Chapter 1. Threat Analysis
This chapter covers the following topics:
Defining and understanding confidentiality, integrity, and availability
Defining and analyzing the attack vector
Understanding the attack complexity
Understanding privileges and user interaction
Understanding the attack scope
In this chapter, you will learn the fundamentals of threat analysis. Cyber threat analysis is a process that evaluates internal and external threats and vulnerabilities and matches them against real-world attacks. Ultimately, the desired result of a threat assessment is to develop best practices on how to protect your organization’s assets and their availability, confidentiality, and integrity, without hindering usability and functionality.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in this chapter’s topics. The 10-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time. Table 1-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
1. You must have adequate control mechanisms in order to enforce and ensure that data is only accessed by the individuals who should be allowed to access it and nobody else. Which of the following techniques can be used to prevent any attacks that could impact confidentiality?
a. Secure routing protocols
b. Network scanners
c. Encryption
d. Metasploit
2. Which of the following statements is not true about integrity protection?
a. Integrity protection encompasses only data and information.
b. Integrity protection encompasses more than just data; it not only protects data, but also operating systems, applications, and hardware from being altered by unauthorized individuals.
c. Integrity protection encompasses more than just data; it not only protects data, but also operating systems, applications, and hardware from being altered by authorized individuals.
d. Integrity protection can only be applied to protect operating systems, applications, and hardware from being altered by unauthorized individuals.
3. Which of the following are examples of threat modeling techniques? (Select all that apply.)
a. STRIDE
b. STRIKE
c. DREAD
d. THREAD
4. Which of the following is not a component of DREAD?
a. Damage potential
b. Reproducibility
c. Prosecution
d. Discoverability
5. Which of the following is not a component of STRIDE?
a. SQL injection
b. Tampering
c. Repudiation
d. Information disclosure
e. Denial of service
6. Which of the following are examples of attack vectors? (Select all that apply.)
a. A malicious email attachment or a malicious link on an email
b. Malicious web page content
c. A vulnerable or compromised network service used maliciously
d. The Common Vulnerability Scoring System (CVSS)
7. Which of the following is not an example of a tool that can help analyze the attack surface of a system?
a. Web application scanner
b. Fuzzer
c. The Common Vulnerability Assessment Language (CVAL)
d. Network scanner
8. Which of the following is true about the attack complexity in terms of threat analysis?
a. The attack complexity is categorized as high when specialized access conditions or mitigating circumstances do not exist.
b. The attack complexity is categorized as low when specialized access conditions or mitigating circumstances do not exist.
c. The attack complexity is changed if the attacker fails to launch the attack.
d. The attack complexity is dependent on the attack scope.
9. Which of the following is not true about privileges and user interaction in terms of threat analysis?
a. The risk is considered low if the attacker is required to have privileges or system credentials on the system, in order to launch the attack.
b. The risk is considered high if the attacker is already authorized or is required to have privileges on the system.
c. The risk is high if the attack does not require the attacker to be authenticated or have significant (for example, administrative) control over the vulnerable system.
d. CVSS version 3 also includes the requirements of privileges in its base metrics.
10. What is an example of a vulnerability that could lead to an attack scope change?
a. VM injection
b. VM escape
c. Denial of service
d. SQL injection
Foundation Topics
What Is the CIA Triad: Confidentiality, Integrity, and Availability?
The three fundamental security control principles are confidentiality, integrity, and availability. Collectively, these are often referred to as the “CIA triad.” This threat is illustrated in Figure 1-1.
Threat analysis embraces the identification of threats that can negatively impact the availability, integrity, and confidentiality of assets and also identifies protection and mitigation capabilities.
Confidentiality
Confidentiality is the promise that data is not unveiled to unauthorized users, applications, or processes. Depending on the type of information, a higher level of confidentiality might be required, depending on how sensitive it is. You must have adequate control mechanisms in place to enforce and ensure that data is only accessed by the individuals who should be allowed to access it and no one else. Also, you must enforce what the users can do with that data once they have accessed it. Another important part of confidentiality is that all sensitive data needs to be controlled, audited, and monitored at all times. Here are some examples of sensitive data:
Social security numbers
Bank and credit card account information
Criminal records
Trade secrets
Source code
Military secrets
The following are examples of security mechanisms designed to preserve confidentiality:
Logical and physical access controls
Encryption (in motion and at rest)
Database views
Controlled traffic routing
Data classification is important when you’re deciding how to protect data. By having a good data classification methodology, you can enhance the way you secure your data across your network and systems.
Many organizations deploy virtual private networks (VPNs) between their sites using IPSec. In some cases, they also use internal site-to-site tunnels to protect their sensitive data. The VPN tunnel is an example of encryption while data is in motion.
Integrity
Integrity is the next component of the CIA triad. It is very important that systems and the data they maintain are accurate, complete, and protected from unauthorized modification. Integrity protection encompasses more than just data; it not only protects data, but also operating systems, applications, and hardware from being altered by unauthorized individuals. For example, what if a router is modified to send data to a destination that it was not intended to? What if a confidential email is modified by an attacker before it reaches its originally intended recipient? What if an Internet of Things (IoT) device, such as an IP camera, is modified to send crafted packets to a victim and cause a denial-of-service condition? All these are examples of integrity compromises of a system or data.
Availability
The last component of the CIA triad is availability, which states that systems, applications, and data must be available to users without impacting productivity. The most common attack against availability is a denial-of-service (DoS) attack. User productivity can be greatly affected, and companies can lose a lot of money if data is not available. For example, if you are an online retailer or a cloud service provider and your ecommerce site or service is not available to your users, you could potentially lose current or future business, thus impacting revenue.
You have to understand the various security technologies, methodologies, policies, and procedures that can provide different levels of availability, integrity, and confidentiality protection. Your security goals must be evaluated to ensure the proper security mechanisms are put into place to always protect against threats that could affect the CIA triad.
Threat Modeling
Risk analysis is crucial. You need to know what you are protecting and how you are protecting it. What are your critical systems and assets? What constitutes your organization today? These are some initial questions you should ask yourself when starting any risk analysis process. You must know the difference between threats and vulnerabilities. Threats are occurrences that can affect a system or an organization as a whole. Examples of threats include fraud, theft of information, and physical theft. Vulnerabilities are flaws that make a system, an individual, or an organization exposed and susceptible to a threat or an attack.
Tip
It is very important that you “think” like an attacker to better understand the safeguards needed in order to protect your systems and data.
Typically, when you ask security engineers, managers, architects, and executives to list or describe the critical systems of their organization, their answers are contradictory. One of the main goals that members of an organization should have is to understand their environment to better comprehend what they are trying to protect and what risks are most imminent.
Several methods of risk analysis have been published in books, websites, magazines, and blogs. Some take the quantitative approach, some take the qualitative approach, and others measure impact versus probability.
The primary goal of any threat modeling technique is to develop a formal process while identifying, documenting, and mitigating security threats. This process has a huge impact on any organization because it is basically a methodology used to understand how attacks can take place and how they will impact the network, systems, and users. Organizations have adopted several threat modeling techniques. For example, Microsoft uses the DREAD model. The DREAD acronym defines five key areas:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
In the DREAD model, the first step is to quantify or estimate the damage potential of a specific threat. This estimate can include monetary and productivity costs, followed by a probability study on the reproducibility and exploitability of the vulnerability at hand. In addition, the first step should identify which users and systems will be affected and how easily the threat can be discovered and identified.
You can find more information about Microsoft threat modeling at https://msdn.microsoft.com/en-us/library/ff648644.aspx. Microsoft also has a threat modeling tool at https://www.microsoft.com/en-us/download/details.aspx?id=49168.
Another very popular threat modeling technique is STRIDE, which stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. STRIDE was created by Loren Kohnfelder and Praerit Garg. This is a framework designed to help software developers identify the types of threats against the applications they are creating. The following are the different components of STRIDE:
Spoofing: Sometimes referred to as identify spoofing. Attackers can disguise themselves as someone else. They can also disguise their systems as some other systems. For instance, in many distributed denial-of-service (DDoS) attacks, attackers can spoof the source of the attacks (that is, the IP addresses of the attacking machines or bots) in order to carry out the attack and maintain anonymity. This is why systems should have protection in place against spoofing attacks—and not just for DDoS. In general, users should not be able to become any other users or assume the attributes of other users, period.
Tampering: This ties into the discussion earlier in this chapter about integrity. Users must not be able to tamper with data, applications, or systems. In threat modeling, you must understand what threats could allow an attacker to tamper with data, applications, or systems in your organization.
Repudiation: You must consider if the system or applications requires nonrepudiation controls, such as system logs, web access logs, and audit trails. Another consideration is that an application should run with the user’s privileges, not more.
Information disclosure: You must make sure that a system or application does not disclose information that is not intended. For example, a web application should not store usernames and passwords in its source. Also, user credentials should not be stored in logs or in any other configuration or troubleshooting feature in plain text.
Denial of service: You should evaluate what threats can cause a denial-of-service condition. This is beyond just performance testing and should employ methodologies such as fuzzing (sending random data to an application or protocol).
Elevation of privilege: It is very important that you ensure in any application or system that users cannot elevate their privileges. Many organizations develop an authorization matrix to ensure that only authorized users and roles can access privileged functionality.
Another threat modeling technique is to create attack trees. Bruce Schneier, the chief technology officer of Counterpane Internet Security and the inventor of the Blowfish and Twofish encryption algorithms, initially introduced this method. Attack trees represent attacks against a system or network in a hierarchical tree structure. The root node describes a goal, and the leaf nodes are various ways of reaching such a goal. For example, the main goal of a specific attack may be to interrupt the services of an ecommerce web server farm. This goal will be the root of the tree. Each subsequent “tree branch or leaf” describes the methods used to take down that web server farm (such as sending millions of spoofed TCP packets, compromising zombies on the Internet to launch DDoS attacks, and so on).
A detailed white paper on attack trees by Bruce Schneier is posted at http://www.schneier.com/paper-attacktrees-ddj-ft.html.
Several other threat modeling techniques suggest the use and understanding of system and device roles. You need to identify what the network devices do and how they are used and placed within the infrastructure. You should also document and identify their functionality in the context of the organization as a whole; furthermore, you need to configure them according to their role. For example, the configuration used for Internet-edge routers is not suitable for data center devices. In addition, you should create easy-to-understand architecture diagrams that describe the composition and structure of your infrastructure and its devices, and then elaborate the diagram by adding details about the trust boundaries, authentication, and authorization mechanisms.
The following are great resources that you should become familiar with and that may help you study for the exam:
OWASP threat modeling site: https://www.owasp.org/index.php/Threat_Risk_Modeling
SANS threat modeling whitepaper: https://www.sans.org/reading-room/whitepapers/securecode/threat-modeling-process-ensure-application-security-1646
SANS practical analysis and threat modeling spreadsheet: https://cyber-defense.sans.org/blog/2009/07/11/practical-risk-analysis-spreadsheet
NIST Special Publication 800-154: Guide to Data-Centric System Threat Modeling: http://csrc.nist.gov/publications/drafts/800-154/sp800_154_draft.pdf
Defining and Analyzing the Attack Vector
According to NIST, an attack vector is “a segment of the entire pathway that an attack uses to access a vulnerability. Each attack vector can be thought of as comprising a source of malicious content, a potentially vulnerable processor of that malicious content, and the nature of the malicious content itself.” The following are a few examples of attack vectors:
A malicious email attachment or a malicious link on an email.
Malicious web page content
A vulnerable or compromised network service used maliciously
A social engineering conversation by a threat actor done in person or by phone, email, text, or instant messaging to obtain sensitive information from the user, such as credentials, date of birth, account information, social security numbers, and so on.
Personal information gathered by a threat actor from social media to carry out a targeted attack.
An open port on a system that could lead to services being exposed to an attacker.
A database with default or no credentials.
An infrastructure device with default or easily guessable credentials.
Many other terms are used when describing attack vectors. In addition to studying and understanding attack vectors is analyzing all of the attack vectors directly against a particular system. This methodology is often referred to as the system’s “attack surface.”
In order to measure and understand the attack surface, you can read through the source code of an application and identify different points of entry and exit, including the following:
Application programming interfaces (APIs)
Databases
Email or other kinds of messages
Files
Other local storage
Runtime arguments
User interface (UI) forms and fields
It is important to understand that the total number of different attack entry or exit points can be numbered in the dozens, hundreds, or even thousands, depending on the system or application’s complexity. Sometimes this will feel like an unmanageable task. In order to make this task more manageable, you can break the model into different categories, depending on the function, design, and technology. Here are some examples:
Admin interfaces
Business workflows
Data entry (CRUD) forms
Inquiries and search functions
Interfaces with other applications/systems
Login/authentication entry points
Operational command and monitoring interfaces/APIs
Transactional interfaces/APIs
Several tools can accelerate your analysis of the overall attack surface of a system or application. These include network and vulnerability scanners such as the following:
nmap
Nessus
Nexpose
Qualys
You can also use web application scanners such as these:
OWASP_Zed_Attack_Proxy_Project
Arachni
Skipfish
w3af
Several commercial dynamic testing and vulnerability scanning tools such as IBM AppScan
Note
You learned different examples of network and application scanners while preparing for the CCNA Cyber Ops SECFND exam.
Understanding the Attack Complexity
The attack complexity describes the conditions beyond the attacker’s control that must exist in order to exploit a given vulnerability. For example, an attacker may need to collect additional information about the target, including network topologies, specific system configurations, and computational exceptions. The Common Vulnerability Scoring System (CVSS) base metrics analyze the attack complexity. CVSS is an industry standard maintained by the Forum of Incident Response and Security Teams (FIRST) that is used by many product security incident response teams (PSIRTs) to convey information about the severity of the vulnerabilities they disclose to their customers.
Tip
Although you learned about CVSS when studying for the CCNA Cyber Ops SECFND exam, Chapter 6 includes additional details about the standard. For the SECOPS exam, you must also be familiar with the CVSS metrics, as covered in Chapter 6 and also at FIRST’s website at https://www.first.org/cvss/specification-document.
The attack complexity is categorized as low when specialized access conditions or mitigating circumstances do not exist. When the attack complexity is low, the attacker or threat actor can carry out the attack in a consistent and repeatable manner. When the attack complexity is considered high, the attack depends on conditions beyond the attacker’s control. For instance, a successful attack probably cannot be executed successfully or a vulnerability exploited without the attacker having to invest some time and effort in preparing and orchestrating the attack. Here are a few examples:
The need for the attacker to obtain additional configuration information, sequence numbers, and credentials.
The need for an attacker to “win” a race condition and/or overcome advanced exploit mitigation techniques.
The need for the threat actor to place him- or herself into the logical network path between the victim and the destination or resource that victim is trying to access. This is done in order to read and/or modify network communications, and is referred to as a man-in-the-middle attack.
Privileges and User Interaction
The risk of a specific threat or vulnerability can increase depending on the requirements around privileges and user interaction—in other words, depending on if the attacker needs to have user credentials prior to successfully launching the attack or if the attacker can launch the attack without authentication. The risk is considered low if the attacker is required to have privileges or system credentials on the system in order to launch the attack. On the contrary, the risk is high if the attack does not require the attacker to be authenticated or have significant (for example, administrative) control over the vulnerable system.
CVSS version 3 also includes the requirements of privileges in its base metrics.
The Attack Scope
It is also important that you understand the attack scope and how an attack or vulnerability can impact resources beyond the attacker’s means or privileges. The attack scope is also represented in CVSS by the base metric Authorization Scope, or simply Scope. CVSS defines scope as “when the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred.”
A good example of a scope change is when an attacker is able to break out of a sandbox. Another example is when an attacker can perform a virtual machine (VM) escape (see Figure 1-2). In other words, when the attacker compromises a VM and then is able to access, modify, or delete files on the host operating system (hypervisor), thereby getting access to all VMs on the host machine.
If an attack or exploited vulnerability can only affect resources managed by the same authority, the scope is not changed. When such a vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component, then the scope is considered to be changed.
Exam Preparation Tasks
Review All Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 1-2 lists these key topics and the page numbers on which each is found.
Complete Tables and Lists from Memory
Print a copy of Appendix B, “Memory Tables and Lists,” (found on the book website), or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, “Memory Tables and Lists Answer Key,” also on the website, includes completed tables and lists to check your work.
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
Q&A
The answers to these questions appear in Appendix A, “Answers to the ‘Do I Know This Already’ Quizzes and Q&A.” For more practice with exam format questions, use the exam engine on the website.
1. A denial-of-service attack against a web server affects which of the following?
a. Availability
b. Confidentiality
c. Integrity
d. Repudiation
2. An attacker is able to compromise a system and change files in the affected system. Which of the following is affected?
a. Availability
b. Confidentiality
c. Integrity
d. Repudiation
3. An attacker is able to eavesdrop on the conversation between two users launching a man-in-the-middle attack. Which of the following is affected?
a. Availability
b. Confidentiality
c. Integrity
d. Repudiation
4. Which of the following is an example of an attack whose scope has been potentially changed?
a. An attack against a VM escape vulnerability
b. A denial-of-service attack
c. A spoofing attack
d. A man-in-the-middle attack
5. Which of the following are examples of thread modeling techniques? (Select all that apply.)
a. STRIDE
b. DREAD
c. SREAD
d. SDL
6. Which of the following is not an attack vector?
a. Malicious web page content
b. A malicious email attachment or a malicious link on an email
c. DDoS
d. Social engineering conversation by a threat actor done in person or by phone, email, text, or instant messaging to obtain sensitive information from the user such as credentials, date of birth, account information, social security numbers, and so on.