Attack Vector Concept — Phishing — Security analysis with Threat Modeling
Phishing — Description
In the previous section, we were looking at an attack coming from Internet, via a firewall with an unknown rule set. When looking at the Phishing attack scenario, it is also coming from an external/foreign network zone, but makes use of the fact that the attacker has managed to trick an internal user to initiate a dataflow from a work station on the inside of the internet gateway to a malicious host and service, owned and managed by the attacker.
Model
Phising is sometimes a wide definition but in our case, we think of an internal user that has been tricked into connecting to a malicious service owned by the attacker. How this has happened and if the user is even aware of it, is something that we will address when looking at the attenuation.
The model involves the internet gateway, the internal network zone with an internal work station, the external network zone with the malicious host and service owned and run by the attacker.
Attack Vector Attenuation
With the above setup, we can analyze the attack’s impact on our model considering the situation that the phishing attempt (dataflow to the malicious service) has already succeeded/been established.
If we wish to detail this a bit more, we may want to introduce an estimate on how probable this type of attack is. The figure we want to use might be a pure estimate from the customer’s staff or it might be based on previously connected statistics. Such statistics can be log reviews looking at the amount of incoming phishing emails that arrive at the end users (“Your Netflix account has been temporarily disabled, please click here to unlock it.”) or in some cases surveys/drills have been made using phishing emails being sent out from the company’s IT staff to see what response rate they get. If such serious data is available, it is possible to set a probability to this type of attack.
Setting a probability to a dataflow is done by selecting it on the canvas and then looking in the ObjectView area to the lower left end of securiCAD where a setting called “Existence” is available.
In the above example, we have (based on data/estimate found together with the customer/system owner) set the probability to this type of attack being present to 3%.
Conclusions
In the above scenario, we have the same network setup as with the Internet attack scenario. However, the difference is that previously the attacker made use of the imperfect “KnownRuleSet” defense of the firewall to find a useful entry point while now the attack is entering via a dataflow which is already allowed to pass through the firewall (the horizontal connection between the dataflow and the router). The essence of the attack here is that a dataflow is initiated from a work station to a malicious service on the outside, also known as a client-side-attack.
If we let the dataflow of the phishing traffic be present and allowed to pass through the gateway firewall and router all the time, we can analyze the impact when a phishing attack is really taking place. If we want to also take into consideration our estimated probability that it actually happens, we use the “Existence” parameter of that defense.
