Threat Modeling
What is Threat Modeling
Threat modeling is a systematic approach to identifying, assessing, and addressing security threats to applications or systems. It helps in understanding potential threats, their impact, and how to mitigate them effectively.
When? It should ideally be done in the Planning Phase of SDLC.
Process:
Assemble Threat Modeling Team: Include diverse stakeholders from development, security, and operations.
Decompose the Application: Use Data Flow Diagrams (DFD) and UML to understand the application flow.
Determine Threats: Identify potential threats using the STRIDE model.
Rank Threats: Assess risks and prioritize threats based on their impact and likelihood.
Mitigation: Choose and implement appropriate countermeasures.
Tools: Microsoft Threat Modeling Tool
Key Threat Modeling Frameworks
STRIDE
STRIDE is a threat categorization model developed by Microsoft. It identifies potential threats by categorizing them into six different types:
Spoofing: (Authentication) Impersonating a legitimate user or system.
Tampering: (Integrity) Unauthorized modification of data.
Repudiation: (Non-Repudiation) Denial of performing an action without any way to prove otherwise.
Information Disclosure: (Confidentiality) Unauthorized access to confidential data.
Denial of Service (DoS): (Availability) Disrupting service availability.
Elevation of Privilege: (Authorization) Gaining unauthorized access levels.
Steps
Diagramming
Threat Enumeration
Spoofing
Impersonation of a legitimate user.
Using stolen credentials to access the system.
Spoofing an identity to gain unauthorized access.
Tampering
Modifying data in transit between systems.
Altering stored data to gain an advantage.
Tampering with configuration files or application code.
Repudiation
Denying actions taken within the system.
Lack of evidence for performed actions.
Disputing transaction occurrences.
Information Disclosure
Unauthorized access to sensitive data.
Data leaks due to insufficient encryption.
Exposure of confidential information via error messages or logs.
Denial of Service
Flooding the system with excessive requests to disrupt services.
Consuming all available resources, making the system unavailable.
Targeting specific vulnerabilities to cause service outages.
Escalation of Privileges
Gaining higher-level permissions than authorized.
Exploiting vulnerabilities to execute code with elevated privileges.
Using misconfigurations to perform unauthorized actions.
Mitigations
Spoofing
Multi-Factor Authentication (MFA): Require multiple forms of verification before granting access.
Strong Password Policies: Enforce complex passwords and regular password changes.
Certificate-Based Authentication: Use certificates to validate identities.
Biometric Authentication: Implement biometric checks (e.g., fingerprint, facial recognition).
IP Whitelisting: Restrict access to trusted IP addresses.
Tampering
Data Integrity Checks: Use checksums or hash functions to verify data integrity.
Digital Signatures: Sign data to ensure it hasn’t been altered.
Encryption: Encrypt data at rest and in transit to prevent unauthorized modifications.
Secure Software Development Lifecycle (SDLC): Implement secure coding practices and code reviews.
Access Controls: Restrict permissions to modify data or configurations to authorized users only.
Repudiation
Logging and Monitoring: Implement comprehensive logging of user actions.
Digital Signatures: Use digital signatures to provide proof of data origin and actions.
Non-Repudiation Services: Implement services that provide proof of data integrity and origin.
Audit Trails: Maintain detailed audit trails of all critical operations.
Time Stamps: Include time stamps in logs to accurately track actions.
Information Disclosure
Encryption: Use strong encryption for data at rest and in transit.
Access Controls: Implement strict access controls based on the principle of least privilege.
Data Masking: Mask sensitive information in non-production environments.
Secure Error Handling: Ensure error messages do not reveal sensitive information.
Regular Audits: Perform regular security audits to identify potential data leaks.
Denial of Service
Rate Limiting: Implement rate limiting to prevent excessive requests from a single source.
Load Balancing: Use load balancers to distribute traffic evenly.
Resource Allocation: Ensure sufficient resources (CPU, memory) are allocated and can be scaled.
DDoS Protection Services: Use services designed to detect and mitigate DDoS attacks.
Redundancy: Implement redundancy in critical systems to ensure availability.
Escalation of Privileges
Least Privilege: Ensure users and processes operate with the minimum privileges necessary.
Patch Management: Regularly update and patch systems to fix known vulnerabilities.
Role-Based Access Control (RBAC): Implement RBAC to manage permissions based on roles.
Security Testing: Conduct regular security testing, including penetration testing and vulnerability assessments.
Code Reviews: Perform code reviews to identify and fix potential privilege escalation vulnerabilities.
Validation
Validate that the model accurately represents the system/application being modelled.
Ensure mitigations are in line with policies and risk management.
DREAD
DREAD is a threat ranking model used to assess the risk associated with identified threats. It evaluates threats based on five criteria:
Damage Potential: The potential impact of the threat.
Reproducibility: The ease of reproducing the threat.
Exploitability: The ease of exploiting the threat.
Affected Users: The number of users affected.
Discoverability: The likelihood of the threat being discovered.
PASTA
PASTA (Process for Attack Simulation and Threat Analysis) is a comprehensive threat modeling methodology with seven distinct stages. Each stage builds upon the previous one, providing a thorough understanding of the system, its threats, and risks.
Comparing STRIDE, DREAD, and PASTA
| Aspect | STRIDE | DREAD | PASTA |
|---|---|---|---|
Focus | Identifying threat types | Ranking threats | Comprehensive threat modeling process |
Key Components | Six threat categories | Five risk criteria | Seven stages |
Output | Identified threats | Risk-ranked threats | End-to-end threat and risk understanding |
Ease of Use | Easy | Moderate | Complex |
Suitable for | Quick assessments | Risk prioritization | Detailed threat and risk analysis |
Detailed Stages of Each Framework
STRIDE
Input, Activities, Output for STRIDE
| Stage | Input | Activities | Output |
|---|---|---|---|
Decompose the Application | System architecture, DFDs, use cases | Analyze components, data flows, and trust levels | Identified threat categories (STRIDE) |
Determine Threats | Identified assets, threat categories | Apply STRIDE to each component and data flow | List of potential threats |
Mitigation | Identified threats, security requirements | Design and implement countermeasures | Mitigation strategies and implementation plan |
DREAD
Input, Activities, Output for DREAD
| Stage | Input | Activities | Output |
|---|---|---|---|
Assess Risks | Identified threats, system information | Evaluate threats using DREAD criteria | Ranked threats based on DREAD scores |
Prioritize Mitigation | Ranked threats, available resources | Determine priority of mitigation efforts | Prioritized mitigation plan |
Implement Mitigation | Mitigation plan, technical specifications | Execute mitigation strategies | Reduced risk profile |
PASTA
Input, Activities, Output for PASTA
| Stage | Input | Activities | Output |
|---|---|---|---|
Define the Objectives | Business requirements, security policies | Define business, security, compliance objectives | Business impact analysis, security objectives |
Define the Technical Scope | Design documents, network diagrams | Determine scope and boundaries | Technical scope and attack surface |
Decompose the Application | Use cases, architectural diagrams | Create data flow diagrams, identify assets | DFDs, asset list, trust boundaries |
Analyze the Threats | Threat intelligence, application logs | Identify and analyze threats | Threat landscape, threat agents |
Vulnerability Analysis | Vulnerability reports, threat trees | Map vulnerabilities to threats | Vulnerability overview, CVE/CWE mapping |
Attack Analysis | Technical scope, attack patterns | Develop attack trees, map attack vectors | Attack trees, attack paths |
Risk and Impact Analysis | Previous outputs, control standards | Identify risks, gaps, and mitigation strategies | Risk profile, mitigation strategy |
Mitigation Techniques:
Authentication and Authorization: Ensure proper identity verification and access control.
Data Validation and Sanitization: Validate and sanitize inputs to prevent injection attacks.
Logging and Monitoring: Implement comprehensive logging and monitoring to detect and respond to security incidents.
Patch Management: Regularly update and patch software to fix vulnerabilities.
Conclusion
Each threat modeling framework has its strengths and is suitable for different scenarios. STRIDE is great for quick threat identification, DREAD helps prioritize risks, and PASTA provides a thorough, end-to-end threat and risk analysis. By understanding and applying these frameworks, security engineers can effectively manage and mitigate threats to their systems.
Last updated
