Friday, June 23, 2023

Threat modeling -- multiple methods

  • Concerned for threats to your project's intellectual property (IP)?
  • Tasked with a project to shore up the threat resistance of your business, or your client's businesses, to operational denials?
If so, you may benefit from one of the many modelling methods for addressing threats.
SEI at Carnegie Mellon has been looking at this for a number of years. There's a posting on the SEI blog, written a few years ago, that explains a number of methods for threat modeling. 

From that posting, we are told that threat-modeling methods are used to create
  • An abstraction of the system
  • Profiles of potential attackers, including their goals and methods
  • A catalog of potential threats that may arise
One of the threat models among the dozen discussed in the SEI blog posting is PASTA, an acronym for "Process for Attack Simulation and Threat Analysis". 

According to SEI, PASTA aims to bring business objectives and technical requirements together. It uses a variety of design and elicitation tools in different stages. This method elevates the threat-modeling process to a strategic level by involving key decision makers and requiring security input from operations, governance, architecture, and development. 

Process v Asset
Widely regarded as a risk-centric framework, PASTA employs an attacker-centric perspective to produce an asset-centric output in the form of threat enumeration and scoring. This point is important for those who may see that it's not project or corporate assets that are under threat, but rather project or business processes. In that event, a threat modelling method aimed more at processes than assets may be the better choice.

Attack Trees
For instance, 'attack trees' are an older methodology, derived from traditional risk assessment tree methods, that is applicable to process threats. SEI describes attack trees this way: Attack trees are diagrams that depict attacks on a system in tree form. The tree root is the goal for the attack, and the leaves are ways to achieve that goal. Each goal is represented as a separate tree. Thus, the system threat analysis produces a set of attack trees.
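To make the tree structure concrete, here is an added example (not from the SEI posting or this blog) that models one process threat as an attack tree and lists which combinations of leaf events still reach the root goal after mitigations are applied. The AND/OR gates go beyond the root-and-leaves description above but are the usual attack-tree convention; the process, node names and mitigations are constructed for illustration.

```python
from itertools import product

# Constructed tree; all node names are illustrative assumptions.
# A node is a leaf (str) or a tuple: (label, "AND" | "OR", [children]).
TREE = ("order fulfilment halted", "OR", [
    ("order intake unavailable", "AND", [   # both channels must fail
        "web storefront outage",
        "phone order desk outage",
    ]),
    ("shipment release blocked", "OR", [    # either event is enough
        "sole approver unavailable",
        "warehouse system outage",
    ]),
])

def attack_paths(node):
    """Return the minimal sets of leaf events that achieve this node's goal."""
    if isinstance(node, str):
        return [frozenset([node])]
    _label, gate, children = node
    child_paths = [attack_paths(c) for c in children]
    if gate == "OR":       # any single child path reaches the goal
        paths = [p for group in child_paths for p in group]
    elif gate == "AND":    # need one path from every child, combined
        paths = [frozenset().union(*combo) for combo in product(*child_paths)]
    else:
        raise ValueError(f"unknown gate: {gate!r}")
    unique = set(paths)
    # Drop any path that strictly contains another (it is not minimal).
    minimal = [p for p in unique if not any(q < p for q in unique)]
    return sorted(minimal, key=lambda p: (len(p), sorted(p)))

def open_paths(tree, mitigated):
    """A path is closed once any one of its leaves has been mitigated."""
    return [p for p in attack_paths(tree) if not (p & set(mitigated))]

if __name__ == "__main__":
    for path in attack_paths(TREE):
        print(" + ".join(sorted(path)))
    remaining = open_paths(TREE, {"sole approver unavailable"})
    print("still open:", [sorted(p) for p in remaining])
```

Single-leaf paths sort first, which puts single points of failure in the process at the top of the list for mitigation planning.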

Several steps in PASTA
Like many risk management paradigms, PASTA is a process of several steps, beginning with a statement of objectives, and progressing through scope definition, and then into the nitty-gritty of decomposing the target under threat to identify vulnerabilities.

Stepping along through the PASTA process, analysis of the target components may show that there are multiple threat possibilities, wherein one threat may be directed at component A, and another different threat directed at component B. This stage is where the modeling comes in, threat by threat, to ascertain the component response and resilience. 

From the modeling data, and other observations and analysis, the impacts are evaluated and mitigations planned according to traditional risk management ROI assessments.

And there are others
If PASTA doesn't fit your situation, check out the other modelling methods on the SEI blog.
