vault backup: 2024-10-30 11:06:53
110
Penetration Testing/Week 6/Lecture 6 - Threat Modelling.md
Normal file
@@ -0,0 +1,110 @@
Identifying vulnerabilities leading to compromise, or mission objectives, identifying business risk with and attack.

Identify attack surface presented to outside actors, bigger surface, bigger risk. Create clear scenarios relevant to organisation.
Provides clarity to risk appetite and prioritisation.
- Importance of assets
- Threat community relevance
Emulates tools, techniques, capabilities, accessibility and general profile of attacker
- Focus on most relevant controls, processes and infra rather than inventory list of IT elements.
**White Box**: Threat model should be constructed in coordination with organisation
**Black Box**: Tester creates threat model based on attackers view, using OSINT related to organisation.

# Components

- Understand Assets
- Business Asset Analysis: What systems to target
- Business Process Analysis: How to attack systems
- Understand Attacker (Community/Agent)
- Attacker Analysis
- Attacker Capability Analysis
- Motivation Modelling
- Value of assets available at target, cost of acquiring
- Profit, grudge, fun, further access to parner / connected systems
- Impact Modelling
- What if scenarios surrounding loss event for each identified asset
- Asset's net value, intrinsic value, other indirect costs associated with loss

## Business Asset Analysis

- Identify Assets and Business Processes
- Most likely targets, value and impact of loss
- Organisational Assets
- Internal policies, plans and procedures identify key roles and critical business practices that keep company running.
- Product information, trade secrets, plans, source code, marketing information
- Financial information
- Technical information, design and configuration, account information, credentials, ISMS
- Employee, customer, partner, supplier data
- Human Assets
- Decision makers

# Business Process Analysis

- Business processes and assets supporting them form value chains
- Mapping processes, identifying critical and non-critical processes, understand how business works, can assign weight and identify impact of specific threat scenarios
- Technical infrastructure, information assets, human assets, 3rd party integration

# Threat Agents / Community Analysis

- Internal Threats
- Employees
- Management, Administrators, Developers, Engineers, Technicians
- Contractors
- General user community
- Remote support
- External Threats
- Ex-employees
- Business partners
- Competitors
- Contractors
- Technical, outsourcing (ex. Cloud Providers), support, guards, cleaners
- Both internal and external
- Suppliers
- Nation States, Organised Crime, Hacktivists, Skids
- Differing Capabilities and motivations
- Map threat communities against primary and secondary assets

## Attacker Capability Analysis

- Analysis of tools
- Tools known to be available to community / agent included here. Skill level?
- Availability of exploits / payloads
- Exploits readily available (public dbs, frameworks, underground communities)
- Threat agent capable of customising exploits or developing new ones
- Communication mechanisms
- Evaluate complexity of attacks against organisation
- Types of threats can exist post-exploit
- Exfiltration channels or C2 (command and control) channels
- Bulletproof Hosting
- Botnets
- Drop boxes, ex rPi designed to be connected to network to facilitate ongoing breach
- Accessibility

## Summary of Methods

- Attacker-Centric
- Start from attacker, evaluate goals, how achieved through attack tree. Starts from entry points or attacker actions
- System-Centric
- Starts from model of system, attempts to follow model dynamics and logic. Look for types of attacks against each element of model. Approach is used for ex. Microsoft's Security Development Lifecycle
- Asset-Centric
- Starts from assets entrusted to system, such as collection of personal information, attempts to identify how security breaches of CIA properties can happen

### Attacker-Centric Example

```mermaid
flowchart TD
toac[/Theft of Auth Cookies\] --- o[OR]
o --- and[and]
o --- and2[and]
and --- uc[/Unencrypted Connection\]
and --- ed[/Eavesdropping\]
and2 --- css[/Cross-Site Scripting\]
and2 --- xss[/XSS Vulnerability\]
```

### System-Centric Example

![[Pasted image 20241030105908.png]]

### Asset-Centric Example

![[Pasted image 20241030110006.png]]
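Review bot: in the mermaid attack tree under `### Attacker-Centric Example`, the second AND node has two leaves that name the same weakness, `and2 --- css[/Cross-Site Scripting\]` and `and2 --- xss[/XSS Vulnerability\]`, so the conjunction adds nothing and that branch collapses to a single leaf; the first branch gets it right by pairing the weakness with the separate precondition the attacker also needs (`Unencrypted Connection` AND `Eavesdropping`). Suggest relabelling one of the two leaves as the exploitation step that has to succeed on top of the vulnerability existing, rather than a second name for the same thing. Smaller points in the same hunk: "identifying business risk with and attack" should read "with an attack"; "parner" is "partner"; "ex rPi" and "ex. Cloud Providers" read better as "e.g."; `Contractors` is listed under both Internal Threats and External Threats even though a `Both internal and external` bucket exists just below, so moving it there removes the duplicate. The `### System-Centric Example` and `### Asset-Centric Example` sections are image embeds only (`Pasted image 20241030105908.png`, `Pasted image 20241030110006.png`), which leaves those two methods with no readable example in the text; a one-line caption per image stating which system element or asset the diagram walks through would make the note usable without the attachments.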
4
Penetration Testing/Week 6/Workshop 6.md
Normal file
@@ -0,0 +1,4 @@
![[Pasted image 20241030110342.png]]
![[Pasted image 20241030110350.png]]

![[Pasted image 20241030110621.png]]
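Review bot: Workshop 6.md is three image embeds with no text at all, `![[Pasted image 20241030110342.png]]`, `![[Pasted image 20241030110350.png]]` and `![[Pasted image 20241030110621.png]]`, so nothing about the workshop (task, commands run, expected output) is searchable or readable outside the vault viewer. Suggest at least a title line and a sentence per image saying what it shows, and where an image is a screenshot of a terminal, the commands themselves as a fenced block instead of the picture.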
1
Penetration Testing/Week 6/dns-exfil-infil
Submodule
Submodule Penetration Testing/Week 6/dns-exfil-infil added at b5156cd755
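Review bot: the submodule `Penetration Testing/Week 6/dns-exfil-infil` is pinned at `b5156cd755`, but this commit shows no hunk for `.gitmodules`, so the submodule URL cannot be reviewed here and a fresh clone will not know where to fetch it from unless `.gitmodules` was committed separately; confirm that file is in the repository and, if the upstream is an external tool rather than your own fork, note the upstream in the Week 6 notes so the pinned commit can be checked against it.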