
Threat model: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Added commas for grammatical correctness
Undid revision 1259463045 by 145.89.162.129 (talk)
 
(43 intermediate revisions by 28 users not shown)
Line 2: Line 2:
'''Threat modeling''' is a process by which potential threats, such as [[Structural vulnerability (computing)|structural vulnerabilities]] or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.<ref name=":1" /> The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like ''"Where am I most vulnerable to attack?"'', ''"What are the most relevant threats?"'', and ''"What do I need to do to safeguard against these threats?"''.
'''Threat modeling''' is a process by which potential threats, such as [[Structural vulnerability (computing)|structural vulnerabilities]] or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.<ref name=":1" /> The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like ''"Where am I most vulnerable to attack?"'', ''"What are the most relevant threats?"'', and ''"What do I need to do to safeguard against these threats?"''.


Conceptually, most people incorporate some form of threat modeling in their daily life and don't even realize it.{{cn|date=May 2022}} Commuters use threat modeling to consider what might go wrong during the morning journey to work and to take preemptive action to avoid possible accidents. Children engage in threat modeling when determining the best path toward an intended goal while avoiding the playground bully. In a more formal sense, threat modeling has been used to prioritize military defensive preparations since antiquity.
Conceptually, most people incorporate some form of threat modeling in their daily life and don't even realize it.{{citation needed|date=May 2022}} Commuters use threat modeling to consider what might go wrong during the morning journey to work and to take preemptive action to avoid possible accidents. Children engage in threat modeling when determining the best path toward an intended goal while avoiding the playground bully. In a more formal sense, threat modeling has been used to prioritize military defensive preparations since antiquity.


== Evolution of IT-based threat modeling ==
== Evolution of technology-centric threat modeling ==
Shortly after shared computing made its debut in the early 1960s, individuals began seeking ways to exploit security vulnerabilities for personal gain.<ref>{{Cite web|url=https://www.wired.com/2012/01/computer-password/|title=The World's First Computer Password? It Was Useless Too|last=McMillan|first=Robert|date=2012|website=|publisher=Wired Business|access-date=}}</ref> As a result, engineers and computer scientists soon began developing threat modeling concepts for information technology systems.
Shortly after shared computing made its debut in the early 1960s, individuals began seeking ways to exploit security vulnerabilities for personal gain.<ref>{{Cite web|url=https://www.wired.com/2012/01/computer-password/|title=The World's First Computer Password? It Was Useless Too|last=McMillan|first=Robert|date=2012|website=|publisher=Wired Business|access-date=}}</ref> As a result, engineers and computer scientists soon began developing threat modeling concepts for information technology systems.


Early IT-based threat modeling methodologies were based on the concept of architectural patterns<ref>{{Cite web|url=http://threatmodelingbook.com|title=Threat Modeling: Designing for Security|last=Shostack|first=Adam|author-link=Adam Shostack|date=2014|website=|publisher=John Wiley & Sons Inc: Indianapolis|access-date=}}</ref> first presented by [[Christopher Alexander]] in 1977. In 1988 Robert Barnard developed and successfully applied the first profile for an IT-system attacker.
Early technology-centered threat modeling methodologies were based on the concept of architectural patterns<ref>{{Cite web|url=http://threatmodelingbook.com|title=Threat Modeling: Designing for Security|last=Shostack|first=Adam|author-link=Adam Shostack|date=2014|website=|publisher=John Wiley & Sons Inc: Indianapolis|access-date=}}</ref> first presented by [[Christopher Alexander]] in 1977. In 1988 Robert Barnard developed and successfully applied the first profile for an IT-system attacker.


In 1994, Edward Amoroso put forth the concept of a "threat tree" in his book, "Fundamentals of Computer Security Technology.<ref>{{Cite book|url=http://dl.acm.org/citation.cfm?id=179237|title=Fundamentals of Computer Security Technology|last=Amoroso|first=Edward G|date=1994|website=|publisher=AT&T Bell Labs. Prentice-Hall: Upper Saddle River.|isbn=9780131089297|access-date=}}</ref>" The concept of a threat tree was based on decision tree diagrams. Threat trees graphically represent how a potential threat to an IT system can be exploited.
In 1994, Edward Amoroso put forth the concept of a "threat tree" in his book, "Fundamentals of Computer Security Technology.<ref>{{Cite book|url=http://dl.acm.org/citation.cfm?id=179237|title=Fundamentals of Computer Security Technology|last=Amoroso|first=Edward G|date=1994|publisher=AT&T Bell Labs. Prentice-Hall: Upper Saddle River.|isbn=9780131089297|access-date=}}</ref>" The concept of a threat tree was based on decision tree diagrams. Threat trees graphically represent how a potential threat to an IT system can be exploited.
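Review bot: in the Amoroso sentence the citation sits inside the quoted book title, `"Fundamentals of Computer Security Technology.<ref>...</ref>"`, so the closing quotation mark comes after the ref tag and the period sits inside the title. Move the `<ref>` after the closing quote and the period outside the title: `"Fundamentals of Computer Security Technology".<ref>...</ref>`.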


Independently, similar work was conducted by the [[National Security Agency|NSA]] and [[DARPA]] on a structured graphical representation of how specific attacks against IT-systems could be executed. The resulting representation was called "[[attack tree]]s." In 1998 [[Bruce Schneier]] published his analysis of cyber risks utilizing attack trees in his paper entitled "Toward a Secure System Engineering Methodology".<ref>{{Cite web|url=https://www.schneier.com/academic/paperfiles/paper-secure-methodology.pdf|title=Toward A Secure System Engineering Methodology|last=Schneier|first=Bruce|display-authors=etal|date=1998|website=|publisher=National Security Agency: Washington|access-date=}}</ref> The paper proved to be a seminal contribution in the evolution of threat modeling for IT-systems. In Schneier's analysis, the attacker's goal is represented as a "root node," with the potential means of reaching the goal represented as "leaf nodes." Utilizing the attack tree in this way allowed cybersecurity professionals to systematically consider multiple attack vectors against any defined target.
Independently, similar work was conducted by the [[National Security Agency|NSA]] and [[DARPA]] on a structured graphical representation of how specific attacks against IT-systems could be executed. The resulting representation was called "[[attack tree]]s." In 1998 [[Bruce Schneier]] published his analysis of cyber risks utilizing attack trees in his paper entitled "Toward a Secure System Engineering Methodology".<ref>{{Cite web|url=https://www.schneier.com/academic/paperfiles/paper-secure-methodology.pdf|title=Toward A Secure System Engineering Methodology|last=Schneier|first=Bruce|display-authors=etal|date=1998|website=|publisher=National Security Agency: Washington|access-date=}}</ref> The paper proved to be a seminal contribution in the evolution of threat modeling for IT-systems. In Schneier's analysis, the attacker's goal is represented as a "root node," with the potential means of reaching the goal represented as "leaf nodes." Utilizing the attack tree in this way allowed cybersecurity professionals to systematically consider multiple attack vectors against any defined target.


In 1999, Microsoft cybersecurity professionals Loren Kohnfelder and Praerit Garg developed a model for considering attacks relevant to the Microsoft Windows development environment. ([[STRIDE (security)|STRIDE]]<ref name=":1">{{Cite web|url=https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx|title=The STRIDE Threat Model|date=2016|website=|publisher=Microsoft|access-date=}}</ref> is an [[acrostic]] for: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege) The resultant mnemonic helps security professionals systematically determine how a potential attacker could utilize any threat included in STRIDE.
In 1999, Microsoft cybersecurity professionals [[Loren Kohnfelder]] and Praerit Garg developed a model for considering attacks relevant to the Microsoft Windows development environment. ([[STRIDE (security)|STRIDE]]<ref name=":1">{{Cite web|url=https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx|title=The STRIDE Threat Model|date=2016|website=|publisher=Microsoft|access-date=}}</ref> is an [[acrostic]] for: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege) The resultant mnemonic helps security professionals systematically determine how a potential attacker could utilize any threat included in STRIDE.
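Review bot: the parenthetical `(STRIDE<ref>...</ref> is an acrostic for: Spoofing identity, ..., Elevation of privilege) The resultant mnemonic` runs straight into the next sentence with no punctuation after the closing parenthesis; either end the parenthetical sentence with a period inside the parentheses or make it a standalone sentence.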


In 2003, OCTAVE<ref>{{Cite web|url=http://www.itgovernanceusa.com/files/Octave.pdf|title=Introduction to the OCTAVE® Approach|last=Alberts|first=Christopher|date=2003|website=|publisher=Software Engineering Institute, Carnegie Mellon: Pittsburg.|access-date=}}</ref> (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, an operations-centric threat modeling methodology, was introduced with a focus on organizational risk management.
In 2003, OCTAVE<ref>{{Cite web|url=http://www.itgovernanceusa.com/files/Octave.pdf|title=Introduction to the OCTAVE® Approach|last=Alberts|first=Christopher|date=2003|website=|publisher=Software Engineering Institute, Carnegie Mellon: Pittsburgh.|access-date=}}</ref> (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, an operations-centric threat modeling methodology, was introduced with a focus on organizational risk management.


In 2004, Frank Swiderski and [[Window Snyder]] wrote "Threat Modeling," by Microsoft press. In it they developed the concept of using threat models to create secure applications.
In 2004, Frank Swiderski and [[Window Snyder]] wrote "Threat Modeling," published by Microsoft press. In it they developed the concept of using threat models to create secure applications.


In 2014, Ryan Stillions expressed the idea that [[Cyber threat hunting|cyber threats]] should be expressed with different semantic levels, and proposed the DML (Detection Maturity Level) model.<ref>{{Cite web|url=http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html|title=The DML Model|last=Stillions|first=Ryan|date=2014|website=Ryan Stillions security blog|publisher=Ryan Stillions|access-date=}}</ref> An attack is an instantiation of a threat scenario which is caused by a specific attacker with a specific goal in mind and a strategy for reaching that goal. The goal and strategy represent the highest semantic levels of the DML model. This is followed by the TTP (Tactics, Techniques and Procedures) which represent intermediate semantic levels. The lowest semantic levels of the DML model are the tools used by the attacker, host and observed network artifacts such as packets and payloads, and finally atomic indicators such as IP addresses at the lowest semantic level. Current [[Security information and event management|SIEM]] (Security Information and Event Management) tools typically only provide indicators at the lowest semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.<ref>{{Cite web|url=http://folk.uio.no/josang/papers/BJE2016-STIDS.pdf|title=Semantic Cyberthreat Modelling|last=Bromander|first=Siri|date=2016|website=|publisher=Semantic Technology for Intelligence, Defence and Security (STIDS 2016)|access-date=}}</ref>
In 2014, Ryan Stillions expressed the idea that [[Cyber threat hunting|cyber threats]] should be expressed with different semantic levels, and proposed the DML (Detection Maturity Level) model.<ref>{{Cite web|url=http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html|title=The DML Model|last=Stillions|first=Ryan|date=2014|website=Ryan Stillions security blog|publisher=Ryan Stillions|access-date=}}</ref> An attack is an instantiation of a threat scenario which is caused by a specific attacker with a specific goal in mind and a strategy for reaching that goal. The goal and strategy represent the highest semantic levels of the DML model. This is followed by the TTP (Tactics, Techniques and Procedures) which represent intermediate semantic levels. The lowest semantic levels of the DML model are the tools used by the attacker, host and observed network artifacts such as packets and payloads, and finally atomic indicators such as IP addresses at the lowest semantic level. Current [[Security information and event management|SIEM]] (Security Information and Event Management) tools typically only provide indicators at the lowest semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.<ref>{{Cite web|url=http://folk.uio.no/josang/papers/BJE2016-STIDS.pdf|title=Semantic Cyberthreat Modelling|last=Bromander|first=Siri|date=2016|website=|publisher=Semantic Technology for Intelligence, Defence and Security (STIDS 2016)|access-date=}}</ref>
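Review bot: "The lowest semantic levels of the DML model are ... and finally atomic indicators such as IP addresses at the lowest semantic level" repeats "lowest semantic level" inside one sentence; the trailing "at the lowest semantic level" can be dropped since the sentence already says these are the lowest levels.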


== Threat Modeling Manifesto ==
=== Emphasis on the security of systems' architecture ===
The threat modeling manifesto is a document published in 2020 by threat modeling authorities in order to clearly state the core values and principles that every threat modeler should know and follow.<ref>{{cite web | url=https://www.threatmodelingmanifesto.org// | title=Threat Modeling Manifesto }}</ref>
<ref>{{Cite web|url=https://www.routledge.com/Securing-Systems-Applied-Security-Architecture-and-Threat-Models/Schoenfield/p/book/9781032027401|title=Securing Systems Applied Security Architecture and Threat Models|last=Schoenfield|first=Brook S.E.|date=2015|publisher=CRC Press|access-date=}}</ref> covers all types of systems, from the simplest applications to complex, enterprise-grade, hybrid cloud architectures. It describes the many factors and prerequisite information that can influence an assessment.
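Review bot: the line beginning `<ref>{{Cite web|...|title=Securing Systems Applied Security Architecture and Threat Models|...}}</ref> covers all types of systems` has no subject; the ref tag is the first thing in the sentence, so nothing tells the reader what "covers all types of systems" refers to (from the citation title, presumably the Schoenfield book). Name the work in the sentence and attach the ref after it. The manifesto URL in the preceding line also ends in a doubled slash, `https://www.threatmodelingmanifesto.org//`.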


In 2024 the same group of authors followed up the Manifesto with a Threat Modeling Capabilities document, which "...provides a catalog of capabilities to help you cultivate value from your Threat Modeling practice".<ref>{{cite web | url=https://www.threatmodelingmanifesto.org/capabilities/ | title=Threat Modeling Capabilities }}</ref>
== Threat modeling methodologies for IT purposes ==
Conceptually, a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Typically, threat modeling has been implemented using one of five approaches independently, asset-centric, attacker-centric, software-centric, value and stakeholder-centric, and hybrid. Based on the volume of published online content, the methodologies discussed below are the most well known.


=== STRIDE methodology ===
== Threat modeling frameworks ==
Conceptually, a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Typically, threat modeling has been implemented using one of five approaches independently: asset-centric, attacker-centric, software-centric, value and stakeholder-centric, and hybrid. Based on the volume of published online content, the methodologies discussed below are the most well known.
The [[STRIDE (security)|STRIDE]] approach to threat modeling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find 'threats to our products'.<ref>{{cite web|url=http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-09-88-74-86/The-threats-to-our-products.docx|last1=Kohnfelder|first1=Loren|last2=Garg|first2=Praerit|title=Threats to Our Products|publisher=Microsoft|accessdate=20 September 2016|ref=STRIDE}}</ref> STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE and Data Flow Diagrams.


=== P.A.S.T.A. ===
=== STRIDE ===
The [[STRIDE (security)|STRIDE]] was created in 1999 at Microsoft as a mnemonic for developers to find 'threats to our products'.<ref>{{cite web|url=https://shostack.org/files/microsoft/The-Threats-To-Our-Products.docx|last1=Kohnfelder|first1=Loren|last2=Garg|first2=Praerit|title=Threats to Our Products|publisher=Microsoft|accessdate=4 Feb 2024|ref=STRIDE}} </ref> STRIDE can be used as a simple prompt or checklist, or in more structured approaches such as STRIDE per element. STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE and Data Flow Diagrams.
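Review bot: "The [[STRIDE (security)|STRIDE]] was created in 1999" has a stray article; it should read "[[STRIDE (security)|STRIDE]] was created in 1999 at Microsoft" (the other version, "The STRIDE approach to threat modeling", keeps a noun after the article). There is also a stray space before `</ref>` in the citation.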

=== PASTA ===
The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.<ref>{{Cite web|url=http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470500964.html#|title=Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis|last=Ucedavélez|first=Tony and Marco M. Morana|date=2015|website=|publisher=John Wiley & Sons: Hobekin|access-date=}}</ref> It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process. Once the threat model is completed, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.
The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.<ref>{{Cite web|url=http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470500964.html#|title=Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis|last=Ucedavélez|first=Tony and Marco M. Morana|date=2015|website=|publisher=John Wiley & Sons: Hobekin|access-date=}}</ref> It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process. Once the threat model is completed, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.
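Review bot: the PASTA paragraph says "seven-step" twice in consecutive sentences ("is a seven-step, risk-centric methodology" and then "It provides a seven-step process"); drop one. The publisher location "Hobekin" in the citation does not look like a real place name and should be verified against the book's imprint.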


=== 'The Hybrid' Threat Modeling Method ===
=== Trike ===
The focus of the Tree methodology<ref>{{Cite web|url=http://octotrike.org/papers|title=Trike v1 Methodology Document|last=Eddington|first=Michael, Brenda Larcom, and Eleanor Saitta|date=2005|website=Octotrike.org|access-date=}}</ref> is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.
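Review bot: "The focus of the Tree methodology" should read "the Trike methodology"; the section heading and the cited document title ("Trike v1 Methodology Document") both name Trike, and no "Tree" methodology is introduced anywhere on the page.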


Researchers created this method to combine the positive elements of different methodologies.<ref>{{cite web | url=https://insights.sei.cmu.edu/blog/the-hybrid-threat-modeling-method/ | title=The Hybrid Threat Modeling Method | date=22 April 2018 }}</ref><ref>{{cite web | url=https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=516617 | title=A Hybrid Threat Modeling Method | date=27 March 2018 }}</ref><ref>{{cite book | isbn=978-1492056553 | title=Threat Modeling: A Practical Guide for Development Teams | last1=Tarandach | first1=Izar | last2=Coles | first2=Matthew J. | date=24 November 2020 | publisher=O'Reilly Media, Incorporated }}</ref> This methodology combines different methodologies, including SQUARE<ref>{{cite web | url=https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=7657 | title=Security Quality Requirements Engineering Technical Report | date=31 October 2005 }}</ref> and the Security Cards<ref>{{Cite web|url=https://securitycards.cs.washington.edu/|title=Home &#124; The Security Cards: A Security Threat Brainstorming Kit|website=securitycards.cs.washington.edu}}</ref> and Personae Non Gratae.<ref>{{cite web | url=https://www.computer.org/csdl/magazine/so/2014/04/mso2014040028/13rRUwInvrl | title=CSDL &#124; IEEE Computer Society }}</ref>
=== VAST ===
The Visual, Agile and Simple Threat (VAST) methodology,<ref>{{Cite web|last=Fruhlinger|first=Josh|date=2020-04-15|title=Threat modeling explained: A process for anticipating cyber attacks|url=https://www.csoonline.com/article/3537370/threat-modeling-explained-a-process-for-anticipating-cyber-attacks.html|access-date=2022-02-03|website=CSO Online|language=en}}</ref> is based on ThreatModeler, a commercial automated threat-modeling platform. VAST requires creating two types of models: application threat models and operational threat models. Application threat models use process-flow diagrams, representing the architectural point of view. Operational threat models are created from an attacker point of view based on DFDs. This approach allows for the integration of VAST into the organization's development and DevOps lifecycles.<ref>{{Cite web|title=Threat Modeling: 12 Available Methods|url=https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/|access-date=2022-02-03|website=SEI Blog|language=en}}</ref>


== Generally accepted technology threat modeling processes ==
=== The Hybrid Threat Modeling Method ===
All IT-related threat modeling processes start with creating a visual representation of the application, infrastructure or both being analyzed. The application or infrastructure is decomposed into various elements to aid in the analysis. Once completed, the visual representation is used to identify and enumerate potential threats. Further analysis of the model regarding risks associated with identified threats, prioritization of threats, and enumeration of the appropriate mitigating controls depends on the methodological basis for the threat model process being utilized. Threat modeling approaches can focus on the system in use, attackers, or assets.

Researchers created this method to combine the positive elements of different methodologies.<ref>{{cite web | url=https://insights.sei.cmu.edu/blog/the-hybrid-threat-modeling-method/ | title=The Hybrid Threat Modeling Method }}</ref><ref>{{cite web | url=https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=516617 | title=A Hybrid Threat Modeling Method }}</ref><ref>{{cite book | isbn=978-1492056553 | title=Threat Modeling: A Practical Guide for Development Teams | last1=Tarandach | first1=Izar | last2=Coles | first2=Matthew J. | date=24 November 2020 }}</ref> This methodology combines different methodologies, including SQUARE<ref>{{cite web | url=https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=7657 | title=Security Quality Requirements Engineering Technical Report }}</ref> and the Security Cards<ref>https://securitycards.cs.washington.edu/</ref> and Personae Non Gratae.<ref>{{cite web | url=https://www.computer.org/csdl/magazine/so/2014/04/mso2014040028/13rRUwInvrl | title=CSDL &#124; IEEE Computer Society }}</ref>
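Review bot: this version of the Hybrid paragraph drops citation metadata that the other version carries: the two SEI refs lose their `date=` fields, the O'Reilly book ref loses `publisher=`, and the Security Cards citation becomes a bare `<ref>https://securitycards.cs.washington.edu/</ref>` instead of a `Cite web` with `title=` and `website=`. Keep the fuller citations.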

== Generally accepted IT threat modeling processes ==
All IT-related threat modeling processes start with creating a visual representation of the application and / or infrastructure being analyzed. The application / infrastructure is decomposed into various elements to aid in the analysis. Once completed, the visual representation is used to identify and enumerate potential threats. Further analysis of the model regarding risks associated with identified threats, prioritization of threats, and enumeration of the appropriate mitigating controls depends on the methodological basis for the threat model process being utilized. The identification and enumeration of threats (or of mitigation objectives), can either be carried out in an ''attack-centric'' way or in an ''asset-centric'' way. The former focuses on the types of possible attacks that shall be mitigated, whereas the latter focuses on the assets that shall be protected.
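Review bot: "The identification and enumeration of threats (or of mitigation objectives), can either be carried out" has a comma separating the subject from its verb; delete it. "application and / or infrastructure" and "application / infrastructure" should be written without spaces around the slash ("and/or", "application/infrastructure").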


=== Visual representations based on data flow diagrams ===
=== Visual representations based on data flow diagrams ===
[[File:Data Flow Diagram - Online Banking Application.jpg|alt=Data Flow Diagram – Online Banking Application|thumb]]
[[File:Data Flow Diagram - Online Banking Application.jpg|alt=Data Flow Diagram – Online Banking Application|thumb]]
The Microsoft methodology, PASTA, and Trike each develop a visual representation of the application-infrastructure utilizing [[Data-flow diagram|data flow diagrams]] (DFD). DFDs were developed in the 1970s as tool for system engineers to communicate, on a high level, how an application caused data to flow, be stored, and manipulated by the infrastructure upon which the application runs. Traditionally, DFDs utilize only four unique symbols: data flows, data stores, processes, and interactors. In the early 2000s, an additional symbol, trust boundaries, were added to allow DFDs to be utilized for threat modeling.
Most threat modeling approaches use [[Data-flow diagram|data flow diagrams]] (DFD). DFDs were developed in the 1970s as tool for system engineers to communicate, on a high level, how an application caused data to flow, be stored, and manipulated by the infrastructure upon which the application runs. Traditionally, DFDs utilize only four unique symbols: data flows, data stores, processes, and interactors. In the early 2000s, an additional symbol, trust boundaries, were added to improve the usefulness of DFDs for threat modeling.
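Review bot: "an additional symbol, trust boundaries, were added" disagrees in number in both versions; the subject is "an additional symbol", so it should be "was added". "as tool for system engineers" is missing an article ("as a tool"), and "how an application caused data to flow, be stored, and manipulated" mixes tenses and drops a verb; "how an application causes data to flow, be stored, and be manipulated" reads cleanly.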


Once the application-infrastructure system is decomposed into its five elements, security experts consider each identified threat entry point against all known threat categories. Once the potential threats are identified, mitigating security controls can be enumerated or additional analysis can be performed.
Once the application-infrastructure system is decomposed into its five elements, security experts consider each identified threat entry point against all known threat categories. Once the potential threats are identified, mitigating security controls can be enumerated or additional analysis can be performed.

== Threat modeling tools ==

*Microsoft's free '''Threat Modeling Tool''' (formerly SDL Threat Modeling Tool),<ref>[https://cloudblogs.microsoft.com/microsoftsecure/2015/10/07/whats-new-with-microsoft-threat-modeling-tool-2016/ "What's New with Microsoft Threat Modeling Tool 2016"]. ''Microsoft Secure Blog''. Microsoft. 2015.</ref> also uses the Microsoft threat modeling methodology, is based on DFD and identifies threats based on the STRIDE threat classification system. It is mainly intended for general use.
*'''IriusRisk''' provides both a community and a commercial version of the tool. This tool focuses on creating and maintaining a living threat model throughout the [[:en:Systems development life cycle|SDLC]]. It drives the process using fully customizable questionnaires and risk model libraries, and connects to several other different tools (OWASP ZAP, BDD-Security, Threadfix) to enable automation.<ref>[https://continuumsecurity.net/ "Irius Risk Risk Management Tool"]. Continuum Security. 2016.</ref>
*'''securiCAD''' is a threat modeling and risk management tool from the Scandinavian company foreseeti.<ref>{{cite web|access-date=November 27, 2018|title=foreseeti - securiCAD|url=https://www.foreseeti.com/securicad-enterprise/|website=foreseeti.com}}<!-- auto-translated by Module:CS1 translator --></ref> It is intended for enterprise cybersecurity management, from [[CISO]] to security engineer, including technician. securiCAD performs automated attack simulations on current and future IT architectures, identifies and quantifies risks globally, including structural vulnerabilities, and provides decision support based on results. securiCAD is available in commercial and community editions.<ref>[https://www.foreseeti.com/ "Cyber Threat Modelling and Risk Management - securiCAD by foreseeti"]. foreseeti.</ref>
*'''SD Elements by Security Compass''' is a software security requirements management platform that includes automated threat modeling capabilities. A set of threats is generated by filling out a short questionnaire on the application's technical details and compliance factors. Countermeasures are included in the form of actionable tasks for developers that can be tracked and managed across the SDLC.<ref>[https://www.securitycompass.com/sdelements/ "SD Elements by Security Compass"]. ''www.securitycompass.com''. Retrieved 2017-03-24.</ref>
*'''OWASP Threat Dragon''' is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application. Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.<ref>[https://owasp.org/www-project-threat-dragon/ "OWASP Threat Dragon"].</ref>
*'''OWASP pytm''' is a Pythonic framework for threat modeling and the first Threat-Model-as-Code tool: The system is first defined in Python using the elements and properties described in the pytm framework. Based on this definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and most important of all, threats to the system.<ref>[https://owasp.org/www-project-pytm/ "OWASP pytm"].</ref>
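Review bot: the Microsoft tool entry runs two predicates together without a conjunction: "Threat Modeling Tool ..., also uses the Microsoft threat modeling methodology, is based on DFD and identifies threats"; rewrite as "... uses the Microsoft threat modeling methodology, is based on DFDs and identifies threats ...". In the pytm entry, the colon after "tool" introduces a full capitalised sentence ("The system is first defined"); a period is clearer there.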


== Further fields of application ==
== Further fields of application ==
Threat modeling is being applied not only to IT but also to other areas such as vehicle,<ref>http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf {{Bare URL PDF|date=March 2022}}</ref><ref>{{Cite journal|url=https://publikationsserver.tu-braunschweig.de/servlets/MCRFileNodeServlet/dbbs_derivate_00044573/Hamad_Towards_Comprehensive_Threat_Modeling_for_Vehicles.pdf |title=Towards Comprehensive Threat Modeling for Vehicles |last1=Hamad |first1=Mohammad |first2=Vassilis |last2=Prevelakis |first3=Marcus |last3=Nolte |date=November 2016 |access-date=11 March 2019 |doi=10.24355/dbbs.084-201806251532-0 |series=Publications Institute of Computer and Network Engineering}}</ref> [[Building automation|building]] and [[home automation]].<ref name=":0">{{Cite book |last1=Meyer |first1=D.|last2=Haase |first2=J. |last3=Eckert |first3=M. |last4=Klauer |first4=B. |title=2016 IEEE 14th International Conference on Industrial Informatics (INDIN) |chapter=A threat-model for building and home automation |date=2016-07-01|pages=860–866 |doi=10.1109/INDIN.2016.7819280|isbn=978-1-5090-2870-2|s2cid=12725362}}</ref> In this context, threats to security and privacy like information about the inhabitant's movement profiles, working times, and health situations are modeled as well as physical or network-based attacks. The latter could make use of more and more available smart building features, i.e., sensors (e.g., to spy on the inhabitant) and actuators (e.g., to unlock doors).<ref name=":0" />
Threat modeling is being applied not only to IT but also to other areas such as vehicle,<ref>{{Cite web | url=http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf | title=Adapting Threat Modeling Methods for the Automotive Industry | website=publications.lib.chalmers.se | publisher=Chalmers Publication Library}}</ref><ref>{{Cite journal|url=https://publikationsserver.tu-braunschweig.de/servlets/MCRFileNodeServlet/dbbs_derivate_00044573/Hamad_Towards_Comprehensive_Threat_Modeling_for_Vehicles.pdf |title=Towards Comprehensive Threat Modeling for Vehicles |last1=Hamad |first1=Mohammad |first2=Vassilis |last2=Prevelakis |first3=Marcus |last3=Nolte |date=November 2016 |access-date=11 March 2019 |doi=10.24355/dbbs.084-201806251532-0 |series=Publications Institute of Computer and Network Engineering| journal=Institute of Control Engineering}}</ref> [[Building automation|building]] and [[home automation]].<ref name=":0">{{Cite book |last1=Meyer |first1=D.|last2=Haase |first2=J. |last3=Eckert |first3=M. |last4=Klauer |first4=B. |title=2016 IEEE 14th International Conference on Industrial Informatics (INDIN) |chapter=A threat-model for building and home automation |date=2016-07-01|pages=860–866 |doi=10.1109/INDIN.2016.7819280|isbn=978-1-5090-2870-2|s2cid=12725362}}</ref> In this context, threats to security and privacy like information about the inhabitant's movement profiles, working times, and health situations are modeled as well as physical or network-based attacks. The latter could make use of more and more available smart building features, i.e., sensors (e.g., to spy on the inhabitant) and actuators (e.g., to unlock doors).<ref name=":0" />


==References==
==References==

Latest revision as of 16:21, 25 November 2024

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.[1] The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like "Where am I most vulnerable to attack?", "What are the most relevant threats?", and "What do I need to do to safeguard against these threats?".

Conceptually, most people incorporate some form of threat modeling in their daily life and don't even realize it.[citation needed] Commuters use threat modeling to consider what might go wrong during the morning journey to work and to take preemptive action to avoid possible accidents. Children engage in threat modeling when determining the best path toward an intended goal while avoiding the playground bully. In a more formal sense, threat modeling has been used to prioritize military defensive preparations since antiquity.

Evolution of technology-centric threat modeling

Shortly after shared computing made its debut in the early 1960s, individuals began seeking ways to exploit security vulnerabilities for personal gain.[2] As a result, engineers and computer scientists soon began developing threat modeling concepts for information technology systems.

Early technology-centered threat modeling methodologies were based on the concept of architectural patterns,[3] first presented by Christopher Alexander in 1977. In 1988, Robert Barnard developed and successfully applied the first profile for an IT-system attacker.

In 1994, Edward Amoroso put forth the concept of a "threat tree" in his book "Fundamentals of Computer Security Technology".[4] The concept of a threat tree was based on decision tree diagrams. Threat trees graphically represent how a potential threat to an IT system can be exploited.

Independently, similar work was conducted by the NSA and DARPA on a structured graphical representation of how specific attacks against IT systems could be executed. The resulting representation was called "attack trees". In 1998, Bruce Schneier published his analysis of cyber risks utilizing attack trees in his paper "Toward a Secure System Engineering Methodology".[5] The paper proved to be a seminal contribution in the evolution of threat modeling for IT systems. In Schneier's analysis, the attacker's goal is represented as the "root node", with the potential means of reaching the goal represented as "leaf nodes"; intermediate nodes combine their children as alternatives (OR) or as steps that are all required (AND). Utilizing the attack tree in this way allows cybersecurity professionals to systematically consider multiple attack vectors against any defined target.
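The root/leaf structure described above, as an added example that is not from Schneier's paper or from any tool listed on this page: a small attack tree in Python in which OR nodes take the cheapest child, AND nodes require all of their children, and each leaf carries an illustrative cost and a "possible" flag. The goal, the leaf attacks, their costs and the budget figures are all constructed for the example; mitigate() shows how closing one leaf attack changes the cheapest remaining path, which is the question a defender asks of the tree.

```python
"""Attack tree in the Schneier style: an OR node is satisfied by any one child,
an AND node needs all of them, and leaves are concrete attacker actions carrying a
cost and a 'possible' flag. cheapest() folds these attributes up to the root."""
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "OR" or "AND"
    cost: float = 0.0         # leaf cost in an arbitrary unit (illustrative dollars)
    possible: bool = True     # a leaf marked impossible prunes its branch
    children: list = field(default_factory=list)


def cheapest(node):
    """Return (cost, leaf_names) for the cheapest way to satisfy `node`.
    (INF, []) means no feasible path exists through this node."""
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.possible else (INF, [])
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])      # any one child suffices
    if node.kind == "AND":
        if any(r[0] == INF for r in results):
            return (INF, [])                          # every child is required
        return (sum(r[0] for r in results),
                [leaf for r in results for leaf in r[1]])
    raise ValueError(f"unknown node kind {node.kind!r}")


def mitigate(root, leaf_name):
    """Mark every leaf called `leaf_name` impossible (a countermeasure closed it).
    Returns True if at least one such leaf was found."""
    if root.kind == "LEAF":
        if root.name == leaf_name:
            root.possible = False
            return True
        return False
    found = False
    for child in root.children:
        found = mitigate(child, leaf_name) or found   # visit all branches, no short-circuit
    return found


def affordable(root, budget):
    """Does an attacker with `budget` have at least one feasible path to the goal?"""
    return cheapest(root)[0] <= budget


def build_tree():
    """Constructed sample tree; names and costs are hypothetical, not from any assessment."""
    return Node("Read customer records from the accounts database", "OR", children=[
        Node("Exploit SQL injection in the web front end", cost=500),
        Node("Log in with stolen DBA credentials", "AND", children=[
            Node("Phish the DBA's password", cost=2_000),
            Node("Defeat the DBA's second factor", cost=10_000),
        ]),
        Node("Bribe an insider with database access", cost=50_000),
        Node("Steal backup tapes from off-site storage", cost=5_000,
             possible=False),   # backups are encrypted: reading the tapes yields nothing
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("before mitigation:", cheapest(tree))
    mitigate(tree, "Exploit SQL injection in the web front end")
    print("after fixing SQLi:", cheapest(tree))
```

Fixing the injection bug raises the cheapest path from the single 500-unit leaf to the 12,000-unit AND branch, which is the kind of before/after comparison the tree is built to make explicit.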

In 1999, Microsoft cybersecurity professionals Loren Kohnfelder and Praerit Garg developed a model for considering attacks relevant to the Microsoft Windows development environment. STRIDE[1] is an acronym for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. The resulting mnemonic helps security professionals systematically determine how a potential attacker could realize any of the threat categories included in STRIDE.

In 2003, the OCTAVE[6] (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, an operations-centric threat modeling methodology, was introduced with a focus on organizational risk management.

In 2004, Frank Swiderski and Window Snyder wrote "Threat Modeling", published by Microsoft Press. In it they developed the concept of using threat models to create secure applications.

In 2014, Ryan Stillions expressed the idea that cyber threats should be expressed at different semantic levels and proposed the DML (Detection Maturity Level) model.[7] An attack is an instantiation of a threat scenario, carried out by a specific attacker with a specific goal in mind and a strategy for reaching that goal. The goal and strategy represent the highest semantic levels of the DML model, followed by the TTPs (Tactics, Techniques and Procedures) at the intermediate levels. The lowest levels are the tools used by the attacker, host and network artifacts such as packets and payloads, and finally atomic indicators such as IP addresses. Current SIEM (Security Information and Event Management) tools typically provide indicators only at the lowest semantic levels; there is therefore a need for SIEM tools that can provide threat indicators at higher semantic levels.[8]

Threat Modeling Manifesto

The threat modeling manifesto is a document published in 2020 by threat modeling authorities in order to clearly state the core values and principles that every threat modeler should know and follow.[9]

In 2024 the same group of authors followed up the Manifesto with a Threat Modeling Capabilities document, which "...provides a catalog of capabilities to help you cultivate value from your Threat Modeling practice".[10]

Threat modeling frameworks

Conceptually, a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Typically, threat modeling has been implemented using one of five approaches: asset-centric, attacker-centric, software-centric, value- and stakeholder-centric, or hybrid. Based on the volume of published online content, the methodologies discussed below are the best known.

STRIDE

STRIDE was created in 1999 at Microsoft as a mnemonic for developers to find "threats to our products".[11] STRIDE can be used as a simple prompt or checklist, or in more structured approaches such as STRIDE per element, in which each element type of a data flow diagram is checked only against the STRIDE categories that apply to it. STRIDE, Patterns and Practices, and Asset/entry point were among the threat modeling approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE combined with data flow diagrams.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.[12] Its seven stages align business objectives with technical requirements while taking compliance issues and business analysis into account. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process. Once the threat model is completed, security subject matter experts develop a detailed analysis of the identified threats, and appropriate security controls can then be enumerated. The methodology is intended to give an attacker-centric view of the application and infrastructure, from which defenders can develop an asset-centric mitigation strategy.

'The Hybrid' Threat Modeling Method

Researchers created this method to combine the positive elements of different methodologies.[13][14][15] It draws on SQUARE,[16] the Security Cards,[17] and Personae Non Gratae.[18]

Generally accepted technology threat modeling processes

All IT-related threat modeling processes start with creating a visual representation of the application, infrastructure or both being analyzed. The application or infrastructure is decomposed into various elements to aid in the analysis. Once completed, the visual representation is used to identify and enumerate potential threats. Further analysis of the model regarding risks associated with identified threats, prioritization of threats, and enumeration of the appropriate mitigating controls depends on the methodological basis for the threat model process being utilized. Threat modeling approaches can focus on the system in use, attackers, or assets.

Visual representations based on data flow diagrams

Data Flow Diagram – Online Banking Application

Most threat modeling approaches use data flow diagrams (DFDs). DFDs were developed in the 1970s as a tool for systems engineers to communicate, at a high level, how an application causes data to flow, be stored, and be manipulated by the infrastructure on which the application runs. Traditionally, DFDs use only four symbols: data flows, data stores, processes, and interactors (external entities). In the early 2000s, a fifth symbol, the trust boundary, was added to improve the usefulness of DFDs for threat modeling; a flow that crosses a trust boundary is the typical entry point an attacker can reach.

Once the application-infrastructure system is decomposed into these five element types, security experts consider each identified threat entry point against all known threat categories. Once the potential threats are identified, mitigating security controls can be enumerated or additional analysis can be performed.
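An added example, not code from this page or from any of the tools it lists, of the STRIDE-per-element procedure from the STRIDE section applied to the five DFD element types discussed above: each element is checked only against the STRIDE categories that apply to its type, flows that cross a trust boundary are raised in priority, and a few element attributes (transport encryption, data sensitivity, caller authentication) attach a concrete note to the threat. The element names, trust zones, attributes and the online-banking DFD are constructed for the example; the per-element chart is the one in Shostack's book, and the priority rules are assumptions a real team would replace with its own.

```python
"""STRIDE-per-element over a small data-flow diagram with trust boundaries.
Each DFD element type is checked against the STRIDE categories that apply to it;
flows crossing a trust boundary and stores holding sensitive data are raised in
priority. The DFD and the priority rules are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE letters apply to which DFD element type (Shostack's chart).
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",     # R applies mainly to stores used as audit logs
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                          # a key of PER_ELEMENT
    zone: str = ""                     # trust zone; a flow takes its endpoints' zones
    src: Optional[str] = None          # data_flow only: source element name
    dst: Optional[str] = None          # data_flow only: destination element name
    attrs: dict = field(default_factory=dict)


def crosses_boundary(flow, by_name):
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return by_name[flow.src].zone != by_name[flow.dst].zone


def enumerate_threats(elements):
    """STRIDE per element, then priority/notes from trust boundaries and attributes."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        for letter in PER_ELEMENT[e.kind]:
            t = {"element": e.name, "category": STRIDE[letter],
                 "priority": "medium", "note": ""}
            if e.kind == "data_flow" and crosses_boundary(e, by_name):
                t["priority"] = "high"
                if letter in "TI" and not e.attrs.get("encrypted", False):
                    t["note"] = "crosses a trust boundary without transport protection"
            elif e.kind == "data_store" and letter == "I" and e.attrs.get("sensitive"):
                t["priority"] = "high"
                t["note"] = "holds sensitive data; needs encryption at rest and access control"
            elif (e.kind == "process" and letter == "S"
                  and not e.attrs.get("authenticates_callers", False)):
                exposed = [f for f in elements if f.kind == "data_flow"
                           and f.dst == e.name and crosses_boundary(f, by_name)]
                if exposed:
                    t["priority"] = "high"
                    t["note"] = "unauthenticated process reachable across a trust boundary"
            threats.append(t)
    return threats


def summarize(threats):
    """Count threats per priority: the high list is what a reviewer triages first."""
    return {p: sum(1 for t in threats if t["priority"] == p)
            for p in ("high", "medium")}


def build_banking_dfd():
    """Constructed online-banking DFD: three trust zones, two boundary crossings."""
    return [
        Element("Customer browser", "external_entity", zone="internet"),
        Element("Online banking web app", "process", zone="dmz",
                attrs={"authenticates_callers": True}),
        Element("Accounts database", "data_store", zone="internal",
                attrs={"sensitive": True}),
        Element("Login/transaction request", "data_flow",
                src="Customer browser", dst="Online banking web app",
                attrs={"encrypted": True}),          # TLS on the internet-facing edge
        Element("SQL query", "data_flow",
                src="Online banking web app", dst="Accounts database",
                attrs={"encrypted": False}),         # plain TCP inside the data centre
    ]


if __name__ == "__main__":
    found = enumerate_threats(build_banking_dfd())
    for t in sorted(found, key=lambda t: t["priority"]):
        print(f'{t["priority"]:6} {t["element"]:28} {t["category"]:22} {t["note"]}')
    print(summarize(found))
```

Running it on the constructed DFD yields 18 candidate threats, 7 of them high; the unencrypted SQL flow across the DMZ/internal boundary is the finding the notes single out, which is the same kind of output a threat-model-as-code tool such as pytm derives from a system description.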

Threat modeling tools

  • Microsoft's free Threat Modeling Tool (formerly the SDL Threat Modeling Tool)[19] implements the Microsoft threat modeling methodology: it is based on DFDs and identifies threats using the STRIDE classification. It is mainly intended for general use.
  • IriusRisk provides both a community and a commercial version of the tool. This tool focuses on creating and maintaining a living threat model throughout the SDLC. It drives the process using fully customizable questionnaires and risk model libraries, and connects to several other different tools (OWASP ZAP, BDD-Security, Threadfix) to enable automation.[20]
  • securiCAD is a threat modeling and risk management tool from the Scandinavian company foreseeti.[21] It is intended for enterprise cybersecurity management, from CISO to security engineer, including technician. securiCAD performs automated attack simulations on current and future IT architectures, identifies and quantifies risks globally, including structural vulnerabilities, and provides decision support based on results. securiCAD is available in commercial and community editions.[22]
  • SD Elements by Security Compass is a software security requirements management platform that includes automated threat modeling capabilities. A set of threats is generated by filling out a short questionnaire on the application's technical details and compliance factors. Countermeasures are included in the form of actionable tasks for developers that can be tracked and managed across the SDLC.[23]
  • OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application. Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.[24]
  • OWASP pytm is a Pythonic framework for threat modeling and the first Threat-Model-as-Code tool: The system is first defined in Python using the elements and properties described in the pytm framework. Based on this definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and most important of all, threats to the system.[25]

Further fields of application

Threat modeling is being applied not only to IT but also to other areas such as vehicles,[26][27] buildings, and home automation.[28] In this context, threats to security and privacy, such as disclosure of an inhabitant's movement profiles, working times, and health situation, are modeled alongside physical and network-based attacks. The latter can make use of increasingly available smart-building features, namely sensors (e.g., to spy on the inhabitant) and actuators (e.g., to unlock doors).[28]

References

  1. ^ a b "The STRIDE Threat Model". Microsoft. 2016.
  2. ^ McMillan, Robert (2012). "The World's First Computer Password? It Was Useless Too". Wired Business.
  3. ^ Shostack, Adam (2014). "Threat Modeling: Designing for Security". John Wiley & Sons Inc: Indianapolis.
  4. ^ Amoroso, Edward G (1994). Fundamentals of Computer Security Technology. AT&T Bell Labs. Prentice-Hall: Upper Saddle River. ISBN 9780131089297.
  5. ^ Schneier, Bruce; et al. (1998). "Toward A Secure System Engineering Methodology" (PDF). National Security Agency: Washington.
  6. ^ Alberts, Christopher (2003). "Introduction to the OCTAVE® Approach" (PDF). Software Engineering Institute, Carnegie Mellon: Pittsburgh.
  7. ^ Stillions, Ryan (2014). "The DML Model". Ryan Stillions security blog. Ryan Stillions.
  8. ^ Bromander, Siri (2016). "Semantic Cyberthreat Modelling" (PDF). Semantic Technology for Intelligence, Defence and Security (STIDS 2016).
  9. ^ "Threat Modeling Manifesto".
  10. ^ "Threat Modeling Capabilities".
  11. ^ Kohnfelder, Loren; Garg, Praerit. "Threats to Our Products". Microsoft. Retrieved 4 Feb 2024.
  12. ^ Ucedavélez, Tony; Morana, Marco M. (2015). "Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis". John Wiley & Sons: Hoboken.
  13. ^ "The Hybrid Threat Modeling Method". 22 April 2018.
  14. ^ "A Hybrid Threat Modeling Method". 27 March 2018.
  15. ^ Tarandach, Izar; Coles, Matthew J. (24 November 2020). Threat Modeling: A Practical Guide for Development Teams. O'Reilly Media, Incorporated. ISBN 978-1492056553.
  16. ^ "Security Quality Requirements Engineering Technical Report". 31 October 2005.
  17. ^ "Home | The Security Cards: A Security Threat Brainstorming Kit". securitycards.cs.washington.edu.
  18. ^ "CSDL | IEEE Computer Society".
  19. ^ "What's New with Microsoft Threat Modeling Tool 2016". Microsoft Secure Blog. Microsoft. 2015.
  20. ^ "Irius Risk Risk Management Tool". Continuum Security. 2016.
  21. ^ "foreseeti - securiCAD". foreseeti.com. Retrieved November 27, 2018.
  22. ^ "Cyber Threat Modelling and Risk Management - securiCAD by foreseeti". foreseeti.
  23. ^ "SD Elements by Security Compass". www.securitycompass.com. Retrieved 2017-03-24.
  24. ^ "OWASP Threat Dragon".
  25. ^ "OWASP pytm".
  26. ^ "Adapting Threat Modeling Methods for the Automotive Industry" (PDF). publications.lib.chalmers.se. Chalmers Publication Library.
  27. ^ Hamad, Mohammad; Prevelakis, Vassilis; Nolte, Marcus (November 2016). "Towards Comprehensive Threat Modeling for Vehicles" (PDF). Institute of Control Engineering. Publications Institute of Computer and Network Engineering. doi:10.24355/dbbs.084-201806251532-0. Retrieved 11 March 2019.
  28. ^ a b Meyer, D.; Haase, J.; Eckert, M.; Klauer, B. (2016-07-01). "A threat-model for building and home automation". 2016 IEEE 14th International Conference on Industrial Informatics (INDIN). pp. 860–866. doi:10.1109/INDIN.2016.7819280. ISBN 978-1-5090-2870-2. S2CID 12725362.