Threat Modeling

Cards (46)

  • What is Threat Modelling?
    • Threat modelling is a systematic approach to identifying, prioritising, and addressing potential security threats across the organisation. By simulating possible attack scenarios and assessing the existing vulnerabilities of the organisation's interconnected systems and applications, threat modelling enables organisations to develop proactive security measures and make informed decisions about resource allocation. 
  • What is Threat Modelling?
    • Threat modelling aims to reduce an organisation's overall risk exposure by identifying vulnerabilities and potential attack vectors, allowing for adequate security controls and strategies. This process is essential for constructing a robust defence strategy against the ever-evolving cyber threat landscape.
    • Threat: Refers to any potential occurrence, event, or actor that may exploit vulnerabilities to compromise information confidentiality, integrity, or availability. It may come in various forms, such as cyber attacks, human error, or natural disasters.
    • Vulnerability: A weakness or flaw in a system, application, or process that may be exploited by a threat to cause harm. It may arise from software bugs, misconfiguration, or design flaws.
    • Risk: The possibility of being compromised because of a threat taking advantage of a vulnerability. A way to think about how likely an attack might be successful and how much damage it could cause.
  • High-Level Process of Threat Modelling
    1. Defining the scope
    2. Asset Identification
    3. Identify Threats
    4. Analyse Vulnerabilities and Prioritise Risks 
    5. Develop and Implement Countermeasures
    6. Monitor and Evaluate
  • High-Level Process of Threat Modelling
    1. Defining the scope: Identify the specific systems, applications, and networks in the threat modelling exercise.
    2. Asset Identification: Develop diagrams of the organisation's architecture and its dependencies. It is also essential to identify the importance of each asset based on the information it handles, such as customer data, intellectual property, and financial information.
    3. Identify Threats: Identify potential threats that may impact the identified assets, such as cyber attacks, physical attacks, social engineering, and insider threats.
  • High-Level Process of Threat Modelling
    4. Analyse Vulnerabilities and Prioritise Risks: Analyse the vulnerabilities based on the potential impact of identified threats in conjunction with assessing the existing security controls. Given the list of vulnerabilities, risks should be prioritised based on their likelihood and impact.
    5. Develop and Implement Countermeasures: Design and implement security controls to address the identified risks, such as implementing access controls, applying system updates, and performing regular vulnerability assessments.
  • High-Level Process of Threat Modelling
    6. Monitor and Evaluate: Continuously test and monitor the effectiveness of the implemented countermeasures and evaluate the success of the threat modelling exercise. An example of a simple measurement of success is tracking the identified risks that have been effectively mitigated or eliminated.
  • An attack tree is a graphical representation used in threat modelling to systematically describe and analyse potential threats against a system, application or infrastructure. It provides a structured, hierarchical approach to breaking down attack scenarios into smaller components. Each node in the tree represents a specific event or condition, with the root node representing the attacker's primary goal.
    For a quick example, let's use the diagram below that represents a scenario of an attacker trying to gain unauthorised access to sensitive data stored in a cloud-based storage system.
  • MITRE ATT&CK Framework
    • MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive, globally accessible knowledge base of cyber adversary behaviour and tactics. Developed by the MITRE Corporation, it is a valuable resource for organisations to understand the different stages of cyber attacks and develop effective defences.
  • MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
    • The ATT&CK framework is organised into a matrix that covers various tactics (high-level objectives) and techniques (methods used to achieve goals). The framework includes descriptions, examples, and mitigations for each technique, providing a detailed overview of threat actors' methods and tools.
  • MITRE ATT&CK Framework Sections:
    Technique Name and Details
    • Information such as the name, a detailed explanation of the technique, the types of data or logs that can help detect it, and the platforms (Windows, macOS, Linux) relevant to the technique.
    Procedure Examples
    • Real-world examples of how threat actors have employed the technique in their adversarial operations.
    Mitigations
    • Recommended security measures and best practices to protect against the technique.
    Detections 
    • Strategies and indicators that can help identify the technique, as well as potential challenges in detecting the technique.
  • MITRE ATT&CK Framework
    References 
    • External sources, reports, and articles that provide additional information, context, or examples related to the technique.
  • Applying MITRE ATT&CK in Threat Modelling Process
    • Map to MITRE ATT&CK: Map the identified threats to the corresponding tactics and techniques in the MITRE ATT&CK Framework. For each mapped technique, utilise the information found on the corresponding ATT&CK technique page, such as the description, procedure examples, mitigations, and detection strategies, to gain a deeper understanding of the threats and vulnerabilities in your system.
  • Utilising MITRE ATT&CK for Different Use Cases
    1. Identifying potential attack paths based on your infrastructure: Based on your assets, the framework can map possible attack paths an attacker might use to compromise your organisation. For example, if your organisation uses Office 365, all techniques attributed to this platform are relevant to your threat modelling exercise.
  • Utilising MITRE ATT&CK for Different Use Cases
    2. Developing threat scenarios: MITRE ATT&CK has attributed all tactics and techniques to known threat groups. This information can be leveraged to assess your organisation based on threat groups identified to be targeting the same industry.
    3. Prioritising vulnerability remediation: The information provided for each MITRE ATT&CK technique can be used to assess the significant impact that may occur if your organisation experiences a similar attack. Given this, your security team can identify the most critical vulnerabilities to address.
  • The MITRE ATT&CK Navigator is an open-source, web-based tool that helps visualise and navigate the complex landscape of the MITRE ATT&CK Framework. It allows security teams to create custom matrices by selecting relevant tactics and techniques that apply to their specific environment or threat scenario.
  • MITRE ATT&CK Navigator
    You may have observed that there are three options for creating a new layer.
    • Enterprise - The Enterprise Matrix focuses on threats and techniques commonly used against enterprise networks.
    • Mobile - The Mobile Matrix focuses on threats and techniques against mobile devices, such as smartphones and tablets.
    • ICS - The ICS Matrix focuses on threats and techniques against industrial control systems, which control critical infrastructure, such as power plants, water treatment facilities, and transportation systems.
  • What is the DREAD Framework?
    • The DREAD framework is a risk assessment model developed by Microsoft to evaluate and prioritise security threats and vulnerabilities. 
  • DREAD
    • Damage: The potential harm that could result from the successful exploitation of a vulnerability. This includes data loss, system downtime, or reputational damage.
    • Reproducibility: The ease with which an attacker can successfully recreate the exploitation of a vulnerability. A higher reproducibility score suggests that the vulnerability is straightforward to abuse, posing a greater risk.
  • DREAD
    • Exploitability: The difficulty level involved in exploiting the vulnerability considering factors such as technical skills required, availability of tools or exploits, and the amount of time it would take to exploit the vulnerability successfully.
    • Affected Users: The number or portion of users impacted once the vulnerability has been exploited.
  • DREAD
    • Discoverability: The ease with which an attacker can find and identify the vulnerability considering whether it is publicly known or how difficult it is to discover based on the exposure of the assets (publicly reachable or in a regulated environment).
  • DREAD
    The categories are commonly phrased as the following questions, which make the definitions above quicker to absorb:
    • Damage - How bad would an attack be?
    • Reproducibility - How easy is it to reproduce the attack?
    • Exploitability - How much work is it to launch the attack?
    • Affected Users - How many people will be impacted?
    • Discoverability - How easy is it to discover the vulnerability?
  • DREAD Framework Guidelines:
    1. Establish a standardised set of guidelines and definitions for each DREAD category that provides a consistent understanding of how to rate vulnerabilities. This can be supported by providing examples and scenarios to illustrate how scores should be assigned under various circumstances.
    2. Encourage collaboration and discussion among multiple teams. Constructive feedback from different members aids in justifying the assigned scores, which can lead to a more accurate assessment.
  • DREAD Framework Guidelines:
    3. Use the DREAD framework with other risk-assessment methodologies and regularly review and update the chosen methods and techniques to ensure they remain relevant and aligned with the organisation's needs.
  • Qualitative Analysis Using DREAD Framework
    • The DREAD Framework is typically used for Qualitative Risk Analysis, rating each category from one to ten based on a subjective assessment and interpretation of the questions above. The overall DREAD risk rating is the average of the scores across all criteria.
  • What is the STRIDE Framework?
    • The STRIDE framework is a threat modelling methodology also developed by Microsoft, which helps identify and categorise potential security threats in software development and system design.
  • STRIDE Framework:
    • Spoofing: Unauthorised access or impersonation of a user or system. Policy Violated = Authentication
    • Tampering: Unauthorised modification or manipulation of data or code. Policy Violated = Integrity
    • Repudiation: Ability to deny having acted, typically due to insufficient auditing or logging. Policy Violated = Non-repudiation
    • Information Disclosure: Unauthorised access to sensitive information, such as personal or financial data. Policy Violated = Confidentiality
  • STRIDE Framework:
    • Denial of Service: Disruption of the system's availability, preventing legitimate users from accessing it. Policy Violated = Availability
    • Elevation of Privilege: Unauthorized elevation of access privileges, allowing threat actors to perform unintended actions. Policy Violated = Authorization
  • STRIDE
    • Spoofing
      • Sending an email as another user.
      • Creating a phishing website mimicking a legitimate one to harvest user credentials.
    • Tampering
      • Updating the password of another user.
      • Installing system-wide backdoors using elevated access.
    • Repudiation
      • Denying unauthorised money-transfer transactions, wherein the system lacks auditing.
      • Denying sending an offensive message to another person, wherein the person lacks proof of receiving one.
    • Information Disclosure
      • Unauthenticated access to a misconfigured database that contains sensitive customer information.
      • Accessing public cloud storage that handles sensitive documents.
    • Denial of Service
      • Flooding a web server with many requests, overwhelming its resources, and making it unavailable to legitimate users.
      • Deploying ransomware that encrypts all system data, which prevents other systems from accessing the resources the compromised server needs.
    • Elevation of Privilege
      • Creating a regular user but being able to access the administrator console.
      • Gaining local administrator privileges on a machine by abusing unpatched systems.
  • A typical representation of results after using the STRIDE framework is via a checklist table, wherein each use case is marked based on what STRIDE component affects it.
  • Threat Modelling With STRIDE
    • To implement the STRIDE framework in threat modelling, it is essential to integrate the six threat categories into a systematic process that effectively identifies, assesses, and mitigates security risks. 
  • Threat Modelling With STRIDE
    1. System Decomposition: Break down all accounted systems into components, such as applications, networks, and data flows. Understand the architecture, trust boundaries, and potential attack surfaces.
    2. Apply STRIDE Categories: For each component, analyse its exposure to the six STRIDE threat categories. Identify potential threats and vulnerabilities related to each category.
  • Threat Modelling With STRIDE
    3. Threat Assessment: Evaluate the impact and likelihood of each identified threat. Consider the potential consequences and the ease of exploitation, and prioritise threats based on their overall risk level.
    4. Develop Countermeasures: Design and implement security controls to address the identified threats, tailored to each STRIDE category. For example, to enhance email security and mitigate spoofing threats, implement DMARC, DKIM, and SPF, which are email authentication and validation mechanisms that help prevent email spoofing, phishing, and spamming.
  • Threat Modelling With STRIDE
    5. Validation and Verification: Test the effectiveness of the implemented countermeasures to ensure they effectively mitigate the identified threats. If possible, conduct penetration testing, code reviews, or security audits.
    6. Continuous Improvement: Regularly review and update the threat model as the system evolves and new threats emerge. Monitor the effectiveness of the countermeasures and update them as needed.
  • What is the PASTA Framework?
    • PASTA, or Process for Attack Simulation and Threat Analysis, is a structured, risk-centric threat modelling framework designed to help organisations identify and evaluate security threats and vulnerabilities within their systems, applications, or infrastructure. PASTA provides a systematic, seven-step process that enables security teams to understand potential attack scenarios better, assess the likelihood and impact of threats, and prioritise remediation efforts accordingly.
  • PASTA Seven-Step Methodology