Cyber Threat Modeling
As a cybersecurity program matures, threat intelligence can inform an exercise known as "threat modeling." At a high level, threat modeling is something people inside and outside of Information Security do daily, whether they realize it or not. Threat modeling is all about understanding a system/process/application/infrastructure, then determining what vulnerabilities or things can go wrong with it and how to prioritize and avoid those weaknesses. In practice, good threat modeling follows a more standard and repeatable process by utilizing the numerous available methodologies.
STRIDE
The first method we will review is STRIDE, which identifies threats from an attacker's point of view against a system or process in its current state. Microsoft adopted STRIDE in 2002, and since then, it has become one of the more popular and mature thread modeling methodologies (Shevchenko, 2018). As a mnemonic, STRIDE stands for the six most common types of threats and their countermeasures (Aviani, 2019):
Threat | Countermeasure |
---|---|
Spoofing - impersonating a different identity | Authentication - you must prove you are who you say you are |
Tampering - making changes to information | Data protection - making sure all data is assured |
Reputation - taking action without proof | Confirmation - there are immutable logs for all actions |
Information disclosure - exposure of information to an unauthorized party | Confidentiality - access is restricted to only those who are authorized |
Denial of service - making it unavailable to use | Availability - there are continuity measures in place to prevent loss of use |
Elevation of privileges - gaining more rights than intended | Authorization - you can only perform actions intended for your level of permission |
DREAD
STRIDE helps identify common threats and provides ways to counter them, but there is still an essential piece of threat modeling missing from it: prioritizing the threats. DREAD is another Microsoft mnemonic that serves as a risk assessment model for risk rankings:
Damage – how bad is the problem?
Reliability – how reliable is the attack?
Exploitability – how much work is it to launch the attack?
Affected users – does it impact all the users or just some of them?
Discoverability – how easy is it to find? (controversial, often described as a 'security through obscurity' metric)
(LeBlanc, 2007)
Using these categories, it's possible to give a 1 to 10 rating for each type, sum each category's rating for each threat and have comparison values to work with to prioritize your identified threats from STRIDE. You may start to see some inconsistency issues with using DREAD this way, so there have also been other formulas that will weigh categories in different ways or switch to a 1 to 4 rating system. It is generally agreed upon that DREAD is not a one-size-fits-all type of methodology for risk assessments. It's also worth noting that DREAD was phased out in 2008 at Microsoft in favor of a bug bar incorporated in the software development lifecycle.
PASTA
The second methodology we will review is PASTA, a more risk-centric framework than STRIDE. Developed in 2012, PASTA is the Process for Attack Simulation and Threat Analysis and "...bring[s] business objectives and technical requirements together" (Shevchenko, 2018). Seen as a more modern alternative to STRIDE, PASTA aims to identify threats and provide guidance for secure software development adequate for how threats have evolved, beyond the basics which STRIDE covers. And since PASTA incorporates a risk-based approach, it is easier to integrate into business processes.
There are seven stages in PASTA. The example below describes the stages to build a threat model and secure a web application.
- Define business objectives - "Capture requirements for the analysis and management of web based risks."
- Define technical scope - "Defining the scope of technical assets/components for which threat enumeration will ensue."
- Application decomposition - "Identify the application controls that protect high risk web transactions sought by adversaries."
- Threat analysis - "Identifying and extracting threat information from sources of intelligence to learn about threat-attack scenarious used by web focesed attack agents" Cyber Threat Intel!
- Vulnerability detection - "Analyze the weaknesses and vulnerabilities of web application security controls."
- Attack enumeration - What attacks and exploits exist
- Risk and impact analysis - Impact analysis, residual risk, and countermeasure development.
(Ucedavelez, 2012)
LINDDUN
LINDDUN is the third and last threat modeling framework we will look at today. According to the official website https://www.linddunn.org, "LINDDUN is a privacy threat modeling methodology that supports analysts in systematically eliciting and mitigating privacy threats in software architectures." A privacy focused threat modeling framework sounds perfect. An yes, you are correct if you think LINDDUN might be another mnemonic covering the privacy threat categories it supports!
- Linkability
- Identifiability
- Non-repudiation
- Detectability
- Disclosure of information
- Unawareness
- Non-compliance
The website also lists reasons to utilize LINDDUN:
- You need to know what can go wrong in order to assess its risk and fix it.
- A thorough privacy assessment can only be guaranteed by a systematic execution of a step-by-step method that guides you through the analysis.
- Privacy is a complex matter. A repository documenting expert privacy knowledge on common threats and suggested solutions is indispensible.
That last one is key towards LINDDUN's strengths over some of the other frameworks. The organzations that maintain the framework have compiled a repository full of materials, implementation guides and tools to help organizations of any maturity begin using LINDDUN.
Threat Group-3390
This week's threat group targeting the American defense industry is Threat Group-3390. MITRE describes Threat Group-3390 as "a Chinese threat group that has extensively used strategic Web compromises to target victims." and notes that they have been active since 2010.
BRONZE UNION
Starting in 2015, Secureworks began tracking Threat Group-3390 as "BRONZE UNION" and observing them performing espionage within multiple U.S. defense contractor's networks that may give China and its allies an edge in technological advancements of the west. As Secureworks identified and removed BRONZE UNION from networks, they uncovered several tools used by the group for infiltration and surveillance.
- China Chopper web shell for interactive control over the victim host
- Rcmd for lateral movement
- Wrapikatz for evade detection of the mimikatz code
- Netview for network enumeration
- Kekeo for interacting and manipulating Microsoft Kerberos
The initial attack vector used by the group involves compromising an industry organization's website and planting malicious download links where those within the defense industry will go to retrieve seemingly legitimate files but download and execute BRONZE UNION's payloads instead, creating a remote shell from the target network to the attacker's by way of the compromised third-party site.
IOCs
Secureworks notes the following Indicators of Compromise associated with BRONZE UNION as of 2017:
Filenames
- javaws.exe - Malware used in BRONZE UNION SWC that downloads and executes a second-stage payload
IP Addresses
- 198.56.185.179 - Used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.194 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.199 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.202 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.204 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.215 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.218 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.219 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 211.255.155.224 - Likely associated with VPN used by BRONZE UNION to connect to China Chopper web shell
- 104.130.244.126 - Used by BRONZE UNION to connect to web shells
- 96.90.63.57 - Used by BRONZE UNION to connect to web shells
- 117.136.63.145 - Used by BRONZE UNION to connect to web shells
- 45.114.9.174 - Used by BRONZE UNION to host second-stage payload for SWC
SHA256
- 0e823a5b64ee761b70315548d484b5b9c4b61968b5068f9a8687c612ddbfeb80 - OwaAuth web shell used by BRONZE UNION
- ec60e57419f24fabbe67451cb1055b3d2684ab2534cd55c4a88cc395f9ed1b09 - Malware used in BRONZE UNION SWC (javaws.exe)
References
- Aviani, G. (2019, July 30). How to analyze the security of your application with threat modeling. FreeCodeCamp. https://www.freecodecamp.org/news/threat-modeling-goran-aviani/
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Www.secureworks.com. https://www.secureworks.com/research/bronze-union
- DistriNet Research Group. (2020). LINDDUN privacy threat modeling. Linddun.org. https://www.linddun.org/
- LeBlanc, D. (2007, August 14). DREADful. Docs.microsoft.com. https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/dreadful
- Microsoft. (2015, March 2). Appendix N: SDL Security Bug Bar (Sample). Web.archive.org. https://web.archive.org/web/20150302011702/https://msdn.microsoft.com/en-us/library/cc307404.aspx
- Shevchenko, N. (2018, December 3). Threat Modeling: 12 Available Methods. SEI Blog. https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/
- Ucedavelez, T. (2012). Real World Threat Modeling Using the PASTA Methodology. https://owasp.org/www-pdf-archive/AppSecEU2012_PASTA.pdf
- Writing Secure Software. (2012, September 15). PASTA Process for Attack Simulation and threat analysis (PASTA) Risk-centric Threat Modeling. http://securesoftware.blogspot.com/2012/09/rebooting-software-security.html