KK-Threat Modelling Report

The document provides a security assessment report for Krispy Kreme including an executive summary, architecture overview, data flow diagrams, and an analysis of threats using the STRIDE methodology. The executive summary states that ValueLabs conducted a security assessment and threat modeling of Krispy Kreme's environment. The architecture section provides an overview of the proposed architecture. The data flow diagrams include a level 0 context diagram and level 1 diagram breaking the system into subprocesses. Finally, the threats and countermeasures section analyzes potential threats in various areas like authentication, logging, and encryption using the STRIDE categories and provides recommendations.

Uploaded by

samiksha5singhal

VALUELABS

Security Assessment Report

Threat Modelling Report

Prepared for:
Submitted on: 17 Sep 2021

Doing the right thing. Always. WWW.VALUELABS.COM



Contents

EXECUTIVE SUMMARY  3
    PURPOSE  3
    INTENDED AUDIENCE  3
ARCHITECTURE  4
    PROPOSED ARCHITECTURE  4
DATA FLOW DIAGRAMS  5
    DATA FLOW DIAGRAM – LEVEL 0  5
    DATA FLOW DIAGRAM – LEVEL 1  6
THREATS AND COUNTERMEASURES  7
    STRIDE Methodology  7
Security Monitoring & Threat Hunting - The MITRE ATT&CK Retail Matrix  10
    Threat Actor profile  10
        FIN6  10
        FIN7  10
        FIN8  11
Security Monitoring & Threat Hunting - The MITRE ATT&CK UK Matrix  12
    Threat Actor profile  12
        APT29  12
        Gamaredon Group  13
        Kimsuky  13
        Sandworm Team  14
        Silence  14
        Wizard Spider  15

CONFIDENTIAL 2 of 15

EXECUTIVE SUMMARY

ValueLabs would like to thank Krispy Kreme for giving us the opportunity to perform a security assessment
of their environment.

This document describes the threat model identified during the course of the security assessment that the
ValueLabs team conducted for Krispy Kreme.

PURPOSE
This document outlines the threats and countermeasures identified in the ValueLabs assessment of the Krispy Kreme
environment.

INTENDED AUDIENCE
Krispy Kreme Team


ARCHITECTURE
PROPOSED ARCHITECTURE


DATA FLOW DIAGRAMS


A data flow diagram is a depiction of how information flows through your system. It shows each place
that data is input into or output from each process or subsystem. It includes anywhere that data is
stored in the system, either temporarily or long-term.

Components of a DFD (the notation symbols are shown in the original figure):

- External Entity
- Process
- Data Storage
- Data Flow

DATA FLOW DIAGRAM – LEVEL 0


It is also known as a context diagram. It is designed to be an abstract view, showing the
system as a single process with its relationships to external entities. It represents the entire
system as a single process, with input and output data indicated by incoming and outgoing arrows.


DATA FLOW DIAGRAM – LEVEL 1


In a level-1 DFD, the context diagram is decomposed into multiple processes. At this level we
highlight the main functions of the system and break the high-level process of the level-0 DFD
down into subprocesses.


THREATS AND COUNTERMEASURES


STRIDE Methodology

Based on the current architecture, we analysed the threats to the proposed architecture using the
STRIDE methodology. The threats we identified are listed below.

Legend (icons from the original table):
  [icon] Represents no threats
  [icon] Represents threat

Threat Category / Entity / Threat Description / Countermeasures

Spoofing

  BI Database (6.0)
    Threat: Weak authentication on the database leads to attack.
    Countermeasure: Ensure that 'send alerts to' is set on every database.
    Threat: Not monitoring the expiration date of accounts may lead to leakage of a lot of data.
    Countermeasure: Ensure that all accounts have an expiration date that is monitored and enforced.
    Threat: An attacker may steal all the database audit logs and secret keys.
    Countermeasure: Ensure that local logging and Key Vault are enabled on all systems and networking devices.

  Email Server (2.0)
    Threat: Weak authentication allows the list of phishing emails and passwords to be downloaded.
    Countermeasure: Two-factor authentication.
    Threat: An attacker can brute-force passwords and try to log in again and again.
    Countermeasure: Limit the number of login attempts to a set value.
    Threat: An attacker can inject a SQL query and bypass the login to the server.
    Countermeasure: Ensure that the 'Require Password' value is true and that a password length is specified.

  SFTP Server (4.0)
    Threat: A weak user name or password, or the lack of a proper firewall on the server, may lead to attack.
    Countermeasure: Server hardening such as periodic updates, backups and configuring the firewall makes the entire SFTP server more secure.
    Threat: If files on the SFTP server are not encrypted, this leads to a leak of data.
    Countermeasure: Files should be encrypted on the SFTP server.
    Threat: Azure Backup is disabled on the SFTP server.
    Countermeasure: Azure Backup should be enabled for the SFTP server.

  External Gateway (1.0)
    Threat: A fake payment gateway set up as a phishing site to steal information.
    Countermeasure: Two-factor authentication.
    Threat: Lack of encryption on the payment gateway may lead to attack.
    Countermeasure: Ensure that proper encryption is in place on the payment gateway.

Tampering

  BI Database (6.0)
    Threat: An unauthorized person can gain access to the remote shell and from there to the database.
    Countermeasure: Protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists.
    Threat: Default passwords may lead to access to the server and tampering with the database.
    Countermeasure: Ensure that password reset is set to 'Yes'.
    Threat: Lack of Azure Defender inside Azure databases may lead to a lack of vulnerability assessment.
    Countermeasure: Ensure that Azure Defender for Azure SQL Database servers is enabled.
    Threat: Public access is enabled on the database server.
    Countermeasure: Public network access on Azure SQL Database should be disabled.

Repudiation

  BI Database (6.0)
    Threat: Database logs must be protected from loss.
    Countermeasure: Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
    Threat: Exceptions, when they occur, can be used by malicious clients to guess sensitive information about the location, connection details and data source.
    Countermeasure: Audit retention for SQL servers should be set to at least 90 days.

Information Disclosure

  BI Database (6.0)
    Threat: An attacker can log in and disclose the sensitive information of users.
    Countermeasure: Encrypt all user information in transit and at rest.
    Threat: Lack of encryption of temp disks, caches, and data flows between Compute and Storage resources leads to information disclosure.
    Countermeasure: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.

  Email Server (2.0)
    Threat: Unencrypted data may lead to information disclosure.
    Countermeasure: Encrypt data at rest and in transit.

  SFTP Server (4.0)
    Threat: Full permission to access the directory should not be given to customers, as this may lead to information disclosure.
    Countermeasure: Limited permissions need to be provided to customers.
    Threat: Enabling IP forwarding on a virtual machine's network interface (NIC) allows the machine to act as a router and receive traffic addressed to other destinations.
    Countermeasure: Ensure that IP forwarding on the virtual machine is disabled.

  Alteryx Server (10.0)
    Threat: Lack of encryption of temp disks, caches, and data flows between Compute and Storage resources leads to information disclosure.
    Countermeasure: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.

  Reflex Server (8.0)
    Threat: Lack of encryption of temp disks, caches, and data flows between Compute and Storage resources.
    Countermeasure: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.

  RDC Server (5.2)
    Threat: Lack of encryption of temp disks, caches, and data flows between Compute and Storage resources.
    Countermeasure: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.

Denial of Service

  SFTP Server (4.0)
    Threat: An attacker can flood the server with traffic and cause it to crash.
    Countermeasure: Programming the FTP or SFTP server to blacklist malicious IP addresses is tedious, but remains one of the best countermeasures to these attacks.

Elevation of Privilege

  BI Database (6.0)
    Threat: An attacker may escalate privilege and try to log in to the admin account.
    Countermeasure: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
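Two of the countermeasures in the table (limiting the number of login attempts on the Email Server, and alerting on unsuccessful logins to an administrative account on the BI Database) can be checked from authentication logs. The following Python monitor is an added example and not part of the report; it runs over constructed sample log lines in an assumed key=value format and uses an assumed set of administrative account names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not taken from the report).
SAMPLE_LOG = """\
2021-09-17T10:00:01 host=mail02 user=alice result=FAIL src=203.0.113.7
2021-09-17T10:00:03 host=mail02 user=alice result=FAIL src=203.0.113.7
2021-09-17T10:00:05 host=mail02 user=alice result=FAIL src=203.0.113.7
2021-09-17T10:00:07 host=mail02 user=alice result=FAIL src=203.0.113.7
2021-09-17T10:00:09 host=mail02 user=alice result=FAIL src=203.0.113.7
2021-09-17T10:00:11 host=mail02 user=alice result=FAIL src=203.0.113.7
2021-09-17T10:05:00 host=bidb06 user=sa result=FAIL src=198.51.100.4
2021-09-17T10:05:30 host=bidb06 user=sa result=SUCCESS src=198.51.100.4
2021-09-17T11:00:00 host=mail02 user=bob result=SUCCESS src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)
# Assumed names of administrative accounts in this environment.
ADMIN_ACCOUNTS = {"sa", "administrator", "root"}


def parse_log(text):
    """Parse the key=value log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the monitor
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect(events, max_attempts=5, window=timedelta(minutes=10)):
    """Return alert tuples (kind, user, src, timestamp).

    - any failed login to an admin account is alerted immediately
    - more than max_attempts failures for one (user, src) inside `window`
      trips the lockout threshold once, so repeated attempts do not spam alerts
    """
    alerts = []
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    tripped = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        when = ev["ts"].isoformat()
        if ev["user"] in ADMIN_ACCOUNTS:
            alerts.append(("admin_login_failure", ev["user"], ev["src"], when))
        key = (ev["user"], ev["src"])
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(recent[key]) > max_attempts and key not in tripped:
            tripped.add(key)
            alerts.append(("lockout_threshold_exceeded", ev["user"], ev["src"], when))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```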


Security Monitoring & Threat Hunting - The MITRE ATT&CK Retail Matrix

Threat Actor profile
FIN6
FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on
underground marketplaces. This group has aggressively targeted and compromised point of
sale (PoS) systems in the hospitality and retail sectors.

Initial Access: Valid Accounts
Execution: Command and Scripting Interpreter; Windows Management Instrumentation
Privilege Escalation: Access Token Manipulation; Exploitation for Privilege Escalation; Valid Accounts
Defense Evasion: Access Token Manipulation; Obfuscated Files or Information; Valid Accounts
Credential Access: Credentials from Password Stores
Discovery: Network Service Scanning; Remote System Discovery
Lateral Movement: (technique not legible in the source)
Collection: Archive Collected Data; Automated Collection; Data from Information Repositories; Data from Local System; Screen Capture; Video Capture
Command and Control: Ingress Tool Transfer; Non-Application Layer Protocol; Non-Standard Port; Protocol Tunneling; Web Service
Impact: (technique not legible in the source)

FIN7
FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail,
restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A
portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes
referred to as Carbanak Group, but these appear to be two groups using the
same Carbanak malware and are therefore tracked separately.
Execution: Command and Scripting Interpreter
Defense Evasion: Obfuscated Files or Information
Collection: Screen Capture; Video Capture
Command and Control: Ingress Tool Transfer; Non-Standard Port


FIN8
FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns
targeting the retail, restaurant, and hospitality industries.

Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Privilege Escalation: Exploitation for Privilege Escalation; Valid Accounts
Defense Evasion: Modify Registry; Obfuscated Files or Information; Valid Accounts
Credential Access: (technique not legible in the source)
Discovery: Remote System Discovery
Collection: (technique not legible in the source)
Command and Control: Ingress Tool Transfer


Security Monitoring & Threat Hunting - The MITRE ATT&CK UK Matrix

Threat Actor profile
APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).
They have operated since at least 2008, often targeting government networks in Europe and
NATO member countries, research institutes, and think tanks. APT29 reportedly compromised
the Democratic National Committee starting in the summer of 2015.
In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise
cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The
Dukes. Victims of this campaign included government, consulting, technology, telecom, and
other organizations in North America, Europe, Asia, and the Middle East. Industry reporting
referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and
Dark Halo.

Initial Access: Exploit Public-Facing Application; External Remote Services; Valid Accounts
Execution: Exploitation for Client Execution; Windows Management Instrumentation
Persistence: External Remote Services; Valid Accounts
Privilege Escalation: Valid Accounts
Defense Evasion: Deobfuscate/Decode Files or Information; Indicator Removal on Host; Masquerading; Obfuscated Files or Information; Use Alternate Authentication Material; Valid Accounts
Credential Access: Credentials from Password Stores
Discovery: Account Discovery; Domain Trust Discovery; File and Directory Discovery; Permission Groups Discovery; Process Discovery; Remote System Discovery; System Information Discovery
Lateral Movement: Use Alternate Authentication Material
Collection: Data from Local System
Command and Control: Dynamic Resolution; Ingress Tool Transfer; Non-Application Layer Protocol


Gamaredon Group
Gamaredon Group is a threat group that has been active since at least 2013 and has targeted
individuals likely involved in the Ukrainian government. The name Gamaredon Group comes
from a misspelling of the word "Armageddon", which was detected in the adversary's early
campaigns.

Execution: Native API
Persistence: Office Application Startup
Defense Evasion: Deobfuscate/Decode Files or Information; Modify Registry; Obfuscated Files or Information; Template Injection
Discovery: File and Directory Discovery; Peripheral Device Discovery; System Information Discovery; System Owner/User Discovery
Lateral Movement: Internal Spearphishing; Taint Shared Content
Collection: Automated Collection; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Screen Capture
Command and Control: Ingress Tool Transfer; Web Service
Exfiltration: Automated Exfiltration; Exfiltration Over C2 Channel

Kimsuky
Kimsuky is a North Korean-based threat group that has been active since at least September
2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related
targets, expanding recently to the United States, Russia, and Europe. The group was attributed
as the actor behind the Korea Hydro & Nuclear Power Co. compromise.

Resource Development: Develop Capabilities
Initial Access: External Remote Services
Persistence: Browser Extensions; External Remote Services
Privilege Escalation: Process Injection
Defense Evasion: Modify Registry; Obfuscated Files or Information; Process Injection
Credential Access: Man-in-the-Middle; Network Sniffing
Discovery: File and Directory Discovery; Network Sniffing; System Information Discovery
Collection: Data from Local System; Man-in-the-Middle
Command and Control: Ingress Tool Transfer; Remote Access Software
Exfiltration: Exfiltration Over C2 Channel


Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff
Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit
74455. This group has been active since at least 2009.

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm
Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical
companies and government organizations, the 2017 worldwide NotPetya attack, targeting of
the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter
Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical
Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these were
conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.

Discovery: File and Directory Discovery; Network Sniffing; Remote System Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery
Collection: Data from Local System
Command and Control: Ingress Tool Transfer; Non-Standard Port; Proxy; Remote Access Software
Exfiltration: Exfiltration Over C2 Channel
Impact: Data Destruction; Endpoint Denial of Service

Silence
Silence is a financially motivated threat actor targeting financial institutions in different
countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine,
Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems,
including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.


Initial Access: Valid Accounts
Execution: Native API; Software Deployment Tools
Persistence: Valid Accounts
Privilege Escalation: Process Injection; Valid Accounts
Defense Evasion: Modify Registry; Obfuscated Files or Information; Process Injection; Valid Accounts
Discovery: Remote System Discovery
Lateral Movement: Software Deployment Tools
Collection: Screen Capture; Video Capture
Command and Control: Ingress Tool Transfer; Non-Standard Port

Wizard Spider
Wizard Spider is a financially motivated criminal group that has been conducting ransomware
campaigns since at least August 2018 against a variety of organizations, ranging from major
corporations to hospitals.

Initial Access: External Remote Services; Valid Accounts
Execution: Windows Management Instrumentation
Persistence: External Remote Services; Valid Accounts
Privilege Escalation: Valid Accounts
Defense Evasion: Modify Registry; Obfuscated Files or Information; Valid Accounts
Discovery: Network Share Discovery; Remote System Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery
Lateral Movement: Exploitation of Remote Services; Lateral Tool Transfer
Collection: Data Staged
Exfiltration: Exfiltration Over C2 Channel
Impact: Service Stop
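The actor profiles above can drive detection priorities: a technique shared by many of the profiled actors is worth a detection first, and the per-actor remainder becomes the backlog. The following Python is an added example, not part of the report; it transcribes the technique names from the matrices above and assumes a hypothetical starting set of two existing detections.

```python
from collections import Counter

# Technique names transcribed from the actor matrices in this report.
RAW = {
    "FIN6": "Valid Accounts; Command and Scripting Interpreter; Windows Management Instrumentation; "
            "Access Token Manipulation; Exploitation for Privilege Escalation; Obfuscated Files or Information; "
            "Credentials from Password Stores; Network Service Scanning; Remote System Discovery; "
            "Archive Collected Data; Automated Collection; Data from Information Repositories; "
            "Data from Local System; Screen Capture; Video Capture; Ingress Tool Transfer; "
            "Non-Application Layer Protocol; Non-Standard Port; Protocol Tunneling; Web Service",
    "FIN7": "Command and Scripting Interpreter; Obfuscated Files or Information; Screen Capture; "
            "Video Capture; Ingress Tool Transfer; Non-Standard Port",
    "FIN8": "Valid Accounts; Exploitation for Privilege Escalation; Windows Management Instrumentation; "
            "Modify Registry; Obfuscated Files or Information; Remote System Discovery; Ingress Tool Transfer",
    "APT29": "Exploit Public-Facing Application; External Remote Services; Valid Accounts; "
             "Exploitation for Client Execution; Windows Management Instrumentation; "
             "Deobfuscate/Decode Files or Information; Indicator Removal on Host; Masquerading; "
             "Obfuscated Files or Information; Use Alternate Authentication Material; "
             "Credentials from Password Stores; Account Discovery; Domain Trust Discovery; "
             "File and Directory Discovery; Permission Groups Discovery; Process Discovery; "
             "Remote System Discovery; System Information Discovery; Data from Local System; "
             "Dynamic Resolution; Ingress Tool Transfer; Non-Application Layer Protocol",
    "Gamaredon Group": "Native API; Office Application Startup; Deobfuscate/Decode Files or Information; "
                       "Modify Registry; Obfuscated Files or Information; Template Injection; "
                       "File and Directory Discovery; Peripheral Device Discovery; System Information Discovery; "
                       "System Owner/User Discovery; Internal Spearphishing; Taint Shared Content; "
                       "Automated Collection; Data from Local System; Data from Network Shared Drive; "
                       "Data from Removable Media; Screen Capture; Ingress Tool Transfer; Web Service; "
                       "Automated Exfiltration; Exfiltration Over C2 Channel",
    "Kimsuky": "Develop Capabilities; External Remote Services; Browser Extensions; Process Injection; "
               "Modify Registry; Obfuscated Files or Information; Man-in-the-Middle; Network Sniffing; "
               "File and Directory Discovery; System Information Discovery; Data from Local System; "
               "Ingress Tool Transfer; Remote Access Software; Exfiltration Over C2 Channel",
    "Sandworm Team": "File and Directory Discovery; Network Sniffing; Remote System Discovery; "
                     "System Information Discovery; System Network Configuration Discovery; "
                     "System Network Connections Discovery; System Owner/User Discovery; "
                     "Data from Local System; Ingress Tool Transfer; Non-Standard Port; Proxy; "
                     "Remote Access Software; Exfiltration Over C2 Channel; Data Destruction; "
                     "Endpoint Denial of Service",
    "Silence": "Valid Accounts; Native API; Software Deployment Tools; Process Injection; Modify Registry; "
               "Obfuscated Files or Information; Remote System Discovery; Screen Capture; Video Capture; "
               "Ingress Tool Transfer; Non-Standard Port",
    "Wizard Spider": "External Remote Services; Valid Accounts; Windows Management Instrumentation; "
                     "Modify Registry; Obfuscated Files or Information; Network Share Discovery; "
                     "Remote System Discovery; System Information Discovery; "
                     "System Network Configuration Discovery; System Owner/User Discovery; "
                     "Exploitation of Remote Services; Lateral Tool Transfer; Data Staged; "
                     "Exfiltration Over C2 Channel; Service Stop",
}
ACTORS = {name: {t.strip() for t in techs.split(";")} for name, techs in RAW.items()}


def technique_prevalence(actors=ACTORS):
    """Map each technique to the number of profiled actors that use it."""
    counts = Counter()
    for techs in actors.values():
        counts.update(techs)
    return counts


def detection_priorities(actors=ACTORS, top=5):
    """Techniques ranked by how many actors share them; ties broken alphabetically."""
    prev = technique_prevalence(actors)
    return sorted(prev.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def actor_coverage(detections, actors=ACTORS):
    """Fraction of each actor's profiled techniques that existing detections cover."""
    return {n: round(len(t & detections) / len(t), 2) for n, t in actors.items()}


def coverage_gaps(detections, actors=ACTORS):
    """Per actor, the profiled techniques with no detection yet (the backlog)."""
    return {n: sorted(t - detections) for n, t in actors.items()}


if __name__ == "__main__":
    # Hypothetical starting point: detections already exist for these two techniques.
    have = {"Ingress Tool Transfer", "Obfuscated Files or Information"}
    print(detection_priorities())
    print(actor_coverage(have))
```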
