With the advancement in technology it becomes easier day by day for the hacker to gain access to sensitive data, disable applications etc. Thus, Application Security has become a major concern. One method used to implement application security in design process is through THREAT MODELLING.
Threats can be anything that can take advantage of a vulnerability to breach security and negatively alter, erase, harm object or objects of interest. Threat Modelling can be done at any stage of development but if done at the beginning it will help in early determination of threats that can be dealt properly.
The purpose of Threat modelling is to identify, communicate, and understand threats and mitigation to the organisation’s stakeholder’s as early as possible. Documentation from this process provide system analyst and defenders with a complete analysis of probable attackers profile, the most likely attack vectors, and the assets most desired by the attacker.
Threat modelling helps to achieve following:
- Defines security of application
- Identifies and investigates potential threats and vulnerabilities
- Results in finding architecture bugs earlier
Development team will be able to implement application security as part of the design process by using threat modelling to identify threats, vulnerabilities and mitigation at design time. There are various threat modelling methodologies available. We will be discussing 8 methodologies:
- Strike –
STRIDE is a methodology developed by Microsoft for threat modelling. It provides a mnemonic for security threats in six categories:
- Spoofing: An adversary posing as another user, component, or other system that has an identity in the system being modelled.
- Tampering: The modification of data within the system to achieve a malicious goal.
- Repudiation: The ability of an adversary to deny performing some malicious activity in absence of sufficient proof.
- Information Disclosure: The exposure of protected data to a user that is not otherwise allowed access to that data.
- Denial of Service: Occurs when an adversary uses illegitimate means to assume a trust level than he currently has with different privileges.
DFD is the input of this approach and each node of the DFD is applied to the system. Subsequently, the possible number of security threats will be identified, as well as feasible mitigation.
- DREAD –
DREAD was proposed for threat modelling but due to inconsistent ratings it was dropped by Microsoft in 2008. It is currently used by OpenStack and many other corporations. It provides a mnemonic for risk rating security threats using five categories. The categories are:
- Damage Potential: ranks the extent of damage that would occur if a vulnerability is exploited.
- Reproducibility: ranks how easy it is to reproduce a attack
- Exploitability: Assigns a number to the effort required to launch the attack.
- Affected Users: A value characterizing how many people will be impacted if an exploit become widely available.
- Discoverability: Measures the likelihood how easy it is to discover the threat.
In DREAD model, the risk can be calculated by taking average of 5 categories:
Risk = (Damage Potential+Reproducibility +Exploitability+Affected Users +Discoverability)/5
- P.A.S.T.A. –
The Process for Attack Simulation and Threat Analysis (PASTA) is a seven step, risk-centric methodology. The purpose is to provide a dynamic threat identification, enumeration, and scoring process. Upon completion of threat model security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This helps developer to develop a asset-centric mitigation strategy by analyzing attacker-centric view of application.
- Trike –
The focus is in using threat models as risk management tool. Threat models are based on requirement model. The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are identified and assigned risk values. The completed threat model is used to build a risk model on the basis of asset, roles, actions, and calculated risk exposure.
- VAST –
VAST is an acronym for Visual, Agile, and Simple Threat modelling. The methodology provides actionable outputs for the unique needs of various stakeholders like application architects and developers, cyber security personnel etc.. It provides a unique application and infrastructure visualisation scheme such that the creation and use of threat models do not require specific security subject matter expertise.
- Attack Tree –
Attack trees are the conceptual diagram showing how an asset, or target, might be attacked. These are multi-level diagram consisting of one root node, leaves and children nodes. Bottom to Top, child nodes are conditions which must be satisfied to make the direct parent node true. An attack in considered complete when the root is satisfied. Each node may be satisfied only by its direct child nodes.
Suppose there is 1 grandchild below root node. In such a case multiple steps must be taken to carry out an attack as first the grandchild’s conditions must be satisfied for the direct parent node to be true and then direct parent node condition must be satisfied to make root node true. It also has AND and OR options which represent alternatives and different steps towards achieving that goals.
- Common Vulnerability Scoring System (CVSS) –
It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score (ranging from 0-10, with 10 being the most severe) depicting its severity.
The score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
- T-MAP –
T-MAP is an approach which is used in Commercial Off The Shelf (COTS) systems to calculate the weights of attack paths. This model is developed by using UML class diagrams, access class diagrams, vulnerability class diagrams, target asset class diagrams and affected Value class diagrams.
Currently eight tools are available for Threat Modelling:
- Microsoft’s Threat Modelling Tool –
This tool identifies threats based on STRIDE threat classification scheme and is Data Flow Diagram (DFD) Based.
- MyAppSecurity –
It offers the first commercially available threat modeling tool – ThreatModeler. It uses VAST threat ckassification scheme and is Process Flow Diagram (PFD) based.
- IriuRisk –
Offers both a community and a commercial version of the tool. This tool is primarily used to create and maintain live Threat model through the entire SDLC. It connects with other several different tools like OWASP ZAP, BDD-Security etc. to facilitate automation and involves fully customizable questionnaires and Risk Pattern Libraries.
- securiCAD –
It is a threat modelling and risk management tool developed by the Scandinavian company foreseeti. Risk are identified and quantified by conducting automated attack simulations to current and future IT architectures, and provides decision support based on the findings. securiCAD is offered in both commercial and community editions.
- SD Elements by Security Compass –
It is a software security requirements management platform that includes automated threat modeling capabilities. A short Questionnaire about the technical details and compliance drivers of the application is conducted to generate a set of threats. Countermeasures are included in the form of actionable tasks for developers.
- Modelling Attack trees –
Commercial Tools like SecurITree, AttackTree+ and opensource tools like ADTool, Ent, SeaMonster are used to model Attack Trees.
- CVSS 3.0 –
CVSS is currently at version 3.0. It is used for CVSS model.
- Tiramisu –
This tool is used for T-MAP approach. It is used to calculate a list of all attack paths and produce overall threats in terms of total weight of attack paths.
How to create a Threat Model:
All threat modelling process start with creating visual representation of application or system being analyzed. There are two ways to create visual representation:
- Visual Representation using Data Flow Diagram – The Microsoft Methodology, PASTA and Trike each develop a visual representation of the application-infrastructure utilizing data flow diagrams (DFD). DFDs were developed in 1970s as tool for system engineers to provide a high-level visualization of how an application works within a system to move, store, and manipulate data. The concept of trust boundaries was added in early 2000s by Security professionals in an attempt to make them applicable for threat modeling.
DFDs are used to identify broad categories usually using STRIDE threat classification scheme. The list of threats identifies through such methods is limited and thus a poor starting point for the modelling. DFD based approach uses three main steps:
- View System as an adversary
- Characterize the system
- Determine the threats
DFD based approach has certain weakness:
- DFD do not accurately represent design and flow of application.
- They analyse how data is flowing rather than how user interact with system.
- DFD based threat modelling has no standard approach due to which different people create threat models with different output for the same scenario or problem.
- Visual Representation using Process Flow Diagram – To deal with the limitations of DFD based threat modelling Process Flow Diagrams were introduced in 2011 as a tool to allow Agile software development teams to create threat models based on the application design process. These were specifically designed to illustrate how attacker thinks.
Attacker do not analyze data flow. Rather, they try to figure out how they can move through application which was the not supported in DFD based threat modelling.
Their analysis lays emphasis on how to abuse ordinary use-cases to access assets or other targeted goals.
VAST methodology uses PFD for the visual representation of application.
Threat models based on PFD view application from the perspective of user interactions. Following are the steps for PFD based threat modelling:
- Designing application’s use cases
- The communication protocols by which individuals move between use cases are defined
- Including the various technical controls – such as a forms, cookies etc
PFD based threat modelling has following advantages:
- PFD based threat models are easy to understand that don’t require any security expertise.
- Creation of process map -showing how individuals move through an application. Thus, it is easy to understand application from attacker’s point of view.