Using the Threat Agent Library to improve threat modeling


Upload: eric-jernigan-msia-cissp-cism-crisc

Posted on 15-Apr-2017


TRANSCRIPT

Page 1: Using the Threat Agent Library to improve threat modeling

Portland OWASP Chapter Meet

Add TAL, improve a threat model!

Welcome:

Page 2

…Or as we used to be called, simply: WASP!!

Our mission was different back then.

Page 3: A little more about me…

Eric Jernigan MSIA, CISSP, CISM, CRISC

• Information Security Architect, Umpqua Bank: Risk Assessments, Project Engagement Security Support, Security Awareness

• Previous: Information Security Manager, Portland Community College; Network Warfare Operations / Influence Operations NCOIC, Air Force; Intelligence Detachment Section Leader, Army National Guard

• Served as the NCOIC for Counter Intelligence, Psychological Operations, and Operation Security and network warfare for an Air Force Information Warfare Flight

(Photo caption: Actual me)

Page 4: TONIGHT LET'S GET BETTER AT…

Page 5: Modeling!

Page 6: Umm, Threat Modeling

Page 7: Questions

• Do you do application risk assessments?

• Do you use threat modeling?

• Are you familiar with OWASP’s Threat Agent content?

• Do you use a taxonomy of threat actors?

• Why? Why Not?

Page 8: OWASP Threat Modeling

Look familiar?

Page 9: Threat Agent

Threat Agent = Capabilities + Intentions + Past Activities

Page 10: Intel Threat Agent Library

Timothy Casey, Intel Corporation

• Threat Agent Library Helps Identify Information Security Risks

• Prioritizing Information Security Risks with Threat Agent Risk Assessment

Page 11: What the TAL?

• TAL identifies 22 threat agent archetypes, such as disgruntled employee, competitor, and organized crime

• Provides a consistent reference describing the human threat actors that pose threats to IT systems and other information assets

• Use it as a stand-alone tool or as part of other standard risk assessment methodologies

Page 12: Threat Agent Archetypes

Page 13: Why the Threat Agent Library?

• Build upon OWASP’s threat agent materials

• Increase the accuracy of your threat models

• Use alone or in conjunction with other methodologies

• Build threat-based risk assessments

• Use the output to feed into risk assessments

• Integrate into Threat Intelligence

Page 14: Operating Terms

Vulnerability: Part of the information security infrastructure that could represent a weakness to attack in the absence of a control.

Threat Agent: Person who originates attacks, either with malice or by accident, taking advantage of vulnerabilities to create loss.

Threat Actor: An individual or group that can manifest a threat.

Motivation: Internal reason a threat agent wants to attack.

Objective: What the threat agent hopes to accomplish by the attack.

Method: Process by which a threat agent attempts to exploit a vulnerability to achieve an objective.

Attack: Action of a threat agent to exploit a vulnerability.

Control: Tools, processes, and measures put in place to reduce the risk of loss due to a vulnerability.

Exposure: Vulnerability without a control.

Page 15: TAL Agent Attributes

Pronounced: “Tal”, not “Towel…”

Page 16: Access

Access: This defines the extent of the agent’s access to the company’s assets.

Internal: Agent has internal access.

External: Agent has only external access.

Page 17: Outcome (Objective)

Outcome: The agent’s primary goal, what the agent hopes to accomplish with a typical attack. Also consider: Information Operations Effects.

Acquisition/Theft: Illicit acquisition of valuable assets for resale or extortion in a way that preserves the assets’ integrity but may incidentally damage other items in the process.

Business Advantage: Increased ability to compete in a market with a given set of products. The goal is to acquire business processes or assets.

Damage: Injury to Intel personnel, physical or electronic assets, or intellectual property.

Embarrassment: Public portrayal of Intel in an unflattering light, causing Intel to lose influence, credibility, competitiveness, or stock value.

Technical Advantage: Illicit improvement of a specific product or production capability. The primary target is to acquire production processes or assets rather than a business process.

Page 18: Limits

Limits: The legal and ethical limits to which the agent may be prepared to break the law.

Code of Conduct: Agents typically follow both the law and a code of conduct accepted within a profession. Example: an auditor.

Legal: Agents act within the limits of applicable laws. Example: Legal Adversary.

Extra-legal, minor: Agents may break the law in relatively minor, non-violent ways, such as minor vandalism or trespass. Example: Activist.

Extra-legal, major: Agents take no account of the law and may engage in felonious behavior resulting in significant impact or extreme violence. Example: organized crime.

Page 19: Resource Level

Resource Level: The organizational level at which the agent operates, which determines the resources available to that agent for use in an attack. Linked to the Skill Level attribute.

Individual: Resources limited to the average individual; agent acts independently. Minimum skill level: None.

Club: Members interact on a social and volunteer basis, often with little personal interest in the specific target. Group persists long term. Minimum skill level: Minimal.

Contest: A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. Minimum skill level: Minimal.

Team: A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single region. Minimum skill level: Operational.

Organization: Larger and better resourced than a Team. Usually operates in multiple geographies and persists long term. Minimum skill level: Adept.

Government: Controls public assets and functions within a jurisdiction; very well resourced and persists long term. Minimum skill level: Adept.

Page 20: Skill Level

Skill Level: The special training or expertise an agent typically possesses.

None: Has average intelligence and ability and can easily carry out random acts of disruption or destruction, but has no expertise or training in the specific methods necessary for a targeted attack.

Minimal: Can copy and use existing techniques. Example: Untrained Employee.

Operational: Understands underlying technology or methods and can create new attacks within a narrow domain.

Adept: Expert in technology and attack methods, and can both apply existing attacks and create new ones to greatest advantage.

Page 21: Objective (Intended Action)

Objective: The action that the agent intends to take in order to achieve a desired outcome.

Copy: Make a replica of the asset so the agent has simultaneous access to it.

Destroy: Destroy the asset, which becomes worthless to either Intel or the agent.

Injure: Damage the asset, which remains in Intel’s possession but has only limited functionality or value.

Take: Gain possession of the asset so that Intel has no access to it.

Don’t Care: The agent does not have a rational plan, or may make a choice opportunistically at the time of attack.

Page 22: Visibility

Visibility: The extent to which the agent intends to conceal or reveal his or her identity.

Overt: The agent deliberately makes the attack and the agent’s identity is known before or at the time of execution.

Covert: The victim knows about the attack at the time it occurs, or soon after. However, the agent of the attack intends to remain unidentified.

Clandestine: The agent intends to keep both the attack and his or her identity secret.

Page 23: Intel’s TAL matrix

Intel’s TAL matrix. Next, let’s look at TARA.

Page 24: TARA!

Sorry, wrong TARA…

Page 25: Intel’s TARA

• Builds upon the TAL

• Identifies the most likely attack vectors to support secure development

• Pinpoints the information security areas of greatest concern

• Stand-alone, threat-centric methodology

Page 26: TARA Process

1. Measure current threat agent risks.

2. Distinguish threat agents that exceed baseline acceptable risks.

3. Derive primary intent of those threat agents.

4. Assess capabilities likely to manifest.

5. Assess operational constraints.

6. Align strategy to target the most significant exposures.
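To make the TAL attributes and the first three TARA steps concrete, here is an added Python example; it is not code from the talk, from OWASP or from Intel. The enumerations encode the attribute values and the resource-to-skill minimums exactly as the preceding slides state them, but the risk score (a plain sum of the ordered attributes plus one point for internal access) is an assumed stand-in for whatever weighting a real TARA exercise would use, the baseline value is arbitrary, and the four sample agent profiles are constructed: the archetype names come from the slides, the attribute values assigned to them are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum


class Access(Enum):
    INTERNAL = "internal"      # agent has internal access
    EXTERNAL = "external"      # agent has only external access

class Outcome(Enum):
    ACQUISITION_THEFT = "acquisition/theft"
    BUSINESS_ADVANTAGE = "business advantage"
    DAMAGE = "damage"
    EMBARRASSMENT = "embarrassment"
    TECHNICAL_ADVANTAGE = "technical advantage"

class Limits(IntEnum):         # ordered by how far the agent will break the law
    CODE_OF_CONDUCT = 0
    LEGAL = 1
    EXTRA_LEGAL_MINOR = 2
    EXTRA_LEGAL_MAJOR = 3

class ResourceLevel(IntEnum):  # ordered by resources available for an attack
    INDIVIDUAL = 0
    CLUB = 1
    CONTEST = 2
    TEAM = 3
    ORGANIZATION = 4
    GOVERNMENT = 5

class SkillLevel(IntEnum):
    NONE = 0
    MINIMAL = 1
    OPERATIONAL = 2
    ADEPT = 3

class Objective(Enum):
    COPY = "copy"
    DESTROY = "destroy"
    INJURE = "injure"
    TAKE = "take"
    DONT_CARE = "don't care"

class Visibility(Enum):
    OVERT = "overt"
    COVERT = "covert"
    CLANDESTINE = "clandestine"

# Minimum skill level per resource level, as given on the Resource Level slide.
MIN_SKILL = {
    ResourceLevel.INDIVIDUAL: SkillLevel.NONE,
    ResourceLevel.CLUB: SkillLevel.MINIMAL,
    ResourceLevel.CONTEST: SkillLevel.MINIMAL,
    ResourceLevel.TEAM: SkillLevel.OPERATIONAL,
    ResourceLevel.ORGANIZATION: SkillLevel.ADEPT,
    ResourceLevel.GOVERNMENT: SkillLevel.ADEPT,
}


def profile_is_consistent(resource_level: ResourceLevel, skill_level: SkillLevel) -> bool:
    """Resource Level is linked to Skill Level: a profile below the minimum is inconsistent."""
    return skill_level >= MIN_SKILL[resource_level]


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    access: Access
    outcome: Outcome
    limits: Limits
    resource_level: ResourceLevel
    skill_level: SkillLevel
    objective: Objective
    visibility: Visibility

    def __post_init__(self) -> None:
        # Reject profiles that contradict the slide's resource/skill linkage.
        if not profile_is_consistent(self.resource_level, self.skill_level):
            raise ValueError(f"{self.name}: skill {self.skill_level.name} is below the "
                             f"minimum for resource level {self.resource_level.name}")


def risk_score(agent: ThreatAgent) -> int:
    """TARA step 1 with an ASSUMED scoring (not Intel's): sum the ordered attributes and
    add one for internal access, so capable, well-resourced, lawless insiders rank highest."""
    internal_bonus = 1 if agent.access is Access.INTERNAL else 0
    return int(agent.skill_level) + int(agent.resource_level) + int(agent.limits) + internal_bonus


def exceed_baseline(agents, baseline: int):
    """TARA step 2: keep only agents whose score exceeds the acceptable-risk baseline,
    most significant first."""
    ranked = sorted(agents, key=risk_score, reverse=True)
    return [a for a in ranked if risk_score(a) > baseline]


def primary_intent(agent: ThreatAgent) -> str:
    """TARA step 3: the agent's intent read off its Outcome, Objective and Visibility."""
    return f"{agent.outcome.value} by {agent.objective.value} ({agent.visibility.value})"


# Constructed sample profiles: archetype names come from the slides, attribute values are assumed.
SAMPLE_AGENTS = [
    ThreatAgent("Untrained employee", Access.INTERNAL, Outcome.DAMAGE, Limits.CODE_OF_CONDUCT,
                ResourceLevel.INDIVIDUAL, SkillLevel.MINIMAL, Objective.DONT_CARE, Visibility.OVERT),
    ThreatAgent("Disgruntled employee", Access.INTERNAL, Outcome.DAMAGE, Limits.EXTRA_LEGAL_MINOR,
                ResourceLevel.INDIVIDUAL, SkillLevel.MINIMAL, Objective.INJURE, Visibility.COVERT),
    ThreatAgent("Competitor", Access.EXTERNAL, Outcome.BUSINESS_ADVANTAGE, Limits.LEGAL,
                ResourceLevel.ORGANIZATION, SkillLevel.ADEPT, Objective.COPY, Visibility.CLANDESTINE),
    ThreatAgent("Organized crime", Access.EXTERNAL, Outcome.ACQUISITION_THEFT, Limits.EXTRA_LEGAL_MAJOR,
                ResourceLevel.ORGANIZATION, SkillLevel.ADEPT, Objective.TAKE, Visibility.CLANDESTINE),
]

if __name__ == "__main__":
    for agent in exceed_baseline(SAMPLE_AGENTS, baseline=5):
        print(f"{agent.name}: score {risk_score(agent)}, intent: {primary_intent(agent)}")
```

With the assumed scoring and a baseline of 5, only the organized crime (10) and competitor (8) profiles pass step 2, and step 3 reads their intent straight off the attributes; the consistency check in the dataclass is the part most worth keeping whatever scoring you adopt, because a profile that claims Organization-level resources with Minimal skill is not a TAL archetype at all.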

Page 27

Page 28: Call to action

• OWASP Threat Agent Page out of date

• Updates needed to both home page and template

• Most sub-categories are empty

Proposal:

• Nix Force Majeure (Natural: flood, fire, etc., unless secure code is affected by it…)

• Implement TAL into OWASP Threat Actor Page/articles

Page 29: While you napped… (summary)

• Don’t let vendors and news broadcasters determine who your top threat actors are

• Build upon OWASP’s threat agent materials

• Increase the accuracy of your threat models

• Pinpoint the information security areas of greatest concern

• Use the output to feed into risk assessments

• Proposal: Implement TAL into OWASP Threat Actor Page/articles

Page 30

You Need the Right Agent to Improve Your Modeling Career…

Page 31: Resources

OWASP – Threat Agents

• Category: Threat Agent
  https://www.owasp.org/index.php/Category:Threat_Agent

• Application Threat Modeling
  https://www.owasp.org/index.php/Application_Threat_Modeling

Intel TAL and TARA

• Threat Agent Library Helps Identify Information Security Risks
  https://communities.intel.com/servlet/JiveServlet/downloadBody/1151-102-1-1111/Threat%20Agent%20Library_07-2202w.pdf

• Prioritizing Information Security Risks with Threat Agent Risk Assessment
  http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf

Page 32: Questions?

Page 33: Image Credits

All images in this presentation were found on public facing websites. The presenter believes such use constitutes a 'fair use' of copyrighted material as provided in Section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material in the presentation is provided without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For further information on fair use, go to: http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000107----000-.html.

Please do not reprint any photos. If you wish to use copyrighted material from the presentation for purposes of your own that go beyond fair use, you must obtain permission from the copyright owner.