Attack trees are an essential method for threat

Chapter 5 Attack Libraries Some practitioners have suggested that STRIDE is too high level, and should be replaced with a more detailed list of what can go wrong. Insofar as STRIDE being abstract, they're right. It could well be useful to have a more detailed list of common problems. A library of attacks can be a useful tool for finding threats against the system you're building. There are a number of ways to construct such a library. You could collect sets of attack tools; either proof-of-concept code or fully developed (“weaponized”) exploit code can help you understand the attacks. Such a collection, where no modeling or abstraction has taken place, means that each time you pick up the library, each participant needs to spend time and energy creating a model from the attacks. Therefore, a library that provides that abstraction (and at a more detailed level than STRIDE) could well be useful. In this chapter, you'll learn about several higher-level libraries, including how they compare to checklists and literature reviews, and a bit about the costs and benefits of creating a new one.

Properties of Attack Libraries

As stated earlier, there are a number of ways to construct an attack library, so you probably won't be surprised to learn that selecting one involves trade- offs, and that different libraries address different goals. The major decisions to be made, either implicitly or explicitly, are as follows:

• Audience • Detail versus abstraction • Scope

Audience refers to whom the library targets. Decisions about audience dramatically influence the content and even structure of a library. For example, the “Library of Malware Traffic Patterns” is designed for authors of intrusion detection tools and network operators. Such a library doesn't need to spend much, if any, time explaining how malware works.

The question of detail versus abstraction is about how many details are included in each entry of the library. Detail versus abstraction is, in theory, simple. You pick the level of detail at which your library should deliver, and then make sure it lands there. Closely related is structure, both within entries and between them.

Some libraries have very little structure, others have a great deal. Structure between entries helps organize new entries, while structure within an entry helps promote consistency between entities. However, all that structure comes at a cost. Elements that are hard to categorize are inevitable, even when the things being categorized have some form of natural order, such as they all descend from the same biological origin. Just ask that egg-laying mammal, the duck-billed platypus. When there is less natural order (so to speak), categorization is even harder. You can conceptualize this as shown in Figure 5.1.

Figure 5.1 Abstraction versus detail

Scope is also an important characteristic of an attack library. If it isn't shown by a network trace, it probably doesn't fit the malware traffic attack library. If it doesn't impact the web, it doesn't make sense to include it in the OWASP attack libraries.

There's probably more than one sweet spot for libraries. They are a balance of listing detailed threats while still being thought provoking. The thought- provoking nature of a library is important for good threat modeling. A thought- provoking list means that some of the engineers using it will find interesting and different threats. When the list of threats reaches a certain level of granularity, it stops prompting thinking, risks being tedious to apply, and becomes more and more of a checklist.

The library should contain something to help remind people using it that it is not a complete enumeration of what could go wrong. The precise form of that reminder will depend on the form of the library. For example, in Elevation of Privilege, it is the ace card(s), giving an extra point for a threat not in the game. Closely related to attack libraries are checklists and literature reviews, so before examining the available libraries, the following section looks at checklists and literature reviews.

Libraries and Checklists

Checklists are tremendously useful tools for preventing certain classes of problems. If a short list of problems is routinely missed for some reason, then a checklist can help you ensure they don't recur. Checklists must be concise and actionable.

Many security professionals are skeptical, however, of “checklist security” as a substitute for careful consideration of threats. If you hate the very idea of checklists, you should read The Checklist Manifesto by Atul Gawande. You might be surprised by how enjoyable a read it is. But even if you take a big-tent approach to threat modeling, that doesn't mean checklists can replace the work of trained people using their judgment. A checklist helps people avoid common problems, but the modeling of threats has already been done when the checklist is created. Therefore, a checklist can help you avoid whatever set of problems the checklist creators included, but it is unlikely to help you think about security. In other words, using a checklist won't help you find any threats not on the list. It is thus narrower than threat modeling.

Because checklists can still be useful as part of a larger threat modeling process, you can find a collection of them at the end of Chapter 1, “Dive In and Threat Model!” and throughout this book as appropriate. The Elevation of Privilege game, by the way, is somewhat similar to a checklist. Two things distinguish it. The first is the use of aces to elicit new threats. The second is that by making threat modeling into a game, players are given social permission to playfully analyze a system, to step beyond the checklist, and to engage with the security questions in play. The game implicitly abandons the “stop and check in” value that a checklist provides. Libraries and Literature Reviews

A literature review is roughly consulting the library to learn what has happened in the past. As you saw in Chapter 2, “Strategies for Threat Modeling,” reviewing threats to systems similar to yours is a helpful starting point in threat modeling. If you write up the input and output of such a review, you may have the start of an attack library that you can reuse later. It will be more like an attack library if you abstract the attacks in some way, but you may defer that to the second or third time you review the attack list. Developing a new library requires a very large time investment, which is probably part of why there are so few of them. However, another reason might be the lack of prescriptive advice about how to do so. If you want to develop a literature review into a library, you need to consider how the various attacks are similar and how they differ. One model you can use for this is a zoo. A zoo is a grouping—whether of animals, malware, attacks, or other things—that taxonomists can use to test their ideas for categorization. To track your zoo of attacks, you can use whatever form suits you. Common choices include a wiki, or

a Word or Excel document. The main criteria are ease of use and a space for each entry to contain enough concrete detail to allow an analyst to dig in. As you add items to such a zoo, consider which are similar, and how to group them. Be aware that all such categorizations have tricky cases, which sometimes require reorganization to reflect new ways of thinking about them. If your categorization technique is intended to be used by multiple independent people, and you want what's called “inter-rater consistency,” then you need to work on a technique to achieve that. One such technique is to create a flowchart, with specific questions from stage to stage. Such a flowchart can help produce consistency.

The work of grouping and regrouping can be a considerable and ongoing investment. If you're going to create a new library, consider spending some time first researching the history and philosophy of taxonomies. Books like Sorting Things Out: Classification and Its Consequences (Bowker, 2000) can help.

CAPEC

The CAPEC is MITRE's Common Attack Pattern Enumeration and Classification. As of this writing, it is a highly structured set of 476 attack patterns, organized into 15 groups:

• Data Leakage • Attacks Resource Depletion • Injection (Injecting Control Plane content through the Data Plane) • Spoofing • Time and State Attacks • Abuse of Functionality • Probabilistic Techniques • Exploitation of Authentication • Exploitation of Privilege/Trust • Data Structure Attacks • Resource Manipulation • Network Reconnaissance • Social Engineering Attacks • Physical Security Attacks • Supply Chain Attacks

Each of these groups contains a sub-enumeration, which is available via MITRE (2013b). Each pattern includes a description of its completeness, with values ranging from “hook” to “complete.” A complete entry includes the following:

• Typical severity • A description, including:

• Summary • Attack execution flow

• Prerequisites • Method(s) of attack • Examples • Attacker skills or knowledge required • Resources required • Probing techniques • Indicators/warnings of attack • Solutions and mitigations • Attack motivation/consequences • Vector • Payload • Relevant security requirements, principles and guidance • Technical context • A variety of bookkeeping fields (identifier, related attack patterns and

vulnerabilities, change history, etc.) An example CAPEC is shown in Figure 5.2.

Figure 5.2 A sample CAPEC entry

You can use this very structured set of information for threat modeling in a few ways. For instance, you could review a system being built against either each CAPEC entry or the 15 CAPEC categories. Reviewing against the individual entries is a large task, however; if a reviewer averages five minutes for each of the 475 entries, that's a full 40 hours of work. Another way to use this information is to train people about the breadth of threats. Using this approach, it would be possible to create a training class, probably taking a day or more.

Exit Criteria

The appropriate exit criteria for using CAPEC depend on the mode in which you're using it. If you are performing a category review, then you should have at least one issue per categories 1–11 (Data Leakage, Resource Depletion, Injection, Spoofing, Time and State, Abuse of Functionality, Probabilistic Techniques, Exploitation of Authentication, Exploitation of Privilege/Trust, Data Structure Attacks, and Resource Manipulation) and possibly one for categories 12–15 (Network Reconnaissance, Social Engineering, Physical Security, Supply Chain).

Perspective on CAPEC

Each CAPEC entry includes an assessment of its completion, which is a nice touch. CAPECs include a variety of sections, and its scope differs from STRIDE in ways that can be challenging to unravel. (This is neither a criticism of CAPEC, which existed before this book, nor a suggestion that CAPEC change.)

The impressive size and scope of CAPEC may make it intimidating for people to jump in. At the same time, that specificity may make it easier to use for someone who's just getting started in security, where specificity helps to identify attacks. For those who are more experienced, the specificity and apparent completeness of CAPEC may result in less creative thinking. I personally find that CAPEC's impressive size and scope make it hard for me to wrap my head around it.

CAPEC is a classification of common attacks, whereas STRIDE is a set of security properties. This leads to an interesting contrast. CAPEC, as a set of attacks, is a richer elicitation technique. However, when it comes to addressing the CAPEC attacks, the resultant techniques are far more complex. The STRIDE defenses are simply those approaches that preserve the property. However, looking up defenses is simpler than finding the attacks. As such, CAPEC may have more

promise than STRIDE for many populations of threat modelers. It would be fascinating to see efforts made to improve CAPEC's usability, perhaps with cheat sheets, mnemonics, or software tools.

OWASP Top Ten OWASP, The Open Web Application Security Project, offers a Top Ten Risks list each year. In 2013, the list was as follows:

• Injection • Broken Authentication and Session Management • Cross-Site Scripting • Insecure Direct Object References • Security Misconfiguration • Sensitive Data Exposure • Missing Function Level Access Control • Cross Site Request Forgery • Components with Known Vulnerabilities • Invalidated Requests and Forwards [sic]

This is an interesting list from the perspective of the threat modeler. The list is a good length, and many of these attacks seem like they are well-balanced in terms of attack detail and its power to provoke thought. A few (cross-site scripting and cross-site request forgery) seem overly specific with respect to threat modeling. They may be better as input into test planning.

Each has backing information, including threat agents, attack vectors, security weaknesses, technical and business impacts, as well as details covering whether you are vulnerable to the attack and how you prevent it.

To the extent that what you're building is a web project, the OWASP Top Ten list is probably a good adjunct to STRIDE. OWASP updates the Top Ten list each year based on the input of its volunteer membership. Over time, the list may be more or less valuable as a threat modeling attack library.

The OWASP Top Ten are incorporated into a number of OWASP-suggested methodologies for web security. Turning the Top Ten into a threat modeling methodology would likely involve creating something like a STRIDE-per-element approach (Top Ten per Element?) or looking for risks in the list at each point where a data flow has crossed a trust boundary.

Summary

By providing mode specifics, attack libraries may be useful to those who are not deeply familiar with the ways attackers work. It is challenging to find generally useful sweet spots between providing lots of details and becoming tedious. It is also challenging to balance details with the threat of fooling a reader into thinking a checklist is comprehensive. Performing a literature review and capturing the details in an attack library is a good way for someone to increase their knowledge of security. There are a number of attack libraries available, including CAPEC and the OWASP Top Ten. Other libraries may also provide value depending on the technology or system on which you're working.

Chapter 4 Attack Trees As Bruce Schneier wrote in his introduction to the subject, “Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes” (Schneier, 1999). In this chapter you'll learn about the attack tree building block as an alternative to STRIDE. You can use attack trees as a way to find threats, as a way to organize threats found with other building blocks, or both. You'll start with how to use an attack tree that's provided to you, and from there learn various ways you can create trees. You'll also examine several example and real attack trees and see how they fit into finding threats. The chapter closes with some additional perspective on attack trees.

Working with Attack Trees

Attack trees work well as a building block for threat enumeration in the four-step framework. They have been presented as a full approach to threat modeling (Salter, 1998), but the threat modeling community has learned a lot since then.

There are three ways you can use attack trees to enumerate threats: You can use an attack tree someone else created to help you find threats. You can create a tree to help you think through threats for a project you're working on. Or you can create trees with the intent that others will use them. Creating new trees for general use is challenging, even for security experts. Using Attack Trees to Find Threats

If you have an attack tree that is relevant to the system you're building, you can use it to find threats. Once you've modeled your system with a DFD or other diagram, you use an attack tree to analyze it. The attack elicitation task is to iterate over each node in the tree and consider if that issue (or a variant of that issue) impacts your system. You might choose to track either the threats that apply or each interaction. If your system or trees are complex, or if process documentation is important, each interaction may be helpful, but otherwise that tracking may be distracting or tedious. You can use the attack trees in this chapter or in Appendix B “Threat Trees” for this purpose.

If there's no tree that applies to your system, you can either create one, or use a different threat enumeration building block.

Creating New Attack Trees

If there are no attack trees that you can use for your system, you can create a project-specific tree. A project-specific tree is a way to organize your thinking about threats. You may end up with one or more trees, but this section assumes you're putting everything in one tree. The same approach enables you to create trees for a single project or trees for general use.

The basic steps to create an attack tree are as follows:

1. Decide on a representation. 2. Create a root node. 3. Create subnodes. 4. Consider completeness. 5. Prune the tree. 6. Check the presentation.

Decide on a Representation There are AND trees, where the state of a node depends on all of the nodes below it being true, and OR trees, where a node is true if any of its subnodes are true. You need to decide, will your tree be an AND or an OR tree? (Most will be OR trees.) Your tree can be created or presented graphically or as an outline. See the section “Representing a Tree” later in this chapter for more on the various forms of representation.

Create a Root Node To create an attack tree, start with a root node. The root node can be the component that prompts the analysis, or an adversary's goal. Some attack trees use the problematic state (rather than the goal) as the root. Which you should use is a matter of preference. If the root node is a component, the subnodes should be labeled with what can go wrong for the node. If the root node is an attacker goal, consider ways to achieve that goal. Each alternative way to achieve the goal should be drawn in as a subnode.

The guidance in “Toward a Secure System Engineering Methodology” (Salter, 1998) is helpful to security experts; however, it doesn't shed much light on how to actually generate the trees, comparative advice about what a root node should be

(in other words, whether it's a goal or a system component and, most important, when one is better than the other), or how to evaluate trees in a structured fashion that would be suitable for those who are not security experts. To be prescriptive:

• Create a root node with an attacker goal or high-impact action. • Use OR trees. • Draw them into a grid that the eye can track linearly.

Create Subnodes You can create subnodes by brainstorming, or you can look for a structured way to find more nodes. The relation between your nodes can be AND or OR, and you'll have to make a choice and communicate it to those who are using your tree. Some possible structures for first-level subnodes include:

• Attacking a system: • physical access • subvert software • subvert a person

• Attacking a system via: • People • Process • Technology

• Attacking a product during: • Design • Production • Distribution • Usage • Discard

You can use these as a starting point, and make them more specific to your system. Iterate on the trees, adding subnodes as appropriate.

NOTE

Here the term subnode is used to include leaf (end) nodes and nodes with children, because as you create something you may not always know whether it is a leaf or whether it has more branches.

Consider Completeness For this step, you want to determine whether your set of attack trees is complete enough. For example, if you are using components, you might need to add additional trees for additional components. You can also look at each node and ask “is there another way that could happen?” If you're using attacker

motivations, consider additional attackers or motivations. The lists of attackers in Appendix C “Attacker Lists” can be used as a basis.

An attack tree can be checked for quality by iterating over the nodes, looking for additional ways to reach the goal. It may be helpful to use STRIDE, one of the attack libraries in the next chapter, or a literature review to help you check the quality.

Prune the Tree In this step, go through each node in the tree and consider whether the action in each subnode is prevented or duplicative. (An attack that's worth putting in a tree will generally only be prevented in the context of a project.) If an attack is prevented, by some mitigation you can mark those nodes to indicate that they don't need to be analyzed. (For example, you can use the test case ID, an “I” for impossible, put a slash through the node, or shade it gray.) Marking the nodes (rather than deleting them) helps people see that the attacks were considered. You might choose to test the assumption that a given node is impossible. See the “Test Process Integration” section in Chapter 10 “Validating That Threats Are Addressed” for more details.

Check the Presentation Regardless of graphical form, you should aim to present each tree or subtree in no more than a page. If your tree is hard to see on a page, it may be helpful to break it into smaller trees. Each top level subnode can be the root of a new tree, with a “context” tree that shows the overall relations. You may also be able to adjust presentation details such as font size, within the constraints of usability.

The node labels should be of the same form, focusing on active terms. Finally, draw the tree on a grid to make it easy to track. Ideally, the equivalent level subnodes will show on a single line. That becomes more challenging as you go deeper into a tree.

Representing a Tree Trees can be represented in two ways: as a free-form (human-viewable) model without any technical structure, or as a structured representation with variable types and/or metadata to facilitate programmatic analysis.

Human-Viewable Representations

Attack trees can be drawn graphically or shown in outline form. Graphical representations are a bit more work to create but have more potential to focus attention. In either case, if your nodes are not all related by the same logic (AND/OR), you'll need to decide on a way to represent the relationship and communicate that decision. If your tree is being shown graphically, you'll also want to decide if you use a distinct shape for a terminal node: The labels in a node should be carefully chosen to be rich in information, especially if you're using a graphical tree. Words such as “attack” or “via” can distract from the key information. Choose “modify file” over “attack via modifying file.” Words such as “weak” are more helpful when other nodes say “no.” So “weak cryptography” is a good contrast to “no cryptography.”

As always, care should be taken to ensure that the graphics are actually information-rich and communicative. For instance, consider the three representations of a tree shown in Figure 4.1.

Figure 4.1 Three representations of a tree

The left tree shows an example of a real tree that simply uses boxes. This representation does not clearly distinguish hierarchy, making it hard to tell which nodes are at the same level of the tree. Compare that to the center tree, which uses a tree to show the equivalence of the leaf nodes. The rightmost tree adds the “OR gate” symbol from circuit design to show that any of the leaf nodes lead to the parent condition.

Additionally, tree layout should make considered use of space. In the very small tree in Figure 4.2, note the pleasant grid that helps your eye follow the layout. In contrast, consider the layout of Figure 4.3, which feels jumbled. To focus your attention on the layout, both are shown too small to read.

Figure 4.2 A tree drawn on a grid NOTE

In Writing Secure Code 2 (Microsoft Press, 2003), Michael Howard and David LeBlanc suggest the use of dotted lines for unlikely threats, solid lines for likely threats, and circles to show mitigations, although including mitigations may make the trees too complex.

Figure 4.3 A tree drawn without a grid

Outline representations are easier to create than graphical representations, but they tend to be less attention-grabbing. Ideally, an outline tree is shown on a single page, not crossing pages. The question of how to effectively represent AND/OR is not simple. Some representations leave them out, others include an indicator either before or after a line. The next three samples are modeled after the trees in “Election Operations Assessment Threat Trees” later in this chapter. As you look at them, ask yourself precisely what is needed to achieve the goal in node 1, “Attack voting equipment.”

1. Attack voting equipment 0. 1.1 Gather knowledge

0. 1.1.1 From insider 1. 1.1.2 From components

1. 1.2 Gain insider access 0. 1.2.1 At voting system vendor 1. 1.2.2 By illegal insider entry

The preceding excerpt isn't clear. Should the outline be read as a need to do each of these steps, or one or the other to achieve the goal of attacking voting equipment? Contrast that with the next tree, which is somewhat better:

1. Attack voting equipment 0. 1.1 Gather knowledge (and)

https://learning.oreilly.com/library/view/threat-mod

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.