Week 9 - Cyber Risk Assessment and Threat Modelling

Question 1

What is threat modeling?

Answer 1

The structured process of determining the threat landscape for a given context. This context could be an application, a system etc..

Question 2

What is a threat landscape?

Answer 2

The possible range of attacks that can be present within a context.

Question 3

Why is the threat modelling approach better than the ad hoc approach?

Answer 3

Threat modelling is a lot more structured, and ad hoc is more likely to miss particular threats.

Question 4

What are the 4 parts of the process of threat modelling?

Answer 4

Diagram - what are we building?
Identify threats - what can go wrong?
Mitigate - what will we do about it?
Validate - how did we do?

Question 5

What might you do during the Diagram step of threat modelling?

Answer 5

Exploring a system, understanding it and explaining it and it’s functionality. You might make diagrams of the system, like class diagrmad or data flow diagrams.

Question 6

What do you do during the identify threats step of threat modelling?

Answer 6

You brainstorm the the type of potential threats that might target your system and it vulnerabilities. You might use a framework to structure discussions about threats around, Frameworks like Stride, Cyber Kill Chains, Attack trees etc..

Question 7

What do you do during the mitigate step of threat modelling?

Answer 7

Consider the mitigation techniques that you could implement to prevent the treats, and priorotize and implement them into the system.

Question 8

What happens during the validation step of threat modelling?

Answer 8

You reflect and review the fixes deployed in the mitigation step and evulate their effectiveness. You might revise these mitigations and add new ones if they are not working as well as intended.

Question 9

What does the STRIDE framework do?

Answer 9

It helps developers determine common types of potential attacks for their system. These common threats can be found in the words of the acronym STRIDE.
It is a proactive process of determining potential attacks and does not help analyse attacks that have happened.

Question 10

What does STRIDE stand for?

Answer 10

Spoofing
Tampering
Repudiation
Information disclosure 
Denial of service
Elevation or escalation of privilege

Question 11

Define Spoofing in terms of STRIDE e.g. Name the treat, property, definition and an example.

Answer 11

Threat - Spoofing
Property - Authentication
Definition - Masquerading as something or someone else
Example - Phishing website or email

Question 12

What is the data we look at for a given threat using STRIDE?

Answer 12

The threat, the property it affects, the definition of the threat, and an example of the threat.

Question 13

Define Tampering in terms of STRIDE e.g. Name the treat, property, definition and an example.

Answer 13

Threat - Tampering
Property - Integrity
Definition - Unauthorised modification of data
Example - Unauthorised modification of salary in a database

Question 14

Define Repudiation in terms of STRIDE e.g. Name the treat, property, definition and an example.

Answer 14

Threat - Repudiation
Property - Non-Repudiation
Definition - Refusal to accept responsibility for an action
Example - An individual claiming that an email sent from their address was not sent by them

Question 15

Define Information Disclosure in terms of STRIDE e.g. Name the treat, property, definition and an example.

Answer 15

Threat - Information Disclosure
Property - Confidentiality
Definition - Exposure of confidential information to unauthorised parties
Example - Password leaks

Question 16

Define Denial of Service in terms of STRIDE e.g. Name the treat, property, definition and an example.

Answer 16

Threat - Denial of Service
Property - Availability
Definition - Service unavailable to legitimate users when it should be available
Example - Service request floods such as on HTTPS

Question 17

Define Escalation of Privilege in terms of STRIDE e.g. Name the treat, property, definition and an example.

Answer 17

Threat - Escalation of Privilege
Property - Authorisation
Definition - Individual or process capable of actions they do not have authorisation for
Example - User with read only permissions escalates to write capability

Question 18

How do you apply STRIDE to systems?

Answer 18

Consider the potential attacks under each element of the STRIDE model in terms of a system e.g. Could an attacker Spoof this part of the system, are Denial of service attacks possible on this system server etc..

Record any details of threats as you progress.

Record any assumptions.

Question 19

How might you mitigate Repudiation?

Answer 19

Ensure Non-Repudiation protocol that provide assurance that an individual cannot deny responsibility for an action through authentication and digital signatures.

Question 20

How should you mitigate Spoofing?

Answer 20

Ensure appropriate authentication.

Question 21

How should you mitigate Tampering?

Answer 21

Ensure secure data protection and security policies for integrity of data.

Question 22

How might you mitigate Information Disclosure?

Answer 22

Ensure confidentiality of data using methods such as data encryption or cryptographic hashes or perhaps air gapped machines that aren’t connected to the network.

Question 23

How might you mitigate a Denial of Service attack?

Answer 23

Ensuring availability of servers using things like Firewalls, and intrusion detection systems that can prevent DoSs from happening.

Question 24

How could you mitigate an escalation of privilege?

Answer 24

Ensure appropriate authorisation mechanisms for services and data.

Question 25

What are the advantages of STRIDE?

Answer 25

Helps identify common vulnerabilitiesbin systems and processes.

Provides an easy to follow framework to consider possible threats.

Question 26

What are the disadvantages of STRIDE?

Answer 26

It is not fully comprehensive itself, the user must go into detail about potential threats themselves.

Only a proactive approach, does not find attacks that have happened or are currently happening.

Only ulincludes the most common attacks, so more novel attacks like Zero Day vulnerabilities may not be considered.

Question 27

What is a Cyber Kill Chain?

Answer 27

A sequence of steps required for an attacker to successfully infiltrate a given system
It is also known as the Cyber Instrusion Chain.

Question 28

What are the stages of a Cyber Kill Chain?

Answer 28

Reconnaissance
Weaponisation
Delivery
Exploitation
Installation
Comman and Control
Actions on Objective

Question 29

What happens during the reconnaissance stage of the CKC?

Answer 29

Reconnaissance is when the attacker tries to gather information about their target. It can either be active or reactive.

Active reconnaissance means that recon is likely to leave a trace that can be used to identify that recon happened. For example, the attackers leaving a digital footprint in a system that they’re are exploring, or speaking to specific individuals for more info on the system that could then identify them.

Passive reconnaissance is recon that includes looking at information already readily available and wouldn’t raise suspicious. For example, looking at data available to the public.

Question 30

Can the Cyber Kill Chain help during security? Why?

Answer 30

Yes.
Security teams can use the Cyber Kill Chain model to help identify potential APTs and treats against a system by looking at the steps of the CKC to see vulnerabilities in their security.

Question 31

What happens during the Weaponisation stage of CKC?

Answer 31

When the attacker takes the recon gathered from the recon stage to create a piece of malware or devise a malicious incident (DoS) to exploit any vulnerabilities found.

Question 32

What happens during the Delivery stage of CKC?

Answer 32

When you take the malware and attempt to delivery it and put it into the target system. This can range from disguising it as a trogan, to using a phishing email, sending it through open insecure ports, using SQL injection etc.

Question 33

What happens during the Exploitation stage of the CKC?

Answer 33

This is when the malware or malicious attack is executed on the target system.

Question 34

What happens during the Installation stage of CKC?

Answer 34

When the attacker expands through the system, spreading the malware or installing further malware. It increases the attackers foothold in the system.

Question 35

What happens during the Command and Control stage of a CKC?,

Answer 35

When the attacker sets up a an easy way in out and out the system by bypassing security with their installed malware. They also set up a feed of information or assets that will go back to the attacker.

Question 36

What happens during the Actions on Objectives in a CKC?

Answer 36

These are the final steps that the attacker takes after gaining the information and assets from the system. For example, this could be selling information on the black market or using the information to gain understanding on the targets intellectual properties etc..

Question 37

How can a organisation use the CKC model to identify ataccks that have already happened or are going to happen?

Answer 37

They look out for obvious signs of any of the Cyber Kill Chain steps, like phishing emails for delivery or suspicious packets during command and control. If these are noticed organisations can take preventive measures to stop ongoing attacks.

Question 38

What are the steps an organisation can take when they find a Cyber Kill Chain happening?

Answer 38

Detect - identifying whether an attacker is in the process of an attack
Deny - preventing disclosure of information and unauthorised access
Disrupt - stop or change outbound traffic going to the attacker
Degrade - provide counterattacks (E.g. Throttling the bandwidth)
Deceive - sending misinformation back to the attacker

Question 39

What can an organisation use to break or prevent CKCs?

Answer 39

Intrusion detection and prevention systems
Firewalls
Proper authentication and authorisation
Encryption
Security training for staff

Question 40

What are disadvantages of using the CKC to help with security?

Answer 40

It doesn’t consider insider threats.

Attackers are getting through the first couple of stages of CKC very fast so it’s harder to detect attacks in the Inital stages.