Threat Modeling Basics

Threat modeling is the process of using models to identify and document potential threats to a system. This is the first post in a series in which I document the process of threat modeling common information systems using widely used threat modeling methodologies and frameworks.

Threat modeling frameworks complement the 5 Functions of the NIST Cyber Security Framework 1.1, which are Identify, Protect, Detect, Respond, and Recover.

  1. Identify: Find and inventory information systems and data assets
  2. Protect: Develop and implement safeguards for information systems and data assets
  3. Detect: Detect the occurrence of a cyber security event
  4. Respond: Take action against a cyber security event
  5. Recover: Restore service after a cyber security event

These 5 Functions also complement the Threat Modeling Process.

Threat modeling is a 5-step process.

  1. Aim / Set objectives: The application or system must follow the CIA Triad
    • Confidentiality: Data must be protected from unauthorized access.
    • Integrity: Unauthorized information changes must be prevented.
    • Availability: Even if under attack, the application or system must provide the required services.
  2. Visualize: What are we building?
  3. Identify Threats: What can go wrong?
  4. Mitigate Threats: What are we going to do to prevent what we identified from going wrong?
  5. Validate / Improve

Two of the most commonly used threat modeling diagramming techniques are Data Flow Diagrams (DFD) and Attack Trees.

  • Data Flow Diagram (DFD): A schematic that maps out the flow of data through an information system.
  • Attack Tree: A branching, hierarchical tree-like diagram depicting possible paths that a malicious actor may use to compromise or disrupt an information system. An attack tree has multiple levels, with one root node, intermediate child nodes, and leaves. Conditions flow from bottom to top: each child node is a condition that must be satisfied in order to satisfy its direct parent node. The malicious action, or attack, is complete when the conditions of all of the root node's child nodes have been satisfied.

Common threat modeling methodologies include STRIDE, DREAD and Attack Trees.

  • STRIDE
    • S – Spoofing: A malicious actor falsely assuming a valid identity in an information system
    • T – Tampering: The malicious modification of data in a system
    • R – Repudiation: The ability of a malicious actor to deny performing an action
    • I – Information Disclosure: The unauthorized exposure of protected data
    • D – Denial of Service: A malicious actor denies legitimate actors access to a system
    • E – Elevation of Privilege: The process in which a malicious actor who starts with a low level of permissions gains higher-level permissions as they move through the information system.
  • DREAD
    • D – Damage Potential: The ranking of the extent of damage that could result if the identified vulnerability is exploited.
    • R – Reproducibility: The ranking of how difficult it is to reproduce an attack that exploits the vulnerability.
    • E – Exploitability: The ranking of the difficulty, or amount of effort, required to perform the attack.
    • A – Affected Users: A value representing the number of users that would be impacted if the vulnerability is exploited.
    • D – Discoverability: The measure of how difficult the threat is to discover.
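As an added illustration (this is not code from the original post), the following Python evaluates a small constructed attack tree bottom-up, exactly as the Attack Tree description above requires, and ranks the resulting threat with the five DREAD factors. All node names and rankings are made up, and the OR node type is a generalization beyond the post's "all children must be satisfied" rule.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Hypothetical attack-tree node. The post's rule: a parent is satisfied only when
# all of its child conditions are satisfied (AND). OR is added as a common
# generalization: any one alternative path satisfies the parent.
@dataclass
class Node:
    name: str
    op: str = "AND"                    # "AND" (all children) or "OR" (any child)
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False            # leaf only: a control blocks this condition

    def satisfied(self) -> bool:
        """Evaluate bottom-up: a leaf is satisfied unless it is mitigated."""
        if not self.children:
            return not self.mitigated
        results = [child.satisfied() for child in self.children]
        return all(results) if self.op == "AND" else any(results)

def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> float:
    """Average of the five DREAD rankings, each on a 1 (low) to 10 (high) scale."""
    ranks = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= r <= 10 for r in ranks):
        raise ValueError("each DREAD ranking must be between 1 and 10")
    return sum(ranks) / len(ranks)

def build_tree() -> Node:
    """Constructed sample: an Information Disclosure threat against a web app."""
    session = Node("obtain a valid user session", "OR", [
        Node("guess a weak password"),
        Node("steal a session token"),
    ])
    record = Node("request another user's record by guessable id")
    return Node("read another user's records", "AND", [session, record])

def root_reachable(mitigated: Set[str]) -> bool:
    """Mark the named leaf conditions as mitigated, then re-evaluate the root."""
    tree = build_tree()
    stack = [tree]
    while stack:
        node = stack.pop()
        if not node.children and node.name in mitigated:
            node.mitigated = True
        stack.extend(node.children)
    return tree.satisfied()
```

Calling `root_reachable` with different sets of mitigated leaves shows which single control breaks the whole path (here, per-object authorization on the record request) and which only removes one alternative.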

A common framework for threat modeling is MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), which is a collection of approaches malicious actors have used in the common stages of an attack. The ATT&CK framework is broken down into 14 common categories, or stages. Immersive Labs has a free online training course covering ATT&CK as part of their Cyber Million program.

  1. Reconnaissance
  2. Resource Deployment
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact
