Where Is The Trust Boundary?

Threat modeling is becoming more and more common for both application development and system analysis. However, most threat modeling approaches remain highly manual: you must figure out what the system you are analyzing looks like and what types of threats need mitigation. For smaller applications under development this can be a useful activity, but for larger systems it doesn’t scale.
Mathias Ekstedt

Co-founder of Foreseeti and Professor in cyber security at KTH Royal Institute of Technology

A key ingredient in the threat modeling cocktail is the trust boundary. In general, the concept of the trust boundary helps to sort out where to look for vulnerabilities in system designs. The concept does not have a precise or strict definition (as far as we know); rather, it is a convenient concept for supporting secure design. Generally, the idea is that within a boundary, or a zone, there is some form of common level of security. Within such a zone, the components trust each other and do not have to question each other’s integrity, and there is some sort of common control or regime. Looking at a system model, we would commonly find trust boundaries, for instance, where we have different accounts with different privileges, at network interfaces, and at organizational interfaces. A trust boundary is similar to the concept of the attack surface and can also be seen as a kind of local attack surface where threats often seem to cluster.

Another way to use trust boundaries is as the central idea in different design principles. This is perhaps clearest in zero trust architectures, where making the trust boundaries very explicit and carefully managed is the key idea. But we also find it in standards and reference models such as the IEC 62443/ISA99/Purdue model for OT environments, which outlines a structure for how to group different types of systems into clearly separated zones roughly depending on “how far” they are from the physical process being controlled: from sensors and actuators through local control, central control, and further into general business support systems. In both these domains, the trust boundary is used as a normative requirement guiding good design.

However, the trust boundary can also be used from an analysis point of view. This is not uncommon in threat modeling of some existing (or hypothetical) design. Given a system design, with all its networks, accounts, and privileges, where do we de facto find the trust boundaries? If you have been following Foreseeti, you realize that this is the angle that interests us. We don’t believe in generally appropriate designs; rather, we believe that every system is unique and that its security posture needs to be individually assessed. Currently, we don’t have trust boundaries explicitly described or assessed in our securiCAD tool. But we do have an opinion about how to consider them in our attack graphs. Our take on the trust boundary is that you find it where you find a big change in Time-To-Compromise (TTC) values. As you may know, securiCAD simulations estimate TTC as a metric for the security/resilience of a system architecture. So where the TTC value is the same for different (interconnected) attack steps, we estimate that it wouldn’t take an attacker any effort to propagate. But when TTC increases, the attacker would have to work to move on: a boundary of effort. With attack simulations, we can then find TTC increases and compare them with where we would expect a boundary to be. For instance, the attackers would need to work to bypass a firewall as well as to escalate privileges. However, we perhaps also find (the lack of) trust boundaries in unexpected places. For instance, the system design per se may expect an application to belong to a trust zone, but due to an expected software vulnerability, we may not find a corresponding TTC increase for attacking the application and come to the conclusion that the trust boundary de facto is located elsewhere. So, comparing attack simulations with expected trust boundaries may spare you from unpleasant surprises.
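The comparison described above can be sketched as follows. This is an added example, not securiCAD code: the attack steps, effort values, expected-boundary set and the 3-day `min_jump` threshold are all constructed, and TTC is simplified to the least cumulative effort along any path rather than the output of a simulation.

```python
import heapq

# Constructed attack graph: (from step, to step) -> attacker effort in days.
EFFORT = {
    ("attacker", "fw.bypass"): 10.0,   # firewall
    ("fw.bypass", "web.user"): 0.0,
    ("web.user", "web.root"): 5.0,     # privilege escalation
    ("web.root", "app.exec"): 0.0,     # vulnerable application, no effort
    ("web.root", "db.admin"): 20.0,    # strong authentication
    ("app.exec", "db.admin"): 0.0,     # shared credential bypasses it
    ("app.exec", "backup.read"): 4.0,  # control nobody documented
}
# Boundaries the design documentation claims (constructed).
EXPECTED = {("attacker", "fw.bypass"), ("web.user", "web.root"),
            ("web.root", "app.exec"), ("web.root", "db.admin")}

def time_to_compromise(effort, entry):
    """Dijkstra: least cumulative effort needed to reach each attack step."""
    ttc, queue = {entry: 0.0}, [(0.0, entry)]
    while queue:
        t, step = heapq.heappop(queue)
        if t > ttc[step]:
            continue  # stale queue entry
        for (src, dst), days in effort.items():
            if src == step and t + days < ttc.get(dst, float("inf")):
                ttc[dst] = t + days
                heapq.heappush(queue, (ttc[dst], dst))
    return ttc

def de_facto_boundaries(effort, entry, min_jump=3.0):
    """Edges where TTC rises by at least min_jump between connected steps."""
    ttc = time_to_compromise(effort, entry)
    return {(s, d) for (s, d) in effort
            if s in ttc and ttc[d] - ttc[s] >= min_jump}

def compare(effort, expected, entry="attacker", min_jump=3.0):
    found = de_facto_boundaries(effort, entry, min_jump)
    return {"confirmed": expected & found,
            "missing": expected - found,      # designed, but no TTC increase
            "unexpected": found - expected}   # TTC increase nobody documented

if __name__ == "__main__":
    for kind, edges in compare(EFFORT, EXPECTED).items():
        print(kind, sorted(edges))
```

The strongly authenticated `web.root` to `db.admin` edge is reported as missing even though it costs 20 days on its own, because the zero-effort route through `app.exec` reaches `db.admin` at the same TTC as `web.root`.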

Now, our backlog of fantastic securiCAD features is long. A “de facto trust boundary visualizer” has not yet bubbled up to the top. With this blog post, we wanted to raise your awareness about this type of analysis, but maybe it is more valuable than what we understand deep down in the R&D mine… What do you think, should this feature bubble up the backlog? Let us know what you think – holler down the mine!

About Foreseeti

Foreseeti is a leading provider of Automated Cyber Threat Modeling and Attack Simulation Solutions.
Our flagship products, the securiCAD solutions, empower IT decision makers with insight into the cyber risk exposure and resilience of their IT architectures, uncovering critical paths to high value assets and weak spots in the architecture so that proactive actions can be taken where they really matter.
Our solutions are used around the globe by a broad audience, including national and multi-national companies and organizations, critical infrastructure operators, leading consulting firms, and other companies for whom cyber security is truly important. We have certified partners around the globe and are proud to be an AWS Select Partner.
