Using threat modeling to guard against financial and Internet risks

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

From the bulk crawling of bilibili data by a competing product to the Huazhu Group data leak; from the large-scale malicious seat occupation at Donghai Airlines to the Mafengwo travel site incident; from SMS code-receiving platforms earning millions a day to the outbreak of Singles' Day e-commerce risk. Business risk monitoring data for the third quarter of 2018, for example, show that malicious crawling accounted for the largest share of all business risks in Q3, followed by fake registration, account takeover, promotion cheating, coupon abuse (the "wool party") and others.

Coupon abuse, fake registration, malicious crawling, promotion cheating and similar business risks not only cause huge economic losses for business platforms and harm the legitimate rights and interests of users, but also disrupt business order.

In fact, these risks can be prevented and controlled with models. In daily life, for example, we pay attention to the weather and temperature every day: if the temperature drops suddenly, we decide to put on more clothes; if rain is forecast for the next day, we decide to take an umbrella, and so reduce the likelihood of catching a cold. What gives us this reflex is a threat model.

The so-called threat modeling is a countermeasure process that uses abstract concepts to analyze the risks that may exist or appear, and to mitigate or reduce risks. Through threat modeling, we can prevent the Internet business risks mentioned above; through threat modeling, we can prevent credit fraud, false registration, phishing fraud, credit deterioration, loan overdue and other financial fraud.

The necessity and core value of threat modeling

Perfect the design

The vast majority of development teams use system requirements analysis documents, software system design documents and detailed functional module design documents to standardize the system development and testing process; across the whole development cycle, penetration testing or security code audit is introduced only in the testing phase to improve the security of the delivered system. Because the security part is neither analyzed nor designed in the design stage, penetration testing and security code audit often cost a great deal of effort for little result. Testers cannot estimate the coverage of security test cases because there is no security design document, and developers likewise cannot quickly and efficiently provide remediation approaches or security product procurement requirements for the threats that are found.

Better identify risks

Security code audit and penetration testing are the two most common ways to find threats and improve system security. But both approaches share a disadvantage: it is difficult to systematize and quantify the security of the system. A threat model pays more attention to which aspects may have security problems; it abstracts and structures threats through modeling, uses diagrams to help determine the scope of threats, and uses tables and lists to track and update threats, so that threats can be identified and managed throughout development, operation and maintenance.

Provide guidance for testing

We use software testing to check the quality of software products and phased development results, strive to find various defects, and urge defects to be repaired, so as to control the quality of software products. As a part of software testing, security testing focuses on security defects and ensures the security quality of software products.

Software testing can use software requirements analysis and definition, software system design, module detailed functional design and even specific coding implementation to guide the design and execution of the test. Similarly, through threat modeling, we can get the following guidance in the design and implementation of security testing: what security threats the software system may face, what threats the system is experiencing, and what threats the system status can resist.

Repair defects

Threat modeling is designed to deliver more secure software, services or technologies. Therefore, after threats have been found and located, how to handle and manage them is also an indispensable part of threat modeling. Threat modeling can weigh the strategies for resolving threats and guide system developers on which technologies and system configuration methods to use against each kind of threat found. As with functional test reports, tables and lists can be applied to track the vulnerabilities found by the threat modeling as a whole.

How to do threat modeling

Threat modeling was first proposed by Microsoft, and the construction process is mainly divided into three steps.

First of all, the specific business characteristics, real use cases and the products used in the scenario should be considered in the preset scenario. Diagramming helps us understand the business scenario and system, and locate the attack surface exposed to threats. Then, with the help of specific models and methods, the threats are found and rated, and they are prioritized according to how hard they are to exploit and how much harm they cause. Finally, it is necessary to test whether the relevant threats have been dealt with effectively, so that the threat modeling results converge and the security of the system actually improves.

Three angles of modeling

Threat modeling is usually established from three dimensions: assets as the core, attackers as the core, and business as the core. In practice, which modeling method is used is often determined according to the concerns of the system builder. For example, risk control or business departments may pay more attention to assets or valuable things; security departments pay more attention to attackers, looking for system threats by using the list of attack libraries; while R & D departments pay more attention to the software under construction or deployed systems, using threat models as a supplement to commonly used software development models to improve the security of software systems.

Diagrams are the handiest tools for understanding systems: data flow diagrams (DFD), the Unified Modeling Language (UML) and state diagrams all help to understand the system being built. We therefore apply diagrams to the following three steps for understanding the system: confirming the system data flow model, confirming the trust boundaries, and identifying the attack surface.

The data flow model is the best model for threat modeling because security problems often occur in the data flow rather than in the control flow. Process, data flow, data storage and external entities are the four basic elements of data flow graph. The following figure shows a typical data flow graph model.

Process: running code, such as services or components; represented by a rounded rectangle or a circle.

Data flow: an interaction between an external entity and a process, between two processes, or between a process and a data store; represented by an arrow.

Data store: an internal entity that stores data, such as a database, message queue or file; represented by two parallel lines with a label between them.

External entity: a user, software system or device outside the control of the system; represented by a rectangle with square corners.

Once the data flow diagram is confirmed, trust boundaries are introduced to refine it. A trust boundary is the place where different principals meet, that is, the location where entities interact with other entities holding different permissions. Trust boundaries are the best places to identify threats, because most threats involve crossing a boundary, and a data flow that crosses a trust boundary is an element instance that requires threat analysis.

After confirming the trust boundary of the data flow graph, you can easily get the exposed attack surface of the current scenario. The attack surface is often a trust boundary that allows attackers to launch attacks.

Find possible threats

With the help of the business scenario data flow graph and the division of trust boundaries, we have a certain concept of where threats are most likely to occur, and the next thing we need to do is to find out what specific threats may occur at these threat points.

The STRIDE method is a threat modeling tool developed and promoted by Microsoft. It divides threats into six dimensions for evaluation and covers most current security issues. STRIDE is an abbreviation of six words:

Spoofing: impersonation, pretending to be someone else's identity

Tampering: illegally modifying data or code content

Repudiation: denying one's own actions, claiming not to have done something

Information Disclosure: information leakage, obtaining information beyond one's own permissions

Denial of Service: attacks that consume system resources and affect system availability

Elevation of Privilege: gaining higher system permissions than one is entitled to

Combined with the basic elements of the data flow graph, the STRIDE method is used as the threat dimension to analyze the basic elements, and the following table can be obtained:

The table describes which threat dimensions apply to each basic element. For example, external entities can be spoofed and can repudiate their own actions. Data stores are rarely spoofed, but they are often threatened by data tampering, disclosure of confidential data and denial of service. Whether a data store faces the repudiation threat depends on what it is used for: when it is used for audit, it may face that threat.
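The STRIDE-per-element table described above, turned into a small threat enumerator over a data flow diagram. This is an added example, not code from the original article or from Dingxiang; the external-entity and data-store rows are as the text states, while the process and data-flow rows follow the standard Microsoft table and are assumed here, and the air-travel flight-query scenario is constructed.

```python
from dataclasses import dataclass
from itertools import count

# STRIDE threat dimensions described in the text
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# STRIDE-per-element table. The page states the external-entity and
# data-store rows; the process and data-flow rows follow the standard
# Microsoft table and are an assumption here.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_flow": "TID", "data_store": "TID"}

@dataclass
class Element:
    name: str
    kind: str                # one of the APPLICABLE keys except data_flow
    zone: str                # trust zone; a flow between zones crosses a boundary
    audit_log: bool = False  # audit stores additionally face Repudiation

@dataclass
class Flow:
    name: str
    src: Element
    dst: Element

def threats_for(el):
    letters = APPLICABLE[el.kind]
    if el.kind == "data_store" and el.audit_log:
        letters += "R"
    return [STRIDE[c] for c in letters]

def enumerate_threats(elements, flows):
    """Produce numbered threat items (T1, T2, ...) for every element instance.
    Flows that cross a trust boundary are flagged as the first to analyse."""
    ids, items = count(1), []
    for el in elements:
        for t in threats_for(el):
            items.append({"id": f"T{next(ids)}", "target": el.name,
                          "threat": t, "crosses_boundary": False})
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        for c in APPLICABLE["data_flow"]:
            items.append({"id": f"T{next(ids)}", "target": f.name,
                          "threat": STRIDE[c], "crosses_boundary": crosses})
    return items

# Constructed sample: flight-query scenario of an air-travel site
user = Element("Traveller (or crawler)", "external_entity", "internet")
web = Element("Flight query service", "process", "dmz")
fares = Element("Fare database", "data_store", "intranet")
audit = Element("Query audit log", "data_store", "dmz", audit_log=True)
FLOWS = [Flow("HTTP flight query", user, web),
         Flow("SQL fare lookup", web, fares),
         Flow("Audit log write", web, audit)]
THREATS = enumerate_threats([user, web, fares, audit], FLOWS)
```

Printing `THREATS` gives the abstract threat location list the text goes on to describe, with the two boundary-crossing flows marked for analysis first.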

Next, we can use this table to analyze the business risk of a specific business scenario. For example, if we locate the potential threats to each element in a business scenario of the air-travel company mentioned above, we obtain the following table:

After using the STRIDE method to analyze the potential threats to all element instances in the data flow diagram of a particular business scenario, we have an abstract threat location diagram. Next, we need to enumerate threats against an attack library, build a threat description and attack method for each potential threat, and output a threat list describing each threat item.

Dingxiang Technology has accumulated extensive business risk experience in finance, the Internet, air travel and other fields. Taking threat numbers T1 and T4 as examples, the threat descriptions are output as follows:

Rate and deal with possible threats

After using the STRIDE method to analyze the data flow graph of the business scenario, we have obtained the potential threats faced by the current system in this business scenario. Then we need to deal with these threats one by one.

Before we confirm the approach to dealing with threats, we have to recognize some realities with the idea of "compromise": first, there are some threats that cannot be eradicated, and we can only reduce the chances of these threats or raise the threshold for them to occur; second, although some threats exist, the probability of occurrence is very low, and once it occurs, the harm is very small. We need to find some mechanisms to determine whether the cost is really needed to fix these vulnerabilities.

Because of this, we need to use threat rating to score the threat items we have identified, and then, according to the actual situation of the system and the scoring results, weigh how to respond to each threat: address it, mitigate it, or accept it.

There are many ways to rate threats, such as DREAD and CVSS (Common Vulnerability Scoring System) methods. The dimension and risk level of the threat are slightly different in different rating methods, but in general, the level of the threat is equal to the probability of the threat multiplied by the potential loss caused by the threat. In the actual event, the appropriate rating method can be selected or even adjusted to adapt to the actual situation according to the characteristics of the system or business scenario.

How the DREAD risk model is calculated:

Threat level [ignore (0) to serious (10)] = (Damage [0-4] + Reproducibility [0-4] + Exploitability [0-4] + Affected users [0-4] + Discoverability [0-4]) / 2

Take threat number T4 as an example, the threat level is calculated as follows:

Damage: 3 points: confidential data is disclosed, or a large amount of money is lost

Reproducibility: 1 point: difficult to reproduce; the success rate is low, several factors must coincide, and a high level of skill is required

Exploitability: 2 points: a skilled attacker can attack, using custom scripts or advanced attack tools

Affected users: 1 point: a small number of users of a general edge business

Discoverability: 1 point: the vulnerability is hard to find; it can be found by guessing or by monitoring network activity

Therefore, the threat level of threat number T4 = (3 + 1 + 2 + 1 + 1) / 2 = 4, a medium risk level. The threat is handled by using the HTTPS protocol instead of HTTP for data transmission, or by using Dingxiang Technology's device fingerprinting and risk control engine products to obtain real-time protection for user login events. The threat level and handling method in the output threat item are as follows:

A similar process outputs the threat level and threat handling of threat number T1 as follows:

After giving examples of threat rating and threat handling methods for all potential threat instances, we can choose an appropriate way to deal with potential threats according to the business characteristics of the system.

For 2C business risks such as e-commerce and air travel, the threat handling methods need to be carefully evaluated before implementation, especially when the threat instance (the target being attacked) is an external entity or a data flow / trust boundary connected to an external entity. This is because a 2C business must consider not only business security but also the friendliness and ease of use of the user experience. For example, in the handling scheme for threat number T1, forcing users to log in before querying flight information can quickly and effectively reduce the risk of ticket crawling in the short term, but it raises the threshold for normal users, brings obvious "side effects" and is not conducive to long-term development.

Drawing on its accumulated practical experience in business risk control, Dingxiang Technology abstracts the analysis of business risks with the threat modeling methodology to help businesses identify risks better. For the different business risks of different industries, a large number of risk indicators, strategies and models are preset, and through real-time analysis models the risk control system adapts to changes in business risk by means of machine learning.

For threat number T1 in the above case, a comprehensive data anti-crawling system is established with the help of Dingxiang's Dinsight risk control engine and endpoint security.

At the same time, a scalable anti-crawling strategy configuration is adopted to implement different strategies for different scenarios, and for different regions and periods of the same business. The following is a threat model built on the Xintell intelligent platform.

For threat number T4 in the above case, with the help of Dingxiang Technology's Dinsight risk control engine and endpoint security, multi-dimensional behavior data is collected for user requests; device, user behavior and environment information is submitted to the real-time risk control engine, the account security policy is invoked for comprehensive calculation and evaluation, and the risk of account takeover is identified.

Conclusion

Threat modeling is not only a methodology, but also an analytical model, which can help system builders find the most suitable risk solution for system and business scenarios.

Threat modeling provides a set of standardized tools and methods to help us deal with potential security risks in the system and deliver more secure systems. Ideally, when we start to build a business system, we introduce security requirements analysis into the system requirements analysis step, introduce threat modeling and analysis in the outline design and detailed design phases, use it to guide the security testing work in the test phase, and output a security report alongside the test report.

This paper introduces the basic principles, modeling process and mainstream modeling methods of threat modeling. It also points out that when threat modeling is used to analyze a business system abstractly, the difference between (2C) business security and traditional information security must be considered; the cost of repair must be weighed when dealing with threats, and the impact of a threat repair scheme on user experience friendliness and ease of use must also be considered.

Dingxiang Technology relies on data and experience accumulated in the attack and defense of real businesses in finance, the Internet and other fields, and has the following advantages in ensuring business security:

1. Rich experience in threat modeling in vertical business areas, covering credit, payment, transaction, interaction and other scenarios.

2. A rich business risk attack database and corresponding protective measures which, built around the threat modeling process, output a full-link, multi-link in-depth risk control system that effectively ensures the healthy operation of the business.

3. Years of experience in actual combat has been accumulated, and hundreds of risk indicators, risk strategies and risk models have been preset to achieve instant empowerment of business security.

4. The powerful Dinsight risk control engine can respond in milliseconds, use policies and real-time calculations to identify risks synchronously, block malicious risks directly, or identify suspected risks through secondary verification.

5. The Xintell intelligent platform integrates a wealth of risk prevention and control models, with the goal of helping enterprises use data to build a more secure ecosystem, and provides one-stop data processing, AI modeling, operation and maintenance management and other services.

6. Deep graph technology based on graph neural network algorithms over association networks can be applied to semi-supervised and unsupervised representation learning, directly reflecting the results and predictions for the target network.
