Threat Modeling: Methods and Steps


Questions and Answers

What is a primary advantage of incorporating threat modeling during the early stages of system design?

  • It automates the process of incident response planning.
  • It reduces the need for user training on security protocols.
  • It ensures compliance with industry regulations after deployment.
  • It allows for design adjustments to mitigate vulnerabilities before significant investment. (correct)

Why is it important to involve all stakeholders during the threat modeling process?

  • To comply with legal requirements for data protection.
  • To ensure that all possible perspectives, both technical and non-technical, are considered. (correct)
  • To reduce the time required for security audits.
  • To distribute responsibility for security evenly across the organization.

What is the initial step in the threat modeling process?

  • Identifying potential threat actors.
  • Implementing security controls based on business priorities.
  • Understanding the system or application, including its business purpose and data processed. (correct)
  • Determining what security tools to use.

In the context of threat modeling, what does STRIDE stand for?

  • Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. (correct)

Which element of the STRIDE model deals with an attacker pretending to be someone else?

  • Spoofing (correct)

Within the STRIDE methodology, if a threat involves altering data in transit, which property is violated?

  • Integrity (correct)

Which STRIDE threat category is directly addressed by implementing strong logging and auditing mechanisms?

  • Repudiation (correct)

What is the primary purpose of using Data Flow Diagrams (DFD) in threat modeling?

  • To illustrate the movement of data through a system, helping to identify potential vulnerabilities. (correct)

According to the STRIDE model, what does 'Information Disclosure' primarily threaten?

  • Confidentiality (correct)

Which mitigation strategy best addresses the 'Elevation of Privilege' threat in the STRIDE model?

  • Validating all user inputs and enforcing the principle of least privilege. (correct)

In threat modeling, what is the significance of identifying 'trust boundaries'?

  • They indicate areas where data transitions between different levels of trust and security control. (correct)

What is the purpose of the 'Mitigation' phase in the STRIDE threat modeling process?

  • To identify and implement security controls that reduce or eliminate identified threats. (correct)

What is the main goal of the 'Validate' step in the STRIDE model?

  • Ensuring the diagram accurately reflects the system, threats are enumerated, and mitigations are appropriate. (correct)

Which activity is performed during the 'Diagram' stage of STRIDE threat modeling?

  • Visualizing the application's architecture to understand data flow and components. (correct)

What is the relationship between STRIDE threat categories and Data Flow Diagram (DFD) elements in threat modeling?

  • STRIDE categories help identify potential threats affecting each DFD element as data crosses trust boundaries. (correct)

Which of the following is a typical mitigation for a 'Tampering' threat?

  • Using digital signatures. (correct)

What BEST describes the purpose of 'Attack Trees' in threat modeling?

  • To visually represent potential attack paths on a system. (correct)

PASTA (Process for Attack Simulation and Threat Analysis) methodology is primarily:

  • Attacker-centric (correct)

What is a key consideration when determining ‘what we are working on’ during threat modeling?

  • The application's clear boundary and key assets. (correct)

What does the 'what can go wrong?' question ask you to enumerate?

  • The potential weaknesses in the design or implementation (correct)

What question is answered by prioritizing security actions?

  • What are we going to do about it? (correct)

Which of the following is part of the methodology's final question, 'Did we do a good enough job?'

  • Lessons learned (correct)

Which of the following is a risk-rating model used to score identified threats, rather than a method for enumerating them?

  • DREAD (correct)

Which model includes security cards?

  • Security Cards (correct)

Which of these diagrams is typically used in the threat modeling process?

  • Data Flow Diagram (correct)

Flashcards

Why do threat modelling?

Identifying potential weaknesses early in the design stages of a system.

Stakeholder Input

Ensuring all perspectives, both technical and non-technical, are considered when assessing potential threats.

Drive security controls

Guiding security measures based on the importance of business operations.

Security mindset

Fostering a proactive attitude towards security throughout the design and implementation of IT services.

System/Application Understanding

The first step of threat modeling: understanding the system's business purpose and the information it handles.

Consider potential threats

A step of threat modeling focused on identifying potential security issues with the system.

Consider potential threats

The step of threat modeling that identifies what could go wrong with the system.

Mitigation Planning

The step of threat modeling that decides what to do about each identified threat.

Evaluation

Checking how well the threat mitigations worked and whether the threat model still matches the system.

STRIDE

A threat modeling methodology that includes Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.


Attack trees

A method for visually representing potential attack paths on a system.


Attacker-centric methodology

A threat modeling technique focusing on attacker's viewpoint and motives.

PASTA

Process for Attack Simulation and Threat Analysis: a seven-stage, attacker-centric methodology that aligns business objectives with technical requirements and includes business impact analysis.

Spoofing Identity

Authenticating as a person you are not.


Tampering with data

Unauthorized modification of data.


Repudiation

Denying responsibility for an action.


Information disclosure

Revealing sensitive data to unauthorized parties.


Denial of service

Making a system unavailable to legitimate users.


Elevation of privilege

Gaining higher-level privileges than authorized.


Data Flow Diagram (DFD)

A visual representation of data flow and processes.


Trust boundary

A boundary that separates areas of different trust levels in a system.


Validate Threat Model

Verifying that the threat model aligns with the actual system and threats.


Spoofing mitigation

Passwords, MFA, and Digital Signatures


Tampering mitigation

Permissions/ACLs, and Digital Signatures


Repudiation mitigation

Secure Logging and Auditing, and Digital Signatures

Information disclosure mitigation

Encryption, and Permissions/ACLs

Study Notes

Why do Threat Modeling?

  • To identify potential vulnerabilities early, ideally during design stages, to influence design and build before it's too late
  • To include input from all stakeholders, ensuring all angles, both technical and non-technical, are considered
  • To drive security controls based on business priorities, taking inputs from product owners and business representatives
  • To encourage a security mindset which influences the selection and design of future IT services

Threat Modeling – Main Steps

  • Need to understand the system or application and its business purpose, including what information is being processed
  • Need to consider what could go wrong
  • What can be done about threats?
  • Need to evaluate how well threat mitigation went

Threat Models, Methods, and Diagrams

  • STRIDE (threat enumeration by category)
  • PASTA (seven-stage attack simulation and analysis process)
  • CVSS (a vulnerability severity scoring system, used to rate findings rather than to enumerate threats)
  • Attack Trees (diagramming attack paths)
  • Security Cards (brainstorming deck)
  • Trike
  • DREAD (a risk-rating model for scoring identified threats, not an enumeration method)

STRIDE Model

  • Spoofing Identity violates Authenticity, defined as pretending to be someone or something other than yourself
  • Tampering with data violates Integrity, modifying data at rest, in transit, or in memory
  • Repudiation violates Non-repudiation, denying that you did something
  • Information Disclosure violates Confidentiality, giving sensitive information to someone not authorized
  • Denial of Service violates Availability, exhausting computing resources needed to support the service
  • Elevation of Privilege violates Authorization, allowing someone to do something they are not authorized to perform

Diagramming the System

  • Use structured diagrams like DFD
  • Add trust boundaries that intersect data flows
  • Identify surfaces where an attacker can intrude, such as network boundaries and cloud boundaries
  • Encrypting network traffic is the 'instinctive' mitigation, but encryption alone only addresses information disclosure; tampering and spoofing need integrity protection (a MAC or signature) and authentication of the endpoints, which TLS provides only when certificates are actually validated

Data Flow Diagrams (DFD)

  • Helps define the scope of threat modeling
  • Aids in understanding data flows within the system
  • Provides a structure for assessing risks
  • Data Flow Diagrams (DFD) are the most common for threat modeling

STRIDE Threat Categories

  • Spoofing Identity is when someone uses your password and authenticates as you, violating Authentication
  • Tampering with data includes modification of data, either at rest or sent over a network, violating Integrity
  • Repudiation is when users deny having performed an action, violating Non-repudiation
  • Information disclosure is when a user reads data without granted access, or eavesdrops on a communication channel, violating Confidentiality
  • Denial of service is related to the availability of a system, violating Availability
  • Elevation of privilege is when a less privileged user gets higher privileges; normal users obtaining root privileges, violating Authorization

STRIDE Mitigation

  • Spoofing threat can be mitigated through Authentication using Passwords, MFA and Digital Signatures
  • Tampering threat can be mitigated through Integrity using Permissions/ACLs and Digital Signatures
  • Repudiation threat can be mitigated through Non-Repudiation using Secure Logging and auditing, and Digital Signatures
  • Information Disclosure can be mitigated through Confidentiality using Encryption and Permissions/ACLs
  • Denial of Service threat can be mitigated through Availability using Permissions/ACLs and Filtering
  • Elevation of Privileges threat can be mitigated through Authorization using Permissions/ACLs and Input Validation

STRIDE Validation

  • Validating the whole threat model involves verifying that the diagram matches the system
  • Ensures all threats are enumerated
  • Every element that touches a trust boundary has at least its STRIDE-per-element threats considered (the minimum coverage)
  • Each threat is properly mitigated
  • Mitigation measures are implemented correctly
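The diagramming, mitigation and validation steps above can be done mechanically for a small DFD. The following Python is an added example, not code from the original lesson: it holds a constructed sample system (a browser on the internet, an API in a DMZ, a database and an audit log in an internal zone, and a cache that never crosses a boundary), enumerates the minimum STRIDE-per-element threat set for every flow that crosses a trust boundary and every element such a flow touches, attaches the property violated and the lesson's typical mitigations, and then runs the validation check that every enumerated threat has a recorded mitigation. The element names, trust zones and recorded mitigations are assumptions made for the illustration.

```python
"""STRIDE-per-element over a small DFD with trust boundaries.

Added example, not from the original lesson. The element/threat mapping is the
standard STRIDE-per-element table; the DFD, trust zones and recorded
mitigations below are a constructed sample, not a real system.
"""
from dataclasses import dataclass

# Which STRIDE categories apply to each DFD element type (STRIDE-per-element).
# Repudiation is added to a data store only when it holds logs/audit records.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}

# Property violated and the lesson's typical mitigations per category.
PROPERTY = {
    "S": ("Authentication", "passwords, MFA, digital signatures"),
    "T": ("Integrity", "permissions/ACLs, digital signatures"),
    "R": ("Non-repudiation", "secure logging and auditing, digital signatures"),
    "I": ("Confidentiality", "encryption, permissions/ACLs"),
    "D": ("Availability", "permissions/ACLs, filtering"),
    "E": ("Authorization", "permissions/ACLs, input validation"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # external | process | data_store
    zone: str            # trust zone; a flow between zones crosses a trust boundary
    holds_logs: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


def crosses_boundary(flow, zones):
    return zones[flow.src] != zones[flow.dst]


def enumerate_threats(elements, flows):
    """Return {(element_or_flow_name, category): (property, mitigations)} for the
    minimum STRIDE-per-element set: every flow that crosses a trust boundary and
    every element that such a flow touches."""
    zones = {e.name: e.zone for e in elements}
    crossing = [f for f in flows if crosses_boundary(f, zones)]
    touched = {f.src for f in crossing} | {f.dst for f in crossing}
    threats = {}
    for e in elements:
        if e.name not in touched:
            continue
        cats = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.holds_logs:
            cats += "R"
        for c in cats:
            threats[(e.name, c)] = PROPERTY[c]
    for f in crossing:
        for c in STRIDE_PER_ELEMENT["data_flow"]:
            threats[(f.name, c)] = PROPERTY[c]
    return threats


def validate(threats, applied):
    """Validation step: every enumerated threat must have a recorded mitigation.
    Returns the sorted list of unmitigated (name, category) pairs."""
    return sorted(k for k in threats if k not in applied)


# Constructed sample system (assumption, not a real deployment).
ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("Web API", "process", "dmz"),
    Element("Cache", "process", "dmz"),
    Element("Orders DB", "data_store", "internal"),
    Element("Audit Log", "data_store", "internal", holds_logs=True),
]
FLOWS = [
    Flow("login request", "Browser", "Web API"),
    Flow("cache lookup", "Web API", "Cache"),       # stays inside the DMZ
    Flow("order write", "Web API", "Orders DB"),
    Flow("audit write", "Web API", "Audit Log"),
]

# Mitigations the team has recorded so far (constructed).
APPLIED = {
    ("Browser", "S"): "MFA on login",
    ("login request", "T"): "TLS with certificate validation",
    ("login request", "I"): "TLS",
    ("Web API", "E"): "input validation; API runs as an unprivileged service account",
    ("Audit Log", "T"): "append-only store, ACL restricted to the API role",
}

if __name__ == "__main__":
    threats = enumerate_threats(ELEMENTS, FLOWS)
    for (name, cat), (prop, mit) in sorted(threats.items()):
        print(f"{name:14} {cat} violates {prop:16} -> {mit}")
    gaps = validate(threats, APPLIED)
    print(f"\n{len(threats)} threats enumerated, {len(gaps)} still unmitigated")
```

Running it lists 24 threats and 19 gaps: the cache and its lookup flow produce nothing because they never cross a boundary, the audit log picks up Repudiation because it holds logs, and the gap list is exactly the work the mitigation phase still owes before the model can be signed off.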

Attack Trees

  • Method commonly combined with other techniques like STRIDE
  • Show attacks on a system in tree form
  • The root is the attacker's goal; child nodes are sub-goals, combined with OR (any one suffices) or AND (all are required); the leaves are concrete attack steps
  • Each attack goal is represented as a separate tree
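An attack tree becomes useful once its leaves carry attributes that can be rolled up: with OR nodes taking the cheapest child and AND nodes summing their children, the tree yields the cheapest path to the root goal and shows how a mitigation moves it. The Python below is an added example, not from the original lesson; the goal, sub-goals and attacker cost figures are constructed for a hypothetical web shop and are not measurements.

```python
"""Attack tree with OR/AND nodes and attacker-cost attributes.

Added example, not from the original lesson. The tree models a hypothetical
web shop; every goal name and cost figure below is a constructed assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    goal: str
    kind: str = "leaf"        # leaf | or | and
    cost: int = 0             # attacker effort for a leaf (made-up units)
    children: list = field(default_factory=list)


def min_cost(node):
    """Cheapest way to achieve the node's goal.
    OR: any one child suffices, so take the cheapest.
    AND: every child is needed, so sum them all."""
    if node.kind == "leaf":
        return node.cost
    costs = [min_cost(c) for c in node.children]
    return min(costs) if node.kind == "or" else sum(costs)


def cheapest_path(node):
    """Leaf steps that make up the cheapest path to the node's goal."""
    if node.kind == "leaf":
        return [node.goal]
    if node.kind == "and":
        return [step for c in node.children for step in cheapest_path(c)]
    return cheapest_path(min(node.children, key=min_cost))


def render(node, depth=0):
    """Indented text view of the tree with the rolled-up cost at every node."""
    tag = "" if node.kind == "leaf" else f" [{node.kind.upper()}]"
    lines = [f"{'  ' * depth}{node.goal}{tag} (cost {min_cost(node)})"]
    for c in node.children:
        lines.extend(render(c, depth + 1))
    return lines


def build_tree(idor_fixed=False, mfa=False):
    """Root goal: read another customer's orders. The flags apply two mitigations:
    idor_fixed adds object-level authorization (the IDOR leaf becomes very costly),
    mfa turns the phishing branch into an AND of password plus one-time code."""
    phish = Node("Phish the password", cost=20)
    if mfa:
        phish = Node("Phish password and MFA code", "and",
                     children=[phish, Node("Intercept the one-time code", cost=60)])
    steal_session = Node("Steal a valid session", "or", children=[
        phish,
        Node("XSS to steal the session cookie", cost=40),
    ])
    bypass_authz = Node("Bypass authorization", "or", children=[
        Node("IDOR on /orders/{id}", cost=200 if idor_fixed else 10),
        Node("Elevate to admin via a privilege bug", cost=80),
    ])
    dump_db = Node("Dump the orders database", "and", children=[
        Node("SQL injection in the search field", cost=30),
        Node("Exfiltrate over allowed egress", cost=15),
    ])
    return Node("Read another customer's orders", "or",
                children=[steal_session, bypass_authz, dump_db])


if __name__ == "__main__":
    for flags in ({}, {"idor_fixed": True}, {"idor_fixed": True, "mfa": True}):
        tree = build_tree(**flags)
        print("\n".join(render(tree)))
        print("cheapest path:", " + ".join(cheapest_path(tree)), "\n")
```

The three runs show the point of attaching attributes: with no mitigations the cheapest path is the IDOR at cost 10; fixing it moves the attacker to phishing at 20; adding MFA makes phishing an AND of two steps (80) and the cheapest remaining path becomes the XSS at 40, which tells you what to fix next.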

PASTA

  • Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage methodology that is attacker-centric (its authors also describe it as risk-centric): it simulates attacks and analyses their business impact
  • PASTA aligns business objectives with technical requirements
  • PASTA considers business impact analysis
  • PASTA provides threat management, enumeration, and scoring

Threat Modeling Manifesto - Four Key Questions

  • What are we working on? Supported by a diagram such as a DFD, a clear boundary that defines the scope of the application, decomposition of large and complex applications, and identification of key assets
  • What can go wrong? Threats that could impact the security or privacy of the application, and a list of potential weaknesses in the design or implementation
  • What are we going to do about it? Actions that mitigate the impact of the identified threats: countermeasures or additional security controls, and prioritization of those actions
  • Did we do a good enough job? Have threats been identified? Have risks been reduced through effective countermeasures? Have lessons been learned, e.g., new recommended "standard" security controls for the organization?
