overview• Goal of Adversarial Modelling• How do you conduct it?• Case Study• Conclusion• Q & A
Introduction ($whoami)
• Singaporean. Over 12 years of progressive experience in Information Security in various capacities.
• Previous roles as a pentester, auditor, incident response/forensics.• Application Security Consultant @ SpiderLabs, the advanced security team in
Trustwave.• Currently focused on security & privacy of applications, mobile and Internet of
Things (IoT) devices.• Professionally, previously contributed to the development of Center for Internet
Security (CIS) benchmarks and currently contributing to OWASP Mobile Security Testing Guide.
Overview
• Adversarynoun, plural adversaries.
1. a person, group, or force that opposes or attacks; opponent; enemy; foe.2. a person, group, etc., that is an opponent in a contest; contestant.
• Adversarial Modeling• A practice in identifying, learning and emulating the tactics, techniques and procedures
that may be adopted by a malicious user to defeat a system or an organization so as to build defences dedicated to countering such a threat.
• Example: if you design a castle and moat to keep out enemies, but do not realize the enemy has catapults that can breach castle walls from afar, then your castle is wholly ineffective against the threat you face.
Goal Of Adversarial Modelling
• Start thinking like the REALLY bad guy (if you haven’t started doing so).• Learn why they ALWAYS get in.• Ask yourselves these key questions when developing an application.
• What are your ‘Crown Jewels’?• What’s the worst that can happen?• Am I prepared with the correct understanding in developing a defensive and resilient
application that can deter the most motivated adversaries?• Do I want to suffer first and develop a strong and robust application and sleep well later?
• Enable you to start developing applications with an adversarial mindset!
Enterprise Adversarial Modelling Strategies
• Lockheed Martin Cyber Kill Chain• Mandiant APT Attack Lifecycle• DoD Joint Publication 3-13, 2006• MITRE ATT&CK Matrix
Adversary Model
• Adversary Type (AT) • Campaign Objective (CO) • Campaign Vehicle (CV) • Campaign Weapon (CW) • Payload Delivery (PD) • Payload Capabilities (PC)
Adversary Type (AT)
• Script kiddy • Hacktivist• Insider threat • Commercial hacking (for theft of IP, customer data, etc.) • Nation-state cyber warfare
Campaign Objective (CO)
• Account take-over/Identify fraud• Botnet farming• DDOS• Data/Intellectual property theft• Intelligence collection• Data/System destruction• Corporate/political agenda
Campaign Vehicle (CV)
• Spear-phish with link/attachment • Compromised legitimate website • Malicious website • Social engineering • Insider threat • Remote login • Physical media (USB/DVD) • Supply chain
Campaign Weapon (CW)
• IE, Firefox, Chrome exploit • Adobe Flash exploit • Oracle Java exploit • Microsoft Silverlight exploit • Microsoft Office macro • Adobe Reader exploit • User-installed malware • Socially engineered remote access
Payload Delivery (PD)
• Executable file – pre-assembled • Executable file – just-in-time assembly on-host • Process hijacking/ROP • Scripting • DLL injection/side-loading
Payload Capabilities (PC)
• Command and control (Backdoor for remote access)• DDOS • Privilege escalation • Keystroke logging• Screen capture • Ransomware• Network mapping • Lateral movement • Data discovery/archiving/exfiltration/corruption/destruction• System wiping
Characteristics of Adversarial Modelling Strategies
• Heavyweight process with substantial documentation• All encompassing, used in an enterprise level • Includes a very in-depth view of various existing mechanisms that are in place• Time-consuming and lots of work needs to be done
Let’s think about this
• Developers they write code• Faced with time constrains, deadlines…• Code needs to be pushed out ASAP. Deadline in 2 weeks.• If something is very complex, there must be a faster way to do it. • Security comes later (that’s why we have pentesters!), focus on
user experience first.
Reality of Application Development
Pentesters,overtoyou!Findthosebugsforus!Thankyou!
Adversarial Modelling for Applications
How do you conduct it?
• Create an overview of the application from a high level perspective• Define the all the actors that will use the system• Identify the primary components of the architecture of the system• Develop an transaction based application workflow (high-level) for the application from start to
finish incorporating the different elements of the application• Identify use cases for each individual function that is present in the application• Classify the different type of adversaries (misusers) that may compromise the system• Develop misuse cases for each valid use case in the application• Conduct an analysis at a high level view of the possible threats that can materialize in different
parts of the application. Focus on goal oriented threats.• Adopt a comprehensive application vulnerability classification list
Case Study
• Electronic Procurement Application• Used by the organization to create public tender opportunities for
the eventual procurement of goods and services to the organization• Users: Vendors (External) & Staff (Internal)• Connected to the Internet and thus accessible to everyone
Overview of the application
Actors (Users)
Transaction Based Application Workflow (1)
TenderingPhaseWorkflow
Transaction Based Application Workflow (2)
BidEvaluationWorkflow
Transaction Based Application Workflow (3)
AwardofContractWorkflow
Transaction Based Application Workflow (4)
PurchasingWorkflow
Use cases
• Use cases are a scenario-based technique for requirements elicitation.• Used as a modeling technique to analyze and specify functional requirements
in an early stage. • Provide scenarios about how the system works when the user is interacting,
and help to describe the requirements in a graphical way.• Put simply, a use case denotes as a function that a system should do.• In uses cases, an actor plays the role of the users that interact with the system
Use Cases (Sample)
Attacker Types (Misusers)
Threats (STRIDE)
Taxonomy of Software Vulnerabilities
• MITRE Common Weakness Enumeration (CWE)• Open Web Application Security Project (OWASP) – Top 10• Seven Pernicious Kingdoms (7PK)• Software Fault Pattern Clusters• CMU-SEI CERT Secure Coding Standards
Misuse Cases
• Introduced by Guttorm Sindre and Andreas Opdahl• Misuse cases are denoted as a function that a system should not
allow• In misuse cases, a malicious actor plays the function of the users
and spells out the situations that can break the system • Misuse cases analyze the interaction between applications and the
misusers• Tool for helping to think about your software the same way
attackers do
Misuse Cases (Sample)
Misuse Case Diagram
MisuseCaseDiagram(Victim:ProcurementOfficer)
Misuse Case Table
Conclusion
To Know Your Enemy, You Must Become Your Enemy.
Sun Tzu, The Art of War
Question? & Answer!
Join the conversation #devseccon
Thank you to everyone who contributed to the development of this presentation.
Twitter: @pishumahtani