Offensive Threat Modeling for Attackers: Turning Threat Modeling on its Head

Research presented by Rafal M. Los (left) and Shane MacDougall (right)

Rafal M. Los, HP Software’s Chief Security Evangelist, and Shane MacDougall, principal partner at Tactical Intelligence, give a presentation at Black Hat Europe 2012 to show a non-standard perspective of threat modeling as an offensive tool.

Rafal M. Los: Hi! I’m Raf, that’s Shane right over here. We’re going to be talking about the topic called: Offensive Threat Modeling for Attackers. Is everybody familiar with threat modeling, for a start? Who has not done any threat modeling before?

Threat Modeling Primer

Breaking down the key concept

The short version of what we’re doing is this. We’re going to take the traditional approaches of threat modeling: the asset, the system, and the attacker, rather than looking at it from the defensive perspective, because that’s what we all do here, right? We’re defensive. So, rather than the good guys kind of looking back out at the bad guys, we’re going to flip this a little bit around and give you the bad guys’ perspective on the way in.

So, what is threat modeling? Just very quickly, we’re not going to take too much time on this. It’s the analysis which exposes possible threat factors. And we traditionally look at it as the system, the asset and the attacker perspective from a defensive purpose. It’s primarily used as a tool to develop countermeasures. People use threat modeling to figure out how their system is vulnerable so they can put a fix in place so it’s not vulnerable anymore.

The idea is to understand the attack and design compensating defense. It’s one of those: “How would somebody want to break this, given all its exposure, and what can we do about it to make sure those exposures don’t exist anymore?”

Offensive threat modeling perspective

So, how this is actually essentially completely different is we turn the focus back on the defenders; we intend to understand defenses and defenders, because the idea behind being a bad guy – or let’s pretend we’re doing something less nefarious, like a pentester – but the reality is most folks that we talk to, in my line of work and in Shane’s as well, see security the following way: the main kind of threats are the ones you can write patterns against. We can catch hackers by putting an antivirus signature out or putting an IPS filter or some firewall rules. The reality is: that’s not the way they’re going to get you if they really want to get you. As they say, the determined attacker can’t be stopped. Everybody familiar with that?

This is the determined attacker, so we’re going to seek to develop an offensive strategy based on what we know about the good guys; so, completely opposite way around here. Also, it’s useful for pentesting and assessments, and this is how someone like an APT, to use that buzzword, will get you, right? This is how you will be attacked, essentially.

Typical web app model

So, looking at this example up here (see image): this is our typical sort of web app out there, right? We model out where everything is: you’ve got low-security zones, high-security zones, a hypervisor, we’ve got some VMs, we’ve got some third-party feeds in there, and we can look at the attacker, the system and the asset, well, from an attacker perspective. We think that the attackers will probably go after that application side of things. Because that’s what you can see from the Internet, from the outside, unless you’re an insider threat and you get there from the other side, from the inside.

So, we can model the system by saying: “As a collective, where is this system vulnerable to attack?” We can also look at it from the asset perspective, and if you look at it from the asset perspective, if you want that data that is stored in that big red chunk on top in that database – how do we get to that? How is that best defended?

Most networks have a hard outer shell and a soft, chewy middle.

And so, looking at that perspective of things, we thought we’d go: “You know, that’s interesting; but where are the defenses weak?” Rather than looking at this and saying: “Where will the bad guys get us from?” – let’s look at it from the bad guys’ perspective and say: “Where are the defenses weak here? Where are they least likely to be fortified? And even if they have really good technical defense, where are they weak physically, where are they weak on the human side of things?” So, this is a holistic attack perspective.
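The "where are the defenses weak?" question above can be asked of the web app model mechanically. The following is an added example, not code from the talk or its authors: it treats the system as a small directed graph of zones and hosts, scores the controls on each hop, and reports the route from a given entry point (Internet or insider) to the data asset that crosses the least defensive strength, plus any hops with no control at all. Zone names, hop layout and control scores are all constructed for illustration.

```python
"""
Least-fortified-path analysis over a constructed model of the talk's
"typical web app" (low/high-security zones, hypervisor, VMs, third-party
feed, database asset). Defender's use: find the route an attacker would
meet the least resistance on, and the unguarded hops in the "chewy middle".
All names and scores below are assumptions for the example.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, Dict[str, float]]

# Constructed topology: (source, destination, controls an attacker must get
# past on that hop). Scores 0.0-1.0 are rough, assumed control strengths.
EDGES: List[Edge] = [
    ("internet", "web_app", {"waf": 0.6, "ips": 0.5}),
    ("internet", "third_party_feed", {}),             # feed is reachable unguarded
    ("third_party_feed", "web_app", {"input_validation": 0.3}),
    ("web_app", "app_server", {"internal_fw": 0.4}),
    ("app_server", "database", {"db_auth": 0.7}),
    ("internal_lan", "hypervisor", {}),               # insider hop, no control
    ("hypervisor", "database", {"mgmt_acl": 0.2}),
    ("internal_lan", "app_server", {"internal_fw": 0.4}),
]


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, Dict[str, float]]]]:
    """Adjacency list; every node appears as a key even if it has no out-edges."""
    graph: Dict[str, List[Tuple[str, Dict[str, float]]]] = {}
    for src, dst, controls in edges:
        graph.setdefault(src, []).append((dst, controls))
        graph.setdefault(dst, [])
    return graph


def hop_cost(controls: Dict[str, float]) -> float:
    """Resistance of one hop = combined strength of its controls (0 if unguarded)."""
    return sum(controls.values())


def unguarded_hops(edges: List[Edge]) -> List[Tuple[str, str]]:
    """Hops with no control at all, in model order: the soft middle made explicit."""
    return [(src, dst) for src, dst, controls in edges if not controls]


def least_fortified_path(edges: List[Edge], entry: str, asset: str) -> Optional[dict]:
    """Dijkstra from entry to asset, minimising total control strength crossed.

    Returns {"cost", "path", "controls"} or None if asset is unreachable.
    """
    graph = build_graph(edges)
    if entry not in graph or asset not in graph:
        return None
    best: Dict[str, float] = {entry: 0.0}
    prev: Dict[str, Tuple[str, Dict[str, float]]] = {}
    heap: List[Tuple[float, str]] = [(0.0, entry)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == asset:
            break
        if cost > best.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, controls in graph[node]:
            new_cost = cost + hop_cost(controls)
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                prev[nxt] = (node, controls)
                heapq.heappush(heap, (new_cost, nxt))
    if asset not in best:
        return None
    # Walk the predecessor chain back to the entry point.
    path, crossed, node = [asset], [], asset
    while node != entry:
        node, controls = prev[node]
        path.append(node)
        crossed.append(controls)
    path.reverse()
    crossed.reverse()
    return {"cost": round(best[asset], 2), "path": path, "controls": crossed}


if __name__ == "__main__":
    for entry in ("internet", "internal_lan"):
        print(entry, "->", least_fortified_path(EDGES, entry, "database"))
    print("unguarded hops:", unguarded_hops(EDGES))
```

In the constructed model the cheapest external route is not through the WAF and IPS but via the third-party feed, and the insider route through the hypervisor crosses only a single weak management ACL; the output points the defender at the hops to fortify, which is the same "where are they least likely to be fortified?" question asked from the other side.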

Key points of offensive threat modeling

And so, the perspective here is taking an approach as an attacker, learn how the defenders operate, where the defenses are fortified, where they have stacked themselves. Most networks are stacked really high at the perimeter, unfortunately. You guys must have heard the M&M comparison: you got a hard outer shell and soft, chewy middle? How many of you guys have met networks like that in the past year?

Most networks are still built around this perimeter idea, and they’re still built around the technology-based perimeter. So, the objective here is to exploit defenses or the defenders to attack the target. The whole idea here is to get in, to get what you need, and either establish a porthole permanently or get out without being detected. The idea is minimal risk to the attacker.

Think like a defender

So, I thought we’d figure out how to express this from a very short perspective, and that’s: “Get into the defender’s head.” We’re going to exploit human behavior; we’re going to exploit defensive imperfections. You know how everybody says: the bad guy only has to be right once, and the defenders have to be right always. This is our advantage. We figure out the defender’s modus operandi: how they operate, when they are all at the bar, where the CEO lives, when his vacation is, when he is out of the office, so we can come in and be the new IT guy, that kind of stuff. We exploit the weaknesses in defenders and defenses. That’s kind of where we’re going.

balaji patnala says:

“We can catch hackers by putting an antivirus signature out or putting an IPS filter or some firewall rules. The reality is: that’s not the way they’re going to get you if they really want to get you. As they say, the determined attacker can’t be stopped. Everybody familiar with that?”

Good statement..!!
