Main assignment description - project
Preliminaries
The purpose of the course assignment is to develop skills in, and understanding of, the area of security analysis of large-scale computer systems. More specifically, it is to learn a methodology, threat modeling, for assessing the cybersecurity risk of a (large-scale) IT system. The assignment, your project, is designed to be as realistic as possible. This means that not all information needed to solve the assignment is provided in the description. It is therefore necessary for you to make assumptions that are realistic, as well as to seek new information, in order to pass the assignment. (Realistic here does not necessarily mean real.)
Introduction
You have just been hired as the chief security architect at an enterprise (see the suggestions below). The enterprise's Chief Information Security Officer (CISO), who is also quite new in office, is giving you the assignment to do the annual risk analysis. Today the enterprise has a large number of information systems that provide services to various parts of the business. In recent years, the systems have been integrated with each other using different integration mechanisms to support various processes (perhaps sales, marketing, accounting and IT support).
Unfortunately, the company has lost control over the complete picture of this system-of-systems since it has been, and still is, under constant change. In fact, the company has never really had the complete picture. Every year, new systems are developed and introduced, old systems are extended, modified, integrated with each other, and retired. These changes are the result of many different stakeholders’ requirements and many developers’ actions and not of a grand master plan.
The CISO, however, has realized that it is difficult to do a good (quantitative) risk analysis of the company IT infrastructure without knowing what systems they have, how these depend on each other, what data is flowing, what roles have access to different parts, what network technologies are being used, et cetera.
The Chief Executive Officer (CEO) and the board of directors have in recent years found it hard to make good decisions based on the qualitative and ad-hoc risk analyses they receive. Also, the pressure from new laws, increasing digitization, and an increasing number of malicious attack attempts have made them prioritize these questions. This is where you as the chief security architect come in. You are assigned to do a more thorough risk analysis, one that is quantitative and data-driven and that reflects the business, the IT environment, and the current threats, so that the CISO and the people responsible for strategic decisions have an up-to-date understanding of the current situation. The risk analysis should be created in order to support the CISO.
The Main Assignment
Individual work - Mandatory
Prelude
For the assignment, the first thing you need to do is decide what enterprise you have been hired at. We encourage you to pick a known cyber attack incident and read up on it as it has been publicly reported. Your task is NOT to describe the particular incident per se, but to use it as inspiration for a larger risk assessment. From a described incident you know (approximately) what happened. But chronologically, the risk assessment that you are now supposed to do took place before that incident. So you must also speculate about what other types of attacks could have been likely to happen and what other consequences those could have led to. From the material about the studied incident you therefore need to deduce/reverse engineer how the organization works, as well as make additional assumptions about the organization and its system environment. There are many sources that could serve as inspiration. A list of classic cyber incidents (from the course DD2303) is available, but just looking at the latest news flow and doing some general searching on the web will also give you many incidents. A local Swedish report is available from MSB. It is not mandatory to use a historical incident; this is just a tip to get inspiration. Another option could be to choose an organization you are already comfortable with, perhaps one where you have work experience you can draw on, or an organization that you want to learn more about and thus have a motivation to dig deeper into. Yet another approach could be to dive into a number of attack vectors or weaknesses (cf. OWASP Top 10 and MITRE ATT&CK) and build a case around these.
Description
You have learned that threat modeling is appropriate for assessing the cybersecurity risk level of the enterprise and its applications. It also allows you to identify weaknesses within the architecture. With this approach you can visualize and concretize what the risks are and how they could be mitigated.
Fortunately, you have heard about a method called Yacraf that seems to fit your needs perfectly.
As the main delivery, the CISO is expecting a report consisting of five main parts:
0) scope & delimitations,
1) business analysis,
2) system definition & decomposition,
3) threat analysis,
4) attack & resilience analysis, and
5) risk assessment & recommendations.
You are free to use any tools you like to support the work in the different phases of the assignment.
Much of the actual documentation and analysis is done in graphical models, diagrams, tables, spreadsheets, etc. However, these cannot stand by themselves and need to be complemented with text explaining the figures and your analysis to the CISO and the CEO. Thus you need to write a report that is self-contained and easy to read and understand from beginning to end. So, in addition to describing the analysis and results per se, the report needs to guide the readers so that they understand the background, assumptions, scoping, the analysis and the concluding recommendations. Your task is to convince the reader to act on your recommendations. Finding the appropriate abstraction level is also key: the report must be neither too big and complicated nor too small and trivial.
Tool support
We require full transparency about which tools were used throughout the different phases of the assignment and how they were applied.
Since ChatGPT and other large language models (LLMs) have become an integral part of our daily lives, it's likely you'll encounter them at some point in your exercises. Whether or not you choose to use these tools is entirely up to you. We have also shared lessons learned on using LLMs in threat modeling, which you can find here.
For this course, we recommend using YACRAF, a metamodel for risk-based threat modeling that provides a risk calculation framework. More information about this tool can be found here.
So, as part of the main delivery, the CISO is also expecting an appendix in the report giving an account of what tools were used during the project, for what purposes, and how.
Assignment assessment and grading criteria
The assignment will be evaluated according to the criteria listed on the grading page. (This means that understanding these criteria as soon as possible is essential for succeeding with the assignment. As your work progresses, carefully cross-examine your work with respect to the criteria.)
Mapping to intended learning outcomes
Phase 1: Business value of system
- Loss events (breach impact) based on business architecture (use cases) and business goals
***Model threats in large-scale computer systems***
Phase 2: System definition and decomposition
- Data flow diagrams based on system assets, actors, accounts, and authorization
***Model threats in large-scale computer systems***
Phase 3: Threat analysis
- Abuse cases based on attacker profiles
***Simulate attacks in large-scale computer systems***
Phase 4: Attack and resilience analysis
- Attack trees based on vulnerabilities
***Simulate attacks in large-scale computer systems / Describe which defense mechanisms computer systems can have***
Phase 5: Risk assessment and recommendations
***Carry out risk analysis based on a model and simulation / Describe which defense mechanisms computer systems can have***