WEBVTT

1
00:00:00.120 --> 00:00:01.920
In this section of the course,

2
00:00:01.920 --> 00:00:05.520
we are going to discuss threat modeling frameworks.

3
00:00:05.520 --> 00:00:08.340
The threat modeling framework section of the course

4
00:00:08.340 --> 00:00:10.170
focuses on domain one,

5
00:00:10.170 --> 00:00:14.790
governance, risk and compliance, specifically objective 1.4.

6
00:00:14.790 --> 00:00:18.000
Objective 1.4 states that given a scenario,

7
00:00:18.000 --> 00:00:21.210
you must be able to perform threat modeling activities.

8
00:00:21.210 --> 00:00:24.210
Threat modeling frameworks provide structured approaches

9
00:00:24.210 --> 00:00:25.800
to understanding and defending

10
00:00:25.800 --> 00:00:27.780
against potential cyber threats.

11
00:00:27.780 --> 00:00:30.930
By analyzing how attacks are typically carried out,

12
00:00:30.930 --> 00:00:33.630
organizations can identify vulnerabilities

13
00:00:33.630 --> 00:00:37.140
and anticipate the tactics that adversaries might use.

14
00:00:37.140 --> 00:00:39.390
Frameworks offer different perspectives

15
00:00:39.390 --> 00:00:41.550
from categorizing attack patterns

16
00:00:41.550 --> 00:00:44.220
to understanding the stages of an intrusion.

17
00:00:44.220 --> 00:00:48.270
This can help defensive teams prioritize security efforts.

18
00:00:48.270 --> 00:00:51.000
Ultimately, threat modeling frameworks serve

19
00:00:51.000 --> 00:00:54.540
as essential tools for building stronger defenses

20
00:00:54.540 --> 00:00:57.150
and improving overall security posture.

21
00:00:57.150 --> 00:00:58.800
As we go through this section,

22
00:00:58.800 --> 00:01:00.720
we will cover many topics related

23
00:01:00.720 --> 00:01:02.460
to threat modeling frameworks,

24
00:01:02.460 --> 00:01:04.890
including the cyber kill chain,

25
00:01:04.890 --> 00:01:08.100
Common Attack Pattern Enumeration and Classification,

26
00:01:08.100 --> 00:01:11.550
or CAPEC, MITRE Adversarial Tactics, Techniques,

27
00:01:11.550 --> 00:01:13.950
and Common Knowledge or MITRE ATT&CK,

28
00:01:13.950 --> 00:01:16.410
the diamond model of intrusion analysis,

29
00:01:16.410 --> 00:01:20.280
Spoofing, Tampering, Repudiation, Information Disclosure,

30
00:01:20.280 --> 00:01:23.790
Denial of Service and Elevation of Privilege or STRIDE,

31
00:01:23.790 --> 00:01:28.500
and the Open Web Application Security Project or OWASP.

32
00:01:28.500 --> 00:01:31.380
First, we will look at the cyber kill chain.

33
00:01:31.380 --> 00:01:33.960
The cyber kill chain is a threat modeling framework

34
00:01:33.960 --> 00:01:37.140
that breaks down the steps an attacker must go through

35
00:01:37.140 --> 00:01:38.670
to complete an attack.

36
00:01:38.670 --> 00:01:41.880
In this framework, each step must occur sequentially

37
00:01:41.880 --> 00:01:43.620
for an attack to be successful.

38
00:01:43.620 --> 00:01:44.580
In this way,

39
00:01:44.580 --> 00:01:47.250
the cyber kill chain helps organizations understand

40
00:01:47.250 --> 00:01:49.650
and disrupt an adversary's attack,

41
00:01:49.650 --> 00:01:52.440
effectively breaking a link in the chain.

42
00:01:52.440 --> 00:01:54.480
The cyber kill chain was originally developed

43
00:01:54.480 --> 00:01:57.930
by Lockheed Martin and consists of seven steps.

44
00:01:57.930 --> 00:01:59.910
The first step is reconnaissance.

45
00:01:59.910 --> 00:02:01.440
During the reconnaissance step,

46
00:02:01.440 --> 00:02:04.500
attackers gather detailed information about their target

47
00:02:04.500 --> 00:02:07.500
to identify vulnerabilities or entry points.

48
00:02:07.500 --> 00:02:09.600
The second step is weaponization.

49
00:02:09.600 --> 00:02:11.280
During the weaponization step,

50
00:02:11.280 --> 00:02:14.370
attackers create malicious tools or payloads

51
00:02:14.370 --> 00:02:17.250
tailored to exploit the identified weaknesses.

52
00:02:17.250 --> 00:02:19.050
The third step is delivery.

53
00:02:19.050 --> 00:02:20.580
During the delivery step,

54
00:02:20.580 --> 00:02:23.760
an attacker transmits the payload to the target,

55
00:02:23.760 --> 00:02:26.040
often through methods like phishing emails

56
00:02:26.040 --> 00:02:27.690
or malicious websites.

57
00:02:27.690 --> 00:02:30.180
The fourth step is exploitation.

58
00:02:30.180 --> 00:02:31.770
During the exploitation step,

59
00:02:31.770 --> 00:02:35.280
an attacker uses the payload to exploit a vulnerability

60
00:02:35.280 --> 00:02:37.140
within the target system.

61
00:02:37.140 --> 00:02:39.240
The fifth step is installation.

62
00:02:39.240 --> 00:02:40.560
During the installation step,

63
00:02:40.560 --> 00:02:42.270
an attacker installs malware

64
00:02:42.270 --> 00:02:45.480
or other tools to maintain persistent access

65
00:02:45.480 --> 00:02:47.310
to the compromised system.

66
00:02:47.310 --> 00:02:50.070
The sixth step is command and control.

67
00:02:50.070 --> 00:02:51.810
During the command and control step,

68
00:02:51.810 --> 00:02:54.690
an attacker establishes a communication channel

69
00:02:54.690 --> 00:02:57.330
with the compromised system to control it

70
00:02:57.330 --> 00:02:59.160
and direct further actions.

71
00:02:59.160 --> 00:03:03.180
The seventh and final step is actions on objectives.

72
00:03:03.180 --> 00:03:04.920
During actions on objectives,

73
00:03:04.920 --> 00:03:08.340
an attacker achieves their goal such as stealing data,

74
00:03:08.340 --> 00:03:11.670
disrupting operations or spreading ransomware.

75
00:03:11.670 --> 00:03:13.590
Applying the cyber kill chain,

76
00:03:13.590 --> 00:03:15.990
an organization may detect an attack

77
00:03:15.990 --> 00:03:20.160
during the delivery stage by identifying suspicious emails.

78
00:03:20.160 --> 00:03:23.430
Once detected, the organization can prevent the attack

79
00:03:23.430 --> 00:03:26.700
from progressing to the exploitation and installation phases

80
00:03:26.700 --> 00:03:29.340
by blocking the sender's address or domain,

81
00:03:29.340 --> 00:03:33.030
quarantining or deleting similar emails across the network,

82
00:03:33.030 --> 00:03:34.800
alerting employees to be cautious

83
00:03:34.800 --> 00:03:38.280
of similar phishing attempts and updating email filters

84
00:03:38.280 --> 00:03:39.630
to prevent similar emails

85
00:03:39.630 --> 00:03:41.760
from reaching users in the future.

86
00:03:41.760 --> 00:03:44.940
This response would effectively stop the attack

87
00:03:44.940 --> 00:03:46.380
before it can continue

88
00:03:46.380 --> 00:03:50.280
and force the attacker back to step one in a new attack.

89
00:03:50.280 --> 00:03:54.360
Next, we will explore Common Attack Pattern Enumeration

90
00:03:54.360 --> 00:03:57.600
and Classification or the CAPEC framework.

91
00:03:57.600 --> 00:04:01.620
CAPEC is a threat modeling framework developed by MITRE.

92
00:04:01.620 --> 00:04:04.770
It categorizes and describes common attack patterns

93
00:04:04.770 --> 00:04:08.820
used by adversaries to exploit vulnerabilities in systems.

94
00:04:08.820 --> 00:04:12.600
CAPEC provides detailed attributes for each attack pattern,

95
00:04:12.600 --> 00:04:16.950
such as the attack's prerequisites, potential outcomes,

96
00:04:16.950 --> 00:04:20.280
and the typical steps involved in executing the attack.

97
00:04:20.280 --> 00:04:23.220
These attributes enable security professionals

98
00:04:23.220 --> 00:04:25.650
to understand how attacks are carried out.

99
00:04:25.650 --> 00:04:27.450
A key use case for CAPEC

100
00:04:27.450 --> 00:04:30.330
is in identifying and mitigating vulnerabilities

101
00:04:30.330 --> 00:04:32.640
during the software development lifecycle.

102
00:04:32.640 --> 00:04:34.830
By referencing CAPEC patterns,

103
00:04:34.830 --> 00:04:37.500
developers can anticipate potential threats

104
00:04:37.500 --> 00:04:39.690
and design more secure systems.

105
00:04:39.690 --> 00:04:42.750
For example, if a development team identifies

106
00:04:42.750 --> 00:04:46.140
that their application is vulnerable to SQL injection,

107
00:04:46.140 --> 00:04:49.170
they can refer to the relevant CAPEC entry

108
00:04:49.170 --> 00:04:51.900
to understand the attributes of this attack,

109
00:04:51.900 --> 00:04:55.950
allowing them to implement specific defenses against it.

110
00:04:55.950 --> 00:04:59.760
After that, we will look at the MITRE Adversarial Tactics,

111
00:04:59.760 --> 00:05:03.630
Techniques and Common Knowledge or MITRE ATT&CK framework.

112
00:05:03.630 --> 00:05:06.150
The MITRE ATT&CK framework categorizes

113
00:05:06.150 --> 00:05:07.830
and documents the tactics,

114
00:05:07.830 --> 00:05:12.330
techniques and procedures or TTPs used by adversaries

115
00:05:12.330 --> 00:05:14.670
to compromise and exploit systems.

116
00:05:14.670 --> 00:05:17.220
The framework is organized into matrices

117
00:05:17.220 --> 00:05:19.950
that outline the various stages of an attack

118
00:05:19.950 --> 00:05:23.280
with each matrix entry detailing specific attributes,

119
00:05:23.280 --> 00:05:26.070
like the required permissions, platforms,

120
00:05:26.070 --> 00:05:28.290
and potential mitigation strategies.

121
00:05:28.290 --> 00:05:32.190
MITRE ATT&CK matrices include the Enterprise ATT&CK matrix,

122
00:05:32.190 --> 00:05:34.230
ATT&CK for Mobile, PRE-ATT&CK

123
00:05:34.230 --> 00:05:38.130
and ATT&CK for Industrial Control Systems or ICS.

124
00:05:38.130 --> 00:05:41.670
Part of the MITRE ATT&CK framework is the ATT&CK Navigator.

125
00:05:41.670 --> 00:05:42.810
The ATT&CK Navigator

126
00:05:42.810 --> 00:05:46.590
is a tool that allows security professionals to visually map

127
00:05:46.590 --> 00:05:48.870
and analyze how specific techniques

128
00:05:48.870 --> 00:05:51.180
might be used by specific threat actors

129
00:05:51.180 --> 00:05:52.620
against their systems.

130
00:05:52.620 --> 00:05:55.290
For example, a cybersecurity team might use

131
00:05:55.290 --> 00:05:58.440
the ATT&CK Navigator to map out the tactics, techniques,

132
00:05:58.440 --> 00:06:02.010
and procedures associated with a specific threat actor,

133
00:06:02.010 --> 00:06:06.120
such as Advanced Persistent Threat or APT29.

134
00:06:06.120 --> 00:06:10.320
By highlighting the techniques that APT29 commonly employs,

135
00:06:10.320 --> 00:06:13.410
the team can visualize how these techniques align

136
00:06:13.410 --> 00:06:16.410
with their own organization's security controls.

137
00:06:16.410 --> 00:06:18.300
This comparison would allow the team

138
00:06:18.300 --> 00:06:20.580
to identify gaps in their defenses

139
00:06:20.580 --> 00:06:23.010
and prioritize security enhancements

140
00:06:23.010 --> 00:06:25.050
to protect against the most relevant

141
00:06:25.050 --> 00:06:28.920
and dangerous methods used by APT29.

142
00:06:28.920 --> 00:06:32.880
Next, we'll explore the diamond model of intrusion analysis.

143
00:06:32.880 --> 00:06:35.070
The diamond model of intrusion analysis

144
00:06:35.070 --> 00:06:38.730
is a threat modeling framework that dissects cyber incidents

145
00:06:38.730 --> 00:06:41.280
by focusing on four key components:

146
00:06:41.280 --> 00:06:45.390
the adversary, infrastructure, capability and victim.

147
00:06:45.390 --> 00:06:47.850
In the diamond model of intrusion analysis,

148
00:06:47.850 --> 00:06:50.160
these four components are visualized

149
00:06:50.160 --> 00:06:52.080
as the vertices of a diamond.

150
00:06:52.080 --> 00:06:54.840
The adversary component represents the individual

151
00:06:54.840 --> 00:06:56.730
or group behind the attack,

152
00:06:56.730 --> 00:06:59.910
including their motives, resources, and intent.

153
00:06:59.910 --> 00:07:03.690
The infrastructure component refers to the tools, networks,

154
00:07:03.690 --> 00:07:06.120
and other resources used by the adversary

155
00:07:06.120 --> 00:07:07.710
to carry out the attack.

156
00:07:07.710 --> 00:07:10.950
Infrastructure can include command and control servers,

157
00:07:10.950 --> 00:07:13.290
malware, or phishing websites.

158
00:07:13.290 --> 00:07:14.760
The capability component

159
00:07:14.760 --> 00:07:16.860
encompasses the specific techniques,

160
00:07:16.860 --> 00:07:20.190
tactics and procedures employed by the adversary.

161
00:07:20.190 --> 00:07:23.700
Capabilities include exploiting a software vulnerability

162
00:07:23.700 --> 00:07:25.320
or deploying malware.

163
00:07:25.320 --> 00:07:28.920
Finally, the victim component is the target of the attack.

164
00:07:28.920 --> 00:07:31.710
Victims include the organization, individuals

165
00:07:31.710 --> 00:07:35.280
or systems affected along with the specific vulnerabilities

166
00:07:35.280 --> 00:07:36.690
that were exploited.

167
00:07:36.690 --> 00:07:38.760
These four components are interconnected

168
00:07:38.760 --> 00:07:41.040
with each one influencing the others.

169
00:07:41.040 --> 00:07:44.880
Together, they provide a holistic view of the intrusion.

170
00:07:44.880 --> 00:07:47.220
The model also includes meta-features.

171
00:07:47.220 --> 00:07:49.680
A meta-feature is an additional attribute

172
00:07:49.680 --> 00:07:53.370
that provides context and depth to the four components

173
00:07:53.370 --> 00:07:57.090
by linking them with specific details like time, phase

174
00:07:57.090 --> 00:07:58.500
and methodology.

175
00:07:58.500 --> 00:08:03.500
The meta-features are timestamp, phase, result, direction,

176
00:08:03.540 --> 00:08:05.850
methodology and resources.

177
00:08:05.850 --> 00:08:08.160
The diamond model can also be integrated

178
00:08:08.160 --> 00:08:11.010
with other frameworks such as MITRE ATT&CK

179
00:08:11.010 --> 00:08:13.320
to map specific tactics and techniques

180
00:08:13.320 --> 00:08:15.270
to the broader intrusion strategy.

181
00:08:15.270 --> 00:08:18.630
For example, an organization might use the diamond model

182
00:08:18.630 --> 00:08:20.550
to trace the path of an attack

183
00:08:20.550 --> 00:08:22.470
from an adversary's capabilities,

184
00:08:22.470 --> 00:08:24.540
through their infrastructure to the victim,

185
00:08:24.540 --> 00:08:26.550
and then cross-reference these findings

186
00:08:26.550 --> 00:08:29.700
with the ATT&CK matrix to develop targeted defenses

187
00:08:29.700 --> 00:08:31.530
and response strategies.

188
00:08:31.530 --> 00:08:34.950
Following that, we will look at the Spoofing, Tampering,

189
00:08:34.950 --> 00:08:38.730
Repudiation, Information Disclosure, Denial of Service,

190
00:08:38.730 --> 00:08:42.120
and Elevation of Privilege or STRIDE framework.

191
00:08:42.120 --> 00:08:44.400
The STRIDE framework is used to identify

192
00:08:44.400 --> 00:08:46.890
and categorize potential security threats

193
00:08:46.890 --> 00:08:48.510
across six categories:

194
00:08:48.510 --> 00:08:51.360
spoofing, tampering, repudiation,

195
00:08:51.360 --> 00:08:54.210
information disclosure, denial of service

196
00:08:54.210 --> 00:08:56.250
and elevation of privilege.

197
00:08:56.250 --> 00:08:57.900
Each of these categories represents

198
00:08:57.900 --> 00:08:59.610
a different type of threat.

199
00:08:59.610 --> 00:09:02.880
Spoofing involves impersonating another entity.

200
00:09:02.880 --> 00:09:06.510
Tampering refers to unauthorized modification of data.

201
00:09:06.510 --> 00:09:08.880
Repudiation deals with denying actions

202
00:09:08.880 --> 00:09:10.620
after they have been performed.

203
00:09:10.620 --> 00:09:12.120
Information disclosure

204
00:09:12.120 --> 00:09:15.060
is the unauthorized release of sensitive data,

205
00:09:15.060 --> 00:09:17.760
denial of service disrupts system availability,

206
00:09:17.760 --> 00:09:19.650
and elevation of privilege occurs

207
00:09:19.650 --> 00:09:22.770
when a user gains higher access rights than intended.

208
00:09:22.770 --> 00:09:23.970
The STRIDE framework

209
00:09:23.970 --> 00:09:26.370
is commonly used during the design phase

210
00:09:26.370 --> 00:09:30.270
of software development to evaluate security vulnerabilities

211
00:09:30.270 --> 00:09:33.600
by examining how each threat category could be exploited

212
00:09:33.600 --> 00:09:34.710
in a system.

213
00:09:34.710 --> 00:09:37.620
For example, a developer might use STRIDE

214
00:09:37.620 --> 00:09:40.170
to identify that a web application is vulnerable

215
00:09:40.170 --> 00:09:43.110
to tampering if input validation is weak

216
00:09:43.110 --> 00:09:46.110
and then implement measures such as data integrity checks

217
00:09:46.110 --> 00:09:47.700
to mitigate that risk.

218
00:09:47.700 --> 00:09:49.740
Finally, we will explore

219
00:09:49.740 --> 00:09:53.670
the Open Web Application Security Project or OWASP.

220
00:09:53.670 --> 00:09:56.430
OWASP is a nonprofit organization

221
00:09:56.430 --> 00:09:58.830
that provides a comprehensive framework

222
00:09:58.830 --> 00:10:01.020
for improving the security of software,

223
00:10:01.020 --> 00:10:03.150
particularly web applications.

224
00:10:03.150 --> 00:10:06.900
One widely recognized product is the OWASP Top 10.

225
00:10:06.900 --> 00:10:08.940
The OWASP Top 10 is a list

226
00:10:08.940 --> 00:10:12.450
of the 10 most critical web application security risks.

227
00:10:12.450 --> 00:10:15.720
The OWASP Top 10 serves as an essential reference

228
00:10:15.720 --> 00:10:18.120
for developers and security professionals

229
00:10:18.120 --> 00:10:21.120
to understand and mitigate common vulnerabilities,

230
00:10:21.120 --> 00:10:23.280
such as injection flaws,

231
00:10:23.280 --> 00:10:26.460
broken authentication and Cross-site Scripting.

232
00:10:26.460 --> 00:10:28.620
Beyond the OWASP Top 10,

233
00:10:28.620 --> 00:10:32.310
OWASP offers a variety of other tools and resources,

234
00:10:32.310 --> 00:10:36.570
such as OWASP Application Security Verification Standard

235
00:10:36.570 --> 00:10:39.030
for standardizing security requirements.

236
00:10:39.030 --> 00:10:43.680
In practice, a development team might use the OWASP Top 10

237
00:10:43.680 --> 00:10:45.960
as a checklist during code reviews

238
00:10:45.960 --> 00:10:47.880
to ensure their web application

239
00:10:47.880 --> 00:10:50.340
is protected against the most common threats,

240
00:10:50.340 --> 00:10:54.930
while employing OWASP tools like the Zed Attack Proxy or ZAP

241
00:10:54.930 --> 00:10:57.450
to perform dynamic security testing

242
00:10:57.450 --> 00:10:59.520
throughout the development process.

243
00:10:59.520 --> 00:11:00.750
To finish things off,

244
00:11:00.750 --> 00:11:02.010
we'll take a short quiz

245
00:11:02.010 --> 00:11:04.860
to see what you learned during this section of the course

246
00:11:04.860 --> 00:11:07.650
and we will review each of those quiz questions

247
00:11:07.650 --> 00:11:09.720
to fully ensure you can explain

248
00:11:09.720 --> 00:11:11.310
why the right answers were right

249
00:11:11.310 --> 00:11:12.990
and the wrong answers were wrong.

250
00:11:12.990 --> 00:11:16.500
So, let's get ready to dive into threat modeling frameworks

251
00:11:16.500 --> 00:11:18.543
in this section of the course.

