Security Modeling and Threat Modeling Resources

Threat modeling is a process for thinking through, identifying, and documenting known threats and mitigations to a system before that system is deployed. Threat modeling acknowledges that all systems face various threats before, during, and after deployment, and it helps security experts identify and mitigate those threats before they occur.

This post collects Internet resources on security modeling and threat modeling.


Security Modeling

A security model precisely describes important aspects of security and their relationship to system behavior. The primary purpose of a security model is to provide the necessary level of understanding for a successful implementation of key security requirements. The security policy plays a primary role in determining the content of the security model. Therefore, the successful development of a good security model requires a clear, well-rounded security policy. In the case of a formal model, the development of the model also must rely on appropriate mathematical techniques of description and analysis for its form.

A security model defines the essential aspects of security and their relationship to system behavior (in an operating system, the kernel's enforcement of every access decision). No organization can protect sensitive data without an explicit statement of what "secure" means for it, and the primary aim of a security model is to provide the level of understanding needed for a correct implementation of the key protection requirements. Information security models are the means by which a security policy is validated: they translate the policy into a precise set of rules that a system can follow to implement the security processes, procedures, and concepts of a security program. Such models can be informal and intuitive or formal and abstract; in either case they lay down the rules of the road for access control in the operating system.

Several security models are still in current use to state the rules that govern confidentiality, integrity and, to a lesser extent, availability of information. Most of them concentrate on confidentiality enforced through access controls, and on information integrity. They identify the components that deserve attention when information security policies and systems are being developed, describe the access rules needed to instantiate the defined policy, and identify the objects that the organization's policy governs.

Five widely cited models, summarized below, illustrate what a security model looks like and why it matters:
  • Bell-LaPadula Model: confidentiality. A subject may not read objects above its clearance ("no read up") nor write to objects below it ("no write down").
  • Biba Model: integrity, the dual of Bell-LaPadula. "No read down, no write up", so low-integrity data cannot contaminate high-integrity data.
  • Clark Wilson Model: commercial integrity. Data is modified only through certified well-formed transactions, with separation of duty between those who certify a transaction and those who execute it.
  • Brewer and Nash Model (the Chinese Wall): conflict-of-interest control. Once a subject has accessed one company's data, it is denied access to data of competitors in the same conflict class.
  • Harrison Ruzzo Ullman Model: an access-matrix model with commands that create and delete subjects, objects and rights; its central result is that whether a right can ever leak is undecidable for general systems.
Bell-LaPadula addresses confidentiality, Biba and Clark-Wilson address integrity, and Brewer-Nash and HRU govern how access rights are granted and change over time. Together they cover the confidentiality and integrity legs of the CIA triad; availability is usually handled outside these access-control models.
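As an added worked example (not part of the original post), the following Python reference monitor implements the two Bell-LaPadula properties and their Biba duals over a lattice of levels and need-to-know categories. The level names, category names and sample labels are assumptions chosen for illustration; the dominance relation is the one both models are defined over.

```python
"""Bell-LaPadula and Biba access checks over a (level, categories) lattice.

Added example, not code from the post. The level ordering, the category
names and the sample labels below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Linear ordering of sensitivity (or integrity) levels, low to high.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # a dominates b iff level(a) >= level(b) AND categories(a) is a superset of categories(b)
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (confidentiality).

    read  -> simple security property: subject must dominate object ("no read up")
    write -> *-property: object must dominate subject ("no write down")
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba strict integrity policy: the dual of Bell-LaPadula.

    read  -> simple integrity property: object must dominate subject ("no read down")
    write -> integrity *-property: subject must dominate object ("no write up")
    """
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode {mode!r}")


def allows(subject_conf: Label, subject_int: Label,
           obj_conf: Label, obj_int: Label, mode: str) -> bool:
    """Monitor enforcing both policies: each object carries a confidentiality
    label and a separate integrity label, and access is granted only if both
    models permit it."""
    return (blp_allows(subject_conf, obj_conf, mode)
            and biba_allows(subject_int, obj_int, mode))


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"crypto"}))
    ts_plain = Label("top-secret")                       # higher level, no categories
    ts_crypto = Label("top-secret", frozenset({"crypto"}))
    conf_doc = Label("confidential")

    # Confidentiality: read down but not up; write only to objects that dominate you.
    print("BLP read conf_doc  :", blp_allows(analyst, conf_doc, "read"))    # True
    print("BLP read ts_plain  :", blp_allows(analyst, ts_plain, "read"))    # False (read up)
    print("BLP write conf_doc :", blp_allows(analyst, conf_doc, "write"))   # False (write down)
    print("BLP write ts_plain :", blp_allows(analyst, ts_plain, "write"))   # False: level is higher, but
                                                                            # {} does not contain "crypto"
    print("BLP write ts_crypto:", blp_allows(analyst, ts_crypto, "write"))  # True
    # Integrity: the same lattice, mirrored.
    print("Biba read conf_doc :", biba_allows(analyst, conf_doc, "read"))   # False (read down)
    print("Biba read ts_crypto:", biba_allows(analyst, ts_crypto, "read"))  # True
```

The fourth BLP check is the one people get wrong by hand: a higher level is not enough, the categories must also be a superset. The combined `allows` check shows why real systems keep confidentiality and integrity labels separate: reusing one label for both makes most reads impossible, since BLP wants to read down and Biba wants to read up.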

Security Modeling Process

Step 1: Identify Requirements on the External Interface
Step 2: Identify Internal Requirements
Step 3: Design Rules of Operation for Policy Enforcement
Step 4: Determine What is Already Known
Step 5: Demonstrate Consistency and Correctness
Step 6: Demonstrate Relevance

Threat Modeling Methodologies

Conceptually a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Based on volume of published online content, the four methodologies discussed below are the most well known.

STRIDE Methodology

The STRIDE approach to threat modeling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find "threats to our products". STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE.


P.A.S.T.A.

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.[10] Its seven stages align business objectives with technical requirements, taking compliance issues and business analysis into account. The intent of the method is a dynamic threat identification, enumeration, and scoring process. Once the threat model is complete, security subject matter experts develop a detailed analysis of the identified threats, and appropriate security controls are then enumerated. The methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.


Trike

The focus of the Trike methodology[11] is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a “requirements model.” The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.

VAST

VAST is an acronym for Visual, Agile, and Simple Threat modeling.[12] The underlying principle of this methodology is the necessity of scaling the threat modeling process across the infrastructure and entire SDLC, and integrating it seamlessly into an Agile software development methodology. The methodology seeks to provide actionable outputs for the unique needs of various stakeholders: application architects and developers, cybersecurity personnel, and senior executives. The methodology provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.

More threat modeling methods are described in the SEI blog post Threat Modeling: 12 Available Methods, including:

LINDDUN: privacy threat modeling; the mnemonic covers Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness and Non-compliance.

CVSS: the Common Vulnerability Scoring System; not a threat modeling method on its own, but the scoring scheme the quantitative methods use to rate individual weaknesses.

Attack Trees: tree diagrams with the attacker's goal at the root and, beneath it, the alternative (OR) or jointly required (AND) steps that achieve it.

Persona non Grata: models archetypal unwanted users, their motivations, skills and goals, and derives misuse cases from them.

Security Cards: a brainstorming deck developed at the University of Washington whose cards prompt the team on adversary motivations, resources, methods and human impact.

hTMM: the Hybrid Threat Modeling Method from the SEI, which combines Security Cards, Persona non Grata and STRIDE.

Quantitative Threat Modeling Method: This hybrid method consists of attack trees, STRIDE, and CVSS methods applied in synergy.
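The following is an added example (not from the post or from the SEI article it points to) of the step the quantitative methods build on: evaluating an attack tree once its leaves carry numbers. OR nodes take the cheapest or most likely alternative, AND nodes need every child, and removing a leaf shows where the attacker goes next. The tree, the attacker costs and the per-leaf success probabilities are constructed for illustration.

```python
"""Attack-tree evaluation: cost, success probability and cheapest path.

Added example, not from the post. The tree, the attacker costs and the
per-leaf success probabilities are constructed for illustration; a real
model would take them from the team's own estimates or from CVSS-style
scoring of each leaf.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0             # attacker cost for a leaf (effort hours, money, ...)
    p: float = 0.0                # probability that a leaf attack succeeds
    children: List["Node"] = field(default_factory=list)


def cheapest_path(n: Node) -> Tuple[float, List[str]]:
    """Minimum attacker cost to reach the node's goal, and the leaves used."""
    if n.kind == "LEAF":
        return n.cost, [n.name]
    paths = [cheapest_path(c) for c in n.children]
    if n.kind == "OR":
        return min(paths, key=lambda cp: cp[0])
    # AND: every child must be achieved, so costs add up.
    return sum(c for c, _ in paths), [leaf for _, leaves in paths for leaf in leaves]


def success_probability(n: Node) -> float:
    """Probability the goal is reached, assuming leaf outcomes are independent."""
    if n.kind == "LEAF":
        return n.p
    ps = [success_probability(c) for c in n.children]
    if n.kind == "AND":
        prod = 1.0
        for x in ps:
            prod *= x
        return prod
    # OR: the attacker fails only if every alternative fails.
    fail = 1.0
    for x in ps:
        fail *= 1.0 - x
    return 1.0 - fail


def without(n: Node, leaf_name: str) -> Optional[Node]:
    """Copy of the tree with one leaf removed, e.g. after a mitigation eliminates
    that attack step. Returns None if the subtree becomes unachievable."""
    if n.kind == "LEAF":
        return None if n.name == leaf_name else n
    kids = [without(c, leaf_name) for c in n.children]
    if n.kind == "AND" and any(k is None for k in kids):
        return None                       # an AND node lost a required step
    kids = [k for k in kids if k is not None]
    if not kids:
        return None
    return Node(n.name, n.kind, children=kids)


# Constructed sample: the attacker's goal is to read a customer database.
TREE = Node("Read customer DB", "OR", children=[
    Node("SQL injection via search form", cost=500, p=0.4),
    Node("Steal DB credentials and connect", "AND", children=[
        Node("Phish the DBA", cost=2000, p=0.3),
        Node("Reach DB port from the Internet", cost=100, p=0.2),
    ]),
    Node("Bribe an insider", cost=20000, p=0.5),
])


if __name__ == "__main__":
    print("cheapest path:", cheapest_path(TREE))
    print("P(success):   ", round(success_probability(TREE), 3))
    # Mitigation: parameterised queries remove the SQLi leaf; the attacker's
    # cheapest route becomes the credential-theft AND branch.
    hardened = without(TREE, "SQL injection via search form")
    print("after fix:    ", cheapest_path(hardened))
    print("P(success):   ", round(success_probability(hardened), 3))
```

Two caveats a practitioner should carry into any real tree: the probability combination assumes leaves are independent, and the AND cost simply adds, which overstates cost when two steps share work. Both are acceptable for ranking mitigations, which is what the tree is for.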


Summary of ten threat modeling methodologies (focus, perspective and where each fits):
  1. STRIDE: threat-category mnemonic designed for IT and software systems; applied per element of a data-flow diagram.
  2. PASTA: widely used and adaptable risk-centric method with attack simulation (reference: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis).
  3. LINDDUN: privacy-focused; enumerates threats to personal data rather than to the system itself.
  4. OCTAVE: risk management and organizational impact rather than individual applications.
  5. VAST: scales threat modeling across infrastructure and the whole SDLC; its operational threat models take the attacker's view.
  6. Trike: unified conceptual framework for security auditing from a risk-management perspective; requires a steady, repeatable assessment and computes risk from stakeholder components (assets, roles, actions, risk exposure) (reference: Trike v.1 Methodology Document [Draft]).
  7. hTMM: hybrid method focused on attacker and defender models; melds Security Cards, Persona non Grata and STRIDE.
  8. qTMM: quantitative method focused on attacker and defender models; melds attack trees, STRIDE and CVSS.
  9. Attack Trees: attacker-centric, like the kill chain, but structured around a single goal; applicable to any established production, business or process flow.
  10. PnG (Persona non Grata): focuses on archetypal adversaries who behave in unwanted ways; well suited to insider-threat assessments.

Threat Modeling Process Steps

Typically, organizations conduct threat modeling during the design stage of a new application (though it can occur at other stages) to help developers find weaknesses and become aware of the security implications of their design, code, and configuration decisions. Generally, developers perform threat modeling in four major steps:

  • Diagram. What are we building/Working on?
  • Identify threats. What could go wrong?
  • Mitigate. What are we doing to defend against threats?
  • Validate. Have we acted on each of the previous steps?

The following four-question framework can help to organize threat modeling:
  • What are we working on? - Assess the scope.
  • What can go wrong? - This can be as simple as a brainstorm, or as structured as using STRIDE, kill chains, or attack trees.
  • What are we going to do about it? - Decide what you will do about each threat: implement a mitigation, or apply the accept/transfer/eliminate options of risk management.
  • Did we do a good job? - Was the work good enough for the system at hand?

A threat modeling session typically consists of the following steps:
  • Pick a use case of your application
  • Draw a Data Flow Diagram of this use case, which shows how data flows through your system and which applications or databases are involved.
  • For each element and data flow on the diagram, go through a checklist (for example STRIDE) and discuss potential security risks. Rate each risk (e.g. by likelihood and impact).
  • Discuss and decide what you will do about each risk
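As an added worked example (not the post's code, nor Microsoft's tool) tying the STRIDE section above to the session steps just listed: the script below takes the elements of a data-flow diagram, applies the STRIDE-per-element table to enumerate candidate threats, attaches the likelihood and impact ratings the team agreed on, and ranks the result so the decision step has an ordered list to work through. The login-flow DFD and all ratings are constructed for illustration.

```python
"""STRIDE-per-element enumeration over a DFD, with likelihood x impact rating.

Added example, not from the post or from Microsoft's tool. The sample DFD
(a web login flow) and the team ratings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# STRIDE-per-element: which categories apply to each kind of DFD element.
APPLICABLE = {
    "external": "SR",      # external entity (user, third-party system)
    "process": "STRIDE",   # running code: every category applies
    "store": "TRID",       # database, file, queue (R: a log store can be altered to hide actions)
    "flow": "TID",         # data in transit between elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                   # one of APPLICABLE's keys


@dataclass
class Threat:
    element: str
    category: str
    likelihood: int = 0         # 1 (rare) .. 3 (likely); 0 = not yet rated
    impact: int = 0             # 1 (minor) .. 3 (severe); 0 = not yet rated
    decision: str = "undecided" # later: mitigate / accept / transfer / eliminate

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Step 2 of the session: one candidate threat per (element, applicable category)."""
    threats = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter]))
    return threats


def rate(threats: List[Threat],
         ratings: Dict[Tuple[str, str], Tuple[int, int]]) -> List[Threat]:
    """Step 3: attach the team's (likelihood, impact) to the threats it discussed."""
    for t in threats:
        if (t.element, t.category) in ratings:
            t.likelihood, t.impact = ratings[(t.element, t.category)]
    return threats


def rank(threats: List[Threat]) -> List[Threat]:
    """Highest score first; unrated threats (score 0) sort last, so they stay visible."""
    return sorted(threats, key=lambda t: (-t.score, t.element, t.category))


# Constructed sample DFD: browser -> login service -> user DB. The browser sits
# on the other side of a trust boundary from the service.
SAMPLE_DFD = [
    Element("Browser", "external"),
    Element("Login service", "process"),
    Element("User DB", "store"),
    Element("credentials: Browser->Login service", "flow"),
    Element("query: Login service->User DB", "flow"),
]

# Constructed ratings from the discussion: the flow crossing the trust
# boundary and the credential store were judged highest.
SAMPLE_RATINGS = {
    ("credentials: Browser->Login service", "Information disclosure"): (3, 3),
    ("credentials: Browser->Login service", "Tampering"): (2, 3),
    ("User DB", "Information disclosure"): (2, 3),
    ("Login service", "Elevation of privilege"): (2, 3),
    ("Browser", "Spoofing"): (3, 2),
    ("Login service", "Denial of service"): (2, 1),
}


if __name__ == "__main__":
    ranked = rank(rate(enumerate_threats(SAMPLE_DFD), SAMPLE_RATINGS))
    for t in ranked:
        flag = "" if t.score else "  (unrated)"
        print(f"{t.score:>2}  {t.element:<40} {t.category}{flag}")
```

Five elements yield eighteen candidate threats, of which the team rated six; the rest print as unrated at the bottom rather than disappearing, which is the point of enumerating per element before rating. The `decision` field is where step 4 of the session records mitigate/accept/transfer/eliminate for each row.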


Threat Modeling Approaches

The process of threat modeling is simple, but it needs to be approached with discipline and care. Since the attack surface of any given system changes as technology changes, and since new threats are constantly emerging, we must understand and acknowledge what we know vs. what we don’t or can’t know about any modern system.

In general, there are three basic approaches to threat modeling: software centric, attacker centric, and asset centric.

Software-Centric Approach

A software-centric approach:

  • Evaluates the application being modeled
  • Determines the risk
  • Identifies controls to mitigate it
  • Requires a good understanding of the application and the system it runs on

Attacker-Centric Approach

An attacker-centric approach:

  • Puts the analyst in the attacker's mindset
  • Determines what is most at risk
  • Requires an understanding of how attacks are actually carried out
  • Works best with practitioners who have offensive (pentesting or red-team) skills

Asset-Centric Approach

Focusing on assets, this approach:

  • Identifies assets to be protected
  • Classifies assets based on data sensitivity and value potential
  • Determines an “acceptable risk” level
  • Takes a cyber risk–management perspective in satisfying the security auditing process

Source: https://www.windriver.com/solutions/learning/threat-modeling

Threat Modeling Tools

Tools available for organizational threat modeling include:

  • Microsoft's free Threat Modeling Tool (formerly the SDL Threat Modeling Tool). It follows the Microsoft (STRIDE) methodology, is DFD-based, and generates threats per diagram element from the STRIDE classification. It is intended primarily for general use.
  • ThreatModeler by MyAppSecurity, the first commercially available threat modeling tool. It follows the VAST methodology, is process-flow-diagram (PFD) based, and identifies threats from a customizable threat library. It is intended for collaborative use across all organizational stakeholders.
  • IriusRisk, available in community and commercial editions. It focuses on creating and maintaining a live threat model through the entire SDLC, drives the process with customizable questionnaires and risk pattern libraries, and integrates with other tools (OWASP ZAP, BDD-Security, ThreadFix, ...) to support automation.
  • securiCAD, a threat modeling and risk management tool by the Scandinavian company foreseeti, aimed at security management from CISO to security engineer to technician. It runs automated attack simulations against current and planned IT architectures, identifies and quantifies risks (including structural weaknesses), and provides decision support based on the findings. It is offered in commercial and community editions.
  • SD Elements by Security Compass, a software security requirements management platform with automated threat modeling. A set of threats is generated from a short questionnaire about the application's technical details and compliance drivers; countermeasures are delivered as actionable developer tasks that can be tracked and managed through the entire SDLC.
  • OWASP Application Threat Modeling, the OWASP project's guidance pages on the threat modeling process.
  • OWASP Threat Dragon (https://owasp.org/index.php/OWASP_Threat_Dragon), an open source, DFD-based modeling tool.

Several commercial packages and open source products are available.


Threat Modeling vs Others

Threat Modeling vs Risk Modeling:

The terms cyber risk modeling and cyber threat modeling are often used synonymously, but they are different ideas. Cyber risk modeling involves creating multiple risk scenarios and assessing the severity of each.

Risk modeling provides a data-driven approach to understand cyber exposure and to quantify the possible outcome if a risk does indeed strike. This information is documented and disseminated in a language that makes sense to business users and decision-makers. A cyber risk model – particularly one that uses the same tools available to the cyber insurance sector – provides an efficient and repeatable way to quantify the probability of a cyberattack in financial terms.

On the other hand, a threat model helps to identify cyber threats and vulnerabilities. It also informs the company’s response and mitigation efforts.

Threat Modeling vs Threat Intelligence:

A cyber threat intelligence tool helps you collect and analyze threat information from multiple external sources to protect your enterprise from existing vulnerabilities and prepare for future ones. Next-gen cyber threat intelligence tools are essential to improve enterprise resilience and protect against external (in addition to internal) attacks.

Threat intelligence enables organizations to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors. It transforms raw data into useful interpretable intelligence for analysis. 

Ideally, threat modeling is shifted left into the development (Dev) stage of DevSecOps, using a framework to identify threats while the application is being designed and built, but not every enterprise has reached that level of maturity. Failing that, threat modeling capability should exist at least on the operations (Ops) side, correlating cyber threat intelligence about the adversary (external information) with internal security events from the SOC / SIEM.

One tool capable of mapping such a threat model is Anomali ThreatStream, a threat intelligence platform that can model threats tailored to a specific organization.

With Anomali ThreatStream, an analyst can build a threat model around a specific adversary relevant to the organization's industry. A bank, for example, might model a state-sponsored group such as Lazarus (Cobalt Strike, often named in the same breath, is an adversary-simulation tool that such groups use, not an adversary). By mapping the group's indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) onto the MITRE ATT&CK framework, an organization can build a specifically tailored defence that is stronger and more relevant to its operations.


Threat Modeling vs Vulnerability Assessment

  • Primary focus: threats (what an adversary could do to the design) versus vulnerabilities (weaknesses already present in the implementation)
  • Timing: threat modeling is proactive and done at design time; vulnerability assessment is reactive, finding what is already exposed
  • Threat-intelligence-driven analysis: both can draw on threat intelligence data to drive their processes.
    • Vulnerability assessment typically uses CVSS to prioritize its findings; threat modeling can combine CVSS-style scoring with MITRE ATT&CK TTPs to quantify threats and prioritize mitigations.

Threat Modeling vs Pen Test

The differences between threat modeling and penetration testing are:

  • Timing: threat modeling is preferably performed during the design phase of the system (although it is never too late to do it). Penetration testing is done during development, or at least just prior to release (please do not release first and then test on production).
  • Objectives: threat modeling prevents or manages design flaws from a "white box" perspective. Penetration testing measures the actual application's resilience, usually from a black-box perspective.
  • Outcome: threat modeling leads to a list of design changes to consider; penetration testing generates a list of bug fixes. Both expose risk that calls for risk management measures.

Design flaws are errors in design. They arise from a lack of security requirements (bad design) or a lack of secure design knowledge (bad designer). To understand these flaws you need contextual knowledge, which is what a threat modeling workshop provides. Bugs are coding errors: the design may be good, but accidental mistakes (bad code) or a lack of secure coding practices (bad coders) can still lead to vulnerabilities.

Threat Modeling won’t expose coding errors. Pentesting won’t show design flaws. We need both tools in our toolbox.


Glossary

Some other terms:

  • Tactics, Techniques and Procedures (TTPs): the "patterns of activities or methods associated with a specific threat actor or group of threat actors".
  • Structured Threat Information Expression (STIX™): a language and serialization format used to exchange cyber threat intelligence (CTI).
  • Trusted Automated Exchange of Intelligence Information (TAXII™): an application-layer protocol for communicating cyber threat information in a simple and scalable manner. TAXII exchanges CTI over HTTPS and defines an API that aligns with common sharing models, so that organizations can share STIX content.

Abbreviations of the threat models named above:

  1. STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (and associated derivations such as STRIDE-per-element)
  2. PASTA: Process for Attack Simulation and Threat Analysis
  3. LINDDUN: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance
  4. OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
  5. VAST: Visual, Agile, and Simple Threat modeling
  6. hTMM: Hybrid Threat Modeling Method
  7. qTMM: Quantitative Threat Modeling Method
  8. Trike: a name, not an acronym; a unified conceptual framework for security auditing from a risk management perspective
  9. Trees: Attack Trees
  10. PnG: Persona non Grata
