We took one of our best selling card games to play at Leeds Digital Festival - an open platform technology event billed as the largest digital festival in the North. The game was Elevation of Privilege - a card deck of cyber security anti-patterns that prompts players to find, and then validate, threats against a system.
Helping us were Gwen Diagram of Monzo, an international speaker and testing leader, and her colleague Paul Pinder of Sky, a security expert. Gwen was an excellent facilitator and Paul a passionate and knowledgeable teacher. We'd like to thank Gwen for the key role she played in designing and delivering the content of the event.
We would also like to thank the members of the Leeds digital community who turned out to learn about the game from us. Thank you for trusting us to help you learn this game.
We can provide any number of EoP card-decks - we make them - but Elevation of Privilege needs to be played in front of a system architecture diagram. Gwen selected the OWASP Juice Shop application which is a deliberately insecure example application. It is designed to be the perfect target-practice for cyber-security training.
The application was introduced by pointing the audience to the demo front-end provided by OWASP. There was a silent moment as they pulled out phones and had a poke about.
Once satisfied, we called out the features we had found:
- a reviews system
- up and down voting
- registration / login
- a contact form
These were the features we would be invited to attack.
The Juice Shop application ships with this architecture diagram, and we each got a copy of this to mull over.
To help people get a grip on threat modelling we were introduced to STRIDE, the six categories of threat:
- Spoofing - sending a message claiming a fake identity
- Tampering - changing application state or configuration
- Repudiation - denying having done something, because the system cannot prove otherwise
- Information Disclosure - obtaining information without authorisation
- Denial of Service - stopping real users enjoying the Juice Shop
- Elevation of Privilege - getting new rights within the system
Dividing threats into these categories instantly simplifies the task of considering how an application can be attacked: instead of "how could this be broken?", each person is asked the narrower question "how could this be spoofed, tampered with, and so on?", and working through the categories ensures every kind of attack gets considered.
To help us further, Gwen presented a range of stereotypical attacker personas: the terrorist, defector, disgruntled employee, Government Spy etc. These personas are described in Threat Modeling: Designing for Security by Adam Shostack.
The architecture diagram was transposed to the whiteboard and we collectively plotted the data flows that each feature required. This showed us the routes through which the system might be attacked and ensured we understood our target.
We spent a while focusing on these flows and the attacker personas and identifying what these personas might try on the app. What might they steal? What methods might they use? What would they be after? A few plausible threats were identified but this only took us so far.
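The whiteboard exercise above (plot the data flows, then ask what each category of attacker could do to each of them) can be made systematic with STRIDE-per-element: each kind of diagram element is paired with the STRIDE categories that normally apply to it (external entities get Spoofing and Repudiation, processes get all six, data flows and data stores get Tampering, Information Disclosure and Denial of Service), and the product of elements and categories becomes the checklist the table works through. The Python below is an added example, not code from this write-up or from the OWASP Juice Shop project: the element names are assumptions built from the four features listed earlier, the per-element mapping is the one in Shostack's book, and the two "recorded" threats are constructed to show how the checklist reports what is still uncovered.

```python
"""STRIDE-per-element over a small data-flow diagram (DFD).

Added example; not code from the original write-up or from the OWASP
Juice Shop project. Element and flow names are assumptions built from the
feature list in the post. The per-element mapping follows Adam Shostack's
"Threat Modeling: Designing for Security": external entities get S and R,
processes get all six, data flows and data stores get T, I and D.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE letters that apply to each kind of DFD element.
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "flow": "TID", "store": "TID"}


@dataclass
class Element:
    name: str
    kind: str  # "external", "process", "flow" or "store"


@dataclass
class Dfd:
    elements: Dict[str, Element] = field(default_factory=dict)

    def add(self, name: str, kind: str) -> "Dfd":
        if kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind {kind!r}")
        self.elements[name] = Element(name, kind)
        return self

    def connect(self, src: str, dst: str, label: str) -> "Dfd":
        """Record a data flow between two existing nodes as an element of its own."""
        for n in (src, dst):
            if n not in self.elements or self.elements[n].kind == "flow":
                raise KeyError(f"{n!r} is not a node in the diagram")
        return self.add(f"{label}: {src} -> {dst}", "flow")


def enumerate_threats(dfd: Dfd) -> List[Tuple[str, str]]:
    """Every (element, STRIDE category) pair the per-element table says to consider."""
    return [
        (el.name, STRIDE[letter])
        for el in dfd.elements.values()
        for letter in PER_ELEMENT[el.kind]
    ]


def uncovered(dfd: Dfd, recorded: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs with no threat recorded against them yet: the gaps to go back to."""
    return [pair for pair in enumerate_threats(dfd) if pair not in recorded]


def juice_shop_model() -> Dfd:
    """Constructed DFD of the four features called out at the event (names assumed)."""
    d = Dfd()
    d.add("shopper browser", "external")
    d.add("Juice Shop API", "process")
    d.add("user store", "store")
    d.add("review store", "store")
    d.add("feedback store", "store")
    d.connect("shopper browser", "Juice Shop API", "register / login")
    d.connect("shopper browser", "Juice Shop API", "post review / vote")
    d.connect("shopper browser", "Juice Shop API", "contact form")
    d.connect("Juice Shop API", "user store", "credential lookup")
    d.connect("Juice Shop API", "review store", "review read / write")
    d.connect("Juice Shop API", "feedback store", "feedback write")
    return d


if __name__ == "__main__":
    model = juice_shop_model()
    # Two threats a table might already have written down during play (constructed).
    recorded = {("shopper browser", "Spoofing"), ("review store", "Tampering")}
    for element, category in uncovered(model, recorded):
        print(f"{category:24} {element}")
    print(f"{len(enumerate_threats(model))} pairs to consider, {len(recorded)} recorded")
```

With one external entity, one process, three stores and six flows the checklist is 35 pairs, which is why a table can keep recording threats for a long time: the game's cards are a way of sampling that space, and the per-element table is a way of seeing which corners of it the cards have not yet reached.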
To really start to identify threats we needed the support on offer from the game. So we dived into the game play.
The advantages and disadvantages of Elevation of Privilege have been the subject of some study, and we have regularly spoken to facilitators to get their perspectives. We knew that the points system and score recording was a source of stress for facilitators.
There is an official score sheet, but it had received poor reviews and is not greatly admired by the game's inventor. We left it at home, deliberately leaving a gap for new systems to arise spontaneously. The ones that did arise were quite smart, and we'll examine them in more detail in another post.
The game itself was a great success. Each table had access to personalities who, between them, knew both the game rules and some cyber security lore. Otherwise the level of expertise varied considerably, but no one was observed to be stuck or stressed out by the process and we could see large numbers of threats being recorded.
To some extent the Juice Shop is an easy target, which prompted some skipping of the threat validation step in the game play. We are confident this arose from the use of a training system, in which there is little incentive to argue against the validity of a threat. However, we would still like to make it easier to validate possible Juice Shop threats through improved materials.
Most encouraging was how security novices received help comfortably from experts. There were also interesting conversations in which people of differing skill levels agreed passionately. From these conversations it was clear that everyone had successfully shifted to the attacker perspective and were in a mental zone where they could threat model.
So, in conclusion, we managed to familiarise ourselves with an unfamiliar target system, understand how and why it might be attacked, and get ourselves into a mental state where we could find validated threats.
We're really pleased with this result and look forward to a repeated success in London with Bill Matthews this June. See you there.