Wednesday, October 21, 2015

What is Threat Modeling

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
….. Sun Tzu

Threat is an undesirable situation where a possibility exists that a threat agent or actor can intentionally or unintentionally exploit a vulnerability that exists in a system. The vulnerability can be technical or non-technical. Threat modelling is technique to visualise all such undesirable situations in a single frame in the ecosystem in which the system is supposed to function. In simple terms it is finding “what all can go wrong and why and how”.
Threat modeling is primarily used during systems development to anticipate and neutralize the threats. These threats are mostly technical and solutions expected would be technical. This type of modeling is also called application threat modeling. Microsoft’s STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege) categorization used in SDLC is a popular model which starts off with the requirement of Data Flow Diagram(DFD) of the Application.  This is used by “Microsoft Threat Modeling Tool 2014”. This model can also be used for existing application to address threats in its working environment. Threat modeling will result in a comprehensive document of threat enumeration and analysis with mitigation solutions.
In relation to SDLC (software or system development life cycle), it does not avoid code review but helps in focusing on critical issues so that time and efforts are minimised. Therefore it is a Risk based approach. The process helps in systematically documenting the attack surface. Threat modeling is not a panacea for system compromise attempts and in no way it should be considered as an encouragement to develop complex systems with spaghetti code. In my opinion “KISS” (Keep It Simple Stupid) is the ultimate advice to avoid security problems. Simplicity dramatically reduces the attack surface.

Threat modelling is closely related to attack trees. Attack trees were actually popularised by Bruce Schneier in 1999. However the purposes for which they have evolved are quite different. These two have the following different approaches:

Threat Modelling
  • Application or system oriented. May be asset oriented. Extrapolated from characteristics of systems, their interfaces, connections and flow of data between themThreat modeling is the general term used in such cases and uses DFDs. This process is also termed as Tool assisted code review.
  • Primarily used for risk management during application or system development by enumerating attack surfaces.
Attack Trees
  • Attacks and attacker oriented. Extrapolated from predicted behavior of attackers and the multiple paths they can follow.  Attacker will focus on Intended and unintended behavior of the system. Attack trees, Threat trees or Misuse case or Abuse trees are generally used. In an Attack tree the whole attack process is synthesized and shown as set of possible steps. Attack trees have tree structure with child nodes using AND and OR operators and the parent node being a attackers ultimate goal.
  • Primarily used for risk management of a already deployed and in use application or a system. This can be done on periodical basis whenever there is a significant change in technology or threat landscape.
We all do threat modeling every day for risks associated with our daily activities.  We do it in our own creative way.  Then why do we need these models? These are organized, structured and documented activities.  How useful are these organized activities? Well the chances of some known attacks or compromises would reduce but would not make the system completely attack proof Threat Modeling should be holistic for best results. Brain storming and group discussions should be used over and above the analysis provided by a tool. 

Threat Categorization Frameworks
  • STRIDE - Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege (high level categorisation)
  • DREAD - Damage, Reproducibility, Exploitability, Affected users and Discoverability (Attacker's point of view)
  •  ASF - Application Security Frame
  • CAPEC - Common Attack Pattern Enumeration Classification

Pros and Cons of Threat Modeling.
A systematic and recorded process
Will give a headway
Great for people who just initiated into the security world
A fast method to address known exploitation methods( Attack vectors)

False sense and confidence of having dealt with all possible threats, attack         vectors and vulnerabilities
May limit thinking boundaries and limit free flow of ideas to visualise all possible   bad scenarios 

A simple two tier web application threat modelling using Microsoft’s Threat modelling Tool which is based on STRIDE.

  • Trike framework and tool for risk management 
  • Microsoft Threat Modeling Tool 2014  
  • Seasponge
  • Seamonster  
  • SecurITree by Amenaza  
  • ThreatModeler by MyAppSecurity