Cyber Threat Modeling


As a cybersecurity program matures, threat intelligence can inform an exercise known as "threat modeling." At a high level, threat modeling is something people inside and outside of Information Security do daily, whether they realize it or not: understanding a system, process, application or piece of infrastructure, determining what can go wrong with it, and deciding how to prioritize and avoid those weaknesses. In practice, good threat modeling follows a standard, repeatable process built on one of the many available methodologies.

STRIDE

The first method we will review is STRIDE, which identifies threats from an attacker's point of view against a system or process in its current state. Microsoft adopted STRIDE in 2002, and since then it has become one of the more popular and mature threat modeling methodologies (Shevchenko, 2018). As a mnemonic, STRIDE stands for the six most common types of threats, each paired with its countermeasure (Aviani, 2019):

| Threat | Countermeasure |
| --- | --- |
| Spoofing - impersonating a different identity | Authentication - you must prove you are who you say you are |
| Tampering - making changes to information | Data protection - making sure all data is assured |
| Repudiation - taking action without proof | Confirmation - there are immutable logs for all actions |
| Information disclosure - exposure of information to an unauthorized party | Confidentiality - access is restricted to only those who are authorized |
| Denial of service - making a system unavailable to use | Availability - there are continuity measures in place to prevent loss of use |
| Elevation of privileges - gaining more rights than intended | Authorization - you can only perform actions intended for your level of permission |

DREAD

STRIDE helps identify common threats and provides ways to counter them, but an essential piece of threat modeling is still missing from it: prioritizing the threats. DREAD is another Microsoft mnemonic that serves as a risk assessment model for ranking threats:

  • Damage – how bad is the problem?
  • Reliability – how reliable is the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – does it impact all the users or just some of them?
  • Discoverability – how easy is it to find? (controversial, often described as a 'security through obscurity' metric)

(LeBlanc, 2007)

Using these categories, you can give each a rating from 1 to 10, sum the five ratings for each threat, and use the totals as comparison values to prioritize the threats you identified with STRIDE. Inconsistency issues tend to surface when DREAD is used this way, so alternative formulas exist that weight the categories differently or switch to a 1 to 4 rating scale. It is generally agreed that DREAD is not a one-size-fits-all methodology for risk assessments. It is also worth noting that Microsoft phased out DREAD in 2008 in favor of a bug bar incorporated in the software development lifecycle.
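As an added example (not code from the original post), the scoring described above in Python: a DREAD total per threat with range checking, the optional per-category weights and 1 to 4 scale the text mentions, and a ranking of three constructed STRIDE findings for a hypothetical web application. The threat names and ratings are constructed, and the weights are an assumption rather than a published formula.

```python
# Added example (not from the original post): ranking STRIDE-identified threats
# with DREAD. Threat names and ratings are constructed; the weighted and 1-4
# variants are illustrative alternatives, not a standard formula.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CATEGORIES = ("damage", "reliability", "exploitability",
              "affected_users", "discoverability")  # DREAD, in mnemonic order

@dataclass(frozen=True)
class Threat:
    name: str                # STRIDE category plus a short description
    ratings: Dict[str, int]  # DREAD category -> rating

def dread_score(threat: Threat, scale: int = 10,
                weights: Optional[Dict[str, int]] = None) -> int:
    """Sum the five ratings (each 1..scale), optionally weighting categories.
    Missing or out-of-range ratings are rejected instead of silently skewing
    the comparison, which is where DREAD reviews usually become inconsistent."""
    weights = weights or {}
    total = 0
    for cat in CATEGORIES:
        if cat not in threat.ratings:
            raise ValueError(f"{threat.name}: no rating for {cat}")
        rating = threat.ratings[cat]
        if not 1 <= rating <= scale:
            raise ValueError(f"{threat.name}: {cat}={rating} outside 1..{scale}")
        total += rating * weights.get(cat, 1)
    return total

def prioritize(threats: List[Threat], **kwargs) -> List[Tuple[str, int]]:
    """Rank threats by DREAD score, highest first (ties keep input order)."""
    scored = [(t.name, dread_score(t, **kwargs)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample: three threats found with STRIDE on a hypothetical web app.
SAMPLE = [
    Threat("Tampering: unsigned price field in checkout form",
           dict(damage=8, reliability=9, exploitability=7, affected_users=9, discoverability=6)),
    Threat("Information disclosure: stack traces in error pages",
           dict(damage=4, reliability=10, exploitability=9, affected_users=3, discoverability=9)),
    Threat("Elevation of privilege: admin flag read from a cookie",
           dict(damage=10, reliability=9, exploitability=8, affected_users=10, discoverability=5)),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE):
        print(f"{score:3d}  {name}")
```

Passing `scale=4` rejects the 1 to 10 ratings above, which is the point: a team that switches scales has to re-rate every threat rather than mix the two.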

PASTA

The second methodology we will review is PASTA, a more risk-centric framework than STRIDE. Developed in 2012, PASTA is the Process for Attack Simulation and Threat Analysis and "...bring[s] business objectives and technical requirements together" (Shevchenko, 2018). Seen as a more modern alternative to STRIDE, PASTA aims to identify threats and provide guidance for secure software development that keeps pace with how threats have evolved, beyond the basics that STRIDE covers. And because PASTA takes a risk-based approach, it is easier to integrate into business processes.

There are seven stages in PASTA. The example below describes the stages to build a threat model and secure a web application.

  1. Define business objectives - "Capture requirements for the analysis and management of web based risks."
  2. Define technical scope - "Defining the scope of technical assets/components for which threat enumeration will ensue."
  3. Application decomposition - "Identify the application controls that protect high risk web transactions sought by adversaries."
  4. Threat analysis - "Identifying and extracting threat information from sources of intelligence to learn about threat-attack scenarios used by web focused attack agents" Cyber Threat Intel!
  5. Vulnerability detection - "Analyze the weaknesses and vulnerabilities of web application security controls."
  6. Attack enumeration - What attacks and exploits exist
  7. Risk and impact analysis - Impact analysis, residual risk, and countermeasure development.

(Ucedavelez, 2012)

LINDDUN

LINDDUN is the third and last threat modeling framework we will look at today. According to the official website https://www.linddunn.org, "LINDDUN is a privacy threat modeling methodology that supports analysts in systematically eliciting and mitigating privacy threats in software architectures." A privacy-focused threat modeling framework sounds perfect. And yes, you are correct if you think LINDDUN might be another mnemonic, covering the privacy threat categories it supports!

  • Linkability
  • Identifiability
  • Non-repudiation
  • Detectability
  • Disclosure of information
  • Unawareness
  • Non-compliance

The website also lists reasons to utilize LINDDUN:

  • You need to know what can go wrong in order to assess its risk and fix it.
  • A thorough privacy assessment can only be guaranteed by a systematic execution of a step-by-step method that guides you through the analysis.
  • Privacy is a complex matter. A repository documenting expert privacy knowledge on common threats and suggested solutions is indispensable.

That last one is key to LINDDUN's strengths over some of the other frameworks. The organizations that maintain the framework have compiled a repository full of materials, implementation guides and tools to help organizations of any maturity begin using LINDDUN.

Threat Group-3390

This week's threat group targeting the American defense industry is Threat Group-3390. MITRE describes Threat Group-3390 as "a Chinese threat group that has extensively used strategic Web compromises to target victims" and notes that it has been active since 2010.

BRONZE UNION

Starting in 2015, Secureworks began tracking Threat Group-3390 as "BRONZE UNION" and observed the group conducting espionage inside multiple U.S. defense contractors' networks, activity that may give China and its allies an edge over the West in technological advancement. As Secureworks identified and removed BRONZE UNION from those networks, it uncovered several tools the group used for infiltration and surveillance:

  • China Chopper web shell for interactive control over the victim host
  • Rcmd for lateral movement
  • Wrapikatz for evading detection of the Mimikatz code
  • Netview for network enumeration
  • Kekeo for interacting and manipulating Microsoft Kerberos

The group's initial attack vector involves compromising an industry organization's website and planting malicious download links. Members of the defense industry visit the site to retrieve seemingly legitimate files but instead download and execute BRONZE UNION's payloads, which open a remote shell from the target network back to the attacker by way of the compromised third-party site.

IOCs

Secureworks notes the following Indicators of Compromise associated with BRONZE UNION as of 2017:

Filenames
  • javaws.exe - Malware used in BRONZE UNION SWC that downloads and executes a second-stage payload

IP Addresses
  • 198.56.185.179 - Used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.194 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.199 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.202 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.204 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.215 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.218 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.219 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 211.255.155.224 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
  • 104.130.244.126 - Used by BRONZE UNION to connect to web shells
  • 96.90.63.57 - Used by BRONZE UNION to connect to web shells
  • 117.136.63.145 - Used by BRONZE UNION to connect to web shells
  • 45.114.9.174 - Used by BRONZE UNION to host second-stage payload for SWC

SHA256
  • 0e823a5b64ee761b70315548d484b5b9c4b61968b5068f9a8687c612ddbfeb80 - OwaAuth web shell used by BRONZE UNION
  • ec60e57419f24fabbe67451cb1055b3d2684ab2534cd55c4a88cc395f9ed1b09 - Malware used in BRONZE UNION SWC (javaws.exe)
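As an added example (not code from the original post or from Secureworks), a small matcher that checks constructed proxy and endpoint log lines against the indicators above. The key=value log format, the host names and the sample lines are assumptions; the indicator values are taken from the list above.

```python
# Added example (not from the original post): checking constructed proxy and
# endpoint log lines against the BRONZE UNION indicators listed above. The
# key=value log format and the sample lines are assumptions for illustration.
import re
from typing import List, Tuple

IOC_IPS = {"198.56.185.179", "104.130.244.126", "96.90.63.57", "117.136.63.145",
           "45.114.9.174", "211.255.155.194", "211.255.155.199", "211.255.155.202",
           "211.255.155.204", "211.255.155.215", "211.255.155.218",
           "211.255.155.219", "211.255.155.224"}
IOC_SHA256 = {
    "0e823a5b64ee761b70315548d484b5b9c4b61968b5068f9a8687c612ddbfeb80": "OwaAuth web shell",
    "ec60e57419f24fabbe67451cb1055b3d2684ab2534cd55c4a88cc395f9ed1b09": "SWC downloader (javaws.exe)",
}
# javaws.exe is also the legitimate Java Web Start binary name, so a filename
# hit on its own is only a weak signal and is rated "low" below.
IOC_FILENAMES = {"javaws.exe"}

KV = re.compile(r"(\w+)=(\S+)")  # assumed log format: space-separated key=value pairs

def match_line(line: str) -> List[Tuple[str, str, str]]:
    """Return (severity, indicator_type, value) for every IOC hit in one line."""
    fields = dict(KV.findall(line))
    hits = []
    for key in ("dst", "src"):
        if fields.get(key) in IOC_IPS:
            hits.append(("medium", "ip", fields[key]))
    digest = fields.get("sha256", "").lower()  # hashes are compared case-insensitively
    if digest in IOC_SHA256:
        hits.append(("high", "sha256", digest))
    for key in ("file", "url"):
        name = fields.get(key, "").rsplit("/", 1)[-1].lower()  # basename only
        if name in IOC_FILENAMES:
            hits.append(("low", "filename", name))
    return hits

def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Scan lines (numbered from 1) and return (line_no, severity, type, value) hits."""
    return [(i, *hit) for i, line in enumerate(lines, 1) for hit in match_line(line)]

# Constructed sample log lines (not real telemetry); host names and the
# internal 10.x / 192.0.2.x addresses are placeholders.
SAMPLE_LOGS = [
    "2017-03-02T10:14:05Z proxy src=10.1.2.3 dst=45.114.9.174 url=/update/javaws.exe",
    "2017-03-02T10:14:09Z edr host=ws17 file=C:/Users/a/Downloads/javaws.exe sha256=EC60E57419F24FABBE67451CB1055B3D2684AB2534CD55C4A88CC395F9ED1B09",
    "2017-03-02T11:02:44Z proxy src=10.1.2.9 dst=192.0.2.10 url=/index.html",
    "2017-03-02T11:30:00Z edr host=ws22 file=C:/Java/bin/javaws.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
]
```

Running `scan(SAMPLE_LOGS)` flags line 1 (download from the payload-hosting IP), line 2 (the known hash) and line 4 (filename only, the weak signal), and leaves line 3 alone; the 2017 IP indicators are the ones most likely to be stale, so treat an IP-only hit as a prompt to investigate rather than a verdict.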

References