Offensive Threat Models Against the Supply Chain

Tony UcedaVelez, CEO, VerSprite twitter, linkedin
abstract slides video

Tony is the author of Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, Wiley, 2015.

2017 saw a dramatic rise in supply chain attacks, a 200% increase over previous years. Typical attacks costs a business $1.1 million.

General Motives and Probabilistic Analysis

When you’re constructing a threat model, it’s important to consider the threat motives of the attacker: their intent, the reward they’ll get from a successful attack, and if they can repudiate the attack.

You can then do a probabilistic analysis based on the access required to do the attack, the risk aversion of the attacker, and their capabilities.

Impact Considerations

The impact of a supply chain attack can include:

• Financial loss - lost sales, charges run up by criminals using enterprise resources billed to the company, increased insurance premiums, fines/penalties for unreported breaches, costs of upgrading security, etc.

• Time loss - Businesses estimate it takes over 60 hours to respond to a software supply chain attack.

• Cargo loss - oftentimes 3-5 times the value of the cargo, all told, because of opportunity cost of replacement, disruption to schedules, etc.

• Associated losses (corporate) - Loss of customer trust/reputational harm Loss of market share/market cap.

• National security - Threats when the targets are strategic assets (mail service, power grids, trains/roads).

• Human life / societal loss - Could result in deaths if people can’t reach 911 or other vital resources can’t be dispatched to emergencies.

Supply Chain Threat Library & Motives

A “threat library” consists of threats to a business, including: disruption​, framing a person or company, sabotage​, extortion​, espionage​, data exfiltration, stealing Intellectual Property​, acessing sensitive data​.

An attacker’s “threat motives” can include: lulz, practicing for another target​, misdirection (blame an adversary​), reduce target’s credibility, revenge, financial, obtain intel​, leverage data for its value​, shorten product development cycles, leverage PII for impersonation, and OSINT​.

How to Threat Model Your Supply Chain

1. Look at risks with for your company that have high likelihood, based on your company and industry (what attacks has your and similar companies faced?).

2. Determine which parts of your attack surface are relevant to the threat(s).

3. Identify vulnerabilities/weaknesses that live within this attack surface.

4. Build a threat library based upon attackers’ likely motives.

5. Build an attack library that realizes the motives in your threat library.

6. Determine the success of these attack patterns via security research or manual pen testing.

Threat Modelling USPS

Tony walks through threat modelling the U.S. Postal Service (USPS), including several of the large sorting devices they use. See slides 13 - 18 for more details.

Given these attack trees, you can then do a probabilistic analysis of the viability of each path. For example, if many of the vulns relate to denial-of-service, and the attacker’s goal is to cost the company money, then these paths could enable an attacker to realize that goal.

Attack Surface as a Service

Similar to aggregating compromised PII into a marketplace, there are already marketplaces for companies’ vulnerabilities and attack surfaces - the people they employ and their roles, the software the company uses, their domains/IPs/etc. Government groups and private hacker syndicates for hire are the most mature in this area.