For the last 15 years or so, US telecoms giant Verizon has published its Data Breach Investigations Report (DBIR). It analyses data breaches in detail: what caused them, what factors contributed to the breach, the vulnerabilities that attackers exploited, and many other data points.
The 2022 DBIR analysed over 5,200 breaches, so the data pool is wide. Although many other data sources exist, the DBIR remains a useful indicator of trends and changes in what attackers are doing, whom they're targeting, and how defenders are adapting.
One of the stand-out items in this year's edition was the main cause of breaches. The DBIR lists the attack vectors resulting in a breach or other security incident, including botnets, malware and so on. The biggest category by far is stolen credentials, which were a factor in more than 50% of security incidents.
How can threat modelling help protect against credential theft?
At the outset it’s worth reminding ourselves of the general benefits of threat models that apply, regardless of the attacks we’re looking at:
- We can model anything from back-of-the-envelope concept-stage designs to systems already in production.
- We can easily keep our threat model up to date as the system changes.
- We can discover the most important variable in security decision-making: risk.
Threat modelling is also collaborative. This is a really important feature: a threat model created by one person in isolation will always be less beneficial than one created jointly by the team responsible for the system, no matter how experienced or knowledgeable that individual is.
Why? Credential theft takes two forms:
- Theft of "system" or "machine" credentials (used by a system, device or automated process of some sort)
- Theft of "user" credentials (used by a human user).
Fully fleshing out both forms in the context of a system requires the whole team. While engineers will know how systems interact with each other, and where system credentials are in use, a business user or product owner as part of the threat modelling team can provide insights into how user credentials may be used (for example where any form of single sign-on is used).
User credentials will generally pose a far bigger risk, and the context of the user is critical when considering credential theft threats. In 2022’s DBIR, Verizon found that 82% of all breaches researched were caused by human factors. [1]
There are a few things to consider when thinking about how your users can have their credentials stolen:
- How technical are the users? Technical users are more likely to be aware of and use MFA, may use a password manager, and will be more aware of dodgy links in emails.
- What tools will they be using? Are they logging in from home on a computer they share with their children, or from a business machine with corporate-configured endpoint protection installed?
- Are they using the system while under stress or in a hurry? Users' average stress levels will vary, depending on whether they're paying their taxes just before the deadline, paying parking fines or tuning into Netflix for the evening. Users under stress will not take as many security precautions and may fall for social engineering ruses more easily.
The technical part of threat modelling also helps with credential-theft threats. Are you using suitable password hashing to avoid storing passwords in plain text? Have you also considered password length requirements, or coached your users on what constitutes a strong password? Can you enforce the use of a second factor when authenticating (a.k.a. MFA)?
This is where your engineering team's input is crucial, both in finding weaknesses and proposing solutions to strengthen security.
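The three questions in the paragraph above (hashing rather than plaintext storage, a length requirement, and a second factor) can each be expressed as a few lines of code that an engineering team can review. The following Python block is an added example and is not code from the original post; the policy constants, the stored-record format and the function names (password_meets_policy, hash_password, verify_password, hotp, verify_totp, authenticate) are assumptions chosen for illustration. It uses only the standard library: PBKDF2-HMAC-SHA256 with a per-user random salt and a stored iteration count, constant-time comparison, and an RFC 6238 time-based one-time password as the second factor.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Added example, not from the original post. The policy values below are
# assumptions chosen for illustration; tune them for your own system.
MIN_PASSWORD_LENGTH = 12      # length-based policy, no composition rules
PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16
TOTP_STEP_SECONDS = 30


def password_meets_policy(password: str) -> bool:
    """Reject short passwords; length matters more than character classes."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.

    A fresh random salt per user means identical passwords produce
    different records, and storing the iteration count lets you raise
    the work factor later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError, AttributeError):
        return False          # a malformed record never authenticates
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                window: int = 1) -> bool:
    """Time-based OTP (RFC 6238): accept the current step and +/- `window` steps."""
    if not code.isdigit():
        return False
    now = int(time.time()) if now is None else now
    counter = now // TOTP_STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def authenticate(password: str, stored: str, totp_secret: bytes, code: str,
                 now: Optional[int] = None) -> bool:
    """Both factors must pass; evaluate both so timing does not reveal which failed."""
    first = verify_password(password, stored)
    second = verify_totp(totp_secret, code, now=now)
    return first and second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    seed = b"12345678901234567890"          # RFC 6238 reference secret
    print(record)
    print(authenticate("correct horse battery staple", record, seed, hotp(seed, int(time.time()) // 30)))
```

The record format keeps the algorithm tag and iteration count alongside the salt, so a later decision to raise the work factor or move to a different scheme can be applied on the user's next successful login instead of a mass reset. A record with an unexpected tag or malformed fields is rejected outright rather than compared. The TOTP check tolerates one step of clock skew either side; widening that window makes life easier for users with drifting clocks at the cost of a longer replay window for any code that is intercepted.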
Threat modelling is a must for any system that could pose a risk to your business, which is why leading tech businesses, from SaaS startups to cloud providers, all use threat modelling as part of their development process. To find out more about threat modelling's benefits, check out my blog on the subject here.
Not sure where to start? Click to access my AWS security scorecard to take the pulse on your cloud services before you get started.