Threat Modeling

Threat Modeling, Zero to Hero

Introduction

This is a tutorial / course on "Threat Modeling from Zero to Hero" as requested by the We Hack Purple community. The goal is to give the student enough background in Threat Modeling that they can use the provided resources, continue their studies, and practically apply the techniques described here. Each section consists of a series of relevant topics with examples and exercises for the student, and by the end of this site the student should be able to build a personal threat model.

Threat Model vs Risk Assessment

A Risk Assessment 🧐 integrates a Threat Model into its process; a Threat Model, however, can stand on its own.

Risk Assessments typically consist of the following areas. They overlap heavily with Threat Modeling, and a Threat Model often precedes a risk assessment.

  1. System Characterization and Identification of Assets
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood and Impact Determination
  6. Risk Determination and Recommendations

The results are delivered in a Risk Assessment Report. The report draws on the Threat Model to determine the individual threats, vulnerabilities, and risks, and then qualifies each of them through the risk determination step.

Data Flow Diagrams

A Data Flow Diagram gives important insight into the behavior of information systems, their applications, and the underlying architectural components. Note that this is entirely separate from a network diagram or a system specification: the DFD is focused specifically on how data moves and how it is handled.

It is a distinct way of representing the flow of data through a process or system. Most often your data-flow diagram will include:

  1. Database
  2. Input
  3. System or Process
  4. Output
  5. External Entity (Customer)

There are numerous notations; the Yourdon/DeMarco notation is the most common.

Yourdon/DeMarco Notation

(Figure: Yourdon/DeMarco notation, image from Wikimedia Commons)

Threat Model as Code

With Threat Model as Code, the Data Flow Diagram is generated by software from a textual description of the system. This dramatically improves the reproducibility of the process, and it will often expose routes the data may take that you had not considered.
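As an added example (not a tool the page describes), here is a Data Flow Diagram declared as code in Python and then queried. The element names, trust boundaries, flows and the STRIDE-per-element mapping are assumptions made for illustration. The model emits Graphviz DOT for the diagram, enumerates every route from the external entity to a data store, and flags flows that leave a trust boundary without transport protection, which is exactly the kind of route a hand-drawn diagram tends to miss.

```python
"""Threat Model as Code: a small DFD declared in Python and queried.
Added example for this tutorial, not a tool the page describes; element
names, trust boundaries, flows and the STRIDE mapping are assumptions."""
from dataclasses import dataclass

EXTERNAL, PROCESS, DATASTORE, DATAFLOW = "external", "process", "datastore", "dataflow"
# Widely cited STRIDE-per-element mapping (assumption of this example).
STRIDE_PER_ELEMENT = {EXTERNAL: "SR", PROCESS: "STRIDE", DATASTORE: "TRID", DATAFLOW: "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    boundary: str  # trust boundary (zone) the element lives in


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    encrypted: bool = False

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary


class Model:
    def __init__(self, elements: list[Element], flows: list[Flow]) -> None:
        self.elements, self.flows = elements, flows

    def paths(self, start: Element, goal: Element) -> list[list[str]]:
        """Every simple route data can take from start to goal (depth-first)."""
        found: list[list[str]] = []

        def walk(node: Element, seen: frozenset, path: list[str]) -> None:
            if node == goal:
                found.append(path)
                return
            for f in self.flows:
                if f.src == node and f.dst not in seen:
                    walk(f.dst, seen | {f.dst}, path + [f.dst.name])

        walk(start, frozenset([start]), [start.name])
        return found

    def unprotected_crossings(self) -> list[Flow]:
        """Flows that cross a trust boundary without transport protection."""
        return [f for f in self.flows if f.crosses_boundary() and not f.encrypted]

    def threats(self) -> list[tuple[str, str]]:
        """STRIDE-per-element: (target, STRIDE letter) for each element and flow."""
        out = [(e.name, c) for e in self.elements for c in STRIDE_PER_ELEMENT[e.kind]]
        out += [(f"{f.src.name} -> {f.dst.name}", c)
                for f in self.flows for c in STRIDE_PER_ELEMENT[DATAFLOW]]
        return out

    def to_dot(self) -> str:
        """Graphviz DOT: boxes for entities, circles for processes, cylinders standing
        in for the Yourdon/DeMarco open-box store; one dashed cluster per trust zone."""
        shapes = {EXTERNAL: "box", PROCESS: "circle", DATASTORE: "cylinder"}
        zones: dict[str, list[Element]] = {}
        for e in self.elements:
            zones.setdefault(e.boundary, []).append(e)
        lines = ["digraph dfd {", "  rankdir=LR;"]
        for zone, members in zones.items():
            lines.append(f'  subgraph "cluster_{zone}" {{ label="{zone}"; style=dashed;')
            lines += [f'    "{e.name}" [shape={shapes[e.kind]}];' for e in members]
            lines.append("  }")
        for f in self.flows:  # dashed edge = flow without transport protection
            lines.append(f'  "{f.src.name}" -> "{f.dst.name}" '
                         f'[label="{f.data}", style={"solid" if f.encrypted else "dashed"}];')
        lines.append("}")
        return "\n".join(lines)


def build_example_model() -> Model:
    """Constructed sample: a hypothetical order-taking web application."""
    customer = Element("Customer", EXTERNAL, "internet")
    web = Element("Web App", PROCESS, "dmz")
    api = Element("Orders API", PROCESS, "internal")
    db = Element("Orders DB", DATASTORE, "internal")
    report = Element("Nightly Report Job", PROCESS, "internal")
    bucket = Element("Report Bucket", DATASTORE, "cloud")
    flows = [
        Flow(customer, web, "order form", encrypted=True),
        Flow(web, api, "order JSON", encrypted=True),
        Flow(api, web, "confirmation", encrypted=True),
        Flow(api, db, "INSERT order"),
        Flow(db, report, "SELECT orders"),
        Flow(report, bucket, "CSV export"),  # leaves 'internal' for 'cloud' in the clear
    ]
    return Model([customer, web, api, db, report, bucket], flows)


if __name__ == "__main__":
    m = build_example_model()
    print(m.to_dot())  # pipe into: dot -Tpng -o dfd.png
    print([" -> ".join(p) for p in m.paths(m.elements[0], m.elements[-1])])
    print([(f.src.name, f.dst.name) for f in m.unprotected_crossings()])
```

Pipe the DOT output through `dot -Tpng` to render the diagram. The interesting result is the single route Customer -> Web App -> Orders API -> Orders DB -> Nightly Report Job -> Report Bucket: customer order data ends up in a cloud bucket by way of a batch job, and that final hop is the one flow that crosses a trust boundary without protection. Rerunning the script after every architecture change is what gives the reproducibility mentioned above.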

System Characterization and Identification of Assets

Assets are the things at risk, the things that need to be protected. This process is another way of asking:

The asset inventory is typically kept in a spreadsheet for a small or medium-sized organization, or in an asset database for larger enterprises, and is propagated as a part of log management.

Your input consists of:

  1. Network Diagrams,
  2. Hardware,
  3. Software,
  4. System interfaces,
  5. Data and information,
  6. Data Owners,
  7. Systems Administrators,
  8. System mission.

By analyzing and organizing this data you are able to identify the IT system's boundaries and scope, produce a list of assets to be risk-managed, and produce a list of the business processes related to those assets and their relevance.

Threat Identification

When identifying threat sources, interviewing the stakeholders will often expedite the process. This phase typically consists of the following inputs:

  1. Interviews with stakeholders and data owners, and identification of supporting systems personnel,
  2. History of attacks on the system,
  3. Data from intelligence and incident-response sources (e.g. NIPC, OIG, ISC, FedCIRC, mass media),
  4. Questionnaires and interviews of staff to assess which threats the organization considers valid.

with the Output of:

A threat statement: the identified potential threat sources that are applicable to the IT system being evaluated, together with each threat agent's motivation.

Vulnerability Identification

The purpose of vulnerability identification in the context of a Threat Model is to understand the system vulnerabilities (flaws or weaknesses) that could be exploited by the identified threat sources. Typically each vulnerability pairs up with a specific threat. Through analysis of system configurations, previous audits, and low-risk system testing, you develop a comprehensive list of vulnerabilities that the identified threat agents could exploit.

Most vulnerability identification phases will consist of gathering:

  1. Reports from prior risk assessments,
  2. Any audit comments provided regarding the systems in scope and their supporting systems,
  3. Security requirements as determined by the data classification and criticality,
  4. Security testing results from point-in-time testing, and
  5. Evaluation of system logs.

Control Analysis

In the Control Analysis phase, think of controls as zones or areas of the system that are explicitly and programmatically controlled. To carry out the analysis you need to gather a list of the current and planned controls used for the IT systems; these controls are what reduce the likelihood of a vulnerability being exploited.

This phase has only one major input and one output.

The input is a list of current and planned controls, along with the data or system each one is associated with, and the output is that list.

Likelihood and Impact Determination

Within the Likelihood and Impact Determination phase the goal is to analyze the threat-source motivation, the threat capacity, and the nature of the vulnerabilities, and to compare those against the currently applied controls, the asset criticality assessment, data criticality, and data sensitivity, in order to determine the likelihood and impact of exploitation.

The likelihood input is the threat-source motivation, threat capacity, and nature of the vulnerability versus the currently deployed controls, with a likelihood value as the output. The impact determination is based on the mission impact analysis, asset criticality assessment, data criticality, and data sensitivity, with an impact rating as the output.
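The phases above, from system characterization through likelihood and impact determination, can be worked through end to end. The following is an added example (not the course's own material): a small risk register in Python in which assets carry criticality and sensitivity, each threat-source/vulnerability pair carries motivation, capacity and exposure, controls are marked current or planned, and the likelihood and impact ratings are combined into a risk level with a recommendation for the report. The three assets, the threats, the controls and the 3x3 rating scheme (in the style of NIST SP 800-30) are constructed assumptions, not values from this page.

```python
"""Risk determination worked through the phases above (system characterization,
threat and vulnerability identification, control analysis, likelihood and impact).
Added example for this tutorial; the assets, threats, controls and the 3x3 rating
scheme are constructed assumptions, not values from the page."""
from dataclasses import dataclass, field

LEVEL = {"Low": 0, "Medium": 1, "High": 2}
NAME = {v: k for k, v in LEVEL.items()}
# Weights in the style of NIST SP 800-30's 3x3 likelihood x impact matrix
# (assumption of this example; substitute your organization's own scale).
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass(frozen=True)
class Asset:                # from system characterization
    name: str
    criticality: str        # asset criticality assessment
    sensitivity: str        # data classification


@dataclass(frozen=True)
class Control:              # from control analysis
    name: str
    planned: bool = False   # planned controls do not lower today's likelihood


@dataclass(frozen=True)
class ThreatPair:           # one threat-source / vulnerability pairing
    asset: Asset
    source: str
    vulnerability: str
    motivation: str         # threat-source motivation
    capability: str         # threat capacity
    exposure: str           # nature of the vulnerability: how reachable it is
    controls: list = field(default_factory=list)


def likelihood(tp: ThreatPair) -> str:
    """Motivation, capacity and exposure, lowered one level per control in place."""
    raw = round((LEVEL[tp.motivation] + LEVEL[tp.capability] + LEVEL[tp.exposure]) / 3)
    in_place = sum(1 for c in tp.controls if not c.planned)
    return NAME[max(0, raw - in_place)]


def impact(tp: ThreatPair) -> str:
    """Worst of asset criticality and data sensitivity."""
    return NAME[max(LEVEL[tp.asset.criticality], LEVEL[tp.asset.sensitivity])]


def risk(tp: ThreatPair) -> dict:
    """Risk determination plus a recommendation for the report."""
    lk, im = likelihood(tp), impact(tp)
    score = LIKELIHOOD_WEIGHT[lk] * IMPACT_WEIGHT[im]
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    planned = [c.name for c in tp.controls if c.planned]
    if planned:
        rec = "implement planned control(s): " + ", ".join(planned)
    elif level != "Low":
        rec = "identify additional controls"
    else:
        rec = "accept and monitor"
    return {"asset": tp.asset.name, "source": tp.source, "vulnerability": tp.vulnerability,
            "likelihood": lk, "impact": im, "score": score, "risk": level,
            "recommendation": rec}


def risk_register(pairs: list) -> list:
    """Rows of the Risk Assessment Report, highest risk first."""
    return sorted((risk(p) for p in pairs), key=lambda r: -r["score"])


def build_sample_pairs() -> list:
    """Constructed inputs for a hypothetical order-taking system."""
    orders_db = Asset("Orders DB", criticality="High", sensitivity="High")
    web_app = Asset("Web App", criticality="High", sensitivity="Low")
    bucket = Asset("Report Bucket", criticality="Medium", sensitivity="High")
    return [
        ThreatPair(orders_db, "external attacker", "SQL injection in order search",
                   motivation="High", capability="Medium", exposure="High",
                   controls=[Control("parameterized queries", planned=True),
                             Control("WAF rule set", planned=True)]),
        ThreatPair(web_app, "external attacker", "session fixation on login",
                   motivation="High", capability="Medium", exposure="Medium"),
        ThreatPair(bucket, "opportunistic scanner", "public-read ACL on export bucket",
                   motivation="Medium", capability="Low", exposure="High",
                   controls=[Control("bucket policy audit alert"),
                             Control("block public access", planned=True)]),
    ]


if __name__ == "__main__":
    for row in risk_register(build_sample_pairs()):
        print(f"{row['risk']:6} {row['score']:>5} {row['asset']:14} "
              f"{row['vulnerability']}: {row['recommendation']}")
```

Run as a script it prints the register: the SQL injection against the Orders DB rates High (motivated, capable, exposed, nothing in place yet), session fixation on the Web App rates Medium, and the public-read bucket rates Low only because an audit alert already lowers its likelihood. Note that a planned control never lowers the score; it only shapes the recommendation, which is the reason the control analysis phase keeps current and planned controls separate.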

Threat Modeling Techniques

There are a large number of Threat Modeling techniques that can be utilized; when the system being modeled is code, Threat Model as Code (TM-aC) automation is an additional option.

Outside of TM-aC there are a few prominent threat model methods:

STRIDE

DREAD
