Attack Models

Attack Models capture information used to think like an attacker: threat modeling, abuse case development and refinement, data classification, and technology-specific attack patterns.

Attack Models Level 1

[AM1.2: 75] Create a data classification scheme and inventory.

The organization agrees on a data classification scheme and uses it to inventory its software according to the kinds of data the software handles, regardless of whether the software is on or off premise. This allows applications to be prioritized by their data classification. Many classification schemes are possible—one approach is to focus on PII, for example. Depending on the scheme and the software involved, it could be easiest to first classify data repositories and then derive classifications for applications according to the repositories they use. Other approaches to the problem include data classification according to protection of intellectual property, impact of disclosure, exposure to attack, relevance to GDPR, or geographic boundaries.

[AM1.3: 38] Identify potential attackers.

The SSG identifies potential attackers in order to understand their motivations and abilities. The outcome of this exercise could be a set of attacker profiles that include generic sketches for categories of attackers and more detailed descriptions for noteworthy individuals. In some cases, a third-party vendor might be contracted to provide this information. Specific and contextual attacker information is almost always more useful than generic information copied from someone else’s list. Moreover, a list that simply divides the world into insiders and outsiders won’t drive useful results.

[AM1.5: 53] Gather and use attack intelligence.

The SSG stays ahead of the curve by learning about new types of attacks and vulnerabilities. The information comes from attending conferences and workshops, monitoring attacker forums, and reading relevant publications, mailing lists, and blogs. Make Sun Tzu proud by knowing your enemy; engage with the security researchers who are likely to cause you trouble. In many cases, a subscription to a commercial service provides a reasonable way of gathering basic attack intelligence. Regardless of its origin, attack information must be made actionable and useful for software builders and testers.

Attack Models Level 2

[AM2.1: 10] Build attack patterns and abuse cases tied to potential attackers.

The SSG prepares for security testing and architecture analysis by building attack patterns and abuse cases tied to potential attackers (see [AM1.3 Identify potential attackers]). These resources don’t have to be built from scratch for every application to be useful. Instead, there could be standard sets for applications with similar profiles. The SSG will add to the pile based on attack stories, for example, a story about an attack against a poorly designed cloud application could lead to a cloud security attack pattern that drives a new type of testing. If a firm tracks fraud and monetary costs associated with particular attacks, this information can be used to prioritize the process of building attack patterns and abuse cases.

[AM2.2: 10] Create technology-specific attack patterns.

The SSG creates technology-specific attack patterns to capture knowledge about attacks that target particular technologies. For example, if the organization’s cloud software relies on the cloud vendor’s security apparatus (e.g., cryptography), the SSG could catalogue the quirks of the crypto package and how it might be exploited. Attack patterns directly related to the security frontier (e.g., IoT) can be useful as well. Simply republishing a general guideline (e.g., “Ensure data are protected in transit”) and adding “for mobile applications” on the end does not constitute a technology-specific attack pattern.

[AM2.5: 16] Build and maintain a top N possible attacks list.

The SSG helps the organization understand attack basics by maintaining a living list of important attacks and using it to drive change. This list combines input from multiple sources such as observed attacks, hacker forums, industry trends, new technology stacks or deployment methods in use, etc. It does not need to be updated with great frequency, and attacks can be coarsely sorted. For example, the SSG might brainstorm twice per year to create lists of attacks the organization should be prepared to counter “now,” “soon,” and “someday.” In some cases, attack model information is used in a list-based approach to architecture analysis, helping focus the analysis as in the case of STRIDE. Don’t just build the list; use it.

[AM2.6: 14] Collect and publish attack stories.

To maximize the benefit from lessons that don’t always come cheap, the SSG collects and publishes stories about attacks against the organization. Both successful and unsuccessful attacks can be noteworthy, and discussing historical information about software attacks has the added effect of grounding software security in a firm’s reality. This is particularly useful in training classes, to help counter a generic approach that’s overly focused on top 10 lists or irrelevant and outdated platform attacks (see [T1.6 Create and use material specific to company history]). Hiding information about attacks from people building new systems does nothing to garner positive benefit from a negative happenstance.

[AM2.7: 11] Build an internal forum to discuss attacks.

The organization has an internal forum where the SSG, the satellite, and others discuss attacks and attack methods. The forum serves to communicate the attacker perspective. The SSG could also maintain an internal mailing list where subscribers discuss the latest information on publicly known incidents. Dissection of attacks and exploits that are relevant to a firm are particularly helpful when they spur discussion of development mitigations. Simply republishing items from public mailing lists doesn’t achieve the same benefits as active discussion, nor does a closed discussion hidden from those actually creating code. Everyone should feel free to ask questions and learn about vulnerabilities and exploits. Vigilance means never getting too comfortable (see [SR1.2 Create a security portal]).

Attack Models Level 3

[AM3.1: 4] Have a science team that develops new attack methods.

The SSG has a science team that works to identify and defang new classes of attacks before real attackers even know that they exist. Because the security implications of new technologies have not been fully explored in the wild, doing it yourself is sometimes the best way forward. This isn’t a penetration testing team finding new instances of known types of weaknesses—it’s a research group that innovates new types of attacks. A science team may include well-known security researchers who publish their findings at conferences like DEF CON.

[AM3.2: 2] Create and use automation to mimic attackers.

The SSG arms testers with automation to mimic what attackers are going to do. For example, a new attack method identified by the science team could require a new tool, so the SSG packages the new tool and distributes it to testers. The idea here is to push attack capability past what typical commercial tools and offerings encompass, and then repurpose that information for others to use. Tailoring these new tools to a firm’s particular technology stacks and potential attackers is a good idea as well. When technology stacks and coding languages are evolving faster than vendors can innovate, creating your own tools might be the best way forward.