Intelligence: Attack Models (AM)
The overall goal for the Attack Models practice is the creation of customized knowledge on attacks relevant to the organization. Customized knowledge must guide decisions about both code and controls.
AM Level 1: Create attack (attackers, possible attacks, and attack stories) and data asset knowledge base. The SSG must identify potential attackers and document both the attacks that cause the greatest organizational concern and any important attacks that have already occurred. Managers must create a data classification scheme that the SSG uses to inventory and prioritize applications.
AM1.1
Build and maintain a top N possible attacks list. The SSG helps the organization understand attack basics by maintaining a list of the most important attacks. This list combines input from multiple sources: observed attacks, hacker forums, industry trends, etc. The list does not need to be updated with great frequency, and the attacks can be sorted in a coarse fashion. For example, the SSG might brainstorm twice per year to create lists of attacks the organization should be prepared to counter "now," "soon," and "someday."
AM1.2
Create data classification scheme and inventory. The organization agrees upon a data classification scheme and uses the scheme to inventory its software according to the kinds of data the software handles. This allows applications to be prioritized by their data classification. Many classification schemes are possible—one approach is to focus on PII. Depending upon the scheme and the software involved, it could be easiest to first classify data repositories, then derive classifications for applications according to the repositories they use.
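The repository-first approach in AM1.2 can be mechanized once the scheme is agreed: classify each data store, then let every application inherit the most sensitive class among the stores it reads or writes. The following is an added illustration, not part of the BSIMM text; the level names, repository names, application names and the "internal" default for applications that touch no classified store are constructed assumptions. Unclassified repositories are reported as errors rather than silently treated as public, since an unclassified store is exactly the gap the inventory is meant to surface.

```python
"""Derive application data classifications from the repositories each
application uses, then prioritize applications by the most sensitive
class they handle.  Added illustration; the levels, repository and
application names below are constructed examples, not BSIMM content."""

from collections import defaultdict

# Classification scheme, ordered least to most sensitive (assumed scheme).
LEVELS = ["public", "internal", "confidential", "pii"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Step 1: classify data repositories first (constructed sample inventory).
REPOSITORIES = {
    "marketing-cms-db": "public",
    "wiki-postgres": "internal",
    "contracts-s3": "confidential",
    "customer-db": "pii",
    "payroll-db": "pii",
}

# Step 2: record which repositories each application reads or writes.
APP_REPOSITORIES = {
    "public-website": ["marketing-cms-db"],
    "intranet-wiki": ["wiki-postgres"],
    "crm": ["customer-db", "wiki-postgres"],
    "hr-portal": ["payroll-db", "contracts-s3"],
    "build-dashboard": [],  # uses no classified repository at all
}


def classify_application(repos, repo_classes, default="internal"):
    """An application inherits the highest-ranked class among the
    repositories it touches.  Unknown repositories raise rather than
    defaulting, so an unclassified store cannot hide an application.
    The 'internal' default for store-less applications is an assumption."""
    unknown = [r for r in repos if r not in repo_classes]
    if unknown:
        raise KeyError(f"unclassified repositories: {unknown}")
    if not repos:
        return default
    return max((repo_classes[r] for r in repos), key=RANK.__getitem__)


def inventory(app_repos, repo_classes):
    """Return (application, class) pairs, most sensitive first, then by name."""
    classified = {
        app: classify_application(repos, repo_classes)
        for app, repos in app_repos.items()
    }
    return sorted(classified.items(), key=lambda kv: (-RANK[kv[1]], kv[0]))


def group_by_class(app_repos, repo_classes):
    """Group applications under each class, preserving inventory order."""
    groups = defaultdict(list)
    for app, level in inventory(app_repos, repo_classes):
        groups[level].append(app)
    return dict(groups)


if __name__ == "__main__":
    for app, level in inventory(APP_REPOSITORIES, REPOSITORIES):
        print(f"{level:>12}  {app}")
```

Prioritization falls out of the sort: every application that touches a PII store lands at the top of the list regardless of how many lower-classified stores it also uses, and anything that references a store absent from the repository inventory fails loudly until the store is classified.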
AM1.3
Identify potential attackers. The SSG identifies potential attackers in order to understand their motivations and capabilities. The outcome of this exercise could be a set of attacker profiles including generic sketches for broad categories of attackers and more detailed descriptions for noteworthy individuals.
AM1.4
Collect and publish attack stories. In order to maximize the benefit from lessons that do not always come cheap, the SSG collects and publishes stories about attacks against the organization. Over time, this collection helps the organization understand its history. Both successful and unsuccessful attacks can be noteworthy.
AM Level 2: Provide outreach on attackers and relevant attacks. The SSG must gather attack intelligence and expand its attack knowledge to include both higher-level attack patterns and lower-level abuse cases. Attack patterns must include technology-specific information relevant to the organization. The SSG must communicate attacker information to all interested parties.
AM2.1
Build attack patterns and abuse cases tied to potential attackers. The SSG prepares for security testing and architecture analysis by building attack patterns and abuse cases tied to potential attackers. These resources do not have to be built from scratch for every application in order to be useful. Instead, there could be standard sets for applications with similar profiles. The SSG will add to the pile based on attack stories. For example, a story about an attack against poorly managed entitlements could lead to an entitlements attack pattern that drives a new type of testing.
AM2.2
Create technology-specific attack patterns. The SSG creates technology-specific attack patterns to capture knowledge about technology-driven attacks. For example, if the organization's Web software relies on cutting-edge browser capabilities, the SSG could catalogue the quirks of all the popular browsers and how they might be exploited.
AM2.3
Gather attack intelligence. The SSG stays ahead of the curve by learning about new types of attacks and vulnerabilities. The information comes from attending conferences and workshops, monitoring attacker forums, and reading relevant publications, mailing lists, and blogs. Keep your enemies close by engaging security researchers.
AM2.4
Build internal forum to discuss attacks. The organization has an internal forum where the SSG and the satellite can discuss attacks. The forum serves to communicate the attacker perspective. The SSG could maintain a security interest mailing list where subscribers share the latest information on publicly known incidents. Vigilance means never getting too comfortable. (See [SR1.2]: Create Security Portal.)
AM Level 3: Research and mitigate new attack patterns. The SSG must conduct attack research on corporate software to get ahead of attacker activity. The SSG must provide knowledge and automation to auditors and testers to ensure their activities reflect actual and potential attacks perpetrated against the organization's software.
AM3.1
Have a science team that develops new attack methods. The SSG has a science team that develops new attack methods. The team works to identify and defang new classes of attacks before real attackers even know they exist. This is not a penetration testing team finding new instances of known types of weaknesses—it is a research group finding new types of attacks or new ways to exploit known weaknesses.
AM3.2
Create and use automation to do what the attackers will do. The SSG arms testers and auditors with automation to do what the attackers are going to do. For example, a new attack method identified by the science team could require a new tool. The SSG packages the new tool and distributes it to testers.