Skip to content

SEAS-8414 – HW5

GCK Service Architecture Diagram

GCK Application Threat Model Architecture Diagram

Threat Modeling

The Kimchi King is now looking over his application and assessing threats. As part of his threat modeling effort, he has modeled his KimchiMeNow web application where there are potential threats. He looked at the OWASP Treat Modeling framework. Threat modeling is a process for capturing, organizing, and analyzing all the information that affects the security of an application. He has determined that the KimchiMeNow web application will need to be protected and has devised some controls centric to domain, content, and insider intelligence. AWS provides services within Route 53, Macie, and GuardDuty and this is what will be covered with regards to providing controls for domain, content, and insider threats. What is vulnerable in the GCK application framework are points where various boundaries (dotted orange lines in GCK Application Threat Model Architecture Diagram) are crossed in the KimchiMeNow web application. The application database, user data within the registration, and banking servers are all areas where threats can introduce themselves.

Threat Modeling Four Questions

  1. What are we working on? KimchiMeNow Web Application running on AWS.
  2. What can go wrong? There could be potential application users’ kimchi sellers and buyers both being affected while using the system during the registration process or the banking process for payments.
  3. What are we going to do about it? Look at domain, content, and insider intelligence controls to determine controls that would make sense to address Kimchi King’s threat model.
  4. Did we do a good job? Probably not perfect, but perfect is the enemy of good. This will be a start and the threat modeling process should be addressed continually and iteratively. This will be done when a new feature is released, security incident occurs, and when there are architectural or infrastructure changes.

Domain Intelligence Controls

There are many tools to look at domains that we can use to get a sense of domains and their level of safety. One such tool is VirusTotal and we can enter a URL to perform various checks to make sure this is not a malicious domain. There’s nothing wrong with spicy.kimchimenow.com and flags no security issues with a community score showing 0/90 meaning everything came back clean.

Another such tool is ThreatLab Zscaler and this tool seems to evaluate some level of content and the profile of where the web application is hosted. This tool flags how anonymous the website is given spicy.kimchimenow.com is hosted on AWS and the flutter code is pointing to other sites. Since Flutter is a google related web app framework the tool flagged things as benign and not threatening.

Another tool is from Cisco Talos Intelligence most of the information from the report is network centric. It provides details such as network owner (Amazon.com) and then if there is any sort of reputation details reported of the website such as email or block lists for the URL. This is a good way to determine intelligence about sites that are malicious.

Now it is great that the Kimchi King can manually get all this domain intelligence to see safe or malicious domains. But how does he integrate this with his AWS setup or where would it make sense to live to protect his own domain? Turns out that Amazon Route 53 offers threat intelligence sourced from Recorded Future. There is a set of AWS Managed Domain Lists that has over 100,000 domains with dynamic risk scores to identify threats which are continually added to DNS Firewall. The AWS managed aggregate threat list will identify domains related to malware, ransomware, botnet, spyware, and DNS tunneling.

Content Intelligence Controls

With regards to content intelligence there are a lot of data loss prevention options available, but with AWS there is Amazon Macie. This is a machine learning framework that will continually inventory content in S3 buckets to provide security and access controls of content. Macie will discover sensitive data and map it to automate remediation to secure the content. The Kimchi King can apply this to his account and even train Macie with custom parameters to have the process create a model that will learn what is important to protect.

Amazon Macie - Demonstration Video

Insider Intelligence Controls

The Center for Development of Security Excellence (CDSE) as part of the Defense Counterintelligence and Security Agency has a CDSE Case Study Library that evaluates various violators that have exhibited negative cybersecurity behaviors. There is a list of indicators with descriptions of what to look for and details on their website. These have been listed below and what the Kimchi King will be keeping an eye out for within his system and working environment.

  • Access Attributes - Security clearance and information access (Confidential, Secret, TS, SCI, SAP, etc.), access to physical facilities (secret-cleared spaces, SCIF, SAP, etc.), access to systems and applications (SIPR and other Secret, JWICS or other SCI, SAP, etc.), DOD system(s) privileged user, explosives access or training, CBRN access or training.
  • Criminal, Violent, or Abusive Conduct - Criminal violent behavior, to include sexual assault and domestic violence or other criminal behavior (voluntary admission, included during polygraph examination or investigation, substantiated report or arrest, criminal proceedings), exhibiting violence at work (directed against property or persons), threatening violence, possessing unauthorized weapon, authorized weapon at an unauthorized time or location, weapon mishandling, criminal behavior involving weapons, failure to follow court order, parole or probation or violation thereof, criminal affiliations, delf-harm, suicidal ideation, or attempting suicide.
  • Financial Considerations - Financial crime (voluntary admission, including during polygraph or investigation, substantiated report or arrest, criminal proceeding), filing for bankruptcy (adverse changes to financial status, foreclosure or repossession, loan default, involuntary lien or unfavorable judgement), delinquent debts, high debt-to-income ratio, failure to file tax returns, pay garnishment, displaying signs of unexplained affluence, experienced gambling problem.
  • Foreign Considerations - Citizenship (threat or non-threat country – past/present), foreign travel to countries of concern (official or non-official), frequent foreign travel (excluding official travel), other foreign travel, service in foreign military or government, possessing foreign passport, voting in foreign election, possession of foreign assets, foreign residency, foreign business or political interest, receiving benefits from a foreign nation, foreign citizenship - spouse or cohabitant, foreign citizenship - immediate family member, living with foreign national, foreign national contact, unauthorized contact with an officer or agent of a foreign intelligence entity (FIE), enabling or facilitating an officer, agent, or member of a FIE.
  • Professional Lifecycle and Performance - Declining performance ratings, poor performance ratings, reprimand/non-judicial punishment, Human Resources (HR) complaints, demotion, separation status (pending voluntary separation, pending involuntary separation), suspension, involuntary administrative leave, leave of absence, unauthorized absence/AWOL, negative characterization of previous employment or service.
  • Judgement, Character, and Psychological Conditions - Falsifying hiring information, falsifying data at place of work, subject to judgement in civil litigation, Expressing ill-will towards USG or employing organization, communicating extremist views, associating with extremist or terrorist groups, enabling or facilitating an extremist or terrorist group, admission to inpatient mental health facility (voluntary, involuntary), insanity plea in a criminal case, anti-social or compulsive behavior, mental instability, past untruthfulness (including voluntary admission, including during polygraph or investigation), failure to successfully complete a polygraph, communicating endorsement of workplace violence, other psychiatric or psychological condition.
  • Security and Compliance Incidents - Compliance violation, security infraction, security violation, non-compliance with training requirements, delinquent Government Travel Charge Card (GTCC), misuse of DOD purchase card or expense violations, time entry violations, security clearance denial, suspension, or revocation.
  • Substance Abuse and Addictive Behaviors - Illegal substance use or trafficking (voluntary admission, including during polygraph or investigation, drug test failure, substantiated report or arrest, criminal proceeding, incident at work involving an illegal substance), legal substance abuse or trafficking—alcohol or prescription drugs (voluntary admission, including during a polygraph or investigation, substantiated report or arrest, criminal proceeding, incident at work involving alcohol abuse or legal substance abuse), voluntary or involuntary treatment for abuse of drugs, alcohol, or controlled substances.
  • Technical Activity - Violating acceptable user or other automated information system policies, suspicious or unauthorized email or browsing activity, attempting to introduce unapproved USB device, anomalous volume of data transferred to removable media inserted in USB port, attempting to burn discs without authorization, transfer data to personal or suspicious account, erasing, modifying, or tampering with any record-keeping data, introduction of unauthorized software, attempted modification to registry or system settings, disabling anti-virus or firewall settings, introducing malicious code, technical violations admitted during investigation or polygraph.
  • Violent Extremist Mobilization - Engaging in, or conspiring to engage in violent extremist activities, such as conducting an attack or traveling overseas to join a foreign terrorist organization.

There are manual steps to capture insider threats and consideration that are part of a typical insider threat implementation.

  1. Check the background of employees periodically
  2. Make employees sign intellectual property agreement
  3. Train employees regularly on security awareness
  4. Monitor technical and behavioral actions
  5. Increase monitoring of upcoming departures
  6. Reconfirm employee agreement on departure
  7. Process employee termination through identity and access management
  8. Monitor suspicious actions of terminated accounts

There are many indicators, and these can span all sorts of security incidents that put an organization at risk. Incidents such as sabotage, theft, fraud, or even espionage. Indicators can be classified as personal, behavioral, background, network, endpoint, and log based.

  • Personal indicators look at depression, financial obligations, address changes, death among family or friends, feelings of inadequacy, break-up or divorce, impending termination of contract.
  • Behavioral indicators look at unwillingness to comply with established rules and procedures, repeated breach of procedures, excessive or unexplained use of data copy equipment, excessive volunteering with would elevate access to sensitive data, excessive overtime work, bringing personal equipment to high-security areas, carelessness, concerning statements, jokes, or bragging, impulsiveness, poor social interaction, and aggression.
  • Background indicators look at involvement with individuals or groups who oppose core beliefs of organization, criminal record, addictions, history of mental or emotional disorder, indebtedness, sexual behavior with indicates lack of judgement, engagement in activities which can cause a conflict of interests, business dealings, active presence in social media, number of previous employers and average time of employment, and spending exceeds income.
  • Network indicators look at correspondence with competitors, email messages with abnormally large amount of data, DNS queries which indicate involvement with internet underground, use of suspicious protocols, use of suspicious services, execution of offensive tools, execution of malware, anomalous peaks in outgoing connection count, an unauthorized device is connected to the network, download of blacklisted software, and connections initiated from a workstation outside working hours.
  • Endpoint indicators look at anti-malware alerts, blacklisted files detected, disabling anti-malware tools, attempted escalation of privileges, user attempts to print or copy confidential documents, abnormally large number of software errors, unidentified device is attached, failed logging attempts, different user login from the same workstation, user logs into a desktop workstation outside working hours, and lack of log messages or monitoring data.
  • Log-based indicators look at modification of centrally stored log files, user copies of large number of documents to a local disk, authentication failures, configuration file changes, permission changes, database content changes, employee attempts to access resources not associated with his role, user account is used from multiple devices, user account is set to expire in 30 days or less, and multiple accounts per user.

So given all this information, what is there that can be implemented in AWS that will help to protect the KimchiMeKnow application? The Kimchi King stumbled upon Amazon GuardDuty which is another machine learning service that exposes threats using anomaly detection, ML, behavioral modeling, and threat intelligence feeds.

References

Unless otherwise indicated, the content and opinions expressed on this web site are those of the author(s). They are not endorsed by and do not necessarily reflect the views of the George Washington University.
Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.