public
/
website
5
0
Fork 0
Code Issues 6 Pull Requests 3 Packages Projects Releases Wiki Activity

feat: simplify content

This commit is contained in:
Anton Livaja 2025-04-26 13:38:18 -07:00
parent e13092693c
commit cacf399736
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 26 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

145
_layouts/threatmodel.html
View File

@ -3,30 +3,18 @@
{%- include head.html -%} {%- include head.html -%}
<body> <body>
{%- include header.html -%} {%- include header.html -%}
<div class="container"> <div class="container threat-model">
<main> <main>
<!-- Executive Summary and Scope -->
<section class="flex-container"> <section class="flex-container">
<div class="flex-container-inner"> <div class="flex-container-inner">
<h2>Distrust Threat Model</h2> <h3>Distrust Threat Model</h3>
<br> <p>Unlike conventional frameworks (e.g., STRIDE, PASTA) that focus on identifying and mitigating specific risks, the Distrust Threat Model, rather than modeling threats as potential risks, assumes that systems are already compromised. This pessimistic, assumption-driven approach focuses on building systems that can survive and remain secure even when critical components fail or are actively under attack by sophisticated threat actors at all levels.</p>
<h3>Executive Summary</h3>
<p>This document outlines a high-assurance threat model for mission-critical systems. We assume that adversaries are highly sophisticated, well funded, and patient, with access to an extensive arsenal of attack techniques—from zero-day vulnerabilities (often combined into complex exploit chains) to physical breaches, supply chain compromises, and advanced side-channel attacks. Real-world incidents, such as the <a href="https://www.cisa.gov/solarwinds" target="_blank">SolarWinds attack</a> and tactics reminiscent of the <a href="https://en.wikipedia.org/wiki/Stuxnet" target="_blank">Stuxnet</a> incident, illustrate the threat environment we plan for.</p>
<p>This model is designed to guide organizations in implementing layered defenses that align with their specific risk profiles. It is structured into four levels, ranging from basic protections to defenses capable of withstanding state-level adversaries.</p>
</div> </div>
</section> </section>
<section class="flex-container"> <section class="flex-container">
<div class="flex-container-inner"> <div class="flex-container-inner">
<h3>Scope and Context</h3> <h3 id="assumptions">Assumptions</h3>
<p><strong>Scope:</strong> This threat model applies to systems handling sensitive operations and critical infrastructure, covering both digital and physical attack vectors.</p>
<p><strong>Assets Protected:</strong> Sensitive data, cryptographic keys, operational control systems, and key hardware/firmware components.</p>
</div>
</section>
<section class="flex-container">
<div class="flex-container-inner">
<h3>General Threat Model Assumptions</h3>
<ul> <ul>
<li>All screens and displays are assumed to be observable by adversaries.</li> <li>All screens and displays are assumed to be observable by adversaries.</li>
<li>Input devices, such as keyboards, are assumed to be monitored or logged by potential attackers.</li> <li>Input devices, such as keyboards, are assumed to be monitored or logged by potential attackers.</li>
@ -41,14 +29,9 @@
<section class="flex-container"> <section class="flex-container">
<div class="flex-container-inner"> <div class="flex-container-inner">
<h3>Threat Model Levels</h3> <h3>Levels</h3>
<p>The threat model is structured into four levels, each corresponding to increasingly sophisticated adversary capabilities and controls. Organizations can choose the appropriate level based on their risk tolerance and operational needs.</p> <p>While the end-goal is to adequately address the risks which stem from the <a href="#assumptions">assumptions</a>, organizations are at varying levels of maturity and often need a path towards mitigating threats in a phased approach. To this end, the threat model defines 4 levels, each corresponding to increasingly more sophisticated threat actors as the levels increase. Each threat actor is assumed to have access to specific methods of attack limited by factors such as cost to execute, sophistication, time required etc.</p>
<ul> <p>It is a reasonable approach to apply different threat model levels to different parts of systems. It's also worth noting that essentially no companies, to our knowledge meet adequate controls for Level 4 adversaries except for select nation states organizations and militaries.</p>
<li><a href="#level-1">Level 1</a></li>
<li><a href="#level-2">Level 2</a></li>
<li><a href="#level-3">Level 3</a></li>
<li><a href="#level-4">Level 4</a></li>
</ul>
</div> </div>
</section> </section>
@ -56,24 +39,12 @@
<div class="flex-container-inner"> <div class="flex-container-inner">
<h3 id="level-1">Level 1</h3> <h3 id="level-1">Level 1</h3>
<h5>Adversary</h5> <h5>Adversary</h5>
<p>A low-skilled individual targeting many organizations. This adversary relies on broad, unsophisticated tactics—such as phishing—to steal credentials or sensitive data.</p> <p>An unskilled or lightly skilled individual leveraging widely available tools and publicly known vulnerabilities. Their attacks are largely opportunistic and automated, rather than targeted.</p>
<h5>Attacks</h5> <h5>Attacks</h5>
<ul> <ul>
<li>Phishing campaigns to steal credentials or sensitive data.</li> <li>Scanning for and exploiting known vulnerabilities with public exploits.</li>
<li>Injecting malware into systems via remote attacks.</li> <li>Phishing attempts using off-the-shelf kits.</li>
</ul> <li>Basic malware deployment (e.g., ransomware-as-a-service).</li>
<h5>Requirements</h5>
<ul>
<li><strong>MUST</strong> enforce hardware-anchored authentication for critical actions.</li>
<li><strong>MUST</strong> require hardware-anchored authorization for sensitive operations.</li>
<li><strong>MUST</strong> validate operations using a threshold-based policy to prevent single-point compromises.</li>
</ul>
<h5>Reference Design</h5>
<ul>
<li>Ensure that all users performing critical operations use robust, hardware-based authentication methods (e.g., FIDO2, smart cards).</li>
<li>Implement backend systems that require cryptographic signatures from known, secure devices before approving sensitive actions.</li>
<li>Store audit logs and critical keys in tamper-evident, append-only databases.</li>
<li>Employ cryptographic challenges (e.g., hashing operation requests) that must be signed by hardware tokens.</li>
</ul> </ul>
</div> </div>
</section> </section>
@ -82,37 +53,13 @@
<div class="flex-container-inner"> <div class="flex-container-inner">
<h3 id="level-2">Level 2</h3> <h3 id="level-2">Level 2</h3>
<h5>Adversary</h5> <h5>Adversary</h5>
<p>A skilled and resourceful individual targeting a single organization. This adversary employs focused social engineering, vulnerability exploitation, and man-in-the-middle attacks—similar to tactics observed during the <a href="https://en.wikipedia.org/wiki/WannaCry_ransomware_attack" target="_blank">WannaCry outbreak</a>.</p> <p>A skilled and resourceful individual specifically targeting a single organization. This adversary employs focused efforts to breach systems, including sophisticated social engineering and exploitation of newly disclosed vulnerabilities.</p>
<h5>Attacks</h5> <h5>Attacks</h5>
<ul> <ul>
<li>Compromising a team member with privileged access.</li> <li>Focused spear-phishing campaigns against key personnel.<li>
<li>Injecting malicious code into software components.</li> <li>Rapid exploitation of vulnerabilities shortly after public disclosure ("N-day" exploitation).</li>
<li>Exploiting vulnerabilities shortly after public disclosure.</li> <li>Man-in-the-middle (MitM) attacks against poorly secured communications.</li>
</ul> <li>Injection of malicious code into development pipelines.</li>
<h5>Requirements</h5>
<ul>
<li>
<strong>Production Access:</strong>
<ul>
<li><strong>MUST NOT</strong> be possible by any single individual—use multi-factor, multi-party authorization.</li>
<li><strong>MUST</strong> be conducted via dedicated, tamper-evident workstations.</li>
<li><strong>MUST</strong> utilize hardware security modules (HSMs) for critical key management.</li>
</ul>
</li>
<li>
<strong>Software Integrity:</strong>
<ul>
<li><strong>MUST</strong> be built deterministically with reproducible builds.</li>
<li><strong>MUST</strong> undergo extensive security review and be signed by trusted keys.</li>
<li><strong>MUST</strong> be kept up-to-date with all known security patches.</li>
</ul>
</li>
</ul>
<h5>Reference Design &amp; Key Management</h5>
<ul>
<li>Create offline certificate authority (CA) keys and store them securely.</li>
<li>Use air-gapped systems to generate keys and transfer them to hardware tokens.</li>
<li>Implement immutable, attested environments (e.g., TPM-based, cloud enclaves) to manage critical keys.</li>
</ul> </ul>
</div> </div>
</section> </section>
@ -121,17 +68,13 @@
<div class="flex-container-inner"> <div class="flex-container-inner">
<h3 id="level-3">Level 3</h3> <h3 id="level-3">Level 3</h3>
<h5>Adversary</h5> <h5>Adversary</h5>
<p>An organized group with significant funding and diverse expertise. Such adversaries can coordinate multi-faceted attacks and may have already compromised parts of the environment, representing coordinated internal and external threats.</p> <p>An organized, well-funded group possessing diverse expertise across multiple domains (malware, supply chain, network exploitation, physical access, insider recruitment). Capable of sustained campaigns combining internal and external compromise.</p>
<h5>Attacks</h5> <h5>Attacks</h5>
<ul> <ul>
<li>Coercing or compromising internal personnel to tamper with systems.</li> <li>Coercion or recruitment of internal personnel ("insider threats").</li>
<li>Exploiting sophisticated zero-day vulnerabilities against internet-connected components.</li> <li>Exploiting sophisticated zero-day vulnerabilities against internet-connected components.</li>
</ul> <li>Persistence and lateral movement after initial breach.</li>
<h5>Requirements</h5> <li>Coordinated, multi-stage attacks across digital and physical realms.</li>
<ul>
<li><strong>MUST</strong> require multi-key signatures stored in geographically separate locations.</li>
<li><strong>MUST</strong> enforce independent validations at each signing location.</li>
<li><strong>MUST</strong> maintain strict segregation of duties among different teams.</li>
</ul> </ul>
</div> </div>
</section> </section>
@ -140,51 +83,15 @@
<div class="flex-container-inner"> <div class="flex-container-inner">
<h3 id="level-4">Level 4</h3> <h3 id="level-4">Level 4</h3>
<h5>Adversary</h5> <h5>Adversary</h5>
<p>A state actor or similarly well-resourced entity capable of executing advanced attacks—including supply chain subversion, side-channel exploitation, and insider manipulation. Techniques seen in operations by groups like the <a href="https://en.wikipedia.org/wiki/Equation_Group" target="_blank">Equation Group</a> underscore the sophistication at this level.</p> <p>A state-backed or similarly resourced entity capable of executing the most advanced forms of cyber and physical attacks, including full-spectrum operations across the supply chain, hardware, firmware, and human factors..</p>
<h5>Attacks</h5> <h5>Attacks</h5>
<ul> <ul>
<li>Compromising the supply chain of any hardware or firmware component.</li> <li>Supply chain compromise of hardware, firmware, or software prior to deployment.</li>
<li>Relocating devices for rapid, covert attacks followed by restoration to the original environment.</li> <li>Physical relocation of assets for tampering (e.g., interdiction of shipments).</li>
<li>Utilizing advanced side-channel attacks (e.g., Differential Fault Analysis) and non-deterministic operations.</li> <li>Advanced side-channel attacks (e.g., Differential Fault Analysis, TEMPEST attacks).</li>
<li>Data remanence attacks that extract sensitive information even after deletion.</li> <li>Data remanence extraction techniques targeting decommissioned or wiped systems.</li>
<li>Sophisticated deception and counter-forensics to evade detection.</li>
</ul> </ul>
<h5>Requirements</h5>
<ul>
<li>
<strong>All Signing Systems:</strong>
<ul>
<li><strong>MUST</strong> have dual implementations of all policy and signing logic.</li>
<li><strong>MUST</strong> use multiple, unrelated hardware supply chains for cryptographic material.</li>
<li><strong>MUST</strong> produce deterministic outputs verified independently.</li>
<li><strong>MUST</strong> store keys in facilities with high physical and environmental security (e.g., Class III vaults, per NSA TEMPEST guidelines).</li>
<li><strong>MUST</strong> continuously monitor environmental conditions and enforce destruction protocols upon significant deviations.</li>
<li><strong>MUST</strong> employ robust, multi-factor physical access controls.</li>
</ul>
</li>
</ul>
</div>
</section>
<section class="flex-container">
<div class="flex-container-inner">
<h3>Mitigation Principles</h3>
<ul>
<li><strong>Elimination of Single Points of Failure:</strong> The design ensures that no single component or individual can compromise the system. Multiple layers of control span software, firmware, hardware, and operational processes.</li>
<li><strong>Transparency and Verification:</strong> Fully open source software and firmware enable thorough security reviews.</li>
<li><strong>Minimized Supply Chain Dependencies:</strong> Custom, purpose-specific tooling reduces reliance on external components, thereby mitigating supply chain risks.</li>
<li><strong>Deterministic Builds:</strong> We strive for fully reproducible builds to ensure consistency and detect unauthorized modifications. Projects like <a href="https://codeberg.org/stagex/stagex" target="_blank">StageX</a> exemplify this approach.</li>
<li><strong>Secure Hardware &amp; Physical Controls:</strong> Hardware is selected for its ability to disable network access or for lacking wireless interfaces, and robust tamper-evident measures are implemented.</li>
<li><strong>Environmental and Side-Channel Mitigations:</strong> Techniques such as TEMPEST (refer to <a href="https://www.nsa.gov/" target="_blank">NSA TEMPEST</a>) and soundproofing help block unauthorized emanations and physical attacks.</li>
</ul>
</div>
</section>
<section class="flex-container">
<div class="flex-container-inner">
<h3>Summary</h3>
<p>This threat model is designed to ensure the resilience and integrity of mission-critical systems by preparing for a wide range of potential attacks—from common remote threats to highly sophisticated state-level adversaries. It is especially important for organizations handling sensitive operations, managing critical infrastructure, or storing highly confidential information.</p>
<p>Importantly, the models four-tier structure allows organizations to select the appropriate level of defense based on their risk profile. For many, the robust controls of Level 1 or Level 2 may be sufficient, while only those facing exceptionally high risks need to implement the extensive measures of Level 3 or Level 4.</p>
<p><em>References: NIST SP 800-30, ISO 27005, and OWASP Threat Modeling Framework</em></p>
</div> </div>
</section> </section>
</main> </main>