Effective CISSP Questions

A computer giant has been hit by a ransomware attack where the threat actors demand a large ransom of millions of dollars. After investigation, it is confirmed that the attackers exploited a mail server’s vulnerability in the DMZ as the foothold and conducted lateral movements to other servers and internal networks. Which of the following is the best solution to prevent the ransomware attack from recurring?
A. Threat modeling
B. Awareness training
C. Risk-based access control
D. Discretionary Access Control (DAC)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is __.

This question is written to encourage thinking more about “what is threat modeling?” I won’t directly provide my suggested answer. You can read my explanation and find out my preference.

“Conceptually, most people incorporate some form of threat modeling in their daily life and don’t even realize it.” (Wikipedia) The ransomware attack did not happen because the company skipped threat modeling. Rather, the company has to improve its threat modeling process.

Moreover, as the company in question has completed the investigation, it implies that threat modeling is in place and in progress. The ransomware attack has been identified, analyzed, and confirmed. It’s about time to evaluate a specific solution to eradicate the problem or a countermeasure to mitigate the risk. So, there is no need to propose threat modeling as an initiative or solution.

In this question, the attackers move around networks without user interaction. As a result, technical security controls are more effective than administrative ones like awareness training.

Fine-Grained vs. Coarse-Grained Access Control

Access control may not be the ultimate solution to prevent the ransomware attack from recurring. However, it’s the best among the four options.

  • Discretionary Access Control (DAC) is a coarse-grained access control mechanism while risk-based access control, either criteria-based or score-based, is a fine-grained one that typically relies on attribute-based access control (ABAC).
  • Risk-based access control, a core element of Zero Trust, can effectively mitigate lateral movement and data exfiltration.
Fine-grained, Dynamic, and Visibility
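
The contrast in the two bullets above, applied to the question's scenario, as an added example that is not part of the original post: a DAC check looks only at identity and the owner's grant, while a score-based check also weighs the context of each request. The account names, attributes, weights, sensitivity factors and threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed DAC ACL: the resource owner granted these identities access.
# All names here are hypothetical.
DAC_ACL = {"finance-share": {"svc-mailrelay": {"read", "write"},
                             "alice": {"read", "write"}}}

@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str
    source_zone: str        # "internal" or "dmz"
    device_compliant: bool  # posture of the requesting host
    new_path: bool          # subject never reached this resource from this host

def dac_decision(req: Request) -> bool:
    """Coarse-grained: identity plus owner-granted permission, no context."""
    return req.action in DAC_ACL.get(req.resource, {}).get(req.subject, set())

# Assumed weights, sensitivity factors and threshold for a score-based policy.
WEIGHTS = {"dmz_source": 40, "non_compliant": 30, "new_path": 20, "write": 10}
SENSITIVITY = {"finance-share": 1.5}
THRESHOLD = 50

def risk_score(req: Request) -> float:
    """Sum the weights of the risky attributes, scaled by resource sensitivity."""
    score = 0
    if req.source_zone == "dmz":
        score += WEIGHTS["dmz_source"]
    if not req.device_compliant:
        score += WEIGHTS["non_compliant"]
    if req.new_path:
        score += WEIGHTS["new_path"]
    if req.action == "write":
        score += WEIGHTS["write"]
    return score * SENSITIVITY.get(req.resource, 1.0)

def risk_based_decision(req: Request) -> bool:
    """Fine-grained: the grant is necessary, but the request's attributes decide."""
    return dac_decision(req) and risk_score(req) < THRESHOLD

# Constructed requests: the compromised DMZ mail server reaching inward,
# and a normal user working from a compliant internal workstation.
LATERAL = Request("svc-mailrelay", "finance-share", "write", "dmz", False, True)
NORMAL = Request("alice", "finance-share", "write", "internal", True, False)

if __name__ == "__main__":
    for name, req in (("lateral", LATERAL), ("normal", NORMAL)):
        print(name, dac_decision(req), risk_score(req), risk_based_decision(req))
```

The same identity can get different answers per request: with these assumed weights, `alice` reading from a non-compliant device is still allowed, while her write from that device is not.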


Ransomware can behave passively like a virus that needs user interaction (Trojan) or travel actively like a worm that can infect other computers without user interaction (WannaCry).

“Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.”

Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction.

Source: Wikipedia

Threat Modeling

This section introduces specific definitions and well-known threat modeling approaches.

  • “Threat modeling is a form of risk assessment that models aspects of the attack and defense sides of a particular logical entity, such as a piece of data, an application, a host, a system, or an environment.” (NIST SP 800-154, draft)
  • In systems and software engineering, threat modeling is a “systematic exploration technique to expose any circumstance or event having the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.” (ISO 24765:2017)
  • Threat modeling is a process for capturing, organizing, and analyzing all of the information that affects the security of an application. (OWASP)
  • Threat modeling is “an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application’s design, meet your company’s security objectives, and reduce risk.” (Microsoft)

“A threat model is essentially a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through security glasses.” (OWASP)

From the perspective of ISO 31000, threat modeling is a form of “risk management” in the context of system and software engineering. Risk management comprises the activities shown in the following diagram:

ISO 31000

NIST Data-Centric System Threat Modeling

The data-centric system threat modeling approach presented in this publication has four major steps:

  1. Identify and characterize the system and data of interest;
  2. Identify and select the attack vectors to be included in the model;
  3. Characterize the security controls for mitigating the attack vectors; and
  4. Analyze the threat model.

Microsoft Threat Modeling

Threat modeling should be part of your routine development lifecycle, enabling you to progressively refine your threat model and further reduce risk. There are five major threat modeling steps:

  1. Defining security requirements.
  2. Creating an application diagram.
  3. Identifying threats.
  4. Mitigating threats.
  5. Validating that threats have been mitigated.
Image Credit: Microsoft




