• tl;dr sec
  • Posts
  • Offensive Threat Models Against the Supply Chain

Offensive Threat Models Against the Supply Chain

In this talk, Tony discusses the economic and geopolitical impacts of supply chain attacks, a walkthrough of supply chain threat modeling from a manufacturer’s perspective, and tips and best practices in threat modeling your supply chain.

Tony UcedaVelez, CEO, VerSprite twitter, linkedin
abstract slides video

In this talk, Tony discusses the economic and geopolitical impacts of supply chain attacks, a walkthrough of supply chain threat modeling from a manufacturer’s perspective, and tips and best practices in threat modeling your supply chain.

A Holistic View of Threat Modeling Supply Chains
To me, the most unique and valuable aspect of this talk is its holistic view of threat modeling a company and ecosystem.

This includes all of the potential threat actors and their motivations, the geopolitical risks that may be involved, physical and network risks as well as software risks, leveraging threat intel (what types of attacks are other companies in my industry facing?), other breaches (if I’m a provider for a government agency and there was a breach of another government agency or provider, how does that leaked info, PII, and IP affect my company and my customers?), CVEs in your products and your dependencies, and more.

In this talk, Tony focuses on manufacturing: companies who assemble products using components from various sources. (Click to enlarge)

2017 saw a dramatic rise in supply chain attacks, a 200% increase over previous years. Typical attacks costs a business $1.1 million.

General Motives and Probabilistic Analysis

When you’re constructing a threat model, it’s important to consider the threat motives of the attacker: their intent, the reward they’ll get from a successful attack, and if they can repudiate the attack.

You can then do a probabilistic analysis based on the access required to do the attack, the risk aversion of the attacker, and their capabilities.

Impact Considerations

The impact of a supply chain attack can include:

  • Financial loss - lost sales, charges run up by criminals using enterprise resources billed to the company, increased insurance premiums, fines/penalties for unreported breaches, costs of upgrading security, etc.

  • Time loss - Businesses estimate it takes over 60 hours to respond to a software supply chain attack.

  • Cargo loss - oftentimes 3-5 times the value of the cargo, all told, because of opportunity cost of replacement, disruption to schedules, etc.

  • Associated losses (corporate) - Loss of customer trust/reputational harm Loss of market share/market cap.

  • National security - Threats when the targets are strategic assets (mail service, power grids, trains/roads).

  • Human life / societal loss - Could result in deaths if people can’t reach 911 or other vital resources can’t be dispatched to emergencies.

Clarifying Expectations
It’s important to clarify points of view and priorities with your stakeholders, the people who are sponsoring the threat modeling. This helps you communicate your results at the end of it in language and terms that are meaningful to them.

Supply Chain Threat Library & Motives

A “threat library” consists of threats to a business, including: disruption​, framing a person or company, sabotage​, extortion​, espionage​, data exfiltration, stealing Intellectual Property​, acessing sensitive data​.

An attacker’s “threat motives” can include: lulz, practicing for another target​, misdirection (blame an adversary​), reduce target’s credibility, revenge, financial, obtain intel​, leverage data for its value​, shorten product development cycles, leverage PII for impersonation, and OSINT​.

Note that due to the interrelated nature of supply chains and society, supply chain attacks can result in socioeconomic instability (e.g. attacking food production, payment systems, etc.)Also, if you can interrupt supply of a good or service, you can affect pricing through a supply chain hack, so there are certainly incentives for orchestrated attacks. (Click to enlarge)

How to Threat Model Your Supply Chain

  1. Look at risks with for your company that have high likelihood, based on your company and industry (what attacks has your and similar companies faced?).

  2. Determine which parts of your attack surface are relevant to the threat(s).

  3. Identify vulnerabilities/weaknesses that live within this attack surface.

  4. Build a threat library based upon attackers’ likely motives.

  5. Build an attack library that realizes the motives in your threat library.

  6. Determine the success of these attack patterns via security research or manual pen testing.

Threat Modelling USPS

Tony walks through threat modelling the U.S. Postal Service (USPS), including several of the large sorting devices they use. See slides 13 - 18 for more details.

You can’t cover every attack, focus on the ones that are most likely based on evidence and data.

Tony believes attack trees are more useful than data flow diagrams (DFDs) for threat modeling, as they make potential attack paths concrete.

Given these attack trees, you can then do a probabilistic analysis of the viability of each path. For example, if many of the vulns relate to denial-of-service, and the attacker’s goal is to cost the company money, then these paths could enable an attacker to realize that goal.

The Danger of Testimonials
One clever OSINT vector Tony points out is testimonials, the brief blurbs busineses have on their sites in which customers promote a product.

If you have developed exploits for a given hardware or software provider, you can use testimonials to determine who uses the vulnerable product. If you’re targeting a specific company, you can review the websites of product companies who tend to serve the target’s vertical to see which vendors and potentially even the specific products the target company uses.

Job postings can similarly reveal the technologies and products a company uses.

Examining the trust boundaries between layers, components, and supply chain providers. Getting in to the control level is great for repudiation. (Click to enlarge)

Probability = event / outcome

What events have actually occurred in the threat model you’re building, and what were their outcomes?

Attack Surface as a Service

Similar to aggregating compromised PII into a marketplace, there are already marketplaces for companies’ vulnerabilities and attack surfaces - the people they employ and their roles, the software the company uses, their domains/IPs/etc. Government groups and private hacker syndicates for hire are the most mature in this area.

The overall process from end to end (Click to enlarge)