Threat Modeling - The Practical Way

Devashish Gupta
Published in codelogicx
6 min read · Sep 7, 2022
Threat modeling is a procedure for visualizing the likely target(s) and method(s) of an attack in order to optimize security. It contributes to design by anticipating attacks before they occur; it is itself an aspect of design.

“Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics.”

— Threat Modeling Manifesto

This involves:

  • Identifying the assets
  • Understanding the objectives of an attacker
  • Highlighting the vulnerabilities that an attacker is likely to target
  • Defining countermeasures to prevent or mitigate them

What, Who & How:

  • What assets do we need to consider (asset description, asset type, asset value)?
  • Who is the threat agent here?
  • How can we do threat clarification?

STRIDE: an acronym that helps categorize security threats to application systems.

  • Spoofing of user identity — can an attacker gain access using a false identity?
  • Tampering — can an attacker modify data as it flows through the application?
  • Repudiation — if an attacker denies doing something, can we prove they did it?
  • Information Disclosure — can an attacker gain access to private or potentially injurious data?
  • Denial of Service (DoS) — can an attacker crash or reduce the availability of the system?
  • Elevation of Privilege — can an attacker assume the identity of a privileged user?

Microsoft SDL Threat Modeling:

  • Diagram
  • Threat Enumeration
  • Mitigation
  • Validation

Elevation of Privilege Card Game:

Elevation of Privilege (EoP) is an easy way to get started with threat modeling. It is a card game that developers, architects or security experts can play.

Elevation Of Privilege Card Game

Link: https://www.microsoft.com/en-us/download/details.aspx?id=20303

The Security Cards:

University of Washington: The Security Cards encourage you to think broadly and creatively about computer security threats. Explore with 42 cards along 4 dimensions (suits).

The Security Cards

Link: https://securitycards.cs.washington.edu/

Secure Developer Checklist — Continuous Threat Modeling:

Use this list as an indicator of security-notable events you may want to refer up to the curator of your product’s threat model.

Link: https://github.com/Autodesk/continuous-threat-modeling/blob/master/Secure_Developer_Checklist.md

OWASP Documentation — Threat Modeling:

Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.

Link: https://owasp.org/www-community/Threat_Modeling

Threat Model Analysis:

  • Apply known and successful attacks to points on a system that attackers might reach
  • Gauge the potential (negative) impacts
  • Rate the risk of each attack scenario to identify appropriate defenses

Threat Modeling Tools & Concepts:

  • Microsoft Threat Modeling Tool:

Microsoft Threat Modeling Tool

Link: https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling

  • Threagile — Agile Threat Modeling:

Threagile enables teams to execute Agile Threat Modeling as seamlessly as possible, even highly integrated into DevSecOps environments.

Link: https://threagile.io/

  • pytm — A Pythonic framework for threat modeling:

Traditional threat modeling too often comes late to the party, or sometimes not at all. In addition, creating manual data flows and reports can be extremely time-consuming. The goal of pytm is to shift threat modeling to the left, making threat modeling more automated and developer-centric.

Link: https://owasp.org/2020/12/15/spotlight-pytm, https://github.com/izar/pytm

  • ThreatModeler Community Edition:

ThreatModeler is more representative of today’s complex architectures.

Links: https://threatmodeler.com/threatmodeler, https://threatmodeler.com/threatmodeler-launches-free-lite-community-edition/

  • IriusRisk Community Edition:

The industry-trusted platform for automated threat modeling. Powering security and development teams to collaborate, speed up time-to-market, and truly shift security left.

Links: https://www.iriusrisk.com/, https://www.iriusrisk.com/resources-blog/community-edition-new-release

  • MITRE ATT&CK & D3FEND:

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Link: https://attack.mitre.org/, https://d3fend.mitre.org/

  • CWE/CAPEC:

The mission of the CWE/CAPEC Board is to set and promote the goals and objectives of the CWE/CAPEC Program to ensure the ongoing adoption, coverage, and quality of Common Weakness Enumeration (CWE™)/Common Attack Pattern Enumeration and Classification (CAPEC™).

Link: https://cwe.mitre.org/about/board.html

Refine, Revisit & Review:

  • Structural (architecture) change
    ○ New/changed components
    ○ Flow/data exchange
  • Security Items
  • New attack methods
  • No existing threat model

Case Study

CyberSec Association is a members-only, not-for-profit association of aspiring cybersecurity professionals. CyberSec has contracted you to perform a threat model on their membership management software, which is in the design phase. The primary function of the software is to automate the process of onboarding new members and to manage existing members. Only authenticated users will have create/read/update/delete permissions according to policies set by database designers and administrators (this combines authorization and confidentiality requirements). Admin users will have elevated permissions.

The main software features are:

  • Membership management
    ○ Administrative section with privileged access
    ○ Members’ area with standard user access
  • Accounting and payment processing
    ○ Third-party payment integration (PayPal, Stripe, etc.)

CyberSec wants members to be able to have web access as well as mobile access (Android and iOS) to their software. Below is the high-level architecture diagram of the application.

CyberSec High-Level Architecture Diagram

Using the Microsoft Threat Modeling Tool:

  • Create a data flow diagram to identify all the application components.
  • Identify the trust boundaries.
  • Identify all threat types to each element.
  • Identify three or more threats: one for a data flow, one for a data store and one for a process.
  • Identify mitigations for each threat.
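The STRIDE section above gives the six categories, and the case study asks for trust boundaries plus at least one threat each on a data flow, a data store and a process. The following added example (not from the article, and not output of the Microsoft Threat Modeling Tool) shows the mechanics behind that exercise: a small data flow diagram of the CyberSec system is modelled in plain Python and the classic STRIDE-per-element table is applied to every element and flow, flagging flows that cross a trust boundary. The element names, boundary names and mitigation hints are assumptions made for this illustration.

```python
"""STRIDE-per-element enumeration over a small data flow diagram (DFD).
Added illustration of the case study; element names, trust boundaries and
the mitigation hints below are constructed assumptions, not tool output."""
from dataclasses import dataclass

# Classic STRIDE-per-element table: which categories apply to which kind
# of DFD element (external entity, process, data store, data flow).
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",   # R applies to stores that hold audit/log data
    "dataflow": "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Generic starting mitigation per category; a real model refines these per threat.
MITIGATIONS = {
    "S": "authenticate both ends (strong user auth, TLS server certs, signed tokens)",
    "T": "integrity protection (TLS, signatures/MACs, server-side input validation)",
    "R": "tamper-evident audit logging with synchronized clocks",
    "I": "encrypt in transit and at rest; least-privilege data access",
    "D": "rate limiting, quotas and redundancy",
    "E": "authorization check on every privileged action; least privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external" | "process" | "datastore"
    boundary: str   # trust boundary the element sits in


@dataclass(frozen=True)
class Dataflow:
    name: str
    source: Element
    sink: Element

    def crosses_boundary(self) -> bool:
        # Flows between different trust boundaries are where threats concentrate.
        return self.source.boundary != self.sink.boundary


@dataclass(frozen=True)
class Threat:
    target: str
    target_kind: str
    category: str
    mitigation: str
    crosses_boundary: bool = False


def enumerate_threats(elements, flows):
    """Apply the STRIDE-per-element table to every element and every data flow."""
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, e.kind, STRIDE_NAMES[c], MITIGATIONS[c]))
    for f in flows:
        label = f"{f.name} ({f.source.name} -> {f.sink.name})"
        for c in STRIDE_PER_ELEMENT["dataflow"]:
            threats.append(Threat(label, "dataflow", STRIDE_NAMES[c],
                                  MITIGATIONS[c], f.crosses_boundary()))
    return threats


def build_cybersec_model():
    """Constructed DFD: members/admins on the Internet, a web/API tier in a DMZ,
    an internal membership database and a third-party payment provider."""
    member = Element("Member (web or mobile client)", "external", "Internet")
    admin = Element("Administrator", "external", "Internet")
    api = Element("Web/API server", "process", "CyberSec DMZ")
    db = Element("Membership database", "datastore", "CyberSec internal")
    payment = Element("Payment provider (PayPal/Stripe)", "external", "Third party")
    flows = [
        Dataflow("Member requests", member, api),
        Dataflow("Admin requests", admin, api),
        Dataflow("SQL queries", api, db),
        Dataflow("Query results", db, api),
        Dataflow("Payment authorization", api, payment),
        Dataflow("Payment callback", payment, api),
    ]
    return [member, admin, api, db, payment], flows


def required_sample(threats):
    """One threat each for a data flow, a data store and a process (the case
    study's minimum), preferring boundary-crossing flows."""
    picked = {}
    for t in sorted(threats, key=lambda t: not t.crosses_boundary):
        if t.target_kind in ("dataflow", "datastore", "process"):
            picked.setdefault(t.target_kind, t)
    return picked


if __name__ == "__main__":
    elements, flows = build_cybersec_model()
    threats = enumerate_threats(elements, flows)
    print(f"{len(threats)} candidate threats, "
          f"{sum(t.crosses_boundary for t in threats)} on boundary-crossing flows")
    for kind, t in required_sample(threats).items():
        print(f"[{kind}] {t.target}: {t.category} -> {t.mitigation}")
```

Every flow in this model crosses a trust boundary (Internet to DMZ, DMZ to internal network, DMZ to the payment provider), which is why the tool's analysis view lists so many threats for a diagram this small; the table-driven enumeration is only the starting list, and the mitigation step is where each candidate is either addressed, accepted or marked not applicable.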

Solution

Now we’ll see the Microsoft Threat Modeling Tool in action in the following example:

  1. Download the Microsoft Threat Modeling Tool from the Microsoft website (https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling).

Download The Microsoft Threat Modeling Tool

  2. Launch the tool after installation.

  3. Click on Create A Model and start using the stencils to create your data flow diagram.

Create A Model
Stencils For Threat Modeling

  4. My data flow diagram:

Flow Diagram

  5. After creating your data flow diagram, click on View -> Analysis View.

This will now list your threats.

Analysis View
Result List

  6. The report shows that no mitigation is provided for any of the threats.

  7. To generate a report, go to the main menu: Reports -> Create Full Report -> Generate Report.

It will prompt you to save the report.

Create Full Report
Generate Report

That’s pretty much it for now. If I find anything more, I’ll update it here. Till then Thank You!

remember #SharingIsCaring ;)

Devashish Gupta
codelogicx

Senior Software Engineer (Cloud & DevOps) at SMC Global