Goal: The goal of threat modeling is to reduce risk; it can be applied as a repeatable process and has numerous benefits. In this post, we will learn to answer the following questions:
- What is Threat Modeling?
- Why should you Threat Model?
- Who should Threat Model?
- When to Threat Model?
What is Threat Modelling?
You have built a Web App that allows visitors to subscribe to a mailing list and sign up for an account. When you systematically list all the potential ways one can attack your application, that is Threat Modelling in a nutshell. Remember two key terms. The first is "Systematic Approach": threat modelling should be a repeatable process in the SDLC. The second is "Abuse": you are constantly looking at the attacks in order to find vulnerabilities. Another approach is to develop probable threat scenarios and a list of threats. It is a holistic approach to reducing the risk of an application.
Bug - Software defect
Vulnerability - Weakness that can be exploited
Attack/Incident - Needs a Target, a Threat Vector (the path an attacker can take to exploit the vulnerability) and a Threat Actor.
Threat Surface - Anything that can be obtained, used or attacked by a threat actor
Risk - Risk = Impact * Likelihood
Why should you do Threat Modelling?
Remember the goal is risk reduction. There are other methodologies that serve the same purpose, for example Penetration Testing, Source Code Analysis, Architectural Risk Analysis and Vulnerability Scanning. Let's discuss the reasons to use Threat Modelling:
- Pro-active Approach (Security Upfront)
- Efficient - It's a cost-effective method. This approach can save a lot of $$.
- Prioritize Bugs
- Better understanding
- Overall diagrams
- Clear Security Requirements
- List of threats and vulnerabilities
Who Should Threat Model?
- System Architect - Knows the design of the application and data flows
- Developer - Details of the application build
- Tester - Knows the requirements and what it's supposed to do.
- Security Professional - Knows the attack vectors and thinks like an attacker
When to perform Threat Modelling?
- As early as possible - Earlier is better
- Requirement Phase & Design Phase
- In Agile - It should be done in each sprint and generate separate security stories
Threat Modeling Approaches
We will discuss the following approaches to Threat Modeling. The end goal is to generate a list of threats.
Example Scenario - A simple web application. Anonymous users can visit the website. The site runs a Content Management System and only authorized users can access it. A mailing component sends out web mails.
Asset-Centric/Risk Approach: In this approach we focus on the things you want to protect, for example: Databases, Email accounts, Account Credentials, Servers.
- Step 1 - Create a list of assets
- Step 2 - Draw assets, components and data flows
- Step 3 - For each element, check for threats
Advantages:
- Centered around assets
- Focused on the business impact
- Best suited when doing risk assessment for auditors
- Example - PASTA, TRIKE
Disadvantages:
- Not centered around the application
- Mapping assets to threats is difficult
Attacker-Centric/Security Approach: This approach is preferred by Pentesters. You'll need a team of highly qualified Security Engineers to succeed with this approach.
- Create a list of threat actors
  - Threat Actor - Competitor
  - Motive - Example: Getting your business
  - Means - Example: Financial and Technical means: Limited/Unlimited
  - Opportunity - Example: Exploiting a vulnerability
- Create a list of threats
Advantages:
- Makes threats and attacks visible
Disadvantages:
- Easy to miss technical threats
- Unrealistic threats
- Biased results
Application-Centric Approach: Think about the application and get familiar with it.
- Step 1: Draw a diagram of the application, for example a Data Flow Diagram
- Step 2: List threats for each element, using STRIDE (Threat Classification Model) or the OWASP Top 10
- Step 3: Rank threats using a classification model
Advantages:
- Common understanding of the application
- Spread of the knowledge
Disadvantages:
- Documentation is necessary
- Difficult to see 'own' vulnerabilities
- Threats may sound abstract
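The three application-centric steps above, worked on the post's example scenario as an added example (this is not code from the original post): a constructed DFD of the web app, STRIDE-per-element enumeration for step 2 (using Microsoft's standard element-to-STRIDE mapping, assumed here), and ranking for step 3 with the post's Risk = Impact * Likelihood formula. The impact and likelihood scores are assumed sample values on a 1..10 scale.

```python
from dataclasses import dataclass
from typing import Dict, List

# STRIDE-per-element mapping (Microsoft's standard table; assumed here, not from the post):
# which STRIDE categories apply to each kind of DFD element.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation", "I": "Information disclosure",
                "D": "Denial of service", "E": "Elevation of privilege"}

@dataclass
class Element:
    """One element of the Data Flow Diagram (step 1)."""
    name: str
    kind: str        # key of STRIDE_PER_ELEMENT
    impact: int      # 1..10, assumed scale for this example
    likelihood: int  # 1..10, assumed scale for this example

@dataclass
class Threat:
    element: str
    category: str
    risk: int        # Risk = Impact * Likelihood, as defined in the post

def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Step 2: one threat entry per STRIDE category applicable to each element."""
    return [Threat(e.name, STRIDE_NAMES[c], e.impact * e.likelihood)
            for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]

def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Step 3: rank by risk, highest first (element name and category break ties)."""
    return sorted(threats, key=lambda t: (-t.risk, t.element, t.category))

# Constructed DFD for the post's scenario: anonymous visitors, a CMS that only
# authorized users may access, a subscriber store and a mailing component.
SAMPLE_DFD = [
    Element("Anonymous visitor", "external_entity", impact=3, likelihood=8),
    Element("CMS (authorized users)", "process", impact=9, likelihood=5),
    Element("Subscriber database", "data_store", impact=8, likelihood=4),
    Element("Mailing component", "process", impact=6, likelihood=6),
    Element("Browser -> CMS login flow", "data_flow", impact=8, likelihood=6),
]

if __name__ == "__main__":
    for t in rank_threats(enumerate_threats(SAMPLE_DFD))[:5]:
        print(f"{t.risk:3d}  {t.element:26s} {t.category}")
```

Each ranked row is a candidate security story; the per-element list is what you then walk through to decide mitigations.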
Threat Modeling Methodologies
In this section, we will discuss the threat modeling methodologies, focused on the asset-centric and application-centric approaches.
PASTA - Process for Attack Simulation and Threat Analysis
This is a threat modeling and threat analysis process. It's an asset-centric approach with 7 stages:
- Define Business Objectives
- Define Technical Scope
- Decompose Application - Data Flow Diagram
- Analyze Threats - Threat Intelligence
- Identify Vulnerabilities
- Enumerate Attacks
- Perform Impact Analysis
Best suited for:
- Medium to large size companies
- Mature companies
- Companies having security knowledge
Advantages:
- Great for business integration
- Mature and well-documented process
- Lots of documentation
- Tooling available
Disadvantages:
- Specialized input necessary, for example threat intelligence needs to be obtained or acquired
- Time-consuming process
- Each step generates output
- Output depends on dynamic input
Microsoft Threat Modeling
It's a threat modeling framework that focuses on technical risk. It's a developer-driven approach.
- Identify Assets
- Create Architecture Overview
- Decompose Application
- Identify Threats
- Document Threats
- Rate Threats - Use a risk classification system like DREAD, OWASP, CVSS
Advantages:
- Output is a document
- Targeted towards development teams
- Practical approach
- Plain language
- Integrated in SDLC
- More Practical than academic
Disadvantages:
- STRIDE classification is redundant
OCTAVE - Operationally Critical Threat, Asset and Vulnerability Evaluation
- Risk Analysis Framework
- Evaluated at Organization Level
- Longest and most complicated
- Focus on security practices
- Flexible, self-directed
Advantages:
- Improves risk-aware corporate culture
- In-depth
- Flexible
Disadvantages:
- Large and complex
- Lots of paperwork
- Requires 'investment'
Trike
- Methodology as well as tool
- High level of automation is possible
- Asset-centric approach
- Focus on defensive side
Process:
- Model System - System Analysis
- Identifying Threats
- Investigate Threats
- Identify Mitigations
Advantages:
- Automatically generates threats
- Consistent Results
- Built-in tool
Disadvantages:
- Does not Scale
- Not maintained anymore
VAST
Visual Agile Simple Threat Modeling
Two Threat Model Types
- Application Threat model
- Operational Threat Model
Good for companies following Agile
Advantages:
- Flexible
- Scalable
- Process flow diagram is easy
Disadvantages:
- Not an Open Methodology
- No Documentation of Guidance
What is the best methodology?
Choose a methodology based on team, organization and objective.
Recommendations
Asset Centric - PASTA
Application Centric - Microsoft Threat Modeling