Mike Rebultan
9 min read · Sep 2, 2022

🚥PRODUCT & APPLICATION SECURITY THREAT MODELING with MITRE ATT&CK FRAMEWORK 🔰

For many years, we have been taught and have practiced different methodologies and frameworks for applying risk mitigations through threat modeling, such as STRIDE, DREAD, PASTA, VAST, TRIKE, hTMM, OCTAVE, LINDDUN, and more. While there is no problem with these “traditional” approaches, why are so many organizations from different sectors still falling into the adversaries’ den and getting breached? Simultaneous attacks from different directions are even more rampant. Is this because of negligence by software engineers, whose code is buggy and vulnerable to exploitation?

Even though “DevSecOps” teams perform code reviews during the development life cycle of different applications on the web, mobile, API, and more, there are still loopholes in the products that allow threat actors to compromise these platforms. Is there a lack of auditing to ensure that the necessary code scanning rules are enabled, and are defects being bypassed or ignored just for the sake of hitting deadlines and deliverables?

With the constantly evolving sophistication and innovation of the threat landscape, application security and many other cybersecurity domains seem to have accepted playing “whack-a-mole” and hide-and-seek against the advanced persistent threats (APTs) and state-sponsored adversaries.

Another gap that is clearly visible and yet overlooked by many organizations is the lack of offensive skills among their developers. Many, if not all, DevSecOps teams are very focused on securing products and applications with the mindset of a defender. Instead, would it not be more efficient if programmers and software engineers had the skills and knowledge of an attacker? At least they would know the very reason why they are developing secure applications before they go to production.

To visualize the different attack vectors for every application, here is the high-level threat modeling for each product, mapped to the MITRE ATT&CK framework, with mitigating controls cited for cyber resiliency.

WEB APP’s Kill Chain (MITRE ATT&CK Framework — High-Level Visualization)

MITIGATION and CYBER RESILIENCE
1. Vulnerability Scanning — Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

2. Update Software — Ensuring all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.

3. Privileged Account Management — Using the least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.

4. Data Loss Prevention — Data loss prevention can detect and block sensitive data being uploaded via web browsers.

5. Filter Network Traffic — Enforce proxies and use dedicated servers for services such as DNS and only allow those systems to communicate over respective ports/protocols, instead of all systems within a network.

6. Network Intrusion Prevention — Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.

7. Application Isolation and Sandboxing — Browser sandboxes can be used to mitigate some of the impacts of exploitation, but sandbox escapes may still exist. Other types of virtualizations and application micro-segmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.

8. Exploit Protection — Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility.

9. Restrict Web-Based Content — For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.

10. Network Segmentation — Segment externally facing servers and services from the rest of the network with a DMZ or on a separate hosting infrastructure. IEC62443 compliance.

11. Data Backup — Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off the system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

API’s Kill Chain (MITRE ATT&CK Framework — High-Level Visualization)

MITIGATION and CYBER RESILIENCE
1. Application Developer Guidance — Enable the Hardened Runtime capability when developing applications. Do not include the com.apple.security.get-task-allow entitlement with the value set to any variation of true.

2. Audit — Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

3. OS API Execution — Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient.

4. Code Signing — Ensure all application component binaries are signed by the correct application developers.

5. Software Configuration — HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing the use of an expected certificate.

6. User Account Management — Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.

7. Privileged Account Management — Using the least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.

8. Execution Prevention — Identify and block potentially malicious software that may be executed through this technique by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
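The entitlement check from item 1 can be enforced as a release gate. The following is an added example, not code from the original article: it parses an entitlements property list and flags com.apple.security.get-task-allow when set to any variation of true. The list of Hardened Runtime exception entitlements to review, the severity labels and the sample plist are assumptions made for this illustration.

```python
import plistlib

GET_TASK_ALLOW = "com.apple.security.get-task-allow"
# Hardened Runtime exception entitlements that relax its protections (reviewed, not banned).
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-executable-page-protection",
}

def is_truthy(value):
    """Match 'any variation of true': <true/>, non-zero integers, 'YES', 'true', '1'."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() in {"true", "yes", "1"}
    return False

def audit_entitlements(plist_bytes):
    """Return sorted (severity, key) findings for one entitlements plist."""
    entitlements = plistlib.loads(plist_bytes)
    findings = []
    for key, value in sorted(entitlements.items()):
        if not is_truthy(value):
            continue
        if key == GET_TASK_ALLOW:
            findings.append(("block-release", key))
        elif key in RUNTIME_EXCEPTIONS:
            findings.append(("review", key))
    return findings

# Constructed sample, shaped like the XML printed by `codesign -d --entitlements`.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key><string>YES</string>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-jit</key><false/>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for severity, key in audit_entitlements(SAMPLE):
        print(f"{severity}: {key}")
```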

MOBILE APP’s Kill Chain (MITRE ATT&CK Framework — Complete Visualization)

MITIGATION and CYBER RESILIENCE
1. Attestation — Device attestation could detect unauthorized operating system modifications.

2. System Partition Integrity — Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.

3. User Guidance — Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.

4. Enterprise Policy — An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android’s accessibility features.

5. Deploy Compromised Device Detection Method — Mobile security products can potentially detect jailbroken or rooted devices.

IIoT’s Kill Chain (MITRE ATT&CK Framework — High-Level Visualization)

MITIGATION and CYBER RESILIENCE
1. Mechanical Protection Layers — Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc.

2. Safety Instrumented Systems — Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.

3. Data Backup — Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off the system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

4. Out-of-Band Communications Channel — Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage. Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.

5. Redundancy of Service — Hot standbys in diverse locations can ensure continued operations if the primary system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network.

6. Communication Authenticity — Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).

7. Encrypt Sensitive Information — Encrypt any operational data with strong confidentiality requirements, including organizational trade secrets, recipes, and other intellectual property (IP).

8. Operational Information Confidentiality — Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility cover terms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions; therefore, it may not be feasible to implement.

9. Vulnerability Scanning — Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

10. Update Software — Ensuring all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.

11. Network Segmentation — Segment externally facing servers and services from the rest of the network with a DMZ or on a separate hosting infrastructure. IEC62443 compliance.

12. Software Process and Device Authentication — Devices should authenticate all messages between master and outstation assets.

13. Access Management — All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.

14. Boot Integrity — Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. Move the system’s root of trust to hardware to prevent tampering with the SPI flash memory. Technologies such as Intel Boot Guard can assist with this.

15. Code Signing — Ensure all application component binaries are signed by the correct application developers.

16. Minimize Wireless Signal Propagation — Techniques can include reducing transmission power on wireless signals, adjusting antenna gain to prevent extensions beyond organizational boundaries, and employing RF shielding techniques to block excessive signal propagation.

17. Audit — Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
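Items 6 and 12 above call for MAC-based authenticity on control messages between master and outstation. The following is an added example, not code from the original article and not an implementation of any specific ICS protocol: a minimal frame format with an HMAC-SHA256 tag and a sequence counter, so the receiver rejects both tampered and replayed commands. The frame layout, key, class name and command payloads are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # full HMAC-SHA256 tag

def seal(key, seq, payload):
    """Master side: frame = 8-byte big-endian sequence || payload || HMAC tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Outstation:
    """Receiver that accepts only authentic frames with a strictly increasing sequence."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def receive(self, frame):
        if len(frame) < 8 + TAG_LEN:
            return ("rejected", "short frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return ("rejected", "bad MAC")
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:  # authentic but already seen: replayed frame
            return ("rejected", "replay")
        self.last_seq = seq
        return ("accepted", body[8:])

def demo():
    key = bytes(range(32))  # constructed key; real keys are provisioned per device pair
    rtu = Outstation(key)
    frame = seal(key, 1, b"OPEN VALVE 7")  # constructed command payload
    tampered = frame[:8] + b"OPEN VALVE 9" + frame[-TAG_LEN:]
    return [
        rtu.receive(frame),
        rtu.receive(frame),
        rtu.receive(tampered),
        rtu.receive(seal(key, 2, b"CLOSE VALVE 7")),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The MAC is verified before the sequence number is read, so an unauthenticated frame can never advance or probe the replay counter.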

Lastly, for the “blue teamers” in cybersecurity, it is good to have a deeper understanding of the business that they are protecting: the so-called “bread and butter” of their organizations. If it is in the IIoT sector, for example, they should have knowledge of industrial control systems or operational technology (ICS/OT). If it is a mobile application-related company, they should at least have the skills to do penetration testing or reverse engineering, including rooting and jailbreaking of the product, so that a fraudulent application discovered through their threat intelligence can be analyzed. The same goes for web applications and APIs.

If the organization is capable of having separate incident responders for general IT (aka CSIRT or DFIR), products (aka PSIRT), and OT (ICSIRT), that would be recommended, as each would be more focused on its respective specialization. While “jack of all trades” is the trend nowadays, it would still be more effective if these cybersecurity defenders have the specialization to respond efficiently.

DISCLAIMER: The contents cited in this article do not constitute the views and practices of my previous and current employer. This is merely the author’s own observations based on the previous breaches in the news. Any similarities are purely coincidences.
