Are you looking to navigate security risks, but want to make your learning experience fun? Here's a comprehensive guide that introduces the concept of play to protect, helping you discover the threats that could affect your software design via gameplay.
Each chapter in this book covers a suit in the Elevation of Privilege (EoP) card deck (a threat category), providing example threats, references, and suggested mitigations for each card. You’ll explore the methodology for threat modeling—Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (S.T.R.I.D.E.)—with the Privacy deck and the T.R.I.M. extension pack. T.R.I.M. is a framework for privacy that stands for Transfer, Retention/Removal, Inference, and Minimization. Throughout the book, you’ll learn the meanings of these terms and how they should be applied. From spotting vulnerabilities to implementing practical solutions, the chapters provide actionable strategies for fortifying the security of software systems.
By the end of this book, you will be able to recognize threats, understand privacy regulations, access references for further exploration, and get familiarized with techniques to protect against these threats and minimize risks.
Page count: 229
Year of publication: 2024
Threat Modeling Gameplay with EoP
A reference manual for spotting threats in software architecture
Brett Crawley
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Dhruv J. Kataria
Publishing Product Manager: Prachi Sawant
Book Project Manager: Srinidhi Ram
Senior Editor: Adrija Mitra
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Proofreader: Adrija Mitra
Indexer: Tejal Soni
Production Designer: Jyoti Kadam
Senior DevRel Marketing Executive: Marylou De Mello
DevRel Marketing Coordinator: Shruthi Shetty
First published: August 2024
Production reference: 1110724
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK
ISBN 978-1-80461-897-4
www.packtpub.com
To all those trying to make us all a little safer by writing secure software, thanks and I hope this work helps to some extent.
– Brett Crawley
Let me start by inviting you to join me in a little game. Please complete the sentence: “It was Colonel Mustard…” Anyone who’s lived in an English-speaking country and has played Clue will respond with a variant of “in the library with the lead pipe.” Answers spring to mind even 10 or 20 years after last playing the game.
Games teach. They teach because while we’re having fun, we’re open to learning. We’re engaged with what’s in front of us, and learning about it helps us both have fun and win!
That was the inspiration that led me to create Elevation of Privilege in 2010. I had created software to help people threat model, and it was tedious to use—the exact opposite of the fun that security experts have while threat modeling. I wanted to bring that fun to those less experienced in security. So, long story short, I created the game, and hundreds of thousands of copies have been produced and used by people all around the world to learn and encourage threat modeling.
Play-testing showed how powerful it could be. People were unable to be “wallflowers,” sometimes to their temporary regret as it was their turn and they didn’t know what to do. But the game framing gives permission to be playful, and with the hints on the cards, that is a powerful combination. And there’s just something cool about going into a business meeting with a game. It’s going to be different, and if you suspend your skepticism, what happens can be magical.
Or not? Sometimes people get caught up in not knowing what a card means. And that’s why I’m so excited about the book you’re holding. Brett has stepped up to create a manual and open the world of security to a whole new audience.
The design of the game involved some lucky choices, and luck favors the prepared mind. So, while a lifetime of playing games helped, there’s an entire field of study of “games with a purpose” or “serious games.” And Elevation of Privilege helped show that games can help us learn about or even deliver security. I encourage you to use the game, and this book, to empower those around you to deliver more secure systems.
Adam Shostack
Creator of EoP
Seattle, WA
March 2024
Brett Crawley is a principal application security engineer, (ISC2) CISSP, CSSLP, and CCSP certified, the project lead on the OWASP Application Security Awareness Campaigns project, and the author of the OSTERING blog on security. He has published a Miro template for threat modeling with the Elevation of Privilege card game and also published the CAPEC S.T.R.I.D.E. mapping mind maps and other resources.
With over 10 years of application security experience and over 25 years of software engineering experience, he works with teams to define their security best practices and introduce security by design into their existing SDLC, and as part of this initiative, he trains teams in threat modeling because good design is of key importance.
He is also an advocate for using a data-driven approach to AppSec, to help identify the business-critical components, thereby optimizing the reduction of risk to the organization.
I’d like to thank my wife, Sabrina, for her help with the illustrations in the book, as well as putting up with me; my friend, Victoria, for her feedback on the first draft of the book; and my employer, Mimecast, for enabling our team to build a threat modeling program and train our engineering teams to threat model using Elevation of Privilege, which made me realize that a book like this one would be a helpful resource for people new to threat modeling.
I’d obviously like to thank Adam Shostack for inventing the Elevation of Privilege game (© 2010 Microsoft Corporation, licensed under the Creative Commons Attribution 3.0 United States license), which this book is written to support; Mark Vinkovits for his Privacy Extension (© 2018 LogMeIn, Inc. licensed under the Creative Commons Attribution 3.0 United States License); and Marko Hämäläinen, Laura Noukka, Hiski Ruhanen, Ilona Varis, and Antti Vähä-Sipilä of F-Secure Corporation for their Elevation of Privacy (© 2018 F-Secure Corporation licensed under the Creative Commons Attribution 4.0 International license), which covers T.R.I.M. (Transport, Retention/Removal, Inference, and Minimization). Without their efforts, I wouldn’t have anything to write about.
I’d also like to thank the MITRE Corporation for their CAPEC and CWE resources, which I refer to throughout the book (© 2006–2024 The MITRE Corporation), and OWASP for the Application Security Verification Standard ASVS whose section numbers I reference.
Zoe Braiterman is an entrepreneur, IT security consultant/researcher, and open source contributor. She is also an enthusiastic volunteer with organizations such as OWASP and AFCEA.
Michael Bernhardt is a seasoned security strategist and believes that a solid security culture is the essential glue for technological innovation and strong security. Throughout his more than 15 years in the profession, he has advised dozens of Fortune-500 SAP ERP customers and is currently helping Germany’s second-largest telecommunication provider in their secure cloud transformation as head of product security. He is leading the Corporate Security Program Evolution Model (CSPEM) initiative, which brings along tools and concepts for the organizational transformation of security programs. Additionally, he is a founder of the OWASP Security Champions Manifesto and Threat Modeling Connect, and regularly shares his perspective at conferences and on blogs.
Security depends on the diverse background of its workforce to assure broad acceptance. Failure in doing so would be fatal considering the magnitude of digital transformation.
Starting Threat Modeling more than 15 years ago, I very quickly understood its power to establish a collaborative exchange with diverse teams and raise security awareness. However, getting the first workshop done is one of the biggest challenges for new joiners. This is where “Threat Modeling Gameplay with EoP” steps in and brings structured real-world examples for guidance. I’m confident it will also aid you as you begin your own threat modeling journey!
I guess you could call this book the missing manual for Elevation of Privilege (EoP). It explains how to play the game and is a reference guide, with example threats for the cards in the EoP card game, enabling threat modeling beginners to better understand what they might look for in their design.
Using Elevation of Privilege cards with the example threats in this book, you will discover the threats that could affect your software design through gameplay.
Each chapter covers a suit in the Elevation of Privilege card deck (a threat category), and for each card, example threats, references, and suggested mitigations are given. You’ll cover the STRIDE with Privacy deck and the TRIM extension pack. STRIDE is a methodology for threat modeling and stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, while TRIM is a framework for privacy and stands for Transfer, Retention/Removal, Inference, and Minimization. You’ll learn what these terms refer to and how they should be applied.
You’ll be able to recognize threats, understand privacy regulations, use the in-line references provided in the chapters to find out more, and learn what techniques you can use to protect against these threats and minimize your risk. Each threat is not necessarily one you will find in your design but is included to help you understand and consider what similar threats there could be in your design.
The book is for the different participants involved in threat modeling:
Security professionals and privacy engineers can use the book as a reference and support material when either facilitating or participating in threat modeling with teams.
Software engineers and software architects can use the book when threat-modeling their software design. It supports them with concrete examples of threats so that they will then know what to look for and how it should be mitigated in their design, and they’ll be in a position to create better threat models and, above all, more secure software.
Product managers who need to threat-model their product with the team and support them by giving additional context they may have can use the book.
Students and engineers wanting to move into the application security space as a career choice can use the book to support them in their studies.
Chapter 1, Game Play, explores how the game is played, who should play, what you’ll need, and resources that you may find useful (in addition to this book, obviously).
Chapter 2, Spoofing, covers example spoofing threats, suggested mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 3, Tampering, discusses example tampering threats, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations. (You should start to see a theme here.)
Chapter 4, Repudiation, dives into example repudiation threats, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 5, Information Disclosure, examines example information disclosure threats, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 6, Denial of Service, explores example denial-of-service threats, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 7, Elevation of Privilege, covers example elevations of privilege threats from the Elevation of Privilege suit, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 8, Privacy, discusses example privacy threats from the Elevation of Privilege with Privacy extension, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 9, Transfer, dives into example transfer threats from the TRIM extension, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 10, Retention/Removal, examines example retention/removal threats from the TRIM extension, suggests mitigations for each of those threats, as well as references, where you can get additional background for a threat and its potential mitigations.
Chapter 11, Inference, explores example inference threats from the TRIM extension, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Chapter 12, Minimization, covers example minimization threats from the TRIM extension, suggests mitigations for each of those threats, as well as references, where you can get additional background on a threat and its potential mitigations.
Glossary offers a glossary of terms.
Appendix offers references for further reading.
You’ll need a solid understanding of the system or feature you are designing.
You’ll need to have an architecture diagram of the system.
You should have an open mind and shouldn’t see finding threats as a failure but as a learning opportunity to improve the security of your products.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
In this chapter, I’m going to walk you through what you need to play Elevation of Privilege (EoP) to threat model your software design. We are going to talk about how the participants should be selected to get the best results from threat modeling and why participants should have different roles in the project. Last but not least, we will see how to play the game and understand what’s the end goal of playing the game – finding out as many threats as possible. However, before we get started with all these, I would like to begin with a couple of words on what threat modeling is, as well as when you should threat model and why.
Threat modeling is a process to identify threats to and design flaws in the system you are designing. A threat is something that could go wrong in the system you are designing; it may be open to attack, it may be subject to some failure, or it may be open to human error. A mitigation is a safeguard or protection you can put in place to protect against a threat or at least reduce the risk a threat poses. So, when we threat model, we are looking for what could go wrong, how we can improve the system to stop that from happening, and finally, deciding whether we’re happy that even if the worst happened, it wouldn’t be all that bad because we’ve done a pretty good job.
When should we start? You should be able to begin threat modeling from the moment you are able to draw what your system will do and what parts it is made up of. Threat modeling is not a one-off exercise; it should be performed continually as your system evolves and it should be performed during the design phase of each version, and if the design changes during development, the process should be repeated to reflect those changes. Now, let’s look at why it should be performed so early in the software development life cycle (SDLC).
When you build a house, it’s built on foundations, and it could be extremely complicated if you need to change those foundations halfway through construction. Design flaws are usually very difficult and costly to remediate once a project is underway.
Implementation flaws, on the other hand, are not necessarily difficult to fix after the fact. Using the housing analogy again, fixing an error in the foundations may mean tearing down parts of the construction and starting again from the foundations, whereas a faulty or weak lock in a door is simple to fix: because doors are designed to support standard lock fittings, you can just change the component.
So, we can conclude that it is always a wise choice to threat model early as it’s an upfront investment that pays dividends.
Threat modeling can be used as a process for finding or eliciting security flaws in the design of a software system, although you could threat model any system. EoP is a category of threat and it is from this that the EoP card game for threat modeling takes its name. The EoP game was invented to facilitate threat modeling in teams as it prompts the participants with types of threats too.
As such, we will be covering the following main topics in the chapter:
What you’ll need to play the EoP game
Who should participate?
How to play EoP
By the end of the chapter, you will be familiar with the EoP card game, you will know where you can find useful resources to facilitate threat modeling with the game both remotely and in a single location, and you’ll know who to invite.
To get started, you’re going to need a couple of things, depending on how you intend to play the game. Firstly, you are going to need a detailed architecture diagram showing the data flows and preferably the trust boundaries.
Figure 1.1: Diagram showing data flows and trust boundaries
What are the trust boundaries? They are the points where data passes from one level of trust to another: for example, from raw user input, which is untrusted, to data that has been sanitized (had any invalid characters or commands removed), or from the internet through the firewall and onto your network. In both cases, the second side of the boundary is the one you should be more willing to trust.
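As an added illustration (not part of the book), here is a small Python model of such a diagram: elements placed in trust zones, the data flows between them, and the STRIDE categories to ask about for every flow that crosses a boundary. The zone ranking and the boundary-to-category mapping are this example’s own assumptions, a simplification of the STRIDE-per-element approach, not rules from the book or the card game.

```python
"""Added example: which STRIDE questions does a flow across a trust boundary raise?

The zone ranking and the category mapping below are assumptions made for this
illustration (a simplified STRIDE-per-element), not the book's own rules.
"""
from __future__ import annotations
from dataclasses import dataclass

# STRIDE categories in deck order; used to sort the output consistently.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

# Assumed trust ranking: higher number = more trusted zone.
TRUST_RANK = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass
class Element:
    name: str
    kind: str        # "external", "process" or "store"
    trust_zone: str  # key of TRUST_RANK


@dataclass
class Flow:
    source: Element
    dest: Element
    data: str
    sanitized: bool = False  # does the receiver validate/sanitize this input?


def crosses_boundary(flow: Flow) -> bool:
    """A trust boundary is crossed when the two ends sit in different zones."""
    return flow.source.trust_zone != flow.dest.trust_zone


def threats_for(flow: Flow) -> list[str]:
    """STRIDE categories worth asking about for one flow (assumed mapping)."""
    if not crosses_boundary(flow):
        return []
    # Any data crossing a boundary can be observed or flooded.
    threats = {"Information Disclosure", "Denial of Service"}
    if flow.source.kind == "external":
        threats.add("Spoofing")               # who is really on the other end?
    if not flow.sanitized:
        threats.add("Tampering")              # unvalidated input can be altered
    if flow.dest.kind == "store":
        threats.add("Repudiation")            # writes need an audit trail
    moving_up = TRUST_RANK[flow.dest.trust_zone] > TRUST_RANK[flow.source.trust_zone]
    if moving_up and flow.dest.kind == "process":
        threats.add("Elevation of Privilege")  # less-trusted data drives trusted code
    return sorted(threats, key=STRIDE.index)


def enumerate_threats(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'source -> dest (data)' labels to their STRIDE categories."""
    return {f"{f.source.name} -> {f.dest.name} ({f.data})": threats_for(f) for f in flows}


# Constructed sample diagram: browser user, web app in the DMZ, internal database.
user = Element("User", "external", "internet")
web = Element("Web app", "process", "dmz")
db = Element("Orders DB", "store", "internal")
SAMPLE_FLOWS = [
    Flow(user, web, "login form", sanitized=False),
    Flow(web, db, "order insert", sanitized=True),
    Flow(web, web, "session cache", sanitized=True),  # same zone: no boundary
]

if __name__ == "__main__":
    for label, cats in enumerate_threats(SAMPLE_FLOWS).items():
        print(f"{label}: {', '.join(cats) or 'no boundary crossed'}")
```

Running it lists, for each flow in the constructed diagram, the threat categories a team would then walk through with the matching suit of cards.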
If you’re going to be playing remotely, read the next section.
Having the cards either digitally or physically is going to be a help, so reading the section entitled The cards will point you to where you can download them digitally or purchase them online.
If you’re doing remote threat modeling exercises and you have a Miro account, you might find my Threat Modeling with EoP Miro template handy: https://miro.com/miroverse/threat-modeling-with-eop/.
The board contains instructions on how to get set up and a working example showing how the Miro board was intended to be used.
To deal with the cards for the remote exercise, Agile Stationery has kindly created a card-dealing web application:
https://croupier.agilestationery.co.uk/
Here, you can download TNG Technology Consulting GmbH’s online multiplayer version of the threat modeling card games that you can host on-premises, such as EoP, OWASP Cornucopia, and Cumulus:
https://github.com/tng/elevation-of-privilege
The following resources are where you can get your hands on a copy of the EoP cards or those of one of its extensions required to play the game, either virtually or physically:
Here’s Adam Shostack’s GitHub repository for EoP where you can download the cards: https://github.com/adamshostack/eop
Mark Vinkovits’ Privacy Extension can be found here: https://logmeincdn.azureedge.net/legal/gdpr-v2/eop-cards-ready-to-print.pdf
F-Secure Corporation’s Elevation of Privacy (T.R.I.M.) Extension can be found here: https://github.com/WithSecureOpenSource/elevation-of-privacy
You can buy physical copies of the cards from Agile Stationery as well: https://agilestationery.com/collections/cybersecurity-games
Two other threat modeling games that are quite similar to EoP in how you use them are Cornucopia from OWASP and Cumulus from TNG Technology. Many of the examples from this book will be applicable to cards in these games. Cornucopia is specifically designed for e-commerce applications and there are more threat categories; however, it doesn’t map directly to STRIDE (which stands for the following threat categories: spoofing, tampering, repudiation, information disclosure, denial of service, and EoP) if you have chosen to use this methodology. Cumulus, as the name suggests, is aimed at threat modeling cloud solutions. You can download these two games at the following links:
OWASP Cornucopia: https://owasp.org/www-project-cornucopia/#div-cards
TNG Technology Consulting GmbH’s Cumulus Cloud Threat Modeling Cards: https://github.com/TNG/cumulus
Now that we have the resources we need to play the game, let’s see who you should invite to play this game.
Preferably, you want between four and