New security trend – “like running Sim City on fast-forward"
If you do not fully understand the weak points of your own IT system, how can you defend it against attacks?
Automated threat modeling helps secure the IT system where it is needed most.
How do attackers think? What does your IT system look like from their perspective? Where do they begin to attack - and why do they attack where they do? One thing you can be sure of: From the attacker's point of view, your IT system probably doesn’t look like you intended. As defender, the image you have of your IT system is not that of the attacker. Therefore, you must understand your weaknesses, as they are exactly what the attackers are looking for.
Analyzing and evaluating how well, or how poorly, an organization resists cyberattacks is a very important part of the organization's “full defense” and is an approach that has been used for a long time. All companies with self-preservation operations carry out regular evaluations, checks and tests of their IT systems. Yet cybercriminals always seem to be one step ahead.
A common way to evaluate and analyze an organization's IT defense is to gather information about all systems - clients, servers, services, applications, firewalls, network devices, etc. - and list them in what is often a vast list of everything the organization has, and then analyze which individual systems are vulnerable to different attacks based on the versions of software they use.
The idea, of course, is that updated systems are secure systems, which is also true in the sense that updated software should be protected against known vulnerabilities. But updating systems is a never-ending and extensive task and often entails consequential problems, so that almost never all systems within a larger organization are sufficiently updated. In addition, a list of all systems and their individual vulnerabilities provides a fairly one-dimensional risk analysis, and says very little about attack vectors and about which paths lead to the most desirable systems.
Things become pretty complex quite quickly
Threat modeling is a step in the right direction, towards understanding the attackers' approach and methodology. It's about thinking in graphs and not in lists, just like the attackers do when looking for entrances and ways in. Traditional threat modeling as a method is often a labor-intensive, large-scale manual process that costs a lot of money, and is therefore not carried out often enough. The model also quickly becomes extremely complex due to the almost infinite number of attack point combinations, and because an IT system is never static, the model is obsolete even before it is complete.
The purpose of creating a model, a kind of twin of the IT system within an organization, is that you can simulate attacks against the model, and not against the actual system. The simulations, in turn, will lead to insights about the most likely points of attack, which will allow the organization to prioritize where resources are to be invested. And for the same reason, the organization can avoid devoting resources to securing systems that an attacker is unlikely to attack, for example because the vulnerabilities require certain conditions that are not given in the current situation.
Traditional threat modeling and automated threat modeling are basically the same; both are about populating and building a model of reality with data from various sources, including information about the own infrastructure and information about current weak points. The difference, of course, is that automation removes all or part of the manual part of the process, which saves a considerable amount of time.
Thanks to automation and the operation of many systems on cloud platforms, the technology today has become so effective that the models can be developed so quickly, if not in real time, that they are not too outdated within a short time. The Swedish company foreseeti has developed a product for automated threat modeling for systems running on Amazon Web Services, AWS. Thanks to the fact that information about the entire IT environment can be obtained via APIs, in principle as depictions of the entire environment, the models can be kept updated at the same rate at which the real environment changes.
One of the companies in Sweden that has been using automated threat modeling is Klarna, whose IT environment largely runs on AWS. Mark Strande is the CISO at Klarna. The company started using automated threat modeling at the end of 2016.
“The time it takes to build a threat modeling model using traditional methods is not scalable for fast-growing organizations where the IT environment changes by the minute; by the time the model is complete, it's long outdated,” says Mark Strande.
Feed with safety information
Throughout its entire IT environment, Klarna works with automated threat modeling. They use the product Securicad Vanguard from foreseeti for AWS environments. The model consists of information from AWS APIs and manually entered information. In order for the system to provide a basis for deciding which vulnerabilities should be prioritized, it is fed with security and vulnerability information from Klarna's own vulnerability scanner, but it is also possible to enter information on vulnerabilities from third-party tools or the AWS Inspector tool..
“The fact that we can collect information about the architecture via APIs from AWS makes a huge difference; it’s like light years away from working with manual modeling. Sometimes, we release updates to the systems several times a day, which means that the map is constantly changing. Because everything is coded in the cloud, such as information about architecture, applications, configurations, IAM Policy and much more, we can establish a very detailed and up-to-date model for the simulation,” says Mark Strande.
“As our organization consists of autonomous teams, where each team acts as a startup, threat modeling offers great benefits because we can eliminate human error. Our teams don't need to know much about what the other teams are doing; they do not need to keep track of changes in other systems but can focus on their changes and systems.”
According to Mark Strande, the major advantage of automated threat modeling in cloud environments is that the system can cover the full scope of the IT environment, which traditional threat modeling or penetration tests, for example, cannot quite manage within reasonable time. Automating parts of the process speeds up threat modeling, which is an excellent complement to the in-depth manual methods.
Although cloud service providers like AWS offer various built-in or accompanying tools such as the AWS Inspector, which help customers identify deficiencies in their solutions, they do not provide a broad general picture. Most of these built-in tools are based on pre-defined rules and mechanisms that provide information such as how serious different vulnerabilities are, but not how the exposure and environment affect the points of attack. Other tools such as Guard Duty can then be used to monitor the environment for threats.
“Automated threat modeling understands the connections, which is a big difference,” says Mark Strande. “When we run our simulations on the models, we find out which deficiencies are most significant. We’re able to identify exactly which systems are most vulnerable, which application on which machine we should prioritize patching first to keep the systems as secure as possible.
Attacks often happen due to a combination of vulnerabilities, which makes it difficult to see which systems are most vulnerable with traditional methods, but our models find the weak links. It's a cost-effective vulnerability assessment method, and the workload is extremely low, but above all we get a consistent assessment, which is almost impossible with manual threat modeling on a larger scale. Automated threat modeling is like running Sim City on fast-forward,” says Mark Strande.
Welcome to cloud-based threat modeling
AWS, too, welcomes automated threat modeling in the cloud. Johan Broman works at AWS Nordics as Solution Architect Manager. “We think it is great that third parties come up with this type of risk analysis tool. It is easy for customers to see their resources with AWS, and our APIs enable customers to quickly and easily obtain the information they need to develop their threat models.“
AWS does not have its own automated threat modeling tool, but customers can use the Security Hub, which gathers security information from all parts of the system, such as Amazon Guard Duty, and provides customers with an overview of their system.
“We manage the security of the cloud, but the customers are responsible for the security of the content in the cloud, and that’s where threat modeling comes into the picture. We cannot see what customers are using the AWS infrastructure for, so it is very positive that customers do what they can to increase their security, and threat modeling is a powerful tool in this regard,” says Johan Broman.
On the next level of automated threat modeling, Klarna will be able to glimpse into the future with risk analyzes and see how changes in different areas affect each other. A major advantage would be to involve DevOps teams to simulate assumptions about future changes.
“How could a modification in a system or a configuration change affect the entire environment?” Mark Strande wonders. “If we could simulate assumptions, we could model a future we don't even have yet. How does that affect the risk? We’re on our way there. I want to be able to simulate solutions and see how they affect the big picture before we implement them, thus further optimizing safety,” says Mark Strande.
Article written by: Lars Dobos, Editor at Technology & Safety, https://computersweden.idg.se