<div class="container">
<div class="col">

# Intro to the Defense

## CS 3710: Intro to Cybersecurity

</div>
<div class="col">
<figure>
<img src="../../img/misc/virus_firewall.png">
<figcaption>
</figcaption>
</figure>
</div>
</div>

===

<div class="container">
<div class="col" style="display: flex; align-items: center;">
<div>

## Threat modeling

*Credit: [Alex Curtiss](https://twitter.com/apccurtiss)*

</div>
</div>
<div class="col">
<figure>
<img src="../../img/defense/threat_model_shark.webp" style="max-height: 60vh;">
<figcaption>

*Source: [@thegrugq](https://twitter.com/thegrugq/status/864023197145944064)*

</figcaption>
</figure>
</div>
</div>

---

## What is threat modeling?

<div class="fragment semi-fade-out" data-fragment-index=0>

Chances are that you've done threat modeling at some point in your life, whether you've realized it or not.

</div>
<div class="fragment" data-fragment-index=0>

Any time you've thought about *"what might go wrong?"* and *"what can I do to stop it from happening?"*, you've been implicitly threat modeling.

</div>

---

## Threat modeling

Threat modeling works in three steps:

<div class="fragment semi-fade-out" data-fragment-index=0>

1. Understand what we're protecting.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=0>

2. Identify potential threats.

</div>
<div class="fragment" data-fragment-index=1>

3. Determine how to prevent them.

</div>

---

## 1. Understand what we're protecting

<div class="fragment semi-fade-out" data-fragment-index=0>

The first step in threat modeling is *determining what you want to protect*.

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=0>

These are often assets: money, vehicles, etc.

</div>
<div class="fragment" data-fragment-index=1>

But they can also be things like time, physical and mental health, etc.

</div>
<figure>
<img src="../../img/defense/shield.png" style="height: 30vh;">
<figcaption>
</figcaption>
</figure>

---

## The CIA triad

<figure>
<img src="../../img/intro/cia_triad.drawio.png" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>
<div class="text-center">

We will use the *CIA triad* as our model for what kinds of things we want to protect.

</div>

---

## Confidentiality

<div class="container">
<div class="col">

_**Confidentiality:**_ is sensitive data kept private?

The Equifax breach is a classic example of a breach of confidentiality.

</div>
<div class="col">
<figure>
<img src="../../img/intro/equifax_ftc_summary.webp" style="max-height: 30vh;">
<figcaption>

*Source: Federal Trade Commission*

</figcaption>
</figure>
</div>
</div>

---

## Integrity

_**Integrity:**_ are data or systems being tampered with?

<div class="container">
<div class="col">
<figure>
<img src="../../img/defense/csuva_https_1.webp" style="max-height: 30vh;">
<figcaption>
</figcaption>
</figure>
</div>
<div class="col">
<figure>
<img src="../../img/defense/csuva_https_2.webp" style="max-height: 30vh;">
<figcaption>
</figcaption>
</figure>
</div>
</div>

---

## Availability

<div class="container">
<div class="col">

_**Availability:**_ are users able to access systems?

_**Example:**_ your ability to access a website; your ability to read your emails, texts, etc.

</div>
<div class="col">
<figure>
<img src="../../img/malware/mirai_krebs.webp">
<figcaption>

*Source: Krebs on Security*

</figcaption>
</figure>
</div>
</div>

---

## 2. Identify potential threats

<div class="fragment semi-fade-out" data-fragment-index=0>

Once we've identified what we want to protect, we should start thinking about the *risks* that it faces.

</div>
<div class="fragment" data-fragment-index=0>

Part of our goal here is to think like the attacker. But it can be difficult to anticipate all of the different ways in which something might be attacked!

</div>

---

## 2. Identify potential threats

<figure>
<img src="../../img/defense/xkcd_538.png" style="height: 40vh;">
<figcaption>

*Source: [XKCD](https://xkcd.com/538/)*

</figcaption>
</figure>

---

## 2. Identify potential threats

<figure>
<img src="../../img/defense/fish_tank_hack.webp" style="max-height: 40vh;">
<figcaption>

*Source: [The Washington Post](https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/)*

</figcaption>
</figure>

notes:

The fish tank had IoT sensors to help control the temperature, food, and cleanliness of the tank. Attackers pivoted off of that device to get further into the casino's network and exfiltrate 10 GB of data.

---

## 2. Identify potential threats

When evaluating threats, it's important to understand the *risk* that they pose.

<div class="fragment">

You can think of risk as

<div class="text-center">

`risk = probability * severity`

</div>
</div>

---

## 2. Identify potential threats

In cybersecurity, threats can come from a lot of different areas:

<div class="r-stack">
<div class="fragment fade-out" data-fragment-index=0>
<div class="container">
<div class="col">

_**Script kiddies:**_ less-skilled attackers who use relatively basic methods to obtain access.

_**Examples:**_ Mirai

</div>
<div class="col">
<figure>
<img src="../../img/defense/script_kiddie.jpg">
<figcaption>
</figcaption>
</figure>
</div>
</div>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=0>
<div class="container">
<div class="col">

_**Professional attackers, ransomware groups:**_ professional groups of attackers who gain access to networks to ransom systems, exfiltrate data, sell access, etc.

_**Examples:**_ REvil, Maze

</div>
<div class="col">
<figure>
<img src="../../img/defense/professional_hacker.jpg">
<figcaption>
</figcaption>
</figure>
</div>
</div>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=1>
<div class="container">
<div class="col">

_**Nation-state attackers:**_ state-sponsored groups that perform attacks against digital infrastructure in order to advance military and intelligence objectives.

_**Examples:**_ Fancy Bear / Cozy Bear, NSA / TAO

</div>
<div class="col">
<figure>
<img src="../../img/defense/eff_nsa_att_graphic.webp" style="max-height: 40vh;">
<figcaption>
</figcaption>
</figure>
</div>
</div>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=2>
<div class="container">
<div class="col">

_**Partners, family members, and personal acquaintances:**_ have physical access to the victim and know them personally; motives may vary.

</div>
<div class="col">
<figure>
<img src="../../img/intro/stalkerware_article_censored.webp">
<figcaption>
</figcaption>
</figure>
</div>
</div>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=3>
<div class="container">
<div class="col">

_**Insider threat:**_ somebody who's already inside an organization and has access to its infrastructure. Often motivated by financial incentives, grievances against the organization, etc.

</div>
<div class="col">
<figure>
<img src="../../img/defense/kim_philby_stamp.jpg" style="max-height: 30vh;">
<figcaption>

*Kim Philby on a Soviet Union stamp*

</figcaption>
</figure>
</div>
</div>
</div>
<div class="fragment fade-in-then-out" data-fragment-index=4>
<figure>
<img src="../../img/defense/us_nk_hiring_it.webp" style="max-height: 40vh;">
<figcaption>

*Source: [Reuters](https://www.reuters.com/world/asia-pacific/us-warns-against-inadvertently-hiring-north-korean-it-workers-2022-05-16/)*

</figcaption>
</figure>
</div>
<!-- End r-stack -->
</div>

notes:

- Cambridge Five: https://en.wikipedia.org/wiki/Cambridge_Five
- The Cambridge Five were a group of spies for the Soviet Union that attained high positions in British intelligence services (MI5 and MI6).

---

## 2. Identify potential threats

_**Example:**_ which adversaries will each of these password storage / memorization mechanisms face?

<div class="fragment semi-fade-out" data-fragment-index=0>

- Using the same long and complex password for everything

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=0>

- Writing passwords in a journal

</div>
<div class="fragment fade-in-then-semi-out" data-fragment-index=1>

- Using password management software

</div>

---

## 3. Determine how to prevent threats

Once we've identified threats and the risk that they pose, we start thinking about how to *prevent* those threats.

<figure>
<img src="../../img/site/ticktock.webp" style="max-height: 50vh;">
<figcaption>
</figcaption>
</figure>

---

## 3. Determine how to prevent threats

Even if it's not possible to fully prevent a threat, you can often find *mitigations* that reduce its impact.

<div class="r-stack">
<div class="fragment fade-out" data-fragment-index=0>
<figure>
<img src="../../img/defense/google_cloud_log4j_logging.png" style="max-height: 30vh;">
<figcaption>

*Source: [Google Cloud](https://cloud.google.com/logging/docs/log4j2-vulnerability)*

</figcaption>
</figure>
</div>
<div class="fragment" data-fragment-index=0>
<figure>
<img src="../../img/defense/Swiss_cheese_model.svg" class="image-background">
<figcaption>
</figcaption>
</figure>
</div>
</div>

---

## Updating your threat model

<div class="container">
<div class="col">
<div class="fragment semi-fade-out" data-fragment-index=0>

A threat model adapts and evolves over time.

</div>
<div class="fragment" data-fragment-index=0>

It's often useful to update your threat model after a big change, e.g.:

- Adding infrastructure
- Obtaining new resources and assets
- Organizational and personnel shifts

</div>
</div>
<div class="col">
<figure>
<img src="../../img/defense/cat_local_access.webp" style="max-height: 50vh;">
<figcaption>

*Source: [@SchmiegSophie](https://twitter.com/SchmiegSophie/status/1370534372252606469)*

</figcaption>
</figure>
</div>
</div>
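---

## Threat modeling: a worked example

The three steps above (what we protect, which threats it faces, how we mitigate them), the `risk = probability * severity` rule, and the Swiss cheese idea of stacked mitigations, carried through as a small Python model. This is an added example, not code from the lecture: the assets, threat actors, mitigations and every probability and severity value are constructed estimates, and the `blocks` / `limits` fields are an assumed way to distinguish a mitigation that lowers the chance of success from one that limits the damage when an attack succeeds.

```python
"""Toy threat-model calculator (added example; all data below is constructed).

Step 1: list assets and which leg of the CIA triad is at stake.
Step 2: attach threats with an estimated probability and severity,
        so that risk = probability * severity.
Step 3: attach layered mitigations.  In the Swiss cheese model an attack
        only succeeds if it passes through a hole in every layer, so each
        layer multiplies the residual probability by (1 - blocks) and the
        residual severity by (1 - limits).  Threats are then re-ranked by
        residual risk.
"""
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple


@dataclass
class Mitigation:
    name: str
    blocks: float = 0.0  # fraction of attempts this layer stops (assumed field)
    limits: float = 0.0  # fraction of the damage it removes on success (assumed field)


@dataclass
class Threat:
    name: str
    actor: str          # script kiddie, ransomware group, nation state, insider, ...
    probability: float  # estimated chance of success with no defenses, 0..1
    severity: float     # impact if it succeeds, on a 0..10 scale
    mitigations: List[Mitigation] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")

    def inherent_risk(self) -> float:
        # The slide's rule applied before any mitigation.
        return self.probability * self.severity

    def residual_probability(self) -> float:
        # Every layer must be passed; prod() of an empty sequence is 1.
        return self.probability * prod(1.0 - m.blocks for m in self.mitigations)

    def residual_severity(self) -> float:
        return self.severity * prod(1.0 - m.limits for m in self.mitigations)

    def residual_risk(self) -> float:
        return self.residual_probability() * self.residual_severity()


@dataclass
class Asset:
    name: str
    cia: str  # "confidentiality", "integrity" or "availability"
    threats: List[Threat] = field(default_factory=list)


def rank_threats(assets: List[Asset]) -> List[Tuple[str, str, float, float]]:
    """(asset, threat, inherent risk, residual risk), highest residual risk first."""
    rows = [(a.name, t.name, t.inherent_risk(), t.residual_risk())
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def build_example_model() -> List[Asset]:
    """Constructed model of a small business; every number is a made-up estimate."""
    mfa = Mitigation("MFA on logins", blocks=0.9)
    rate_limit = Mitigation("login rate limiting", blocks=0.5)
    mail_filter = Mitigation("phishing email filtering", blocks=0.7)
    backups = Mitigation("offline backups", limits=0.8)
    scrubbing = Mitigation("DDoS scrubbing / CDN", limits=0.75)
    return [
        Asset("customer database", "confidentiality", [
            Threat("credential stuffing", "script kiddie", 0.9, 6, [mfa, rate_limit])]),
        Asset("file servers", "availability", [
            Threat("ransomware via phishing", "ransomware group", 0.4, 10, [mail_filter, backups])]),
        Asset("public website", "availability", [
            Threat("IoT botnet DDoS", "script kiddie", 0.6, 4, [scrubbing])]),
        Asset("internal network", "confidentiality", [
            # Newly added device with no mitigations yet, in the spirit of the fish tank story.
            Threat("pivot from IoT sensor", "professional attacker", 0.2, 8)]),
    ]


if __name__ == "__main__":
    for asset, threat, inherent, residual in rank_threats(build_example_model()):
        print(f"{asset:18} {threat:26} inherent={inherent:4.2f} residual={residual:4.2f}")
```

Ranked by inherent risk, credential stuffing comes first; ranked by residual risk, the unmitigated IoT pivot comes first even though its inherent risk is the lowest of the four. That is the point of the "update your threat model after adding infrastructure" slide: the ordering you act on is the one after existing controls are accounted for, and it changes when a new asset arrives without controls.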