# Threat Modeling

## What is Threat Modeling

Threat modeling is a systematic approach to **identifying, assessing, and addressing** security threats to applications or systems. It helps in understanding potential threats, their impact, and how to mitigate them effectively.

**When?** It should ideally be done in the **Planning Phase** of the SDLC.

## Process

1. **Assemble Threat Modeling Team:** Include diverse stakeholders from development, security, and operations.
2. **Decompose the Application:** Use Data Flow Diagrams (DFD) and UML to understand the application flow.
3. **Determine Threats:** Identify potential threats using the STRIDE model.
4. **Rank Threats:** Assess risks and prioritize threats based on their impact and likelihood.
5. **Mitigation:** Choose and implement appropriate countermeasures.

**Tools**: Microsoft Threat Modeling Tool

## Key Threat Modeling Frameworks

### STRIDE

**STRIDE** is a threat categorization model developed by Microsoft. It identifies potential threats by categorizing them into six different types:

1. **Spoofing: (Authentication)** Impersonating a legitimate user or system.
2. **Tampering: (Integrity)** Unauthorized modification of data.
3. **Repudiation: (Non-Repudiation)** Denying having performed an action when there is no way to prove otherwise.
4. **Information Disclosure: (Confidentiality)** Unauthorized access to confidential data.
5. **Denial of Service (DoS): (Availability)** Disrupting service availability.
6. **Elevation of Privilege: (Authorization)** Gaining unauthorized access levels.

#### Steps

* **Diagramming**

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FKu84CKhycFFBsjFecuDq%2Fimage.png?alt=media&#x26;token=8c9c351c-aae6-4470-b49e-ed6e8df407b3" alt=""><figcaption><p>DFD Elements</p></figcaption></figure>

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FnFLfona9OztgBvqy5UAH%2Fimage.png?alt=media&#x26;token=0b24f77f-62b8-49cf-947a-a4ba561346f1" alt=""><figcaption><p>Example from wallarm.com</p></figcaption></figure>

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FvndBPCw8dka8YoY2oevP%2Fimage.png?alt=media&#x26;token=ca733d09-7b20-4c11-9fd1-9f18650e76bc" alt=""><figcaption><p>Example from secodis.com</p></figcaption></figure>

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FHR3pfysYp8CJ0OjDbiYo%2Ftmodel_diagram.png?alt=media&#x26;token=4c026798-d2f3-4f2a-88b3-4d14ca872310" alt=""><figcaption><p>Example from Practical DevSecOps</p></figcaption></figure>

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2F806TkwP8AvJIsoPl8Enx%2Fimage.png?alt=media&#x26;token=f1685e17-77a2-4240-bb3c-2afb13925b68" alt=""><figcaption><p>Example from Netsec Explained YouTube</p></figcaption></figure>

* **Threat Enumeration**
  * **Spoofing**
    * Impersonation of a legitimate user.
    * Using stolen credentials to access the system.
    * Spoofing an identity to gain unauthorized access.
  * **Tampering**
    * Modifying data in transit between systems.
    * Altering stored data to gain an advantage.
    * Tampering with configuration files or application code.
  * **Repudiation**
    * Denying actions taken within the system.
    * Lack of evidence for performed actions.
    * Disputing transaction occurrences.
  * **Information Disclosure**
    * Unauthorized access to sensitive data.
    * Data leaks due to insufficient encryption.
    * Exposure of confidential information via error messages or logs.
  * **Denial of Service**
    * Flooding the system with excessive requests to disrupt services.
    * Consuming all available resources, making the system unavailable.
    * Targeting specific vulnerabilities to cause service outages.
  * **Elevation of Privilege**
    * Gaining higher-level permissions than authorized.
    * Exploiting vulnerabilities to execute code with elevated privileges.
    * Using misconfigurations to perform unauthorized actions.

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2F7bJIKjCm0RttNAuB8N4c%2Ft_enum.png?alt=media&#x26;token=9f7bc0a4-4321-434f-831b-a7906cbe8161" alt=""><figcaption><p>Threat Enumeration matrix</p></figcaption></figure>

* **Mitigations**
  * **Spoofing**
    * **Multi-Factor Authentication (MFA):** Require multiple forms of verification before granting access.
    * **Strong Password Policies:** Enforce complex passwords and regular password changes.
    * **Certificate-Based Authentication:** Use certificates to validate identities.
    * **Biometric Authentication:** Implement biometric checks (e.g., fingerprint, facial recognition).
    * **IP Whitelisting:** Restrict access to trusted IP addresses.
  * **Tampering**
    * **Data Integrity Checks:** Use checksums or hash functions to verify data integrity.
    * **Digital Signatures:** Sign data to ensure it hasn’t been altered.
    * **Encryption:** Encrypt data at rest and in transit to prevent unauthorized modifications.
    * **Secure Software Development Lifecycle (SDLC):** Implement secure coding practices and code reviews.
    * **Access Controls:** Restrict permissions to modify data or configurations to authorized users only.
  * **Repudiation**
    * **Logging and Monitoring:** Implement comprehensive logging of user actions.
    * **Digital Signatures:** Use digital signatures to provide proof of data origin and actions.
    * **Non-Repudiation Services:** Implement services that provide proof of data integrity and origin.
    * **Audit Trails:** Maintain detailed audit trails of all critical operations.
    * **Time Stamps:** Include time stamps in logs to accurately track actions.
  * **Information Disclosure**
    * **Encryption:** Use strong encryption for data at rest and in transit.
    * **Access Controls:** Implement strict access controls based on the principle of least privilege.
    * **Data Masking:** Mask sensitive information in non-production environments.
    * **Secure Error Handling:** Ensure error messages do not reveal sensitive information.
    * **Regular Audits:** Perform regular security audits to identify potential data leaks.
  * **Denial of Service**
    * **Rate Limiting:** Implement rate limiting to prevent excessive requests from a single source.
    * **Load Balancing:** Use load balancers to distribute traffic evenly.
    * **Resource Allocation:** Ensure sufficient resources (CPU, memory) are allocated and can be scaled.
    * **DDoS Protection Services:** Use services designed to detect and mitigate DDoS attacks.
    * **Redundancy:** Implement redundancy in critical systems to ensure availability.
  * **Elevation of Privilege**
    * **Least Privilege:** Ensure users and processes operate with the minimum privileges necessary.
    * **Patch Management:** Regularly update and patch systems to fix known vulnerabilities.
    * **Role-Based Access Control (RBAC):** Implement RBAC to manage permissions based on roles.
    * **Security Testing:** Conduct regular security testing, including penetration testing and vulnerability assessments.
    * **Code Reviews:** Perform code reviews to identify and fix potential privilege escalation vulnerabilities.
* **Validation**
  * Validate that the model accurately represents the system/application being modelled.
  * Ensure mitigations are in line with policies and risk management.
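
The diagramming and threat-enumeration steps applied to a small DFD, as an added example that is not part of the original page. It uses the commonly cited STRIDE-per-element chart (an assumption; the page's matrix figure may differ), and the `Element` model, zone names and sample diagram are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart (assumed here; not read from the page's matrix figure).
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TID", "data_flow": "TID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information Disclosure", "D": "Denial of Service",
            "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # key of STRIDE_PER_ELEMENT
    zone: str = ""        # trust zone (entities, processes, stores)
    src: str = ""         # data flows only
    dst: str = ""         # data flows only
    is_log: bool = False  # stores holding audit data also get Repudiation

def enumerate_threats(elements):
    """Return (element, category, crosses_boundary) rows, boundary crossings first."""
    zones = {e.name: e.zone for e in elements if e.kind != "data_flow"}
    rows = []
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown DFD element type: {e.kind!r}")
        letters = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.is_log:
            letters = "TRID"
        crosses = False
        if e.kind == "data_flow":
            if e.src not in zones or e.dst not in zones:
                raise ValueError(f"flow {e.name!r} references an undefined element")
            crosses = zones[e.src] != zones[e.dst]
        for letter in letters:
            rows.append((e.name, CATEGORY[letter], crosses))
    return sorted(rows, key=lambda r: not r[2])  # stable sort keeps DFD order

# Constructed sample DFD: user -> web app -> database.
SAMPLE_DFD = [
    Element("User", "external_entity", zone="internet"),
    Element("Web App", "process", zone="dmz"),
    Element("Orders DB", "data_store", zone="internal"),
    Element("Login request", "data_flow", src="User", dst="Web App"),
    Element("SQL query", "data_flow", src="Web App", dst="Orders DB"),
    Element("Health probe", "data_flow", src="Web App", dst="Web App"),
]

if __name__ == "__main__":
    for name, category, crosses in enumerate_threats(SAMPLE_DFD):
        print(f"{'[boundary] ' if crosses else '':11}{name}: {category}")
```

Each returned row is a question for the team to answer or dismiss, not a confirmed threat; flows that cross a trust boundary are listed first because that is where review time is usually best spent.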

### DREAD

**DREAD** is a threat ranking model used to assess the risk associated with identified threats. It evaluates threats based on five criteria:

1. **Damage Potential:** The potential impact of the threat.
2. **Reproducibility:** The ease of reproducing the threat.
3. **Exploitability:** The ease of exploiting the threat.
4. **Affected Users:** The number of users affected.
5. **Discoverability:** The likelihood of the threat being discovered.
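
A worked DREAD ranking, added here as an example and not taken from the original page. It assumes a 1 to 10 rating per criterion averaged into one score (the page does not fix a scale), and the threat names, ratings and `effort_days` budget are constructed to show how ranked threats plus available resources become a prioritized mitigation plan.

```python
from dataclasses import dataclass

CRITERIA = ("damage", "reproducibility", "exploitability",
            "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    ratings: dict      # criterion -> 1..10 (assumed scale)
    effort_days: int   # assumed cost of the mitigation

def dread_score(threat):
    """Average of the five criteria; rejects missing or out-of-range ratings."""
    missing = [c for c in CRITERIA if c not in threat.ratings]
    if missing:
        raise ValueError(f"{threat.name}: missing ratings {missing}")
    values = [threat.ratings[c] for c in CRITERIA]
    if any(not 1 <= v <= 10 for v in values):
        raise ValueError(f"{threat.name}: ratings must be in 1..10")
    return sum(values) / len(values)

def rank(threats):
    """Highest score first; ties are broken by damage potential."""
    return sorted(threats, reverse=True,
                  key=lambda t: (dread_score(t), t.ratings["damage"]))

def plan(threats, budget_days):
    """Schedule mitigations in rank order; what does not fit is deferred, not dropped."""
    scheduled, deferred, left = [], [], budget_days
    for t in rank(threats):
        if t.effort_days <= left:
            scheduled.append(t.name)
            left -= t.effort_days
        else:
            deferred.append(t.name)
    return scheduled, deferred

def _t(name, values, effort):
    return Threat(name, dict(zip(CRITERIA, values)), effort)

# Constructed sample threats for a web application.
SAMPLE = [
    _t("Verbose error messages", (4, 10, 8, 5, 9), 1),
    _t("Session token not rotated", (7, 6, 5, 6, 4), 3),
    _t("SQL injection in order search", (9, 9, 7, 9, 8), 5),
    _t("Unthrottled login endpoint", (6, 9, 8, 8, 5), 4),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{dread_score(t):4.1f}  {t.name}")
    print(plan(SAMPLE, budget_days=10))
```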

### PASTA

**PASTA** (Process for Attack Simulation and Threat Analysis) is a comprehensive threat modeling methodology with seven distinct stages. Each stage builds upon the previous one, providing a thorough understanding of the system, its threats, and risks.

## Comparing STRIDE, DREAD, and PASTA

| Aspect         | STRIDE                   | DREAD               | PASTA                                    |
| -------------- | ------------------------ | ------------------- | ---------------------------------------- |
| Focus          | Identifying threat types | Ranking threats     | Comprehensive threat modeling process    |
| Key Components | Six threat categories    | Five risk criteria  | Seven stages                             |
| Output         | Identified threats       | Risk-ranked threats | End-to-end threat and risk understanding |
| Ease of Use    | Easy                     | Moderate            | Complex                                  |
| Suitable for   | Quick assessments        | Risk prioritization | Detailed threat and risk analysis        |

## Detailed Stages of Each Framework

### STRIDE

**Input, Activities, Output for STRIDE**

| Stage                     | Input                                     | Activities                                       | Output                                        |
| ------------------------- | ----------------------------------------- | ------------------------------------------------ | --------------------------------------------- |
| Decompose the Application | System architecture, DFDs, use cases      | Analyze components, data flows, and trust levels | Identified threat categories (STRIDE)         |
| Determine Threats         | Identified assets, threat categories      | Apply STRIDE to each component and data flow     | List of potential threats                     |
| Mitigation                | Identified threats, security requirements | Design and implement countermeasures             | Mitigation strategies and implementation plan |

### DREAD

**Input, Activities, Output for DREAD**

| Stage                 | Input                                     | Activities                               | Output                               |
| --------------------- | ----------------------------------------- | ---------------------------------------- | ------------------------------------ |
| Assess Risks          | Identified threats, system information    | Evaluate threats using DREAD criteria    | Ranked threats based on DREAD scores |
| Prioritize Mitigation | Ranked threats, available resources       | Determine priority of mitigation efforts | Prioritized mitigation plan          |
| Implement Mitigation  | Mitigation plan, technical specifications | Execute mitigation strategies            | Reduced risk profile                 |

### PASTA

**Input, Activities, Output for PASTA**

| Stage                      | Input                                    | Activities                                       | Output                                        |
| -------------------------- | ---------------------------------------- | ------------------------------------------------ | --------------------------------------------- |
| Define the Objectives      | Business requirements, security policies | Define business, security, compliance objectives | Business impact analysis, security objectives |
| Define the Technical Scope | Design documents, network diagrams       | Determine scope and boundaries                   | Technical scope and attack surface            |
| Decompose the Application  | Use cases, architectural diagrams        | Create data flow diagrams, identify assets       | DFDs, asset list, trust boundaries            |
| Analyze the Threats        | Threat intelligence, application logs    | Identify and analyze threats                     | Threat landscape, threat agents               |
| Vulnerability Analysis     | Vulnerability reports, threat trees      | Map vulnerabilities to threats                   | Vulnerability overview, CVE/CWE mapping       |
| Attack Analysis            | Technical scope, attack patterns         | Develop attack trees, map attack vectors         | Attack trees, attack paths                    |
| Risk and Impact Analysis   | Previous outputs, control standards      | Identify risks, gaps, and mitigation strategies  | Risk profile, mitigation strategy             |

## Mitigation Techniques

* **Authentication and Authorization:** Ensure proper identity verification and access control.
* **Data Validation and Sanitization:** Validate and sanitize inputs to prevent injection attacks.
* **Logging and Monitoring:** Implement comprehensive logging and monitoring to detect and respond to security incidents.
* **Patch Management:** Regularly update and patch software to fix vulnerabilities.

## Conclusion

Each threat modeling framework has its strengths and is suitable for different scenarios. STRIDE is great for quick threat identification, DREAD helps prioritize risks, and PASTA provides a thorough, end-to-end threat and risk analysis. By understanding and applying these frameworks, security engineers can effectively manage and mitigate threats to their systems.
