"Threat and Risk Analysis With (PASTA) Process of Attack Simulation and Threat Analysis", presented at AthCON 2013

by Marco M. Morana

Tags: Security

Summary: "Threat and risk analysis are critical factors for the assessment of cyber risks affecting critical infrastructure, applications and software and for the identification of measures and controls to protect critical assets such as data and transactions. But although threats abound, very little effort has been devoted so far to the specific analysis of cyber threats by extracting information from threat intelligence leading to the identification of attack vectors and simulation of these against targeted assets to determine the impacts and the risks. For example, we all know that passwords today are the keys of the kingdom; however, do companies know which threats and threat actors target them and the impact of their compromise? Do companies know the attack vectors used by the threat agents? How do companies catch up with emerging threats to change their risk profile? How can the analysis of threats and attacks be dynamic enough to evolve into new attack vectors and tools used by threat actors? Which type of threat analysis and tools help us to walk the issues on how password compromises have taken place and are taking place? For threats against authentication, for example, how do we construe a threat analysis that is inclusive of the threat intelligence and identification of the actors, assets, services, attack vectors, surfaces, trust boundaries that match up against today's most common countermeasures to protect passwords (salting, multi-factor, etc.)? The author believes that these goals can be achieved by following a methodology known as (PASTA) Process for Attack Simulation and Threat Analysis and a new threat modelling tool. The goal of this presentation is to walk through the steps of the threat analysis of threats against authentication to depict how passwords have been broken, captured, and intercepted across multiple different platforms and attack surfaces.
Through the supported evidence of this threat analysis it is also shown how it is possible to characterise the risk factors of likelihood and impacts and to manage the risk of possible password compromises."