Supply Chain & Threat Modeling

Supply Chain Risks

Modern service delivery often involves a chain of multiple entities. Even companies that aim to control as much production in-house as possible, such as Apple, rely on components from a diverse range of suppliers. For example, Apple uses screens manufactured by Samsung, one of its major competitors. The supply chain isn't limited to manufacturing; it also includes transport, managed by multiple companies.

Ensuring the security, reliability, and reputation of all vendors in this supply chain is crucial to maintain overall operational integrity.

Supply Chain Evaluation

Evaluating the vendors in your supply chain involves several methodologies, such as:

Onsite Assessment: This includes visiting the organization, interviewing people, and observing their operating habits to ensure they meet safety and security standards.
Document Exchange and Review: Analyze how an organization manages information exchange and conducts assessments and reviews.
Process/Policy Review: Request and review the vendor's security policies, processes, and procedures to ensure they align with your organization's standards.
Third-party Audit: Enlist an independent auditor to provide an unbiased review of the vendor's security infrastructure.

Threat Modeling

Threat modeling is a security process where potential threats are identified, categorized, and analyzed. The aim is to eliminate or reduce these threats, either proactively or reactively. This approach can be based on:

Assets: Uses asset valuation results to identify threats to the most valuable assets.
Attackers: Identify potential attackers and threats based on the attackers' goals.
Software: Considers potential threats against the software the organization develops.

Understanding these concepts and being able to apply them to real-world scenarios is key to mastering supply chain and risk management for your CISSP exam.

Vulnerability Discovery Components

Used to DISCOVER.

Component	Description
CVE	Common Vulnerabilities and Exposures: A naming system for security vulnerabilities.
CVSS	Common Vulnerability Scoring System: Standardized method to determine the severity of vulnerabilities.
CCE	Common Configuration Enumeration: A naming system for system configuration issues.
CPE	Common Platform Enumeration: A naming system for operating systems, applications, and devices.
XCCDF	Extensible Configuration Checklist Description Format: A language for defining security checklists.
OVAL	Open Vulnerability and Assessment Language: A language to describe security testing processes.

Risk Management Frameworks (RMF)

NIST 800-37

NIST 800-37: By the National Institute of Standards and Technology, a non-regulatory US agency.

Categorize Info Systems: Understand and label systems based on their security needs.
Selecting Security Controls: Choose necessary controls to mitigate identified risks.
Implement Security Controls: Put the selected controls into action within the systems.
Assess Security Controls: Regularly check and validate the effectiveness of the controls.
Authorize Security Controls: Ensure the controls adhere to organizational policies.
Monitor Security Controls: Continuously oversee and report on the performance of security controls.

Image Source: Video https://www.youtube.com/watch?v=mLuLtIsDjK8&list=PL7XJSuT7Dq_XPK_qmYMqfiBjbtHJRWigD&index=9

Some references include a 1st step: "Prepare to execute the RMF". However, this isn't part of the CISSP syllabus.

STRIDE

Developed by Microsoft, STRIDE primarily focuses on software. It aims to identify and ~~address~~classify the ~~following~~type ~~areas~~ of ~~threat:~~threats:

Spoofing: This involves falsifying identity, such as presenting as another user or system.
Tampering: This involves data manipulation or unauthorized changes in the system.
Repudiation: This is staging an attack in such a way that the attacker can deny their involvement.
Information Disclosure: This involves unauthorized access to information.
Denial of Service (DoS): This refers to attacks aimed at making a system unavailable or inaccessible.
Elevation of Privilege: This involves unauthorized increases in privilege or access within the system.

Spoofing is about false identity, while repudiation is the denial of actions post-attack.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling approach focused on developing countermeasures based on asset value. It involves seven stages:

Definition of Objectives: Establishing clear objectives for threat modeling.
Definition of Technical Scope: Identifying the systems, applications, and data to be protected.
Application Decomposition & Analysis: Breaking down the application into its components and analyzing each for potential vulnerabilities.
Threat Analysis: Identifying potential threats to the system.
Weakness & Vulnerability Analysis: Identifying and analyzing the weaknesses and vulnerabilities that can be exploited by the threats.
Attack Modeling & Simulation: Modeling potential attack vectors and simulating their impacts.
Risk Analysis & Management: Evaluating the risks posed by the identified threats and developing strategies to manage them.

VAST

Visual, Agile, Simple, Threat (VAST) is a threat modeling approach that integrates threat management into an agile programming environment. It's ideal for organizations that heavily use agile methodologies in their operations.

CVSS

~~Common Vulnerability Scoring System (CVSS): provides a standardized scoring system~~
~~for describing the severity of security vulnerabilities~~

ATT&CK

The MITRE ATT&CK Matrix is different from kill chain models (e.g., Cyber Kill Chain) as it's not an ordered set of attacks but rather a matrix of TTPs. It is used to rate the severity of a vulnerability.

Reconnaissance	Resource development
Initial access	Execution
Persistence	Privilege escalation
Defense evasion	Credential access
Discovery	Lateral movement
Collection	Command and control
Exfiltration	Impact

Each tactic in the matrix has associated techniques.

Techniques often have sub-techniques that dive deeper into specifics.

Clicking a tactic or technique leads to a detailed page with mitigation and detection methods.

Example: Under Reconnaissance, there's a technique named Active Scanning. Within this, there's a sub-technique called Vulnerability Scanning detailing how to spot unauthorized scans.

Remember: The matrix helps in understanding how attackers operate and how to counteract their methods!

DREAD

DREAD is a risk assessment model designed to answer five critical questions:

Damage Potential: How severe could the damage be if the threat is realized?
Reproducibility: How easy is it for attackers to reproduce the exploit?
Exploitability: How difficult is it to perform the attack?
Affected Users: What percentage of users (internal or external) are likely to be affected by the attack?
Discoverability: How difficult is it for an attacker to discover this weakness? A significant weakness 7-8 layers deep with defense in depth may not be as big of a deal

A major weakness 7-8 layers deep with defense might not be as concerning.

TRIKE

TRIKE is an open-source threat modeling process focused on acceptable risk. It implements a requirements model, ensuring that the assigned level of risk for each asset is acceptable to stakeholders.

COBIT

Control Objectives for Information and Related Technology (COBIT) is an IT management and governance framework, based on five principles:

Meeting Stakeholder Needs: Ensuring the organization meets the needs of stakeholders.
Covering the Enterprise End-to-End: Considering the full scope of the enterprise.
Applying a Single, Integrated Framework: Implementing a centralized, coordinated approach.
Enabling a Holistic Approach: Taking into account all aspects of the organization.
Separating Governance from Management: Differentiate oversight from daily operations.

For COBIT, this is all we need to know. CISSP does not go too far into depth with this topic.