Application Threat Modeling

Application Threat modeling should be considered separate from Risk Assessment, although similar but Application Threat Modeling is more of a calculated approach.

Threat modeling allows you to systematically identify and rate the threats that are most likely to affect your system. By identifying and rating threats based on a solid understanding of the architecture and implementation of your application, you can address threats with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk.

Threat modeling has a structured approach that is far more cost efficient and effective than applying security features in a haphazard manner without knowing precisely what threats each feature is supposed to address. With a random, “shotgun” approach to security, how do you know when your application is “secure enough,” and how do you know the areas where your application is still vulnerable? In short, until you know your threats, you cannot secure your system.

Basic terminology:

• Asset. A resource of value, such as the data in a database or on the file system. A system resource.
• Threat. A potential occurrence, malicious or otherwise, that might damage or compromise your assets.
• Vulnerability. A weakness in some aspect or feature of a system that makes a threat possible. Vulnerabilities might exist at the network, host, or application levels.
• Attack (or exploit). An action taken by someone or something that harms an asset. This could be someone following through on a threat or exploiting a vulnerability.
• Countermeasure. A safeguard that addresses a threat and mitigates risk.

Consider a simple house analogy: an item of jewelry in a house is an asset and a burglar is an attacker. A door is a feature of the house and an open door represents a vulnerability. The burglar can exploit the open door to gain access to the house and steal the jewelry. In other words, the attacker exploits a vulnerability to gain access to an asset. The appropriate countermeasure in this case is to close and lock the door.

Overview:

STRIDE Methodology

The STRIDE approach to threat modeling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find ‘threats to our products’ ^[9] . STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to “the” Microsoft methodology commonly mean STRIDE.

P.A.S.T.A.

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.^[10] It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process. Once the threat model is completed security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Trike

The focus of the Trike methodology^[11] is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a “requirements model.” The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.

VAST

VAST is an acronym for Visual, Agile, and Simple Threat modeling.^[12] The underlying principle of this methodology is the necessity of scaling the threat modeling process across the infrastructure and entire SDLC, and integrating it seamlessly into an Agile software development methodology. The methodology seeks to provide actionable outputs for the unique needs of various stakeholders: application architects and developers, cybersecurity personnel, and senior executives. The methodology provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.

DREAD and STRIDE

Application Threat Modeling using DREAD and STRIDE is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, classify, rate, compare and prioritize the security risks associated with an application. DREAD methodology is used to rate, compare and prioritize the severity of risk presented by each threat that is classified using STRIDE.

Procedure

To perform Application Threat Risk Modeling use  OWASP testing framework to identify, STRIDE methodology to Classify and DREAD methodology to rate, compare and prioritize risks, based on severity

STRIDE

• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

DREAD

• Reproduciblity
• Exploitability
• Affected Users
• Discoverability

DREAD Risk = (Damage + Reproduciblity + Exploitability + Affected Users + Discoverability) / 5. Calculation always produces a number between 10. Higher the number means more serious the risk is.

Threat Modeling Tools

There are currently five tools available for organizational threat modeling:

• Microsoft’s free threat modeling tool – the Threat Modeling Tool (formerly SDL Threat Modeling Tool).^[15] This tool also utilizes the Microsoft threat modeling methodology, is DFD-based, and identifies threats based on the STRIDE threat classification scheme. It is intended primarily for general use.
• MyAppSecurity offers the first commercially available threat modeling tool – ThreatModeler^[16] It utilizes the VAST methodology, is PFD-based, and identifies threats based on a customizable comprehensive threat library.^[17] It is intended for collaborative use across all organizational stakeholders.
• IriusRisk offers both a community and a commercial version of the tool. This tool focus on the creation and maintenance of a live Threat Model through the entire SDLC. It drives the process by using fully customizable questionnaires and Risk Pattern Libraries, and connects with other several different tools (OWASP ZAP, BDD-Security, Threadfix…) to empower automation.^[18]
• securiCAD is a threat modelling and risk management tool by the Scandinavian company foreseeti. It is intended for company cyber security management, from CISO, to security engineer, to technician. securiCAD conducts automated attack simulations to current and future IT architectures, identifies and quantifies risks holistically including structural vulnerabilities, and provides decision support based on the findings. securiCAD is offered in both commercial and community editions. ^[19]
• SD Elements by Security Compass is a software security requirements management platform that includes automated threat modeling capabilities. A set of threats is generated by completing a short questionnaire about the technical details and compliance drivers of the application. Countermeasures are included in the form of actionable tasks for developers that can be tracked and managed throughout the entire SDLC.^[20]

Further Methodologies

• Intel Threat Agent Risk Assessment (TARA)
• Factor Analysis of Information Risk (FAIR)
•  OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability EvaluationSM)
• NIST Risk Management Framework (RMF) 
• OWASP Threat Risk Modeling

Related Work

• Lockheed Martin – Kill Chains
• Dan Guido – Exploit Intelligence Project
• Dino Dai Zovi – Attacker Math 101
• Australian DSD – Strategies to Mitigate Targeted Cyber Intrusions
• SANS/CSIS – Twenty Critical Security Controls for Effective Cyber Defense

More good reading