Security Modeling and Threat Modeling Resources

This post collects some Internet resources on security modeling and threat modeling.

Security Modeling

A security model precisely describes important aspects of security and their relationship to system behavior. The primary purpose of a security model is to provide the necessary level of understanding for a successful implementation of key security requirements. The security policy plays a primary role in determining the content of the security model. Therefore, the successful development of a good security model requires a clear, well-rounded security policy. In the case of a formal model, the development of the model also must rely on appropriate mathematical techniques of description and analysis for its form.

A security model defines the essential aspects of security and their relationship to system behavior. No organization can protect its sensitive information without effective security models. The primary aim of a security model is to provide the level of understanding needed for a successful implementation of the key protection requirements. Information security models are the means by which security policies are validated: they are meant to deliver a precise set of rules that a computer can follow to implement the security processes, procedures and concepts contained in a security program. These models can be informal (intuitive) or formal (abstract and mathematical). In operating systems, the security model sets the rules of the road for security.

Several security models are in common use to explain the guidelines and rules that govern the confidentiality, protection and integrity of information. The main focus of these models is confidentiality (enforced through access controls) and information integrity. They identify the components that need attention when developing information security policies and systems: they describe the access rules required to instantiate the defined policy and identify the objects that the organization's policy governs.

Some of the important models are listed below to understand the function and importance of information security models in the current business world. Five popular and valuable models are as follows:

  • Bell-LaPadula Model
  • Biba Model
  • Clark-Wilson Model
  • Brewer and Nash Model
  • Harrison-Ruzzo-Ullman Model

These models are used to maintain the goals of security, i.e. the CIA triad of Confidentiality, Integrity and Availability, though each addresses a particular property: Bell-LaPadula addresses confidentiality; Biba and Clark-Wilson address integrity; Brewer and Nash (the Chinese Wall model) addresses conflicts of interest; Harrison-Ruzzo-Ullman models the access matrix and the question of whether a given right can ever leak.
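The rules of three of these models can be written down as access-decision functions. The block below is an added example, not code from the original post or from any of the cited sources: it implements the Bell-LaPadula read/write rules over a hierarchical level plus compartments, the Biba strict-integrity rules, and a Brewer-Nash (Chinese Wall) history check. The level names, compartment names and conflict-of-interest classes are constructed for illustration.

```python
"""Access checks for three of the models listed above: Bell-LaPadula
(confidentiality), Biba (integrity) and Brewer-Nash (Chinese Wall).
Constructed example; the level names and conflict classes are illustrative."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Hierarchical sensitivity levels, lowest to highest (constructed ordering).
SENSITIVITY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 iff level(L1) >= level(L2) and the compartments of
        # L1 are a superset of those of L2 (lattice ordering).
        return (SENSITIVITY[self.level] >= SENSITIVITY[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and
    *-property (no write down)."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


# Integrity levels for Biba, lowest to highest (constructed ordering).
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def biba_allows(subject_level: str, obj_level: str, op: str) -> bool:
    """Biba strict integrity: no read down (a subject may not read lower-integrity
    data) and no write up (a subject may not write to higher-integrity data)."""
    if op == "read":
        return INTEGRITY[obj_level] >= INTEGRITY[subject_level]
    if op == "write":
        return INTEGRITY[subject_level] >= INTEGRITY[obj_level]
    raise ValueError(f"unknown operation {op!r}")


class ChineseWall:
    """Brewer-Nash: once a subject has accessed one company's data it is
    locked out of every other company in the same conflict-of-interest class."""

    def __init__(self, conflict_classes: Dict[str, Set[str]]):
        self.conflict_classes = conflict_classes
        self.history: Dict[str, Set[str]] = {}  # subject -> companies accessed so far

    def allows(self, subject: str, company: str) -> bool:
        accessed = self.history.get(subject, set())
        if company in accessed:
            return True  # re-accessing an already chosen company is fine
        for members in self.conflict_classes.values():
            if company in members and accessed & (members - {company}):
                return False  # a competitor in the same class was already accessed
        return True

    def access(self, subject: str, company: str) -> bool:
        """Record the access if the model allows it; return the decision."""
        if not self.allows(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    print(blp_allows(analyst, Label("CONFIDENTIAL"), "read"))    # True: read down is fine
    print(blp_allows(analyst, Label("TOP_SECRET"), "read"))      # False: no read up
    print(blp_allows(analyst, Label("CONFIDENTIAL"), "write"))   # False: no write down
    print(biba_allows("HIGH", "LOW", "read"))                    # False: no read down
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    print(wall.access("alice", "BankA"), wall.access("alice", "BankB"))  # True False
```

Note that the Bell-LaPadula *-property forbids the SECRET analyst from writing a CONFIDENTIAL document even though reading it is allowed: the model is protecting against a high-level process leaking data downward, not against the user's intent. Biba is the exact dual, and the Chinese Wall decision depends on the subject's history, which is why the class keeps state.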

Security Modeling Process

Step 1: Identify Requirements on the External Interface
Step 2: Identify Internal Requirements
Step 3: Design Rules of Operation for Policy Enforcement
Step 4: Determine What is Already Known
Step 5: Demonstrate Consistency and Correctness
Step 6: Demonstrate Relevance

Threat Modeling Methodologies

Conceptually a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Based on volume of published online content, the four methodologies discussed below are the most well known.

STRIDE Methodology

The STRIDE approach to threat modeling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find "threats to our products". STRIDE, Patterns and Practices, and Asset/entry point were among the threat modeling approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE.

P.A.S.T.A.

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.[10] Its seven steps align business objectives with technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration and scoring process. Once the threat model is completed, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Trike

The focus of the Trike methodology[11] is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a “requirements model.” The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.

VAST

VAST is an acronym for Visual, Agile, and Simple Threat modeling.[12] The underlying principle of this methodology is the necessity of scaling the threat modeling process across the infrastructure and entire SDLC, and integrating it seamlessly into an Agile software development methodology. The methodology seeks to provide actionable outputs for the unique needs of various stakeholders: application architects and developers, cybersecurity personnel, and senior executives. The methodology provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.

More threat modeling methods are covered in the SEI article "Threat Modeling: 12 Available Methods", including:

  • LINDDUN
  • CVSS
  • Attack Trees
  • Persona non Grata
  • Security Cards
  • hTMM

Quantitative Threat Modeling Method: This hybrid method consists of attack trees, STRIDE, and CVSS methods applied in synergy.

Summary of 10 threat modeling methodologies (model, focus/perspective and implementation points):

  1. STRIDE: designed specifically to enumerate IT-related threats against the components of a software system.
  2. PASTA: a widely used and adaptable model with threat simulation; a risk-centric methodology.
     Reference: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
  3. LINDDUN: focused on data and privacy threats.
  4. OCTAVE: focused on risk management and organizational impact.
  5. VAST: scales the threat modeling process across the infrastructure and the whole SDLC; its operational threat models take the attacker's point of view.
  6. TRIKE: a unified conceptual framework for security auditing from a risk management perspective; requires a steady, repeatable assessment model and focuses on risk measurement across its stakeholder components (assets, roles, actions, risk exposure).
     Reference: Trike v.1 Methodology Document [Draft]
  7. hTMM: hybrid threat model focused on attacker/defender models; melds features of Security Cards, Persona non Grata, and STRIDE.
  8. qTMM: quantitative threat model focused on attacker/defender models; melds features of Attack Trees, STRIDE, and CVSS.
  9. Attack Trees: focused on the attacker's scheme (the root node is the attacker's goal, the branches are the ways of reaching it); applicable to any established production, business or process scheme, and often combined with other methods (qTMM above pairs them with STRIDE and CVSS).
  10. PnG (Persona non Grata): focused on attacks by archetypal personas who behave in unwanted ways; well suited to insider threat assessments.
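The attack tree and qTMM entries above both rest on evaluating AND/OR trees. The following added example (mine, not from the page or from any of the referenced methodology documents) builds a small constructed tree for the goal "read the customer database", finds the attacker's cheapest path, and shows how raising the cost of one leaf, i.e. applying a control, moves that path. Costs and probabilities are made-up illustrative values; a real qTMM analysis would derive them from CVSS and similar scoring.

```python
"""Attack-tree evaluation: cheapest attacker path through AND/OR nodes, and
how a mitigation shifts it. Constructed example; the tree, costs and
probabilities are illustrative values, not measurements."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "AND" (all children needed) or "OR" (any child suffices)
    cost: float = 0.0         # attacker effort for a leaf, arbitrary units
    probability: float = 1.0  # likelihood that a leaf step succeeds
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, float, List[str]]:
    """Return (cost, probability, leaf steps) of the lowest-cost way to reach
    this node. OR picks the cheapest child; AND sums the costs and multiplies
    the probabilities of all children."""
    if node.kind == "leaf":
        return node.cost, node.probability, [node.name]
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        cost = sum(r[0] for r in results)
        prob = 1.0
        for _, p, _ in results:
            prob *= p
        steps = [s for _, _, path in results for s in path]
        return cost, prob, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def find_leaf(node: Node, name: str) -> Optional[Node]:
    """Depth-first lookup of a leaf by name."""
    if node.kind == "leaf":
        return node if node.name == name else None
    for child in node.children:
        found = find_leaf(child, name)
        if found is not None:
            return found
    return None


def apply_mitigation(root: Node, leaf_name: str, cost: float, probability: float) -> bool:
    """Model a control by raising a leaf's cost and lowering its success
    probability. Returns False if no such leaf exists."""
    leaf = find_leaf(root, leaf_name)
    if leaf is None:
        return False
    leaf.cost, leaf.probability = cost, probability
    return True


def build_sample_tree() -> Node:
    """Constructed tree for the goal 'read the customer database'."""
    return Node("Read customer database", "OR", children=[
        Node("SQL injection in search endpoint", cost=2, probability=0.5),
        Node("Act as the administrator", "AND", children=[
            Node("Phish administrator credentials", cost=5, probability=0.3),
            Node("Reuse credentials against VPN without MFA", cost=3, probability=0.8),
        ]),
        Node("Exploit unpatched database server", cost=9, probability=0.2),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print(cheapest_path(tree))   # (2, 0.5, ['SQL injection in search endpoint'])
    # Parameterised queries make the injection leaf expensive and unlikely.
    apply_mitigation(tree, "SQL injection in search endpoint", cost=20, probability=0.05)
    print(cheapest_path(tree))   # (8, 0.24, ['Phish administrator credentials', 'Reuse credentials against VPN without MFA'])
```

The point of re-running the evaluation after a mitigation is that the cheapest path moves rather than disappears: after the injection is fixed, the phishing plus password-reuse chain becomes the path to defend, which is the argument for pairing the tree with a control such as MFA on the VPN in the next iteration.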

Threat Modeling Process Steps

Typically, organizations conduct threat modeling during the design stage of a new application (but it can occur at other stages) to help developers find vulnerabilities and become aware of the security implications of their design, code and configuration decisions. Generally, developers perform threat modeling in four main steps:

  • Diagram. What are we building/Working on?
  • Identify threats. What could go wrong?
  • Mitigate. What are we doing to defend against threats?
  • Validate. Have we acted on each of the previous steps?

The following four-question framework can help to organize threat modeling:

  • What are we working on?  -Assess Scope
  • What can go wrong? - This can be as simple as a brainstorm, or as structured as using STRIDE, Kill Chains, or Attack Trees.
  • What are we going to do about it? - Decide what you’re going to do about each threat. That might be to implement a mitigation, or to apply the accept/transfer/eliminate approaches of risk management.
  • Did we do a good job? - Did you do a good enough job for the system at hand?

A threat modeling session typically consists of the following steps:

  • Pick a use case of your application
  • Draw a Data Flow Diagram of this use case, which shows how data flows through your system and which applications or databases are involved.
  • For each asset passing through your data flow, go through a checklist and discuss potential security risks. Rate each risk (e.g. by likelihood and impact)
  • Discuss and decide what you will do about each risk
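For the "what can go wrong?" step, STRIDE is usually applied per DFD element. The added example below (not from the original post and not Microsoft's tool code) encodes the STRIDE-per-element chart (external entities: S, R; processes: all six; data stores: T, I, D, plus R for stores holding logs; data flows: T, I, D), runs it over a constructed DFD for a login use case, and lists flows that cross a trust boundary first so the session starts where the risk is highest. Element names, trust zones and flows are assumptions made up for the example.

```python
"""STRIDE-per-element threat enumeration over a small data flow diagram (DFD).
Added example with a constructed login use case; not tooling from the post."""
from dataclasses import dataclass
from typing import Dict, List

# STRIDE categories that apply to each DFD element type (STRIDE-per-element chart).
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",   # R is added for stores that hold audit/log data
    "data_flow": "TID",
}
CATEGORY_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str               # a key of STRIDE_PER_ELEMENT other than "data_flow"
    zone: str               # trust zone; a flow between different zones crosses a boundary
    holds_logs: bool = False


@dataclass
class Flow:
    name: str
    src: str                # Element.name
    dst: str                # Element.name


@dataclass
class Dfd:
    elements: Dict[str, Element]
    flows: List[Flow]


@dataclass
class Threat:
    target: str
    category: str
    crosses_boundary: bool


def categories_for(element: Element) -> str:
    cats = STRIDE_PER_ELEMENT[element.kind]
    if element.kind == "data_store" and element.holds_logs:
        cats += "R"   # tampering with or losing logs enables repudiation
    return cats


def enumerate_threats(dfd: Dfd) -> List[Threat]:
    """Produce one candidate threat per (element, applicable STRIDE category),
    with boundary-crossing flows ordered first."""
    threats: List[Threat] = []
    for el in dfd.elements.values():
        for c in categories_for(el):
            threats.append(Threat(el.name, CATEGORY_NAMES[c], False))
    for f in dfd.flows:
        crosses = dfd.elements[f.src].zone != dfd.elements[f.dst].zone
        for c in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f.name, CATEGORY_NAMES[c], crosses))
    threats.sort(key=lambda t: (not t.crosses_boundary, t.target, t.category))
    return threats


def build_login_dfd() -> Dfd:
    """Constructed DFD for a 'user logs in' use case (assumed names and zones)."""
    elements = {
        "Browser": Element("Browser", "external_entity", "internet"),
        "Web application": Element("Web application", "process", "dmz"),
        "User database": Element("User database", "data_store", "internal"),
        "Audit log": Element("Audit log", "data_store", "dmz", holds_logs=True),
    }
    flows = [
        Flow("Login request", "Browser", "Web application"),
        Flow("Credential lookup", "Web application", "User database"),
        Flow("Audit write", "Web application", "Audit log"),
    ]
    return Dfd(elements, flows)


if __name__ == "__main__":
    for t in enumerate_threats(build_login_dfd()):
        flag = "[crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.target:20} {t.category:24} {flag}")
```

The output is the checklist for the discussion, not the threat model itself: each row is a prompt ("can the browser be spoofed on the login request?", "can the audit log be tampered with so a login is repudiated?") that the session either turns into a concrete threat with a likelihood and impact rating or explicitly dismisses with a reason.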

Threat Modeling Tools

Some of the tools available for organizational threat modeling:

  • Microsoft’s free threat modeling tool – the Threat Modeling Tool (formerly SDL Threat Modeling Tool). This tool also utilizes the Microsoft threat modeling methodology, is DFD-based, and identifies threats based on the STRIDE threat classification scheme. It is intended primarily for general use.
  • MyAppSecurity offers the first commercially available threat modeling tool, ThreatModeler. It utilizes the VAST methodology, is PFD-based (process flow diagrams), and identifies threats based on a customizable, comprehensive threat library. It is intended for collaborative use across all organizational stakeholders.
  • IriusRisk offers both a community and a commercial version of its tool. It focuses on the creation and maintenance of a live threat model through the entire SDLC. It drives the process with fully customizable questionnaires and risk pattern libraries, and connects with several other tools (OWASP ZAP, BDD-Security, ThreadFix...) to support automation.
  • securiCAD is a threat modelling and risk management tool by the Scandinavian company foreseeti. It is intended for company cyber security management, from CISO to security engineer to technician. securiCAD runs automated attack simulations against current and future IT architectures, identifies and quantifies risks holistically, including structural vulnerabilities, and provides decision support based on the findings. It is offered in both commercial and community editions.
  • SD Elements by Security Compass is a software security requirements management platform that includes automated threat modeling capabilities. A set of threats is generated by completing a short questionnaire about the technical details and compliance drivers of the application. Countermeasures are included in the form of actionable tasks for developers that can be tracked and managed throughout the entire SDLC.
  • OWASP Application Threat Modeling (the OWASP guidance page)
  • OWASP Threat Dragon: owasp.org/index.php/OWASP_Threat_Dragon

Attack Tree Modeling Tools

Several commercial packages and open source products are available.

Open Source

Commercial

Threat Modeling vs Threat Intelligence:

Threat Modeling vs Vulnerability Assessment

  • Their primary focus: Threats vs vulnerabilities
  • Proactive vs reactive processes
  • Threat intelligence-driven analysis - Both threat modeling and vulnerability assessment use threat intelligence to fuel their processes.
    • Threat modeling can draw on CVSS scores and MITRE ATT&CK TTPs to identify vulnerabilities and threats, and goes a step further to quantify the threats and prioritize ways to remediate them.

Threat Modeling vs Pen Test

The differences between threat modeling and penetration testing:

  • Timing: Threat Modeling is preferably performed during the design phase of the system (although it is never too late to do it). Penetration testing is done during development or at least just prior to release (please don’t release first and then test on production).
  • Objectives: Threat Modeling prevents or manages design flaws from a ‘white box’ perspective. Pentesting tests the actual application’s resilience, usually from a black box perspective.
  • Outcome: Threat Modeling leads to a list of design changes to consider, pentesting generates a list of bug fixes. Both expose risk which begs for risk management measures.

Design flaws are errors in design. They arise from a lack of security requirements (bad design), a lack of secure design knowledge (bad designer). To understand these flaws, you need contextual knowledge. That’s what you learn during a Threat Modeling workshop. Bugs are coding errors. The design might be good, but accidental errors (bad code) or a lack of secure coding practices (bad coders) can lead to vulnerabilities. 

Threat Modeling on its own won’t expose coding errors, and pentesting is a poor way to find design flaws. We need both tools in our toolbox.

Glossary

Some Other Terms:

  • Tactics, Techniques and Procedures (TTPs): TTPs are the “patterns of activities or methods associated with a specific threat actor or group of threat actors.”
  • Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
  • Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models.

The glossary of the known and agreed threat model abbreviations:

  1. STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege (and associated derivations)
  2. PASTA: Process for Attack Simulation and Threat Analysis
  3. LINDDUN: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance
  4. OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
  5. VAST: Visual, Agile, and Simple Threat modeling
  6. hTMM: Hybrid Threat Modeling Method
  7. qTMM: Quantitative Threat Modeling Method
  8. TRIKE: not an acronym; a unified conceptual framework for security auditing from a risk management perspective
  9. Trees: Attack Trees
  10. PnG: Persona non Grata

References

Copyright notice:
Author: 倾城
Link: https://www.techfm.club/p/36731.html
Source: TechFM
The article is copyright of the author; please do not reproduce it without permission.
