From the bulk crawling of competitors' content at Bilibili to the Huazhu Group data leak; from the mass malicious seat-occupation at Donghai Airlines to the Mafengwo travel site incident; from access platforms earning a million yuan a day to the outbreak of e-commerce risks on November 11... According to Dingxiang's business risk monitoring data for the third quarter of 2018, malicious crawling accounted for the largest share of all business risks in Q3, followed by false registration, then account theft, promotion fraud, coupon abuse ("wool-pulling") and others.
Business risks such as coupon abuse, use of illegal phone numbers, false registration, malicious crawling and promotion fraud not only cause huge economic losses to business platforms, but also harm the legitimate rights and interests of users and disrupt business order.
In fact, these risks can be prevented and controlled with models. For example, in daily life we pay attention to the weather and temperature every day. If the temperature drops suddenly, we decide to put on more clothes; if the chance of rain tomorrow is high, we decide to take an umbrella, so as to reduce the chance of catching a cold. What gives us this instinct is a threat model.
So-called threat modeling is the process of using abstractions to analyze possible risks and to reduce or eliminate them. Through threat modeling we can prevent the Internet business risks mentioned above; through threat modeling we can also prevent financial fraud such as credit fraud, false registration, phishing, credit deterioration and loan default.
The necessity and core value of threat modeling
The vast majority of development teams use system requirements analysis documents, software system design documents and detailed functional module design documents to standardize the development and testing process; across the whole development cycle, only penetration testing or security code audit is introduced, in the test phase, to improve the security of the delivered system. However, because security analysis and design work is missing from the design phase, penetration testing and security code audit often yield half the result for twice the effort: testers cannot estimate the coverage of security test cases because there is no security design document, and developers cannot quickly provide efficient fixes or procurement requirements for security products to address the threats.
Better risk detection
Security code audit and penetration testing are the two most common ways to detect threats and improve system security. However, both share a similar weakness: it is hard to systematize and quantify the security of the system. A threat model focuses instead on which aspects may have security problems. It abstracts and structures threats through modeling, uses diagrams to determine the scope of threats, and uses tables and lists to track and update them, so that threats can be identified and managed during development or during operations and maintenance.
Provide guidance for testing
We use software testing to inspect the quality of software products and of the results of each development phase, to find defects of all kinds, and to push for them to be fixed, so as to control the quality of software products. Security testing, as part of software testing, focuses on security defects and ensures the security and quality of software products.
Software testing can use the software requirements analysis and definition, the software system design, the detailed module function design and even the specific code to guide the design and implementation of tests. Similarly, threat modeling gives the design and implementation of security testing the following guidance: which security threats the software system may face, which threats the system is currently encountering, and which threats the system can resist.
The purpose of threat modeling is to deliver more secure software, services or technologies. Therefore, once threats are found and located, how to handle and manage them is an indispensable part of threat modeling. Threat modeling can weigh the strategies for resolving threats and guide system developers on which technologies and system configurations to use against each kind of threat found. As with a functional test report, tables and lists can be used to track the vulnerabilities found by the overall threat modeling.
How to do threat modeling
Threat modeling was first proposed by Microsoft, and the process is divided into three main steps.
First, we consider the specific business characteristics, the real use cases and the products used in the preset scenario. Diagramming helps us understand the business scenarios and systems and locate the attack surface. Then, with the help of specific models and methods, threats are identified and graded, and threats with high difficulty and high harm are given priority. Finally, we test whether the related threats have been handled effectively, so that the results of threat modeling converge and the security of the system actually improves.
Three angles of modeling
Threat modeling is usually built from one of three dimensions: assets as the core, attackers as the core, or the business as the core. Which modeling approach is used in practice is usually decided by the concerns of the system builder. For example, risk-control or business departments may care more about assets or valuable things; security departments may care more about attackers, using an attack library to find system threats; while R&D departments care more about the software or deployed system under construction, and use the threat model as a supplement to common software development models to improve the security of the software system.
Diagrams are the most convenient weapon for understanding a system. Data flow diagrams, UML and state diagrams are used to understand the system under construction. We therefore apply diagrams in the following three steps to understand the system: confirm the system's data flow model, confirm the trust boundaries, and confirm the attack surface.
The data flow model is the best model for threat modeling, because security problems usually occur in the data flow rather than in the control flow. Process, data flow, data store and external entity are the four basic elements of a data flow diagram. The following figure shows a typical data flow diagram.
Process: running code, such as services and components; drawn as a rounded rectangle or a circle.
Data flow: interaction between external entities and processes, between processes, or between processes and data stores; drawn as an arrow.
Data store: an internal entity that stores data, such as a database, message queue or file; drawn as two parallel lines with the label between them.
External entity: a user, software system or device beyond the control of the system; drawn as a rectangle with square corners.
After validating the data flow diagram, trust boundaries should be introduced to refine it. A trust boundary is the place where different principals meet, that is, where entities interact with other entities that have different privileges. Trust boundaries are the best place to identify threats, because most threats involve behavior that crosses a boundary. Every data flow that crosses a trust boundary is an element instance that needs threat analysis.
Once the trust boundaries of the data flow diagram are confirmed, the attack surface exposed by the current scenario follows easily: the attack surface is usually a trust boundary at which attackers can launch attacks.
Identify potential threats
With the business scenario's data flow diagram and the division of trust boundaries, we have some idea of where threats are most likely to occur. What we need to do next is find out which specific threats may appear at these threat points.
The STRIDE method is a tool developed and promoted by Microsoft for threat modeling. It divides threats into six dimensions for evaluation and covers almost all current security problems. STRIDE is an acronym of six words:
Spoofing: faking, disguising or impersonating someone else's identity;
Tampering: illegally modifying data or code;
Repudiation: denying one's own actions, claiming not to have done something;
Information disclosure: obtaining information beyond what one's own authority allows;
Denial of service: attacks that consume system resources and affect system availability;
Elevation of privilege: escalating one's rights to obtain higher system authority.
Combining the basic elements of the data flow diagram with STRIDE as the threat dimensions, the threats to each basic element can be analyzed, giving the following table:
The table describes which dimensions each basic element is threatened in. For example, external entities can be spoofed and can deny their own actions. Data stores can hardly be spoofed, but often face tampering, disclosure of confidential data and denial of service. Whether a data store faces the threat of repudiation depends on its purpose: when the data store is used for auditing, it may face that threat.
Next, we can use this table to analyze the business risks of a specific business scenario. For example, locating the potential threats to each element in one business scenario of the air travel business mentioned above gives the following table:
After using STRIDE to analyze the potential threats to all element instances in the data flow diagram of a specific business scenario, we have an abstract map of threat locations. Next, we enumerate threats according to the attack library, construct a threat description and attack methods for each potential threat, and output a threat list describing each threat item.
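The enumeration step above, as an added example that is not the page's own table or tooling: a constructed data flow diagram for a flight-query scenario (element names, trust zones and flow names are assumptions), the boundary-crossing flows picked out as the attack surface, and STRIDE-per-element applied to produce a threat list. Its PT-n identifiers are the example's own and do not correspond to the page's T1/T4.

```python
from dataclasses import dataclass

# STRIDE letters and the categories each DFD element type is subject to
# (the STRIDE-per-element applicability described in the text).
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_flow": "TID", "data_store": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                # a key of APPLICABLE
    zone: str                # trust zone; a flow between zones crosses a trust boundary
    audit_log: bool = False  # a data store kept for auditing also faces repudiation

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

def categories_for(e: Element) -> str:
    cats = APPLICABLE[e.kind]
    return cats + "R" if e.kind == "data_store" and e.audit_log else cats

def attack_surface(flows):
    """Flows that cross a trust boundary: the element instances that need analysis."""
    return [f for f in flows if f.src.zone != f.dst.zone]

def enumerate_threats(elements, flows):
    """STRIDE-per-element over every element plus every boundary-crossing flow.
    Returns (id, element name, element kind, STRIDE category) rows."""
    targets = [(e.name, e.kind, categories_for(e)) for e in elements]
    targets += [(f.name, "data_flow", APPLICABLE["data_flow"]) for f in attack_surface(flows)]
    rows = []
    for name, kind, cats in targets:
        for c in cats:
            rows.append((f"PT-{len(rows) + 1}", name, kind, STRIDE[c]))
    return rows

def flight_query_scenario():
    """Constructed DFD for a flight-query scenario (sample, not the page's diagram)."""
    traveler = Element("Traveler browser", "external_entity", "internet")
    api = Element("Flight query API", "process", "dmz")
    booking = Element("Booking service", "process", "internal")
    inventory = Element("Flight inventory DB", "data_store", "internal")
    audit = Element("Query audit log", "data_store", "internal", audit_log=True)
    flows = [Flow("flight query request", traveler, api),
             Flow("forward query to booking", api, booking),
             Flow("read inventory", booking, inventory),
             Flow("write audit record", booking, audit)]
    return [traveler, api, booking, inventory, audit], flows

if __name__ == "__main__":
    elements, flows = flight_query_scenario()
    print("attack surface:", [f.name for f in attack_surface(flows)])
    for row in enumerate_threats(elements, flows):
        print("%-6s %-24s %-16s %s" % row)
```

Flows that stay inside one trust zone (inventory read, audit write) are deliberately left off the list, matching the text's rule that only boundary-crossing flows are element instances needing analysis.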
Dingxiang Technology has accumulated rich business risk experience in finance, the Internet, aviation and tourism. Taking threat numbers T1 and T4 as examples, the threat items are described as follows:
Rating and handling of potential threats
After analyzing the business scenario's data flow diagram with STRIDE, we have the potential threats the current system faces in that scenario. Next we need to deal with these threats one by one.
Before deciding how to handle the threats, we must accept some realities in a spirit of "compromise": first, some threats cannot be eradicated, so we can only reduce their likelihood or raise the bar for them to occur; second, some threats exist but are very unlikely to occur, and would cause little harm if they did. We need mechanisms to decide whether we really need to invest in fixing these vulnerabilities.
For this reason, we use a threat rating method to score the threat items we have identified, and then, according to the actual situation of the system and the scoring results, weigh how to deal with each threat: resolve it, mitigate it or accept it.
There are many threat rating methods, such as DREAD and CVSS (Common Vulnerability Scoring System). Different rating methods differ slightly in their rating dimensions and in how the risk level is calculated, but in general the threat level equals the probability of the threat occurring multiplied by the potential loss it causes. In practice, we can choose an appropriate rating method according to the characteristics of the system or business scenario, and even adjust it to fit the actual situation.
The DREAD risk model is calculated as follows:
Threat level [ignored (0) to severe (10)] = (Damage [0, 4] + Reproducibility [0, 4] + Exploitability [0, 4] + Affected users [0, 4] + Discoverability [0, 4]) / 2
Taking threat number T4 as an example, the threat level is calculated as follows:
Damage: 3 points: leaks confidential data or causes large financial loss;
Reproducibility: 1 point: hard to reproduce, low success rate, constrained by many factors and requiring advanced skills;
Exploitability: 2 points: a skilled attacker can exploit it, using custom scripts or advanced attack tools;
Affected users: 1 point: a small number of users of a peripheral service;
Discoverability: 1 point: the vulnerability is hard to find; it can be discovered by guessing or by monitoring network activity;
Therefore, the threat level of threat number T4 = (3 + 1 + 2 + 1 + 1) / 2 = 4, a medium risk level. The handling method is to use HTTPS instead of HTTP for data transmission, or to use Dingxiang's device fingerprinting and risk control engine products to obtain real-time protection for user login events. The threat level and handling method in the output threat item are as follows:
A similar process yields threat number T1; its threat level and handling method are as follows:
After threat ratings and handling methods have been given for all potential threat instances, appropriate methods can be selected to deal with them according to the business characteristics of the system.
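The rating and handling step, as an added example rather than the page's own tooling: the DREAD formula from the text applied to T4 with the page's five scores, plus a tracking list that maps the resulting level to resolve / mitigate / accept and flags consumer-facing targets for a user-experience review. The risk bands (only 0 = ignored, 10 = severe and 4 = medium are fixed by the page), the disposition mapping and the item labelled TX are assumptions.

```python
from dataclasses import dataclass

# Five DREAD dimensions, each scored 0..4 as in the text; their sum / 2 gives 0..10.
DIMENSIONS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass(frozen=True)
class ThreatItem:
    threat_id: str
    description: str
    scores: dict          # dimension name -> 0..4
    ux_sensitive: bool    # target is an external entity, or a flow/boundary touching one

    def __post_init__(self):
        missing = set(DIMENSIONS) - set(self.scores)
        if missing:
            raise ValueError(f"{self.threat_id}: missing DREAD dimensions {sorted(missing)}")
        for dim, v in self.scores.items():
            if dim not in DIMENSIONS or not 0 <= v <= 4:
                raise ValueError(f"{self.threat_id}: {dim}={v} is not a valid 0..4 score")

def threat_level(item: ThreatItem) -> float:
    """The text's formula: sum of the five dimensions / 2, from 0 (ignored) to 10 (severe)."""
    return sum(item.scores[d] for d in DIMENSIONS) / 2

def risk_band(level: float) -> str:
    """Assumed bands; the page only fixes 0 = ignored, 10 = severe and 4 = medium."""
    if level == 0:
        return "ignored"
    if level < 3:
        return "low"
    if level < 7:
        return "medium"
    if level < 10:
        return "high"
    return "severe"

def disposition(item: ThreatItem) -> str:
    """Resolve / mitigate / accept (the text's three choices); 2C-facing targets are
    flagged so the user-experience cost of the fix is weighed before rollout."""
    band = risk_band(threat_level(item))
    choice = {"ignored": "accept", "low": "accept", "medium": "mitigate"}.get(band, "resolve")
    return choice + (" (review user-experience impact)" if item.ux_sensitive else "")

def tracking_table(items):
    """Rows sorted by descending threat level: the list used to track handling."""
    rows = [(i.threat_id, threat_level(i), risk_band(threat_level(i)), disposition(i)) for i in items]
    return sorted(rows, key=lambda r: -r[1])

# T4 uses the five scores given in the text; TX is a constructed sample, not from the page.
T4 = ThreatItem("T4", "user login data transmitted over HTTP",
                {"damage": 3, "reproducibility": 1, "exploitability": 2,
                 "affected_users": 1, "discoverability": 1}, ux_sensitive=True)
TX = ThreatItem("TX", "constructed sample: unauthenticated bulk read of inventory",
                {"damage": 4, "reproducibility": 4, "exploitability": 3,
                 "affected_users": 2, "discoverability": 3}, ux_sensitive=False)

if __name__ == "__main__":
    for row in tracking_table([T4, TX]):
        print("%-4s level=%4.1f %-8s %s" % row)
```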
For 2C (consumer-facing) business risks such as e-commerce and air travel, the threat handling methods must be evaluated and implemented carefully, especially when the threat instance (the target being attacked) is an external entity, or a data flow or trust boundary connected to an external entity. This is because a 2C business must consider the friendliness and ease of use of the user experience as well as business security. For example, in the handling scheme for threat number T1, although requiring users to be logged in to query flight information can quickly and effectively reduce the risk of ticket crawling, it raises the barrier for normal users to use the system and brings obvious "side effects" that are unfavorable to long-term development.
Dingxiang Technology, building on its accumulated practical experience in business risk control, uses the threat modeling methodology to abstract and analyze business risks and help businesses identify risk better. For the different business risks of various industries, a large number of risk indicators, strategies and models are preset. Through real-time analysis models and machine learning, the risk control system can better adapt to changes in business risk.
For threat number T1 in the case above, a comprehensive anti-crawling system is built with the help of Dingxiang's Dinsight risk control engine and endpoint security.
At the same time, hierarchical anti-crawling strategy configuration is used, so that different strategies apply to different scenarios of the same business, and to different regions and time periods of the same scenario. The following is the threat model built on Dingxiang's Xintel intelligent platform.
For threat number T4 in the case above, with the help of Dingxiang's Dinsight risk control engine and endpoint security, multi-dimensional behavior data is collected from user requests; device, user behavior and environment information is submitted to the real-time risk control engine, which calls the account security policy for comprehensive calculation and evaluation and identifies the risk of account takeover.
Threat modeling is not only a methodology, but also an analysis model, which can help system builders find the most suitable risk solution for the system and business scenarios.
Threat modeling provides a set of standardized tools and methods that help us deal with potential security risks in a system and deliver more secure systems. Ideally, when we start building a business system, we introduce security requirements analysis into the system requirements analysis step, introduce threat modeling analysis in the system outline design and detailed design phases, use it to guide security testing in the test phase, and output a security report at the same time.
This paper has introduced the basic principles, the modeling process and the mainstream methods of threat modeling. When using threat modeling to analyze a business system abstractly, we also need to consider the differences between (2C) business security and traditional information security. In the threat handling stage, we need to weigh the cost of fixes, and also consider the impact of the fix on the friendliness and ease of use of the user experience.
Based on the data and experience accumulated in real attack-and-defense in finance, the Internet and other businesses, Dingxiang Technology has the following advantages in business security:
1. Rich experience in threat modeling in vertical business fields, covering credit, payment, transaction, interaction and other scenarios.
2. A rich business-risk attack database and corresponding protection measures; a full-link, multi-link in-depth risk control system built around the threat modeling process, which effectively guarantees healthy business operation.
3. Years of practical experience; hundreds of preset risk indicators, risk strategies and risk models enable business security to be put into effect immediately.
4. The powerful Dinsight risk control engine responds at millisecond level, identifies risks synchronously using strategies and real-time computation, directly blocks malicious risks, or confirms suspected risks through secondary verification.
5. The Xintel intelligent platform integrates a wealth of risk prevention and control models to help enterprises use data to build a safer ecosystem, providing one-stop data processing, AI modeling, and operations and maintenance management services.
6. Deep profiling based on graph neural network algorithms over association networks applies semi-supervised and unsupervised representation learning, which can directly reflect the results and predictions for the target network.