To improve your (threat) modeling career, you need a better (threat) agent (library)! Threat modeling is a process for capturing, organizing, and analyzing the security of a system from the perspective of a threat agent. Threat modeling enables informed decision-making about application security risk. In addition to producing a model, typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation. In 2009, OWASP posted wiki pages on threat modeling. Although a section on threat agents was started, it has yet to be completed.
Intel developed a standardized threat agent library (TAL) that provides a consistent, up-to-date reference describing the human agents (a.k.a. threat actors) that pose threats to IT systems and other information assets. Instead of picking threat agents based on vendor recommendations and the space available on a PowerPoint slide, the TAL gives a repeatable method that is still flexible enough for a range of risk assessment uses. We will cover the TAL, the Threat Agent Risk Assessment (TARA), and how both can be used to improve threat modeling.
Speaker
Eric Jernigan
Information Security Architect, Umpqua Bank
2. …Or as we used to be called, simply:
Our mission was different back then.
3. A little more about me…
• Served as the NCOIC for Counter Intelligence, Psychological Operations, Operations Security and Network Warfare for an Air Force Information Warfare Flight
Information Security Architect Umpqua Bank
• Risk Assessments
• Project Engagement Security Support
• Security Awareness
Previous:
• Information Security Manager: Portland Community College
• Network Warfare Operations / Influence Operations NCOIC: Air Force
• Intelligence Detachment Section Leader: Army National Guard
Eric Jernigan MSIA, CISSP, CISM, CRISC
Actual me
7. Questions
• Do you do application risk assessments?
• Do you use threat modeling?
• Are you familiar with OWASP’s Threat
Agent content?
• Do you use a taxonomy of threat actors?
• Why? Why Not?
10. Intel Threat Agent Library
Timothy Casey, Intel Corporation
• Threat Agent Library Helps Identify Information Security Risks
• Prioritizing Information Security Risks with Threat Agent Risk Assessment
11. What the TAL?
• TAL identifies 22 threat agent archetypes, such as disgruntled employee, competitor, and organized crime
• Provides a consistent reference describing the human threat actors that pose threats to IT systems and other information assets
• Use it as a stand-alone tool or as part of other standard risk assessment methodologies
13. Why the Threat Agent Library?
• Build upon OWASP’s threat agent materials
• Increase the accuracy of your threat models
• Use alone or in conjunction with other methodologies
• Build threat-based risk assessments
• Use the output to feed into risk assessments
• Integrate into Threat Intelligence
14. Operating Terms
Vulnerability: Part of the information security infrastructure that could represent a weakness to attack in the absence of a control.
Threat Agent: Person who originates attacks, either with malice or by accident, taking advantage of vulnerabilities to create loss.
Threat Actor: An individual or group that can manifest a threat.
Motivation: Internal reason a threat agent wants to attack.
Objective: What the threat agent hopes to accomplish by the attack.
Method: Process by which a threat agent attempts to exploit a vulnerability to achieve an objective.
Attack: Action of a threat agent to exploit a vulnerability.
Control: Tools, processes, and measures put in place to reduce the risk of loss due to a vulnerability.
Exposure: Vulnerability without a control.
16. Access
This defines the extent of the agent’s access to the company’s assets.
Internal: Agent has internal access.
External: Agent has only external access.
17. Outcome (Objective)
The agent’s primary goal: what the agent hopes to accomplish with a typical attack. Also consider: Information Operations Effects.
Acquisition/Theft: Illicit acquisition of valuable assets for resale or extortion in a way that preserves the assets’ integrity but may incidentally damage other items in the process.
Business Advantage: Increased ability to compete in a market with a given set of products. The goal is to acquire business processes or assets.
Damage: Injury to Intel personnel, physical or electronic assets, or intellectual property.
Embarrassment: Public portrayal of Intel in an unflattering light, causing Intel to lose influence, credibility, competitiveness, or stock value.
Technical Advantage: Illicit improvement of a specific product or production capability. The primary target is to acquire production processes or assets rather than a business process.
18. Limits
The legal and ethical limits that constrain the agent, i.e. the extent to which the agent may be prepared to break the law.
Code of Conduct: Agents typically follow both the law and a code of conduct accepted within a profession. Example: an auditor.
Legal: Agents act within the limits of applicable laws. Example: Legal Adversary.
Extra-legal, minor: Agents may break the law in relatively minor, non-violent ways, such as minor vandalism or trespass. Example: Activist.
Extra-legal, major: Agents take no account of the law and may engage in felonious behavior resulting in significant impact or extreme violence. Example: organized crime.
19. Resource Level
The organizational level at which the agent typically works, which determines the resources available to that agent for use in an attack. Linked to the Skill Level attribute: each resource level implies a minimum skill level.
Individual: Resources limited to the average individual; agent acts independently. Minimum skill level: None.
Club: Members interact on a social and volunteer basis, often with little personal interest in the specific target. Group persists long term. Minimum skill level: Minimal.
Contest: A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. Minimum skill level: Minimal.
Team: A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single region. Minimum skill level: Operational.
Organization: Larger and better resourced than a Team. Usually operates in multiple geographies and persists long term. Minimum skill level: Adept.
Government: Controls public assets and functions within a jurisdiction; very well resourced and persists long term. Minimum skill level: Adept.
20. Skill Level
The special training or expertise an agent typically possesses.
None: Has average intelligence and ability and can easily carry out random acts of disruption or destruction, but has no expertise or training in the specific methods necessary for a targeted attack.
Minimal: Can copy and use existing techniques. Example: Untrained Employee.
Operational: Understands underlying technology or methods and can create new attacks within a narrow domain.
Adept: Expert in technology and attack methods, and can both apply existing attacks and create new ones to greatest advantage.
21. Objective (Intended Action)
The action that the agent intends to take in order to achieve a desired outcome.
Copy: Make a replica of the asset so the agent has simultaneous access to it.
Destroy: Destroy the asset, which becomes worthless to either Intel or the agent.
Injure: Damage the asset, which remains in Intel’s possession but has only limited functionality or value.
Take: Gain possession of the asset so that Intel has no access to it.
Don’t Care: The agent does not have a rational plan, or may make a choice opportunistically at the time of attack.
22. Visibility
The extent to which the agent intends to conceal or reveal his or her identity.
Overt: The agent deliberately makes the attack and the agent’s identity is known before or at the time of execution.
Covert: The victim knows about the attack at the time it occurs, or soon after. However, the agent of the attack intends to remain unidentified.
Clandestine: The agent intends to keep both the attack and his or her identity secret.
25. Intel’s TARA
• Builds upon the TAL
• Identifies the most likely attack vectors to support secure development
• Pinpoints the information security areas of greatest concern
• Stand-alone threat-centric methodology
26. TARA Process
1. Measure current threat agent risks.
2. Distinguish threat agents that exceed baseline acceptable risks.
3. Derive primary intent of those threat agents.
4. Assess capabilities likely to manifest.
5. Assess operational constraints.
6. Align strategy to target the most significant exposures.
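The attribute slides (Access, Outcome, Limits, Resource Level, Skill Level, Objective, Visibility) define a schema, and the TARA steps describe a screening pass over agents described with it. The following is an added example written for this page, not code from the talk and not Intel's TAL or TARA: it encodes the TAL attributes as Python enums, enforces the Resource Level to Skill Level link the slides state (a profile cannot claim less skill than its resource level implies), and runs a simplified TARA-style screen that drops agents an operational constraint rules out (steps 5), checks whether an agent's intended action meets an uncontrolled exposure (steps 3 and 4), scores the rest and keeps those above a baseline (steps 1 and 2). The `Asset` type, the scoring weights, the two sample assets, and the archetype attribute values are assumptions for illustration, except for the values the slides give: Activist is extra-legal minor, organized crime (Mobster) is extra-legal major, Legal Adversary is legal and adept, Untrained Employee is minimal skill, and Cyber-Vandal operates at the Contest resource level. Intel's real TARA scoring is not reproduced here; the score is a stand-in so the procedure has something to rank.

```python
# Added example: TAL attribute schema plus a TARA-style screening pass.
# Illustrative code; not Intel's library and not the presenter's material.
from dataclasses import dataclass
from enum import Enum

Access = Enum("Access", "INTERNAL EXTERNAL")
Outcome = Enum("Outcome", "ACQUISITION_THEFT BUSINESS_ADVANTAGE DAMAGE "
                          "EMBARRASSMENT TECHNICAL_ADVANTAGE")
# Ordered from least to most willing to break the law.
Limits = Enum("Limits", "CODE_OF_CONDUCT LEGAL EXTRA_LEGAL_MINOR EXTRA_LEGAL_MAJOR", start=0)
Skill = Enum("Skill", "NONE MINIMAL OPERATIONAL ADEPT", start=0)
Resources = Enum("Resources", "INDIVIDUAL CLUB CONTEST TEAM ORGANIZATION GOVERNMENT", start=0)
Intent = Enum("Intent", "COPY DESTROY INJURE TAKE DONT_CARE")   # "Objective (Intended Action)"
Visibility = Enum("Visibility", "OVERT COVERT CLANDESTINE", start=0)  # higher = harder to attribute

# Resource Level implies a minimum Skill Level (from the TAL slide).
MIN_SKILL = {
    Resources.INDIVIDUAL: Skill.NONE, Resources.CLUB: Skill.MINIMAL,
    Resources.CONTEST: Skill.MINIMAL, Resources.TEAM: Skill.OPERATIONAL,
    Resources.ORGANIZATION: Skill.ADEPT, Resources.GOVERNMENT: Skill.ADEPT,
}


def violates_skill_link(resources: Resources, skill: Skill) -> bool:
    """True when a profile claims less skill than its resource level implies."""
    return skill.value < MIN_SKILL[resources].value


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    access: Access
    outcome: Outcome
    limits: Limits
    resources: Resources
    skill: Skill
    intent: Intent
    visibility: Visibility

    def __post_init__(self) -> None:
        if violates_skill_link(self.resources, self.skill):
            raise ValueError(f"{self.name}: {self.resources.name} implies skill >= "
                             f"{MIN_SKILL[self.resources].name}")


@dataclass(frozen=True)
class Asset:                 # assumed type, not part of the TAL
    name: str
    internal_only: bool      # reachable only with internal access
    exposures: frozenset     # intended actions with no control in place (Exposure = vulnerability without a control)


def exposure_score(agent: ThreatAgent, asset: Asset) -> int:
    """Stand-in score for how much this agent threatens this asset; 0 means not applicable."""
    # TARA step 5 (operational constraints): an external-only agent cannot reach an internal-only asset unaided.
    if asset.internal_only and agent.access is Access.EXTERNAL:
        return 0
    # Steps 3-4: the agent's intended action must meet an uncontrolled exposure.
    # A "don't care" agent is opportunistic and lines up with every exposure.
    hits = asset.exposures if agent.intent is Intent.DONT_CARE else asset.exposures & {agent.intent}
    if not hits:
        return 0
    capability = agent.skill.value + agent.resources.value   # assumed weighting
    willingness = agent.limits.value
    stealth = agent.visibility.value
    return (capability + willingness + stealth) * len(hits)


def tara_screen(agents, asset: Asset, baseline: int):
    """Steps 1-2: score every agent and keep those above the accepted baseline, highest first."""
    ranked = sorted(((exposure_score(a, asset), a.name) for a in agents), key=lambda t: -t[0])
    return [(score, name) for score, name in ranked if score > baseline]


# Archetypes named in the talk; values not stated on the slides are assumed.
AGENTS = [
    ThreatAgent("Disgruntled Employee", Access.INTERNAL, Outcome.DAMAGE, Limits.EXTRA_LEGAL_MINOR,
                Resources.INDIVIDUAL, Skill.OPERATIONAL, Intent.DESTROY, Visibility.COVERT),
    ThreatAgent("Mobster", Access.EXTERNAL, Outcome.ACQUISITION_THEFT, Limits.EXTRA_LEGAL_MAJOR,
                Resources.ORGANIZATION, Skill.ADEPT, Intent.COPY, Visibility.CLANDESTINE),
    ThreatAgent("Activist", Access.EXTERNAL, Outcome.EMBARRASSMENT, Limits.EXTRA_LEGAL_MINOR,
                Resources.CLUB, Skill.MINIMAL, Intent.COPY, Visibility.OVERT),
    ThreatAgent("Legal Adversary", Access.EXTERNAL, Outcome.BUSINESS_ADVANTAGE, Limits.LEGAL,
                Resources.ORGANIZATION, Skill.ADEPT, Intent.COPY, Visibility.OVERT),
    ThreatAgent("Untrained Employee", Access.INTERNAL, Outcome.DAMAGE, Limits.CODE_OF_CONDUCT,
                Resources.INDIVIDUAL, Skill.MINIMAL, Intent.DONT_CARE, Visibility.OVERT),
    ThreatAgent("Cyber-Vandal", Access.EXTERNAL, Outcome.DAMAGE, Limits.EXTRA_LEGAL_MINOR,
                Resources.CONTEST, Skill.OPERATIONAL, Intent.DESTROY, Visibility.COVERT),
]

# Constructed sample assets (not from the talk).
PUBLIC_APP = Asset("public loan-application web app", False, frozenset({Intent.COPY, Intent.DESTROY}))
INTERNAL_DB = Asset("internal customer-records database", True,
                    frozenset({Intent.COPY, Intent.DESTROY, Intent.TAKE}))

if __name__ == "__main__":
    for asset in (PUBLIC_APP, INTERNAL_DB):
        print(asset.name, tara_screen(AGENTS, asset, baseline=3))
```

Two things the run shows that the slides only state: the external archetypes fall out entirely for the internal-only database (the constraint step does the work before any scoring), and for the public application the Untrained Employee, who "doesn't care" and so matches every exposure, still lands below the baseline because the Resource/Skill/Limits attributes carry more weight than breadth of intent. Swapping in your own weights, or the exposure and likelihood tables from Intel's TARA paper, is the point of keeping the schema and the scoring separate.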
28. Call to action
• OWASP Threat Agent page is out of date
• Updates needed to both the home page and the template
• Most sub-categories are empty
Proposal:
• Nix Force Majeure (Natural: flood, fire, etc., unless secure code is affected by it…)
• Implement the TAL in the OWASP Threat Actor page/articles
29. While you napped… (summary)
• Don’t let vendors and news broadcasters determine who your top threat actors are
• Build upon OWASP’s threat agent materials
• Increase the accuracy of your threat models
• Pinpoint the information security areas of greatest concern
• Use the output to feed into risk assessments
• Proposal: Implement the TAL in the OWASP Threat Actor page/articles
33. Image Credits
All images in this presentation were found on public-facing websites. The presenter believes such use constitutes a 'fair use' of copyrighted material as provided in Section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material in the presentation is provided without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For further information on fair use, go to: http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000107----000-.html.
Please do not reprint any photos. If you wish to use copyrighted material from the presentation for purposes of your own that go beyond fair use, you must obtain permission from the copyright owner.
Editor's notes
Access This defines the extent of the agent’s access to the company’s assets.
Internal: Agent has internal access.
External: Agent has only external access.
Outcome
This usually defines the agent’s primary goal— what the agent hopes to accomplish with a typical attack. However, with non-hostile agents, such as an untrained employee, the outcome may be unintentional. The agent may use many methods to achieve this goal, and the primary goal may have secondary or ancillary effects.
Acquisition/Theft: Illicit acquisition of valuable assets for resale or extortion in a way that preserves the assets’ integrity but may incidentally damage other items in the process.
Business Advantage: Increased ability to compete in a market with a given set of products. The goal is to acquire business processes or assets.
Damage: Injury to Intel personnel, physical or electronic assets, or intellectual property.
Embarrassment: Public portrayal of Intel in an unflattering light, causing Intel to lose influence, credibility, competitiveness, or stock value.
Technical Advantage: Illicit improvement of a specific product or production capability. The primary target is to acquire production processes or assets rather than a business process.
Limits
These are the legal and ethical limits that may constrain the agent. This characteristic also defines the extent to which the agent may be prepared to break the law. Options are:
Code of Conduct: Agents typically follow both the applicable laws and an additional code of conduct accepted within a profession or an exchange of goods or services. Example: an auditor falls within the Information Partner agent archetype.
Legal: Agents act within the limits of applicable laws. Example: Legal Adversary
Extra-legal, minor: Agents may break the law in relatively minor, non-violent ways, such as minor vandalism or trespass. Example: Activist.
Extra-legal, major: Agents take no account of the law and may engage in felonious behavior resulting in significant financial impact or extreme violence. Example: members of organized crime organizations (Mobster agent).
Resource Level
This defines the organizational level at which an agent typically works, which in turn determines the resources available to that agent for use in an attack. This attribute is linked to the Skill Level attribute: a specific organizational level implies that the agent has access to at least a specific skill level.
Individual: Resources limited to the average individual; agent acts independently. Minimum skill level: None.
Club: Members interact on a social and volunteer basis, often with little personal interest in the specific target. An example might be a core group of unrelated activists who regularly exchange tips on a particular blog. Group persists long term. Minimum skill level: Minimal.
Contest: A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. For example, people who break into systems just for thrills or prestige (agent Cyber-Vandal) may run contests to see who can break into a specific target first. Minimum skill level: Minimal
Team: A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single geography. Minimum skill level: Operational.
Organization: Larger and better resourced than a Team; typically a company. Usually operates in multiple geographies and persists long term. Minimum skill level: Adept.
Government: Controls public assets and functions within a jurisdiction; very well resourced and persists long term. Minimum skill level: Adept.
Skill Level
The special training or expertise an agent typically possesses.
None: Has average intelligence and ability and can easily carry out random acts of disruption or destruction, but has no expertise or training in the specific methods necessary for a targeted attack.
Minimal: Can copy and use existing techniques. Example: Untrained Employee.
Operational: Understands underlying technology or methods and can create new attacks within a narrow domain.
Adept: Expert in technology and attack methods, and can both apply existing attacks and create new ones to greatest advantage. Example: Legal Adversary.