Risk Management

Lecture 15 & 16
 Threat

▪ a person or thing likely to

cause damage or danger
▪ cyber security threat refers to
any possible malicious
attack that seeks to
unlawfully access data,
disrupt digital operations or
damage information.
 Threat Modeling
Threat modeling is a proactive approach to Key Components of Threat Modeling:
identify, assess, and mitigate potential security ● Trust Boundaries: Identify boundaries between
threats and vulnerabilities in software systems. trusted and untrusted components within the
system architecture.
Threat modeling involves analyzing software to ● Entry Points: Determine the points of interaction
determine its attack surface, including trust where external entities (users, systems) interact
boundaries, entry points, data flow, and exit points. with the software.
● Data Flow: Map the flow of data throughout the
It complements security objectives by informing system to identify potential points of exposure or
trade-off decisions and reducing security risks leakage.
during both development and operations phases. ● Exit Points: Identify where processed data leaves
the system and ensure its integrity and
Aims to identify the assets / functionalities of the confidentiality.
application and to protect them
Threat Modeling
Steps
 Threat Modeling
Benefits of Threat Modeling:

● Risk Reduction: By identifying and addressing potential threats early in the development lifecycle, the risk of security
breaches and vulnerabilities is significantly reduced.

● Cost-Efficiency: Addressing security issues during the design phase is more cost-effective than fixing them
post-deployment.

● Compliance: Helps organizations meet regulatory and compliance requirements by ensuring that security measures
are integrated into the software development process.

● Enhanced Security Awareness: Promotes a culture of security awareness among development teams, leading to
better security practices and behaviors.
 Risk Assessment Process
● Ranking Threats: Prioritize threats based on organizational objectives, compliance, regulatory requirements, and
security exposures.
● Prioritization: Plan countermeasures for newly identified threats to mitigate risks effectively.

Identifying Threats:
● Iterative-Structured Technique: Break down software into physical and logical constructs to generate detailed
artifacts.
● Generated Artifacts:
a. Data Flow Diagrams: Visual representations of how data moves through the system, including inputs, outputs,
and processing components.
b. Deployment Scenarios: Descriptions of how the software is deployed in various environments, such as
development, testing, and production.
c. Entry/Exit Points: Identification of where data enters and exits the system, including user interfaces, APIs, and
network interfaces.
d. Protocols: Specification of communication protocols used within the system, such as HTTP, TCP/IP, or custom
protocols.
e. Components: Enumeration of software components, modules, and libraries used in the system, along with
their functionalities and dependencies.
f. Identities: Identification of users, roles, and permissions within the system, including authentication and
authorization mechanisms.
g. Services: Description of services provided by the system, including internal and external interfaces, endpoints,
and communication channels.
 Risk Assessment Process
Attack Surface Analysis:

1. Subset of Threat Modeling:

● Attack surface analysis is a specialized aspect of threat modeling that focuses specifically on identifying the
parts of the software exposed to untrusted users or entities.
● It involves analyzing the software context to pinpoint areas of potential vulnerability and exposure to security
threats.
2. Analysis:
● Examination of Software Context: Assessing how the software interacts with its environment, including users,
external systems, and network infrastructure.
● Identifying Vulnerabilities: Determining potential weaknesses or entry points that could be exploited by
attackers to compromise the system's security.
● Prioritizing Threats: Evaluating the severity and likelihood of identified threats to prioritize mitigation efforts
and security controls.
Threat Modeling Recipe (SANS Institute Cyber Defense):
Threat Modeling Recipe (SANS Institute Cyber Defense):

1. Identify Assets to Protect:

● Determine the critical assets, components, and data that need protection within the software system.
● Consider sensitive information, intellectual property, user data, and system resources.
2. Draw a Diagram and Add Notes:
● Create visual representations, such as data flow diagrams or architectural diagrams, to illustrate the
software's structure and interactions.
● Annotate the diagram with relevant notes, including system components, interfaces, and trust
boundaries.
3. List Adversaries and Their Objectives:
● Identify potential attackers or adversaries who may seek to exploit vulnerabilities in the system.
● Understand their motivations, capabilities, and objectives to anticipate potential threats.
4. Brainstorm Threats from Adversaries:
● Use techniques like STRIDE to brainstorm potential threats and attacks that adversaries might employ.
● Consider various attack vectors, such as spoofing, tampering, repudiation, information disclosure, denial
of service, and elevation of privilege.
Threat Modeling Recipe (SANS Institute Cyber Defense):
Threat Modeling Recipe (SANS Institute Cyber Defense):

5. Estimate Probability and Potential Damage:

● Assess the likelihood and impact of each identified threat on the system's security and functionality.
● Consider factors like the system's exposure, attacker sophistication, and potential consequences of
successful attacks.
6. Brainstorm Countermeasures and Issues:
● Propose countermeasures and security controls to mitigate identified threats and vulnerabilities.
● Address any challenges or issues that may arise in implementing these countermeasures effectively.
7. Plan, Test, Pilot, Monitor, Troubleshoot, and Repeat:
● Develop a comprehensive plan for implementing and testing the proposed security measures.
● Conduct pilot tests, monitor the system for security incidents, and troubleshoot any issues that arise.
● Iterate on the threat modeling process to incorporate lessons learned and adapt to changes in the
system or threat landscape.
 Brainstorming Threats with STRIDE
STRIDE is an approach use to identify potential vulnerabilities and threats to products

SPOOFING: TEMPERING:
▪Impact related to Authentication ▪Impact related to Integrity
▪Pretending to be someone or something other ▪Modifying something on disk, memory or
than yourself somewhere

REPUDIATION: INFORMATION DISCLOSURE:

▪Impact related to Non-Repudiation ▪Impact related to Confidentiality
▪Claiming you didn’t do something (can be ▪Providing information to someone not authorized
honest or not) to access it

DENIAL OF SERVICE: ELEVATION OF PRIVILEGE :

▪Impact related to Availability ▪Impact related to Authorization
▪Exhausting resources needed to provide ▪Allowing someone to do something they are not
service authorized to do.
 Identifying Adversaries
Questions to consider when identifying adversaries:
● Who are the actual or likely adversaries?
● What do they aim to achieve?
● What are their skills and resources?
● How determined are they?
● What would they be willing to risk?
● Consideration of insider threats.

Mapping Cyber Attacks:

● Cyber attacks can be analyzed and mapped to the STRIDE model to understand their
nature and impact on system security.
● Attacks may involve one or more categories within the STRIDE model, depending on
their
 Example: WannaCry Ransomware Attack
WannaCry was a notorious ransomware attack that affected thousands of systems worldwide.

Let's map WannaCry to the STRIDE model:

● Spoofing: WannaCry attackers exploited vulnerabilities in the Windows SMB protocol to
impersonate trusted entities or sources, tricking users into executing malicious files.
● Tampering: The ransomware tampered with system files and encrypted user data, rendering
it inaccessible without payment.
● Information Disclosure: WannaCry may have disclosed sensitive information if attackers
gained unauthorized access to systems before encryption.
● Denial of Service: Some variants of WannaCry caused system downtime by encrypting
critical files, disrupting normal operations.
● Elevation of Privilege: While WannaCry primarily focused on file encryption, it could
potentially elevate privileges to gain deeper access to compromised systems.
● Repudiation: While repudiation may not be a primary aspect of the WannaCry attack, it could
be considered if attackers attempted to deny involvement or attribution.
Risk Outcome = (DAMAGE POTENTIAL + REPRODUCIBILITY + EXPLOITABILITY +

AFFECTED USERS + DISCOVERABILITY) / 5

 DREAD

(Damage Potential)

If the vulnerability is exploited, how much damage will be caused?

● 0 = Nothing
● 3 = Individual user data is compromised or affected or availability denied
● 5 = A subset of data is compromised or affected or availability denied
● 7 = All data is compromised or affected, or its availability denied
● 7 = Availability of a specific component/service is denied
● 8 = Availability of all components is denied
● 9 = Underlying infrastructure data is compromised or affected
● 10 = Complete system or data destruction, failure, or compromise
 DREAD

(Reproducibility)

How reliably can the vulnerability be exploited?

● 0 = Very hard or impossible, even for administrators. The vulnerability is unstable or statistically
unlikely to be reliably exploited.
● 5 = Some extra steps are required; tooling/scripting readily available.
● 10 = Unauthenticated users can trivially and reliably exploit using only a Web browser.
 DREAD

(Exploitability)

How difficult is the vulnerability to exploit?

● 0 = N/A (The assertion here is that every vulnerability is exploitable, given time and effort. All scores
should be 1–10.)
● 1 = Even with direct knowledge of the vulnerability, we do not see a viable path for exploitation.
● 2 = Advanced techniques are required, bespoke tooling. Only exploitable by authenticated users.
● 5 = Exploit is available/understood, usable with only moderate skill by authenticated users.
● 7 = Exploit is available/understood, usable by non-authenticated users.
● 10 = Trivial—just a web browser.
 DREAD

(Affected Users)

How many users will be affected?

● 0 = None

● 5 = Specific to a given project

● 10 = All users impacted

 DREAD

(Discoverability)

How easy is it to discover the threat, to learn of the vulnerability?

● 0 = Very hard to impossible to detect even given access to source code and privilege access to
running systems.
● 5 = Can figure it out by guessing or by monitoring network traces.
● 9 = Details of faults like this are already in the public domain and can be easily discovered
using a search engine.
● 10 = The information is visible in the web browser address bar or in a form.
 Risk Assessment (General)
Steps to perform Risk Assessment:

1. Define you scale from 0 to 10

a. 0 to 3: Low Risk
b. 4 to 6: Modest Risk
c. 7 to 8: High Risk
d. 9 to 10: Critical Risk
2. Map an attack to DREAD
a. Answer the question to D-R-E-A-D.
3. Based on the analysis, give score to each D-R-E-A-D using the defined scale
4. Finally, calculate risk

Risk = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

 Example: DREAD - Wannacry

● Damage:
○ WannaCry encrypted files on infected systems, rendering them inaccessible to users.
○ It caused significant disruption to businesses, hospitals, and other organizations, impacting their ability to
operate effectively.
○ Many victims lost access to critical data and systems, leading to financial losses and reputational
damage.
● Reproducibility:
○ The WannaCry attack was highly reproducible due to its use of a known vulnerability in the Windows
operating system (EternalBlue exploit).
○ Attackers could easily replicate the attack by scanning for vulnerable systems and deploying the
ransomware payload.
● Exploitability:
○ The exploit used by WannaCry (EternalBlue) was relatively easy to use and did not require advanced
technical skills.
○ Tools for exploiting the vulnerability were readily available online, making it accessible to a wide range of
attackers.
 Example: DREAD - Wannacry

● Affected Users:
○ WannaCry affected hundreds of thousands of systems worldwide, including computers in hospitals,
businesses, and government organizations.
○ The widespread impact of the attack resulted in a large number of affected users, ranging from individual
users to large enterprises.
● Discoverability:
○ The vulnerability exploited by WannaCry (EternalBlue) was publicly disclosed months before the attack.
○ While security patches were available, many organizations failed to apply them promptly, leaving their
systems vulnerable to exploitation.
○ The attack was discovered relatively quickly after it began, but by then, it had already infected a significant
number of systems.
 Example: DREAD - Wannacry
Based on this analysis, we can assign scores to each factor on a scale of 0 to 10:

Damage: 9
Reproducibility: 10
Exploitability: 8
Affected Users: 10
Discoverability: 7

Now, we can calculate the overall risk score using the formula:

Risk = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

Risk = (9 + 10 + 8 + 10 + 7) / 5 = 8.8
So, the overall risk score for the WannaCry attack is 8.8 out of 10, indicating a high level of risk associated with this threat.
 Risk Assessment (Based on MITRE)
Steps to perform Risk Assessment:

1. Define you scale from 0 to 10

a. 0 to 3: Low Risk
b. 4 to 6: Modest Risk
c. 7 to 8: High Risk
d. 9 to 10: Critical Risk
2. Map an attack to MITRE ATT&CK Path (any possible path)
3. Map each phase of an attack path to D-R-E-A-D
a. Answer the question to D-R-E-A-D.
4. Based on the analysis, assign score to each D-R-E-A-D using the defined scale
5. Calculate risk

Attack path phase Risk = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5

6. Repeat the step 3 to 5 for all phases of attack.

7. Finally calculate the total risk as:

Risk = Sum of expected Risk of each phase of an attack path / Total number of phases of an attack path
 Example: DREAD - Wannacry - MITRE
WannaCry Adversary Tactics and Techniques in MITRE ATT&CK:

Tactics Techniques -> Sub Description

Technique

Impact Inhibit System Recovery WMIC.exe can be used to delete all volume shadow
copies on a system

Defense Evasion File and Directory WannaCry uses attrib +h to make some of its files
Permissions Modification hidden and uses icacls . /grant Everyone:F /T /C /Q to
grant all users full access controls.

Command and Control Proxy -> Multi-hop Proxy Use Tor nodes for command and control traffic

Impact Service Stop Stopping critical services can inhibit or stop response to
an incident or aid in the adversary's overall objectives to
cause damage to the environment.
 Example: DREAD - Wannacry - MITRE

Attack Path: Impact

● Damage Potential (8): Deleting all volume shadow copies inhibits
WMIC.exe is used to delete all volume
system recovery, leading to potential data loss or extended
shadow copies on a system.
downtime.
● Reproducibility (7): Utilizing WMIC.exe to delete shadow copies is
● Tech: Inhibit System Recovery
relatively straightforward and can be easily repeated.
● Impact:
● Exploitability (9): Although requiring administrative privileges, the
● Damage Potential: 8
use of WMIC.exe is a well-known technique and can be executed
● Reproducibility: 7
with relatively low effort.
● Exploitability: 9
● Affected Users (7): All users on the affected system may suffer
● Affected Users: 7
data loss or extended downtime due to inhibited recovery options.
● Discoverability: 6
● Discoverability (6): The presence of deleted shadow copies may
● Risk: (8 + 7 + 9 + 7 + 6) / 5 = 7.4
be detected during system maintenance or forensic analysis.
 Example: DREAD - Wannacry - MITRE
Attack Path: Defense Evasion

WannaCry uses attrib +h to make some of ● Damage Potential (7): Modifying file permissions hides critical
its files hidden and uses icacls . /grant files and grants full access to all users, potentially compromising
Everyone:F /T /C /Q to grant all users full system integrity and confidentiality.
access controls.
● Reproducibility (8): The use of attrib +h and icacls commands can
● Tech: File and Directory Permissions be easily replicated across multiple files and directories.
Modification ● Exploitability (8): Executing attrib and icacls commands requires
● Impact: basic command-line knowledge but can be carried out with
● Damage Potential: 7 moderate effort.
● Reproducibility: 8 ● Affected Users (8): All users with access to the affected files and
● Exploitability: 8 directories may be impacted by unauthorized access or system
● Affected Users: 8 compromise.
● Discoverability: 7 ● Discoverability (7): Changes to file permissions may be detected
● Risk: (7 + 8 + 8 + 8 + 7) / 5 = 7.6 during security audits or file integrity checks.
 Example: DREAD - Wannacry - MITRE
Attack Path: Command & Control

Tor nodes are used for command and ● Damage Potential (8): Modifying file permissions hides critical
control traffic. files and grants full access to all users, potentially compromising
system integrity and confidentiality.
● Tech: Proxy ● Reproducibility (8): The use of attrib +h and icacls commands can
● Impact: be easily replicated across multiple files and directories.
● Damage Potential: 8 ● Exploitability (9): Executing attrib and icacls commands requires
● Reproducibility: 8 basic command-line knowledge but can be carried out with
● Exploitability: 9 moderate effort.
● Affected Users: 7 ● Affected Users (7): All users with access to the affected files and
● Discoverability: 7 directories may be impacted by unauthorized access or system
● Risk: (8 + 8 + 9 + 7 + 7) / 5 = 7.8 compromise.
● Discoverability (7): Changes to file permissions may be detected
during security audits or file integrity checks.
 Example: DREAD - Wannacry - MITRE
Attack Path: Impact
● Damage Potential (9): Stopping critical services can lead to
significant disruption of operations, potentially causing financial
Critical services are stopped to inhibit loss or reputational damage.
incident response or cause damage. ● Reproducibility (7): Stopping critical services may require specific
knowledge of the system's architecture and dependencies,
● Tech: Stop Service
limiting its reproducibility.
● Impact:
● Exploitability (8): Exploiting vulnerabilities to stop critical services
● Damage Potential: 9
may require advanced technical skills but can be achieved with
● Reproducibility: 7
persistence.
● Exploitability: 8
● Affected Users (9): All users relying on the affected services may
● Affected Users: 9
experience downtime or loss of functionality, impacting
● Discoverability: 6
productivity and service delivery.
● Risk: (9 + 7 + 8 + 9 + 6) / 5 = 7.8
● Discoverability (6): Detection of service stoppage may vary
depending on monitoring and alerting capabilities in place, but
unusual service disruptions may trigger investigation.
 Example: DREAD - Wannacry - MITRE

Attack Path: Impact -> Defense Evasion -> C&C -> Impact

Now, let's calculate the overall risk by averaging the risks for each attack path:

Total Risk = (7.4 + 7.6 + 7.8 + 7.8) / 4 = 7.65

So, the overall risk for this attack, calculated using the DREAD model, is approximately 7.65.