THE DFIR BLOG
Threat Modeling Fundamentals

4/18/2020

 
Goal: The goal of threat modeling is to reduce risk, and it can be applied as a repeatable process. It has numerous benefits. In this post, we will learn to answer the following questions:
  • What is Threat Modeling?
  • Why should you Threat Model?
  • Who should Threat Model?
  • When to Threat Model?
 
What is Threat Modelling?
Suppose you have built a web app which allows visitors to subscribe to a mailing list and sign up for an account. When you systematically list all the potential ways one can attack your application, that is Threat Modelling in a nutshell. Remember two key terms. The first is "Systematic Approach": threat modelling should be a repeatable process in the SDLC. The second is "Abuse": you are constantly looking at attacks in order to find vulnerabilities. Another approach is to develop probable threat scenarios and a list of threats. It's a holistic approach to reducing the risk of an application.

Bug - Software defect
Vulnerability - Weakness that can be exploited
Attack/Incident - Needs a Target, a Threat Vector (the path an attacker can take to exploit the vulnerability) and a Threat Actor
Threat Surface - Anything that can be obtained, used or attacked by a threat actor
Risk - Risk = Impact * Likelihood

Why should you do Threat Modelling?
Remember, the goal is risk reduction. There are other methodologies that serve the same purpose as well, for example Penetration Testing, Source Code Analysis, Architectural Risk Analysis and Vulnerability Scanning. Let's discuss the reasons to use Threat Modelling:
  • Pro-active Approach (Security Upfront)
  • Efficient - It's a cost-effective method. This approach can save a lot of $$.
  • Prioritize Bugs
  • Better understanding

Outputs of Threat Modeling
  • Overall Diagrams
  • Clear Security Requirements
  • List of Threats and Vulnerabilities
  • Allows security to be injected in the SDLC

Who Should Threat Model?
  • System Architect - Knows the design of the application and data flows
  • Developer - Knows the details of the application build
  • Tester - Knows the requirements and what it's supposed to do
  • Security Professional - Knows the attack vectors and thinks like an attacker

When to perform Threat Modelling?
  • As early as possible - Earlier is better
  • Requirement Phase & Design Phase
  • In Agile - It should be done in each sprint and generate separate security stories

Threat Modeling Approaches
We will discuss the following approaches to Threat Modeling. The end goal will be to generate a list of threats.
Example Scenario - A simple web application. Anonymous users can visit the website. The site runs a Content Management System that only authorized users can access. A mailing component sends out web mails.


Asset-Centric/Risk Approach: In this approach we focus on the things you want to protect, for example: Databases, Email accounts, Account Credentials, Servers
  • Step 1 - Create a list of assets
  • Step 2 - Draw assets, components and data flows
  • Step 3 - For each element, check for threats

Advantages:
  1. Centered around assets
  2. Focused on the business impact
  3. Best suited when doing risk assessment for auditors
  4. Examples - PASTA, TRIKE
Disadvantages:
  1. Not centered around the application
  2. Mapping assets to threats is difficult

Attacker-Centric/Security Approach: This approach is preferred by pentesters. You'll need a team of highly qualified Security Engineers to succeed with this approach.
  1. Create a list of threat actors
    1. Threat Actor - Competitor
    2. Motive - Example: Getting your business
    3. Means - Example: Financial and technical means: Limited/Unlimited
    4. Opportunity - Example: Exploiting a vulnerability
  2. Create a list of threats

Advantage:
  • Makes threats and attacks visible
Disadvantage:
  • Easy to miss technical threats
  • Unrealistic threats
  • Biased results

Application-Centric Approach: Think about the application and get familiar with it.
Step 1: Draw a diagram of the application, for example a Data Flow Diagram
Step 2: List threats for each element, for example with STRIDE (Threat Classification Model) or the OWASP Top 10
Step 3: Rank threats using a classification model
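
The three steps above applied to the example scenario, as an added example that is not part of the original post. The element names, the `log_store` element type and the 1-5 scores are constructed assumptions; the category mapping follows the usual STRIDE-per-element chart, and ranking uses Risk = Impact * Likelihood from the definitions above.

```python
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element: categories that apply to each DFD element type.
# "log_store" is a name assumed here for data stores holding audit logs,
# which additionally face Repudiation.
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_store": "TID", "log_store": "TRID", "data_flow": "TID"}

# Step 1: DFD of the example scenario as (name, element type) pairs.
# All element names are constructed for illustration.
DFD = [
    ("Anonymous visitor", "external_entity"),
    ("Authorized CMS user", "external_entity"),
    ("Web application / CMS", "process"),
    ("Mailing component", "process"),
    ("Content and subscriber database", "data_store"),
    ("Visitor -> Web application", "data_flow"),
    ("Web application -> Mailing component", "data_flow"),
]

def enumerate_threats(dfd):
    """Step 2: one candidate threat per element and applicable category."""
    threats = []
    for name, kind in dfd:
        threats += [(name, STRIDE[c]) for c in APPLIES[kind]]
    return threats

def rank(threats, scores, default=(1, 1)):
    """Step 3: Risk = Impact * Likelihood, highest risk first."""
    rated = []
    for threat in threats:
        impact, likelihood = scores.get(threat, default)
        rated.append((impact * likelihood, *threat))
    return sorted(rated, key=lambda r: -r[0])

# Constructed (impact, likelihood) scores on a 1-5 scale; threats the team
# has not scored yet fall back to the default and sink to the bottom.
SCORES = {
    ("Content and subscriber database", "Information disclosure"): (5, 3),
    ("Web application / CMS", "Elevation of privilege"): (5, 2),
    ("Mailing component", "Spoofing"): (3, 4),
}

if __name__ == "__main__":
    for risk, element, category in rank(enumerate_threats(DFD), SCORES)[:5]:
        print(f"{risk:>2}  {category:<24} {element}")
```

Every unscored row in the output is a threat the team still has to discuss, which is what makes the per-element pass systematic rather than a brainstorm.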

Advantages:
  • Common understanding of the application
  • Spread of knowledge
Disadvantages:
  • Documentation is necessary
  • Difficult to see your 'own' vulnerabilities
  • Threats may sound abstract

Threat Modeling Methodologies

In this section, we will discuss threat modeling methodologies, focusing on the asset-centric and application-centric approaches.

PASTA - Process for Attack Simulation and Threat Analysis
This is a threat modeling and threat analysis process. It's an asset-centric approach with 7 stages:
  • Define Business Objectives
  • Define Technical Scope
  • Decompose Application - Data Flow Diagram
  • Analyze Threats - Threat Intelligence
  • Identify Vulnerabilities
  • Enumerate Attacks
  • Perform Impact Analysis
Key Elements
  • Useful for Medium to Large Size Companies
  • Mature Companies
  • Having Security Knowledge

Advantages:
  • Great for business integration
  • Mature and well-documented process
  • Lots of documentation
  • Tooling available
Disadvantages:
  • Specialized input is necessary, for example threat intelligence needs to be obtained or acquired
  • Time-consuming process
  • Each step generates output
  • Output depends on dynamic input

Microsoft Threat Modeling

It's a threat modeling framework that focuses on technical risk. It's a developer-driven approach.
  • Identify Assets
  • Create Architecture Overview
  • Decompose Application
  • Identify Threats
  • Document Threats
  • Rate Threats - Use a risk classification system like DREAD, OWASP, CVSS

Advantages:
  • Output is a document
  • Targeted towards development teams
  • Practical approach
  • Plain language
  • Integrated in SDLC
Disadvantages:
  • More practical than academic
  • STRIDE classification is redundant

OCTAVE - Operationally Critical Threat, Asset and Vulnerability Evaluation
  • Risk Analysis Framework
  • Evaluated at Organization Level
  • Longest and most complicated
  • Focus on security practices
  • Flexible, self-directed
Advantages:
  • Improves risk-aware corporate culture
  • In-depth
  • Flexible
Disadvantages:
  • Large and complex
  • Lots of paperwork
  • Requires 'investment'


Trike
  • Methodology as well as tool
  • High Level of Automation is possible
  • Asset-centric approach
  • Focus on defensive side

Process
  • Model System - System Analysis
  • Identify Threats
  • Investigate Threats
  • Identify Mitigations

Advantages:
  • Automatically generates threats
  • Consistent results
  • Built-in tool

Disadvantages:
  • Does not scale
  • Not maintained anymore

VAST

Visual Agile Simple Threat Modeling
Two threat model types:
  • Application Threat Model
  • Operational Threat Model
Uses process flow diagrams
Good for companies following Agile

Advantages:
  • Flexible
  • Scalable
  • Process flow diagram is easy 

Disadvantage:
  • Not an Open Methodology
  • No Documentation of Guidance

What is the best methodology?

Choose a methodology based on team, organization and objective.

Recommendations
Asset Centric - PASTA
Application Centric - Microsoft Threat Modeling

