Thread modelling is a process used to systematically identify potential threats to products, applications or any other system. It helps to figure out the possible vulnerabilities of a system that are most desired by attackers. There is hardly any product which who threat modeling can´t be used. It helps with the security of software, applications, networks, IoT, business processes and many more.
The reasons to use threat modeling are mainly to build secure design and to document threats and mitigations. It helps to identify threats and compliance requirements and to evaluate their risks to the system as well as is helps to efficient invest given resources. An important part is to document the threats and mitigations found.
The methodology mostly always includes a description, design or model of the potential problem, a list of assumptions that can be checked or challenged and of potential threats, a list of actions to be taken against this threats and a way of validating the output and the action taken.
When to perform
It is never to late to perform Threat Modelling actions but the earlier the better. It is to consider that, if the systems architecture isn´t changing, there are no new processes or dataflows and no changes to the data structure than it is unlikely that there will be new threats that are to be considered. But if some of them change, it is useful to examine what could go wrong in the current change. If something has already happened, it is important to have a look again at the system and check the threat models to find out what was going wrong and what was left out.
The four questions
What are we building? This includes the scope of the Threat Model and requires an understanding of the subject to be tested. For that purpose, it can help to have a look at or make yourself a architecture diagram, dataflow transitions or data classifications.
What can go wrong? Manly the research activity to find the main threats that appear to the system or the application. It helps to use a structure to think it through or to brainstorm about the possibilities.
What are we going to do about it? Turn the findings to action using the most fitted method.
Did we a good enough job? Check the quality, feasibility, progress and the planning of the process you developed. If not satisfied, start everything again with a better concept.
STRIDE is the threat modeling methodology from Microsoft that aligns with their Trustworthy Computing directive of January 2002. It mainly helps Microsoft Windows software developers assure the security during the design phase. The goal is that the application meets the CIA (Confidentiality, Integrity and Availability) security properties and as well Authorization, Authentication and Non-Repudiation. The six threat categories are:
- Spoofing identity: assuming or taking on the identity of another person to accomplish a certain goal.
Example: Using another person’s username and password to login.
- Tampering with data: The malicious modification of data.
Example: The unauthorized changes to persistent data and alteration of data in a dataflow.
- Repudiation: Users who deny performing an action without other parties having any way to prove otherwise.
Example: An illegal action of a user in a system without the possibility to trace the operation.
- Information disclosure: The exposure of information to unauthorized individuals.
Example: If a user can read files, he should not have access to or if an attacker can read transit between computers where he is not supposed to.
- Denial of service: A DoS attack denies service to a valid user.
Example: Making a Webserver unavailable by creating a lot of fake requests.
- Elevation of privilege: An unprivileged user gains enough privileged access to destroy the entire system.
Example: An Attacker has effectively penetrated system defense to the point where he becomes part of the trusted system.
OCTAVE stand for “Operationally Critical Threat, Asset and Vulnerability Evaluation and is developed at the Carnegie Mellon University´s Software Engineering Institute (SEI) and is heavy weighted on assessing organizational risks that result from data asset breaches. It was one of the first specifically for cybersecurity developed threat modeling methods. Since it is mostly used in companies, it is normally performed in small teams composed of people from the business unit as well as from the IT department to address the security needs. It is driven by the operational risks more than by the theology risks and allows an organization to direct and manage information security risk assessments, communicate key security information as well as focus on protecting key information and to find the best practice and decisions based on the unique risk of their department and thus provides a highly customizable security option.
There are eight processes that are broken in three (or four with phase 0) phases:
Phase 0: Exploratory phase that determine criteria used.
Phase 1: Develop initial security strategies
Phase 2: Technological view to identify infrastructure vulnerabilities
Phase 3: Risk analysis to develop security strategy and plans
The Trike Threat Modeling is an open source process that provides a risk-based approach and risk modeling processes. It is based on a requirement model which ensures that the assigned levels of risk are acceptable to the stakeholders. This means that the modeling process is focused on satisfying the security auditing process from a cyber management perspective. There are two attack types in the Trike model, an elevation of privilege attack or a denial of service attack and the actions taken are divided into one of four groups called CRUD: Create, Read, Update, Delete. The threats are rated in a rating chart that shows the risk of either attack type to a five-point scale for each CRUD action. Trike starts with the creation of a requirements model and continues with the creation of a DFD, a Data Flow Diagram. From this point on the risk values are assigned to the threats and an attack graph is created. The Trike model requires a view of the entire system, therefore it can be hard to scale it for larger systems.
The P.A.S.T.A. methodology is a new application threat modeling methodology and stands for Process for Attack Simulation and Threat Analysis. It works with a seven step process:
- Define business and security objectives
- Define the technical scope
- Decompose the application
- Threat analysis
- Weakness and Vulnerabilities Analysis
- Attacks/Exploits Enumeration and modeling
- Risk and impact analysis
The steps combine an attacker centric perspective with risk and impact analysis. It combines the business impact, application risk, trust boundaries amongst application components, correlated threats and attack patterns.
The Open Web Application Security Project is a NGO whose aim is to improve the security of software. Their main focus are applications within the World Wide Web, to enable organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. The programm includes:
- Community-led open source software projects
- Over 275 local chapters worldwide
- Tens of thousands of members
- Industry-leading educational and training conferences
OWASP Projects split in two main categories: Development- and Documentationprojects. The documentation project currently consists of:
- OWASP ASVS: threat modeling standard to verify applications
- The Guide: Guidelines for implementing secure webapplications
- Top Ten Most DotNet: Toolkit to improve .net security
- Enigform: Testplatform for OpenPGP-related webprojects
- ESAPI: Free and public methods to secure webapplications
- AntiSamy: Tool to validate user input in webapplications
- XSSer: Automatic system to detect Cross-Site-Scripting vulnerabilities
- Webgoat: Dummy webapplication (e.g. how not to do it)
- WebScarab: Transparent Webproxy
- Mantra Security Workframe: Pentesting Toolkit based on Mozilla Firefox
- OWASP Threat Dragon: Tool to create threat model diagrams
Top 10 Web Application Security Risks
The OWASP Top 10 is a standard awareness document for developers and web application security.
- Injection : SQL, OS or LDAP injection occur when untrusted data is sent to an interpreter. It is possible ot trick the interpreter into executing malicious code.
How to prevent: Usage of safe API's, Whitelists or escaping spezial characters
- Broken authentication : Authentication and session management is often poorly implemented, leading to compromised passwords, keys or session tokens.
How to prevent: Multifactor authentication, no default credentials, weak-password checks, usage of service-side and secure session managers
- Sensitive Data Exposure : Many Applications and APIs do not protect sensitive data, leading to credit card fraud, identify theft or other crimes.
How to prevent: Identify and protect data processing of sensitive data, encryption with secure cipher suites or hash functions, disable caching for sensitive data
- XML Enternal Entities : Poorly configured XML processors evalute external entity references.
How to prevent: Use complex data formats such as JSON, Upgrade old XML processors, use whitelisting or disable XML external entity and DTD processing
- Broken Access Control : Poor restrictions on what authenticated users are allowed to do within an application.
How to prevent: Log access control failures and create admin alerts, rate limit APIs, Deny everything by default, implement access controll mechanisms once and use it throughout the application
- Security Misconfiguration : Most commonly issue. Result of default or incomplete configurations like web- or ftp services.
How to prevent: Minimal plattform - only use what you really need on public systems, review and audit application configurations, use diffrent credentials
- Cross-Site Scripting: Occur whenever an application includes untrusted data without proper validation, leading to defaced websites, redirection to malicious sites or complete hijacking of user sessions.
How to prevent: Use frameworks which escape XSS like React JS, Escaping untrusted HTTP requests, applying context-sensitive encoding
- Insecure Deserialization : Leads to remote code execution, replay and injection attacks or user privilege escalation
How to prevent: Implementing integrity checks, Isolating and running code in low privilege environments, log and monitor deserialization failures and exceptions
- Using Components with Known Vulnerabilities : Libraries, frameworks or other software modules may undermine application defenses and enable various attacks and impacts.
How to prevent: Usage of minimal plattforms, remove unused dependencies, features and components. Only obtain components from official sources over secure links - also check their hashes. Patch regularly.
- Insufficient Logging & Monitoring : Allows attackers to silently operate within hijacked networks or applications.
How to prevent: Log and inform admins about access control failures, use centralized log management solutions, establish an incident response and recovery plan
OWASP Threat Dragon
Threat Dragon is a free and open-source threat modeling application which is available on multiple plattforms including linux and windows. The application can also be used as a web platform. Threat Dragon is capable of:
- designing data flow diagrams
- automatic determining and ranking threats
- suggests mitigations
- entry of mitigations and counter measures
To install it on windows proceed as follows:
- Download and install node.js latest lts version: https://nodejs.org/en/download/
- Download and install git for windows: https://gitforwindows.org/
Open a powershell (with administrator privileges) and run:
cd C:\ git clone https://github.com/mike-goodwin/owasp-threat-dragon-desktop cd .\owasp-threat-dragon-desktop\ npm install
To start the application run:
npm run start
To get familiar with the threat modeling process with Threat Dragon you can open a Demo Model and start to edit it:
- Introducing OCTAVE Allegro:Improving the Information Security Risk Assessment Process"; Richard A. Caralli
- "Real World Threat Modeling Using the PASTA Methodology"; Tony Uceda Valez