Since joining SensePost I've had a chance to get down and dirty with the threat modeling tool. The original principle behind the tool, first released in 2007 at CSI NetSec, was to throw out existing threat modeling techniques (it's really attack-focused risk) and start from scratch. It's a good idea and the SensePost approach fits nicely between the heavily formalised models like Octave and the quick-n-dirties like attack trees. It allows fairly simple modeling of the organisation/system to quickly produce an exponentially larger list of possible risks and rank them.
We've had some time and a few bits of practical work to enhance the tool and our thinking about it. At first, I thought it would need an overhaul, mostly because I didn't like the terminology (hat tip to Mr Bejtlich). But, in testament to Charl's original thinking and the flexibility of the tool, no significant changes to the code were required. We're happy to announce version 2.1 is now available at our new tools page. In addition, much of our exploration of other threat modeling techniques was converted into a workshop, the slides for which are available (approx. 30MB).
The majority of the changes were in the equation. The discussion below will give you a good idea of how you can play with the equation to fundamentally change how the tool works.
There are 5 values you can play with in the equation, each scored on a 1-5 scale: the likelihood of the attack (lik), its impact (imp), the value of the asset exposed through the interface (int), the trust in the user (usr) and the trust in the location (loc).
In English that translates to: the risk is equal to the average of the impact of the attack and its likelihood, combined with the value of the asset (exposed through a particular interface), and reduced by the trust of the user performing the attack and the location they are performing it from.
We felt there were two problems with this equation:
Once again in English: the risk of an attack is the likelihood of the attack reduced by the average of the trust in both the user and the location, combined with the value of the asset reduced by the potential impact of the attack (the value at risk). (The 0.2 and 2.5 are just to make it fit the scales. Specifically, the 0.2 is because the scale of the entities is 1-5 and we're looking to make a percentage, and the 2.5 is to fit the 0-25 scale on the final graph.)
The key change which breaks backward compatibility here is that impact now becomes a moderator on value, i.e. the impact of an attack determines how much of the asset's value is exposed.
The way things are now modeled, interfaces represent the value of a system. For the most part, all a system's interfaces should have the same value, because, as we often see, even minor interfaces that expose limited functionality can often be abused for a full compromise. However, the actual attack (called a threat in the tool) determines how much of that value is exposed. For example, a worst-case XSS is (depending on the system, of course) probably going to expose less of the system's value than a malicious sysadmin publicly pwning it (once again, dependent on the system and the controls in place).
Unfortunately, there's still no provable way to perform threat modeling, but we feel we can go quite far in providing a quick and useful way of enumerating and prioritising attacks (and hence defenses) across complex systems.
In a future blog post, I hope to cover some of the really cool scenario planning the tool can let you do, and the pretty graphs it gave us an excuse to justify budgets with.
[ Credit to the Online LaTeX Equation Editor for the formulas, although if you'd like to copy-paste the formula described above into the tool, here's an ASCII version:
( ( ( lik * ( ( ( (6 - usr) + (6 - loc) ) / 2 ) * 0.2 ) ) + ( int * ( imp * 0.2 ) ) ) * 2.5 ) ]
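To make the "impact moderates value" change concrete, here is the v2.1 equation above applied to the XSS-versus-malicious-sysadmin comparison from the post. This is an added example, not code from the SensePost tool; the threat names and all scores are constructed for illustration.

```python
# Added example (not the SensePost tool's code): the v2.1 risk equation from the
# post, applied to constructed threats against one interface, then ranked.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    lik: int  # likelihood of the attack, 1-5
    imp: int  # impact of the attack, 1-5 (moderates how much value is exposed)
    usr: int  # trust in the user performing the attack, 1-5 (5 = most trusted)
    loc: int  # trust in the location it is performed from, 1-5 (5 = most trusted)


def check_scale(*values: int) -> None:
    """Every entity in the model is scored on the 1-5 scale the post describes."""
    for v in values:
        if not 1 <= v <= 5:
            raise ValueError(f"scores must be on the 1-5 scale, got {v}")


def risk(t: Threat, int_value: int) -> float:
    """Risk on the 0-25 scale, exactly as in the ASCII formula:
    ((lik * ((((6-usr)+(6-loc))/2) * 0.2)) + (int * (imp * 0.2))) * 2.5"""
    check_scale(t.lik, t.imp, t.usr, t.loc, int_value)
    # Low trust in user/location means more exposure: 0.2 (fully trusted) .. 1.0
    exposure = (((6 - t.usr) + (6 - t.loc)) / 2) * 0.2
    # Impact moderates the interface's value: the value actually at risk, 0.2 .. 5
    value_at_risk = int_value * (t.imp * 0.2)
    return (t.lik * exposure + value_at_risk) * 2.5


def rank(threats, int_value: int):
    """Highest risk first, as the tool's final graph orders them."""
    return sorted(((risk(t, int_value), t.name) for t in threats), reverse=True)


# Constructed sample: one high-value interface (int = 5) and two threats from the post.
INTERFACE_VALUE = 5
XSS = Threat("worst-case XSS by anonymous internet user", lik=4, imp=3, usr=1, loc=1)
ADMIN = Threat("malicious sysadmin from the internal network", lik=2, imp=5, usr=5, loc=5)

if __name__ == "__main__":
    for score, name in rank([XSS, ADMIN], INTERFACE_VALUE):
        print(f"{score:5.1f}  {name}")
```

With these constructed scores the XSS ranks higher (17.5 vs 13.5): the sysadmin exposes all of the value, but the trust in user and location and the lower likelihood pull the score down.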
After hearing our talk was accepted at BlackHat, we're happy to announce that our training will be back for its 9th straight run. Speaking of a run, we're going to be hosting the usual marathon of courses: cadet, bootcamp, combat, web 2.0. But, while the names remain, we've spent some time updating the material. In particular, bootcamp, combat and web 2.0 have been through the wringer. We're hoping to get some detailed info on the updates out in the coming weeks.
In a cheap marketing ploy to introduce our new twitter account and remind people of our training, we're running one of those retweet competition things on twitter. In short, retweet this tweet, and if you're going to BH Vegas this year, you could win free attendance to one of our courses of your choice. That's worth about $2 700 at regular prices. Cheap marketing tricks for us == expensive training for you. We won't force you to tweet about how good looking we are (we are very good looking), or ask you for your password.
Sigh. We've never been much good at marketing or advertising, and I guess we still aren't. But we have tried to give our old website a bit of a face-lift, and it's starting to feel like we're finally making some progress.
Certainly most of the content is new and accurate, and it's much more comprehensive than our previous one. We've also gone to some effort to implement a more user-friendly CMS that will allow us to keep the content more current and interesting.
Please do us the favour of checking the site out at www.sensepost.com and letting us know what you think.
For those of you reading this blog, the following links would probably be the most useful:
Most of our clients that make use of our vulnerability management service, HackRack, manage a large and usually interactive web application environment that makes use of SSL. HackRack would then often report on findings such as weak ciphers in use (critical if the client has to adhere to PCI DSS), mismatches between cert names and domain names, and expired certs.
Now, this is easy to check and re-check when you have a couple of single hosts and some openssl foo. But with a couple of hundred sites, things get interesting and time consuming.
To enable our own guys and other security-minded folk, we built a Java-based SSL certificate miner that will show you the "Issued By" and "Issued To" information, plus whether the cert is strong and whether it has expired or will expire soon.
It's nice and clean, and does the job in reasonable time. Future checks will include SSL version checking, again something that the PCI DSS requires to be up to date and reported. Monitor our blog for future releases.
Oh yes - please download from here.
Enjoy, and as always, please let us know where we have goofed or mistyped comments.
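For readers who want to script the same three findings (issuer/subject, name mismatch, expiry) themselves, here is an added example that is not the Java miner from the post. It works on a certificate record in the dict shape Python's ssl `getpeercert()` returns, so it runs offline against a constructed sample; cipher strength and SSL version need a live handshake and are not covered here.

```python
# Added example, not the SensePost Java SSL miner: the checks the post describes,
# run over a certificate record in the dict form Python's getpeercert() returns.
import ssl
import time

# Constructed sample record (not a real certificate), in getpeercert() format.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.app.example.test")),
    "notAfter": "Jun 15 12:00:00 2009 GMT",
}


def name(rdns) -> str:
    """Flatten the nested subject/issuer tuples into 'key=value, key=value'."""
    return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def matches_host(pattern: str, host: str) -> bool:
    """Case-insensitive label match; a single leftmost '*' matches exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return all(pl == hl or (pl == "*" and i == 0) for i, (pl, hl) in enumerate(zip(p, h)))


def cert_names(cert) -> list:
    """DNS SANs take precedence; fall back to the subject CN only if there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]


def not_after(cert) -> float:
    return ssl.cert_time_to_seconds(cert["notAfter"])


def check_cert(cert, host: str, now: float, warn_days: int = 30) -> dict:
    """The miner's findings for one host: who issued it, to whom, name match, expiry."""
    left = int((not_after(cert) - now) // 86400)
    return {
        "issued_to": name(cert["subject"]),
        "issued_by": name(cert["issuer"]),
        "name_match": any(matches_host(n, host) for n in cert_names(cert)),
        "expired": left < 0,
        "expires_soon": 0 <= left < warn_days,
        "days_left": left,
    }


if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "api.app.example.test", time.time()))
```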
** Shameless training plug **
SensePost will be training and presenting again at BlackHat Vegas. Free stuff for those who attend!