With the advancement in technology, it becomes easier day by day for the hacker to gain access to sensitive data, disable applications etc. Thus, Application Security has become a major concern. One method used to implement application security in the design process is through THREAT MODELLING.
Threats can be anything that can take advantage of a vulnerability to breach security and negatively alter, erase, harm objects or objects of interest. Threat Modelling can be done at any stage of development but if done at the beginning it will help in the early determination of threats that can be dealt with properly.
The purpose of Threat modelling is to identify, communicate, and understand threats and mitigation to the organisation’s stakeholders as early as possible. Documentation from this process provides system analysts and defenders with a complete analysis of probable attackers profiles, the most likely attack vectors, and the assets most desired by the attacker.
Threat modelling helps to achieve the following:
- Defines security of application
- Identifies and investigates potential threats and vulnerabilities
- Results in finding architecture bugs earlier
The development team will be able to implement application security as part of the design and development process by using threat modelling to identify threats, risks, and mitigation during the designing phase. There are various threat modelling methodologies available. We will be discussing 8 methodologies:
- STRIDE –
STRIDE is a methodology developed by Microsoft for threat modelling. It provides a mnemonic for security threats in six categories:
- Spoofing: An adversary posing as another user, component, or another system that has an identity in the system being modelled.
- Tampering: The modification of data within the system to achieve a malicious goal.
- Repudiation: The ability of an adversary to deny performing some malicious activity in absence of sufficient proof.
- Information Disclosure: The exposure of protected data to a user that is not otherwise allowed access to that data.
- Denial of Service: Occurs when an adversary uses illegitimate means to assume a trust level than he currently has with different privileges.
- Elevation of Privilege: This threat occurs when an attacker successfully breaches the administrative controls of a system and tampers its configured permissions and privileges. By this, attackers can reach from low-level systems in the network to systems of higher authority, which contains confidential information.
- DREAD –
DREAD was proposed for threat modelling but due to inconsistent ratings, it was dropped by Microsoft in 2008. It is currently used by OpenStack and many other corporations. It provides a mnemonic for risk rating security threats using five categories. The categories are:
- Damage Potential: ranks the extent of damage that would occur if a vulnerability is exploited.
- Reproducibility: ranks how easy it is to reproduce an attack
- Exploitability: Assigns a number to the effort required to launch the attack.
- Affected Users: A value characterizing how many people will be impacted if an exploit becomes widely available.
- Discoverability: Measures the likelihood of how easy it is to discover the threat.
- P.A.S.T.A. –
The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology. The purpose is to provide a dynamic threat identification, enumeration, and scoring process. Upon completion of the threat model, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This helps developers to develop an asset-centric mitigation strategy by analyzing the attacker-centric view of an application.
- Trike –
The focus is on using threat models as a risk management tool. Threat models are based on the requirement model. The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are identified and assigned risk values. The completed threat model is used to build a risk model on the basis of assets, roles, actions, and calculated risk exposure.
- VAST –
VAST is an acronym for Visual, Agile, and Simple Threat modelling. The methodology provides actionable outputs for the unique needs of various stakeholders like application architects and developers, cyber security personnel, etc. It provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.
- Attack Tree –
Attack trees are the conceptual diagram showing how an asset, or target, might be attacked. These are multi-level diagrams consisting of one root node, leaves, and children nodes. Bottom to Top, child nodes are conditions that must be satisfied to make the direct parent node true. An attack is considered complete when the root is satisfied. Each node may be satisfied only by its direct child nodes.
Suppose there is 1 grandchild below the root node. In such a case multiple steps must be taken to carry out an attack as first the grandchild’s conditions must be satisfied for the direct parent node to be true and then the direct parent node condition must be satisfied to make the root node true. It also has AND and OR options which represent alternatives and different steps towards achieving that goal.
- Common Vulnerability Scoring System (CVSS) –
It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score (ranging from 0-10, with 10 being the most severe) depicting its severity.
The score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
- T-MAP –
T-MAP is an approach that is used in Commercial Off The Shelf (COTS) systems to calculate the weights of attack paths. This model is developed by using UML class diagrams, access class diagrams, vulnerability class diagrams, target asset class diagrams, and affected Value class diagrams.
Currently, eight tools are available for Threat Modelling:
- Microsoft’s Threat Modelling Tool –
This tool identifies threats based on STRIDE threat model classification and is based on Data Flow Diagram (DFD), which can be used to discover threats associated with overall IT assets in an organization.
- MyAppSecurity –
It offers the first commercially available threat modelling tool – ThreatModeler. It uses a VAST threat classification scheme and it is based on Process Flow Diagram (PFD), which provides a detailed view of the risks and vulnerable loopholes.
- IriuRisk –
Offers both a community and a commercial version of the tool. This tool is primarily used to create and maintain a live Threat model through the entire SDLC. It connects with several different tools like OWASP ZAP, BDD-Security, etc. to facilitate automation and involves fully customizable questionnaires and Risk Pattern Libraries.
- securiCAD –
It is a threat modelling and risk management tool developed by the Scandinavian company foreseeti. Risk is identified and quantified by conducting automated attack simulations to current and future IT architectures and providing decision support based on the findings. securiCAD is offered in both commercial and community editions.
- SD Elements by Security Compass –
It is a software security requirements management platform that includes automated threat modelling capabilities. A short Questionnaire about the technical details and compliance drivers of the application is conducted to generate a set of threats. Countermeasures are included in the form of actionable tasks for developers.
- Modelling Attack trees –
Commercial Tools like SecurITree, AttackTree+ and opensource tools like ADTool, Ent, SeaMonster are used to model Attack Trees.
- CVSS 3.0 –
CVSS is currently at version 3.0. It is used for the CVSS model. In addition to this, the CVV score of vulnerabilities identified for different hardware and software can be analyzed online, as it aids to identify potential threats, which can harm the system.
- Tiramisu –
This tool is used for the T-MAP approach. It is used to calculate a list of all attack paths and produce overall threats in terms of the total weight of attack paths.
How to create a Threat Model:
All threat modelling processes start with creating a visual representation of the application or system being analyzed. There are two ways to create visual representation:
- Visual Representation using Data Flow Diagram –
The Microsoft Methodology, PASTA, and Trike each develop a visual representation of the application infrastructure utilizing data flow diagrams (DFD). DFDs were developed in the 1970s as tools for system engineers to provide a high-level visualization of how an application works within a system to move, store, and manipulate data. The concept of trust boundaries was added in the early 2000s by Security professionals in an attempt to make them applicable for threat modelling.
DFDs are used to identify broad categories usually using the STRIDE threat classification scheme. The list of threats identified through such methods is limited and thus a poor starting point for the modelling. DFD based approach uses three main steps:
- View System as an adversary
- Characterize the system
- Determine the threats
- DFD does not accurately represent the design and flow of the application.
- They analyze how data is flowing rather than how users interact with the system.
- DFD based threat modelling has no standard approach due to which different people create threat models with different outputs for the same scenario or problem.
- Visual Representation using Process Flow Diagram –
To deal with the limitations of DFD based threat modelling Process Flow Diagrams were introduced in 2011 as a tool to allow Agile software development teams to create threat models based on the application design process. These were specifically designed to illustrate how the attacker thinks.
The attacker does not analyze data flow. Rather, they try to figure out how they can move through an application that was not supported in DFD based threat modelling.
Their analysis lays emphasis on how to abuse ordinary use-cases to access assets or other targeted goals.
The VAST methodology uses PFD for the visual representation of an application.
Threat models based on PFD view applications from the perspective of user interactions. Following are the steps for PFD based threat modelling:
- Designing application’s use cases
- The communication protocols by which individuals move between use cases are defined
- Including the various technical controls – such as forms, cookies etc
- PFD based threat models are easy to understand that don’t require any security expertise.
- Creation of process map -showing how individuals move through an application. Thus, it is easy to understand the application from the attacker’s point of view.