
Thursday, May 01, 2014

toolsmith: Microsoft Threat Modeling Tool 2014 - Identify & Mitigate




Prerequisites/dependencies
Windows operating system

Introduction
I’ve long been deeply invested in the performance of threat modeling, with particular attention to doing so in operational environments rather than limiting the practice to software alone. I wrote the IT Infrastructure Threat Modeling Guide for Microsoft in 2009 with the hope of stimulating this activity. In recent months two events have taken place that contribute significantly to the threat modeling community. In February Adam Shostack published his book, Threat Modeling: Designing for Security, and I can say, without hesitation, that it is a gem. I was privileged to serve as the technical proof reader for this book and found that its direct applicability to threat modeling across the full spectrum of target opportunities is inherent throughout. I strongly recommend you add this book to your library as it is, in and of itself, a tool for threat modelers and those who wish to reduce risk, apply mitigations, and improve security posture. This was followed in mid-April by the release of the Microsoft Threat Modeling Tool 2014. The tool had become a bit stale and the 2014 release is a refreshing update that includes a number of feature improvements that we’ll discuss shortly. We’ll also use the tool to conduct a threat model that envisions the ISSA Journal’s focus for the month of May: Healthcare Threats and Controls.
First, I sought out Adam to provide us with insight regarding his perspective on operational threat modeling. As expected, he indicated that whether you're a system administrator, system architect, site reliability engineer, or IT professional, threat modeling is important and applicable to your job. Adam often asks four related questions:
1) What are you building?
He describes that building an operational system is more likely to be building additional components on top of an existing system and that it's therefore important to model both what you have and how it's changing.
2) What can go wrong?
Adam reminds us that you can use any of the threat enumeration techniques, but that, in particular, STRIDE relates closely to the “CIA” set of properties that are desirable for an operational system. I’ll add OWASP Risk Rating Methodology to the tool’s KB for good measure, given its direct integration of CIA.
3) What are you going to do about it?
Several frameworks can be used here, such as prevent, detect, and respond as well as available technologies.
4) Did you do a good job at 1-3?
Adam points out that assurance activities (which can include compliance) can help you. More importantly, you can also use approaches such as penetration testing and red teaming to help you determine if you did a good job. I am a strong proponent for this approach. My team at Microsoft includes both threat engineers for threat modeling and assessment as well as penetration testers for discovery and validation of mitigations.
To supplement the commitment to operational threat modeling, I asked Steve Lipner, one of the founding fathers of Microsoft’s Security Development Lifecycle and the Security Response Center (MSRC), for his perspective, which he eloquently provided as follows:
“While threat modeling originated as an approach to evaluating the security of software components, we have found the techniques of security threat modeling to have wide applicability.  Like software components, operational services are targets of attack and can exhibit vulnerabilities.  Threat modeling and STRIDE have proven to be effective for identifying and mitigating vulnerabilities in operational services as well as software products and components.”
With clear alignment around the premise of operational threat modeling let’s take a look at what it means to apply it. 

Identifying Threats and Mitigations with TMT 2014

Emil Karafezov, who is responsible for the Threat Modeling component of the Security Development Lifecycle (SDL) at Microsoft, wrote a useful introduction to the Microsoft Threat Modeling Tool 2014 (TMT). Emil let me know that there are additional details and pointers in the Getting Started Guide and the User Guide, which are part of the Threat Modeling Tool 2014 Principles SDK. You should definitely read the introduction as well as the guides before proceeding here, as I will not be revisiting the basic usage information for the TMT tool or how to threat model (read the book) and will instead focus more in depth on some key new capabilities. I will do so in the context of a threat model for the operational environment of a fictional medical services company called MEDSRV.
Figure 1 includes a view of the MEDSRV operational environment for its web application and databases implementation.

FIGURE 1: A MEDSRV threat model with TMT 2014
Emil offered some additional pointers not shared in his blog post that we’ll explore further with the MEDSRV threat model specific to data extraction and search capabilities.

Data extraction:
From a workflow perspective, the ability to extract information from the tool for record keeping or bug filing is quite useful. The previous version of the TMT included Product Studio and Visual Studio plugins for bug filing, but Emil describes them as rather rigid templates that were problematic for users syncing with their server. With TMT 2014 there is a simple right-click Copy Threats for each entry that can be pasted into any text editor or bug tracking system. For bulk threat entry manipulation there is another feature, ‘Copy Custom Threat Table’, which lets you dump results conveniently into Excel, which in turn can be imported into workflow management systems via automation. When in Analysis View with the focus set in the Threat Information list, use the familiar Ctrl+A shortcut to select all threat entries; a right-click then lets you edit the constants in the Custom Threat Table, as seen in Figure 2.

FIGURE 2: TMT 2014’s Copy Custom Threat Table feature
Search for Threat Information:
Emil also pointed out that TMT 2014’s Search for Threat Information area, while seemingly a standard option to have, is new and worth mentioning. This feature is really important if you have a massive threat model with a plethora of threats; the threat list filter is not always the most efficient way to narrow down your criteria. I have found this to be absolutely true during threat modeling sessions of online services at Microsoft, where a large model may include hundreds or thousands of threats. To find threats that contain keywords specific to a particular implementation of your mitigations, as an example, using Search is the way to go. You might be focusing on data store accessibility as seen in Figure 3.

FIGURE 3: Search for threat information
I also asked Ralph Hood, Microsoft Trustworthy Computing’s Group Program Manager for Secure Development Policies & Tools (the group that oversees the TMT) what stood out for him with this version of the tool. He offered two items in particular:
1) Migration capability of models from the old version of the tool
2) The ability to customize threats
Ralph indicated that the TMT tool has not historically supported any kind of migration to newer versions; the ability to migrate models from earlier versions to the 4.1 version is therefore a powerful feature for users who have already conducted numerous threat models with older versions. Threat models should always be considered dynamic (never static) as systems always change and you’ll likely update a model at a later date.
The ability to customize threats is also very important, particularly in the operations space. The ability to change the threat elements and information (mitigation suggestions, threat categories, etc.) for specific environments is of significant importance. Ralph points out as an example that if a specific service or product owner knows that certain threats are assessed differently because of specific characteristics of the service or platform, they can change the related threat information. Threat modelers can do so using a Knowledge Base (KB) created for all related models, so any user going forward can utilize the modified KB rather than having to change threat attributes for each threat manually. According to Ralph, this is important functionality in the operations space, where certain service dependencies and platform benefits and/or downfalls may consistently alter threat information.
He’s absolutely right, so I’ll take the opportunity to tweak the imaginary MEDSRV KB here for your consideration using Appendix II of the User Guide (read it). The KB is installed by default in C:\Program Files (x86)\Microsoft Threat Modeling Tool 2014\KnowledgeBase. Do not tweak the original; create a copy and modify that. I called my copy KnowledgeBaseMEDSRV and saved it in C:\tmp. I focused exclusively on ThreatCategories.xml and ThreatTypes.xml. Using the OWASP Risk Rating Methodology I added Technical Impact Factors to ThreatCategories.xml and ThreatTypes.xml. Direct from the OWASP site, “technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.”
- Loss of confidentiality
  - How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)
- Loss of integrity
  - How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)
- Loss of availability
  - How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)
- Loss of accountability
  - Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)
Note: I renamed the original KnowledgeBase to KnowledgeBase.bak then copied KnowledgeBaseMEDSRV back to the original destination directory and renamed it KnowledgeBase. This prevents corruption of your original files and eliminates the need to re-install TMT. If you’d like my changes to ThreatCategories.xml and ThreatTypes.xml hit me over email or Twitter and I’ll send them to you. That said, following are snippets (Figures 4 & 5) of the changes I made.

FIGURE 4: Additions to ThreatCategories.xml
FIGURE 5: Additions to ThreatTypes.xml
Take notice of a few key elements in the modified XML. I set the identifier to OTI1 for OWASP Technical Impact (the leading O standing for OWASP). Remember that each subsequent identifier needs to be unique. I declared the generation filter source is 'GE.P' and (target is 'GE.P' or target is 'GE.DS') and flow crosses 'GE.TB' because GE.P defines a generic process, GE.DS defines a generic data store and GE.TB defines a generic trust boundary. Therefore, per my modification, data subject to technical impact factors flows across trust boundaries between processes and data stores. Make sense? I used the resulting TMT KB update to provide a threat model of zones defined for MEDSRV as seen in Figure 6.

FIGURE 6: A threat model of MEDSRV zones using Technical Impact Factors
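To make the KB tweak concrete, here is an added example in Python that is not code from this column, from the TMT 2014 SDK, or from the MEDSRV knowledge base. It serves both the Technical Impact Factor list above and the generation filter just discussed: a hand-written stand-in for TMT's rule engine applies a rule of the shape source is 'GE.P' and (target is 'GE.P' or target is 'GE.DS') and flow crosses 'GE.TB' to the flows of a small, constructed MEDSRV-style data-flow diagram, and each threat it generates is scored with the four OWASP technical impact factors averaged into a 0-9 score and banded as OWASP does (below 3 LOW, 3 to below 6 MEDIUM, 6 to 9 HIGH). The element names, flows and factor ratings are assumptions made for the example; GE.P, GE.DS, GE.EI, GE.TB and the OTI1 identifier are the names used above.

```python
"""Added example: a stand-in for a TMT generation rule plus OWASP technical
impact scoring.  The DFD, flows and ratings are constructed; it is not TMT code."""
from dataclasses import dataclass

# OWASP technical impact factor scales, exactly as listed in the column.
LOSS_OF_CONFIDENTIALITY = {"minimal non-sensitive data disclosed": 2, "minimal critical data disclosed": 6,
                           "extensive non-sensitive data disclosed": 6, "extensive critical data disclosed": 7,
                           "all data disclosed": 9}
LOSS_OF_INTEGRITY = {"minimal slightly corrupt data": 1, "minimal seriously corrupt data": 3,
                     "extensive slightly corrupt data": 5, "extensive seriously corrupt data": 7,
                     "all data totally corrupt": 9}
LOSS_OF_AVAILABILITY = {"minimal secondary services interrupted": 1, "minimal primary services interrupted": 5,
                        "extensive secondary services interrupted": 5, "extensive primary services interrupted": 7,
                        "all services completely lost": 9}
LOSS_OF_ACCOUNTABILITY = {"fully traceable": 1, "possibly traceable": 7, "completely anonymous": 9}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str           # generic stencil type: 'GE.P' (process), 'GE.DS' (data store), 'GE.EI' (external)


@dataclass(frozen=True)
class Flow:
    source: Element
    target: Element
    crosses: frozenset  # kinds of trust boundary the flow crosses, e.g. {'GE.TB'}


def owasp_technical_impact_rule(flow):
    """Stand-in for the KB filter:
    source is 'GE.P' and (target is 'GE.P' or target is 'GE.DS') and flow crosses 'GE.TB'."""
    return (flow.source.kind == "GE.P"
            and flow.target.kind in ("GE.P", "GE.DS")
            and "GE.TB" in flow.crosses)


def generate_threats(flows, rules):
    """Apply every (threat_id, rule) pair to every flow; return the (threat_id, flow)
    instances whose rule fires, in DFD order."""
    return [(tid, f) for f in flows for tid, rule in rules if rule(f)]


def technical_impact(confidentiality, integrity, availability, accountability):
    """OWASP technical impact: average of the four factor values, banded LOW/MEDIUM/HIGH."""
    score = (LOSS_OF_CONFIDENTIALITY[confidentiality] + LOSS_OF_INTEGRITY[integrity]
             + LOSS_OF_AVAILABILITY[availability] + LOSS_OF_ACCOUNTABILITY[accountability]) / 4
    level = "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"
    return score, level


# Constructed MEDSRV-style DFD: trust boundaries sit between the Internet and the
# web tier and between the web tier and the data/billing zone.
BROWSER = Element("patient browser", "GE.EI")
WEB_APP = Element("MEDSRV web app", "GE.P")
RECORDS = Element("clinical records DB", "GE.DS")
BILLING = Element("billing service", "GE.P")
MEDSRV_FLOWS = [
    Flow(BROWSER, WEB_APP, frozenset({"GE.TB"})),  # external entity as source: rule must not fire
    Flow(WEB_APP, RECORDS, frozenset({"GE.TB"})),  # process -> data store across a boundary: fires
    Flow(WEB_APP, BILLING, frozenset({"GE.TB"})),  # process -> process across a boundary: fires
    Flow(BILLING, RECORDS, frozenset()),           # same zone, no boundary crossed: must not fire
]
RULES = [("OTI1", owasp_technical_impact_rule)]    # OTI1: the identifier chosen in the column


def medsrv_report():
    """Generate OTI1 threats for the constructed DFD and score each with constructed
    factor ratings keyed by the flow's target."""
    ratings = {
        "clinical records DB": ("extensive critical data disclosed", "extensive seriously corrupt data",
                                "extensive primary services interrupted", "possibly traceable"),
        "billing service": ("minimal critical data disclosed", "minimal seriously corrupt data",
                            "minimal secondary services interrupted", "fully traceable"),
    }
    report = []
    for tid, flow in generate_threats(MEDSRV_FLOWS, RULES):
        score, level = technical_impact(*ratings[flow.target.name])
        report.append((tid, flow.source.name, flow.target.name, score, level))
    return report


if __name__ == "__main__":
    for row in medsrv_report():
        print("%s  %s -> %s  technical impact %.2f (%s)" % row)
```

Running it lists only the two flows that leave the web app across a trust boundary (the browser-to-web-app flow is filtered out because its source is an external entity, and the billing-to-records flow because it crosses no boundary), with the records flow landing HIGH and the billing flow LOW. Swapping the rating tuples is the equivalent of editing the threat information in the MEDSRV KB: the rule decides where a threat applies, the factors decide how much it matters.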
I’m hopeful these slightly more in-depth investigations of TMT 2014 features entice you to utilize the tool and to engage in the practice of threat modeling. No time like the present to get started.

In Conclusion

We’ve learned enough here to conclude that you have two immediate actions. First, purchase Threat Modeling: Designing For Security and begin to read it. Follow this by downloading the Microsoft Threat Modeling Tool 2014 and practice threat modeling scenarios with the tool while you read the book. Conducting these in concert will familiarize you with both the practice of threat modeling as well as the use of TMT 2014.
Remember that July’s ISSA Journal will be entirely focused on the Practical Use of InfoSec Tools. Send articles or abstracts to editor at issa dot org.
Ping me via email if you have questions or suggestions for topic via russ at holisticinfosec dot org or hit me on Twitter @holisticinfosec.
Cheers…until next month.

Acknowledgements
Microsoft’s:
Adam Shostack, author, Threat Modeling: Designing for Security & Principal Security PM, TwC Secure Ops
Emil Karafezov, Security PM II, TwC Secure Development Tools and Policies
Ralph Hood, Principal Security GPM, TwC Secure Development Tools and Policies
Steve Lipner, Partner Director, TwC Software Security

Monday, February 03, 2014

toolsmith: SimpleRisk - Enterprise Risk Management Simplified



Prerequisites/dependencies
LAMP/XAMPP server

Introduction
Our editorial theme for February’s ISSA Journal happens to be Risk, Threats, and Vulnerabilities which means that Josh Sokol’s SimpleRisk as our toolsmith topic is bona fide kismet. I am a major advocate for simplicity and as the occasional practitioner of simpleton arts, SimpleRisk fits my needs perfectly. SimpleRisk is a free and open source web application, released under Mozilla Public License 2.0, and is extremely useful in performing risk management activities. In my new role at Microsoft, I’m building, with a fine team of engineers, a Threat Intelligence and Engineering practice. This effort is intended to be much more robust than what you may currently understand to be Threat Intelligence. Limiting such activity to monitoring threat feeds, deriving indicators of compromise, and reporting out findings is insufficient to cover the vast realm of risk, threats, and vulnerabilities. As such, we include constant threat assessments of our infrastructure and services in a manner that includes risk analysis and threat modeling, based on SDL principles and the infrastructure threat modeling guidance I wrote some years ago. Keeping in mind that threat modeling can be software-centric, asset-centric, and attacker-centric, recognize that the amount of data you generate can be overwhelming. In addition to embracing the principles of good data science, we’ve also expanded our tooling to include the likes of SimpleRisk. I asked Josh to provide us with insight on SimpleRisk in his own words:
As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B a year company, I ran into these same barriers, and when budget wouldn't allow me the GRC route, I finally decided to do something about it. At Black Hat and BSides Las Vegas 2013, I formally debuted SimpleRisk. A SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded at http://www.simplerisk.org. SimpleRisk is truly Enterprise Risk Management simplified.
I can tell you with certainty that a combination of tactics, techniques, and procedures inclusive of threat modeling and analysis, good data science (read The Field Guide to Data Science), and risk management with the likes of SimpleRisk, will lead to an improved security posture. I’ll walk you through a recreation of various real world scenarios and current events using SimpleRisk after some quick installation pointers.

Quick installation notes

I run SimpleRisk on an Ubuntu 13.10 virtual machine configured with a full LAMP stack. Without question you should read the SimpleRisk LAMP Installation Guide, but I’ll give you a quick overview of my installation steps, establishing SimpleRisk as the primary application in the Apache web root:
1) cd /var/www
2) Download the latest installation bundle, currently (subject to change): sudo wget http://simplerisk.googlecode.com/files/simplerisk-20131231-001.tgz
3) sudo tar zxvf simplerisk-20131231-001.tgz
4) sudo mv simplerisk/* . (moves all SimpleRisk app files to the web root; note there is no space between simplerisk/ and the asterisk)
5) sudo rm simplerisk-20131231-001.tgz (removes the installation bundle)
6) sudo rmdir simplerisk (removes the now empty simplerisk directory; plain rm refuses to delete a directory)
7) cd ~
8) Download the SimpleRisk database import: wget http://simplerisk.googlecode.com/files/simplerisk-20131231-001.sql
9) mysql -u root -p
10) create database simplerisk;
11) use simplerisk;
12) source ~/simplerisk-20131231-001.sql (populates the SimpleRisk database)
13) GRANT SELECT, INSERT, UPDATE, DELETE ON simplerisk.* TO 'simplerisk'@'localhost' IDENTIFIED BY 'CHANGEME'; (creates the SimpleRisk database user; change CHANGEME to your preferred password)
14) exit
15) sudo gedit /var/www/includes/config.php
16) Edit line 16 with the database password you set in step 13 (you can also change your timezone in config.php)
17) Browse to your web server’s root and log in as admin with password admin
18) Click the Admin button in the upper right of the UI, then click My Profile
19) Change the admin password!

SimpleRisk and the Flintstones

Flintstone, Inc., a prehistoric cave retailer with a strong online presence, has been hacked by the Bedrock Electronic Militia. In one breach, 40 million clams have been stolen, and soon thereafter it is revealed that 70 million additional clams are compromised. Additionally, the attackers have used social engineering to gain access to Flintstone.net social media accounts, including Critter and Cavebook, as well as the Flintstone, Inc. blog. Even the Bedrock news media outlet, Cave News Network, is not immune to Bedrock Electronic Militia’s attacks. Fred and Wilma, the CISO and CEO, are very concerned that their next PCI audit is going to be very difficult given the breach, and they want to use SimpleRisk to track and manage the risks they need to mitigate, as well as the related projects necessary to fulfill the mitigations. The SimpleRisk admin has created two accounts for Fred and Wilma; they’re impressed with the fact that the User Management options under Configure are so granular with respect to User Responsibilities, including the ability to Submit New Risks, Modify Existing Risks, Close Risks, Plan Mitigations, Review Low Risks, Review Medium Risks, Review High Risks, and Allow Access to "Configure" Menu. Fred and Wilma are also quite happy that the SimpleRisk user interface is so…simple. Fred first uses the Configure | Add and Remove Values menu to add Online and Retail Stores as Site/Location values given the variety and location of risks identified. He also adds Identity Management under Team, as well as POS and Proxy under Technology. Fred notes that the Configure menu also offers significant flexibility in establishing risk formula preferences, review (high, medium, low) settings, and the ability to redefine naming conventions for impact, likelihood, and mitigation effort. He and Wilma then immediately proceed to the Risk Management menu to, you guessed it, begin to manage risks exposed during the breach root cause analysis and after action report.
To get started the Flintstones immediately identify five risks to document:
1) Account compromise via social engineering
   a. The Flintstone.net Critter and Cavebook accounts were compromised when one of their social media management personnel was spear phished
2) Inadequate antimalware detection
   a. One of the spear phishing emails included a malicious attachment that was not detected by Dinosoft Security Essentials
3) Flintstone, Inc. users compromised via watering hole attacks
   a. A lack of egress traffic analysis, detection, and prevention from Flintstone.net corporate networks meant that users were compromised when enticed to visit a known good website that had been compromised with the Blackrock Exploit Kit
4) Flintstone.com web application vulnerable to cross-site scripting (XSS)
   a. Attackers can use XSS vulnerabilities to deliver malicious payloads in a more trusted manner given that they execute in the context of the vulnerable site
5) Flintstone, Inc. Point Of Sale (POS) compromised with Frack POS malware
   a. All POS devices must be scanned with the SecureSlate’s Frack POS Malware Scan

As seen in Figure 1, Fred can be very specific in his risk documentation.

FIGURE 1: Fred submits risk for SimpleRisk documentation
As Fred works on the watering hole risk, he decides he’d rather use CVSS risk scoring than classic and is overjoyed to discover that SimpleRisk includes a CVSS calculator, as seen in Figure 2. There is also an OWASP calculator that Fred uses when populating the XSS risk and a DREAD calculator he uses for the POS risk.

FIGURE 2: Fred calculates a CVSS score with SimpleRisk CVSS calculator
When Fred and Wilma move to the Plan Your Mitigations phase they are a bit taken aback to find that SimpleRisk has stack ranked the XSS risk as the highest, as seen in Figure 3, but they recognize that risk calculations can be somewhat subjective and that each scoring calculator (CVSS, DREAD, OWASP) derives scores differently. SimpleRisk does include links to references for how each is calculated.

FIGURE 3: SimpleRisk risk ranking allows mitigation prioritization
Fred and Wilma believe that the XSS vulnerability happens to be one they can have mitigated rather quickly and at a low cost, so they choose to focus there first. Clicking No under Mitigation Planned for ID 1004 leads them to the Submit Risk Mitigation page. They submit their planned mitigation as seen in Figure 4.

FIGURE 4: SimpleRisk XSS mitigations submittal
After SimpleRisk accepts the mitigation Fred and Wilma are sent promptly to the Perform Management Reviews phase where they choose to review ID 1001 Account Compromised via social engineering by clicking No in the related row under the Management Review column. Under Submit Management Review they choose to Approve Risk (versus reject), Consider for Project as the Next Step and add Deploy two factor authentication under Comments.
Under Prioritize for Project Planning, Fred and Wilma then add a new project called Two Factor Authentication Deployment. They can add other projects and prioritize them later. They also set a schedule to review risks regularly after planning mitigations for, and conducting reviews of, their remaining risks.
As the CISO and CEO of Flintstone, Inc., Fred and Wilma love their executive dashboards. They check the SimpleRisk Risk Dashboard under Reporting, as seen in Figure 5.

FIGURE 5: SimpleRisk Risk Dashboard
They also really appreciate that SimpleRisk maintains an audit trail for all changes and updates made.
Finally, Fred and Wilma decide to take advantage of some SimpleRisk “extras” that cost a bit but are offered under a perpetual license:
- Custom Authentication Extra: Currently provides support for Active Directory Authentication and Duo Security multi-factor authentication, but will have other custom authentication types in the future.
- Team Based Separation Extra: Restricts viewing of a risk to members of the team the risk is categorized under.
- Notification Extra: Email notifications when risks are updated or due for action.
- Encrypted Database Extra: Encryption of sensitive text fields in the database.

In Conclusion

Josh has devised a great platform in SimpleRisk; I’m really glad to have caught mention of it rolling by in Twitter reads. It fits really nicely in any threat/risk management program. On a related note, as I write this Adam Shostack’s new book, Threat Modeling: Designing for Security, is nearing its publication date (17 FEB 2014, Wiley). Be sure to grab a copy and incorporate its guidance into your risk, threat and vulnerability management practice along with the use of SimpleRisk.
Ping me via email if you have questions or suggestions for topic via russ at holisticinfosec dot org or hit me on Twitter @holisticinfosec.
Cheers…until next month.

Acknowledgements

Josh Sokol, SimpleRisk developer and project lead

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...