What do vulnerability-threat-control-frameworks do?
Describe how assets may be harmed and how to counter/mitigate that harm
Why are threats modelled?
Find issues early
Improve security requirements
Mitigate risks
Three Types of Threat Models with examples
What does STRIDE stand for?
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privileges
Spoofing - definition, property, example
Definition - impersonating something/someone else
Property – authentication
Ex – pretending to be Microsoft.com
Tampering - definition, property, example
Definition: modifying data/code
Property – integrity
Ex – modifying a DLL on disk
Repudiation - definition, property, example
Definition - denying actions
Property – non-repudiation
Ex – I didn’t send that email
Information disclosure - definition, property, example
Definition - exposing data to unauthorised party
Property – confidentiality
Ex – leaking credit cards
Denial of service - definition, property, example
Definition - denying or degrading services to users
Property – availability
Ex – CPU overload
Elevation of Privileges - definition, property, example
Definition - gaining capabilities w/o proper authorisation
Property – authorisation
Ex – becoming admin
Steps in STRIDE process
Step 1: Model the software system. Use data flow diagram (DFD) for functionality and data flow.
Step 2: Identify the threats. Apply STRIDE to DFD elements
Step 3: Mitigate the threats. Redesign to address threats (generates security requirements)
Step 4: Validate. Ensure threats are removed
DFD Elements
External entity = data source/sink (e.g., user, other system)
Process = data action (e.g., transformation)
Data store = storage (e.g., DB file)
Data flow = labelled arrows (uni/bi-directional)
DFD Levels
Level 0 (context: overview, single process). Level 1+ (detailed processes/stores)
What are trust boundaries in DFD?
Dashed lines where control changes (e.g., machine/privilege); ignore threats inside trusted areas
DFD validation rules
No magic data
No sinks
Flows through processes
Stick to model
Application of STRIDE
Process - apply all STRIDE
Data store/data flow - apply TID
Data store with logs - apply TID+R
External entity - apply SR
What do you do after STRIDE is applied?
Number each DFD element
Write the set of threats that impact that element
What is an attack tree?
A tree data structure modeling attacks from attacker’s view
Root = global goal
Children = sub-goals (AND/OR)
Benefits of attack trees
Structured
Visual
Modular
Reusable
Attacker-centric for likely threats
Key questions for attacker-centric modelling
Adversaries? Motivations/goals? Inside info? Funding? Risk aversion?
Motivation for using attack trees over system-based modelling
Avoids random/incomplete lists
Thinks like attacker for better threat identification
Difference between AND and OR nodes in attack trees?
AND: All sub-goals required
OR: Any one sub-goal sufficient.
Notation for Nodes: AND
Graphical: straight line connecting children
Textual: Goal G0
    AND G1
        G2
        …
        Gn
Notation for Nodes: OR
Graphical - curved/dotted line
Textual: Goal G0
    OR G1
       G2
       …
       Gn