Rafal M. Los: Hi! I’m Raf, that’s Shane right over here. We’re going to be talking about the topic called: Offensive Threat Modeling for Attackers. Is everybody familiar with threat modeling, for a start? Who has not done any threat modeling before?
So, what is threat modeling? Just very quickly, we’re not going to take too much time on this. It’s the analysis which exposes possible threat factors. And we traditionally look at it as the system, the asset and the attacker perspective from a defensive purpose. It’s primarily used as a tool to develop countermeasures. People use threat modeling to figure out how their system is vulnerable so they can put a fix in place so it’s not vulnerable anymore.
The idea is to understand the attack and design compensating defense. It’s one of those: “How would somebody want to break this, given all its exposure, and what can we do about it to make sure those exposures don’t exist anymore?”
So, how this is actually essentially completely different is we turn the focus back on the defenders; we intend to understand defenses and defenders, because the idea behind being a bad guy – or let’s pretend we’re doing something less nefarious, like a pentester – but the reality is most folks that we talk to, in my line of work and in Shane’s as well, see security the following way: the main kinds of threats are the ones you can write patterns against. We can catch hackers by putting an antivirus signature out or putting an IPS filter or some firewall rules. The reality is: that’s not the way they’re going to get you if they really want to get you. As they say, the determined attacker can’t be stopped. Everybody familiar with that?
This is the determined attacker, so we’re going to seek to develop an offensive strategy based on what we know about the good guys; so, completely opposite way around here. Also, it’s useful for pentesting and assessments, and this is how someone like an APT, to use that buzzword, will get you, right? This is how you will be attacked, essentially.
So, looking at this example up here (see image): this is our typical sort of web app out there, right? We model out where everything is: you’ve got low-security zones, high-security zones, a hypervisor, we’ve got some VMs, we’ve got some third-party feeds in there, and we can look at the attacker, the system and the asset, well, from an attacker perspective. We think that the attackers will probably go after that application side of things. Because that’s what you can see from the Internet, from the outside, unless you’re an insider threat and you get there from the other side, from the inside.
So, we can model the system by saying: “As a collective, where is this system vulnerable to attack?” We can also look at it from the asset perspective, and if you look at it from the asset perspective, if you want that data that is stored in that big red chunk on top in that database – how do we get to that? How is that best defended?
And so, looking at that perspective of things, we thought we’d go: “You know, that’s interesting; but where are the defenses weak?” Rather than looking at this and saying: “Where will the bad guys get us from?” – let’s look at it from the bad guys’ perspective and say: “Where are the defenses weak here? Where are they least likely to be fortified? And even if they have really good technical defense, where are they weak physically, where are they weak on the human side of things?” So, this is a holistic attack perspective.
And so, the perspective here is taking an approach as an attacker, learn how the defenders operate, where the defenses are fortified, where they have stacked themselves. Most networks are stacked really high at the perimeter, unfortunately. You guys must have heard the M&M comparison: you’ve got a hard outer shell and a soft, chewy middle? How many of you guys have met networks like that in the past year?
Most networks are still built around this perimeter idea, and they’re still built around the technology-based perimeter. So, the objective here is to exploit defenses or the defenders to attack the target. The whole idea here is to get in, to get what you need, and either establish a porthole permanently or get out without being detected. The idea is minimal risk to the attacker.
So, I thought we’d figure out how to express this from a very short perspective, and that’s: “Get into the defender’s head.” We’re going to exploit human behavior; we’re going to exploit defensive imperfections. You know how everybody says: the bad guy only has to be right once, and the defenders have to be right always. This is our advantage. We figure out the defender’s modus operandi: how they operate, when they are all at the bar, where the CEO lives, when his vacation is, when he is out of the office, so we can come in and be the new IT guy, that kind of stuff. We exploit the weaknesses in defenders and defenses. That’s kind of where we’re going.