Threat Modelling
Summary Notes
The definition of threat modeling is a process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view.
The topic of "Threat Modelling" provoked a great deal of interest from the participants. A few different approaches and perspectives were discussed. The suggestion is that the topic is explored in stages.
- Requirements and Stakeholder management for threat models (Who are we building it for, and what are the agreed objectives for building the model)
- Creating examples of threat models that could be used for specific applications and industry verticals (e.g. ICS for Operation Technology used in the Oil Industry vs/ A threat model for medical devices and healthcare organizations vs/ A threat model examining the resilience of metropolitan transport systems to disruption from attack, etc.)
- An evaluation of Threat modelling methodologies that already exist such as PASTA (Marco Morana); OCTAVE; VAST; and STRIDE and suggestions for an evaluation of various approaches (may also include proposals for new approaches)
- Evaluation of modelling techniques for behavior such as MITRE ATT&CK, Courses of Action (CoA), Indicator enumeration.
- Measuring quality and consistency in threat models.
- Using Threat models to better inform incident management, requirements, drive intelligence outputs and improve detection and preventative controls.
- Using threat models to better identify gaps in detection and response strategies and effective mapping of campaigns to sectors, organizations.
- ISO 27005
Reference: Security techniques — Information security risk management (third edition)
Generic Threat Model Steps (A Quick Start)
Reference: OWASP - Category Threat Modeling - Generic Steps
Before we consider the details of known threat modes and the verticals they apply to, we refine the generic steps used for the basics of threat modeling. We can also recommend these basic steps as a good practice for entities that do not currently employ threat modeling.
1. Assessment Scope: It's to understand what's on the line. The checkpoints breakdown are identifying assets, understanding the capabilities provided by the application and valuing them. then examining less concrete things to measure like reputation and goodwill. From these checkpoints we can define the critical points as output of the assessment.
2. Threat Agents and Attacks definition: A key part of the threat model to define the different groups of people who might be able to attack your system, including insiders and outsiders, performing both inadvertent mistakes, malicious attacks and consequential impact for risk of leaks of data breach.
3. Understand the Countermeasures: Any model must include the existing countermeasures, we can not just define the (1) and (2) above flawless as per it is without a plan to improve it.
4. Identify exploitable vulnerabilities: After understanding the security measures in our systems , we can analyze new possible vulnerabilities as research. The research is for vulnerabilities that connect the possible attacks and negative consequences we've identified.
5. Prioritized identified risks: Prioritization is everything in threat modeling, as there are always lots of risks that simply don't rate any attention. We can estimate the number of likelihood for each threat and study its impact factors to determine an overall risk or severity level.
6. Work on plans to reduce threat: The last step is to identify countermeasures to reduce the risk to acceptable levels, by using results steps from 1 - 5 above.
Known Threat Models
Overview format:
- Summary of the model
- What are the key indicators scored
- Strong sides
- Omissions, deficiencies of the model
- How specific its application should be (e.g. is it only software, industry etc.)
Reference: Threat Modeling: 12 Available Methods
Understanding the existing Threat Modeling methods is also important to refine the best method fits to our organization. In this part we would like to summarize the ten methods of threat-modeling: (we had eliminated CVSS and Cards from the list)
The Glossary of the known and agreed Threat Models’ abbreviations:
| no |
Model |
Abbreviation Description |
| 1 |
STRIDE |
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and Associated Derivations |
| 2 |
PASTA |
The Process for Attack Simulation and Threat Analysis |
| 3 |
LINDDUN |
Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, Noncompliance) method |
| 4 |
OCTAVE |
Operationally Critical Threat, Asset, and Vulnerability Evaluation |
| 5 |
VAST |
Visual, Agile, and Simple Threat Modeling |
| 6 |
hTMM |
Hybrid Threat Modeling Method |
| 7 |
qTMM |
Quantitative Threat Modeling Method |
| 8 |
TRIKE |
Abbreviation is unknown, unified conceptual framework for security auditing automated concept from a risk management perspective |
| 9 |
Trees |
Attack Trees |
| 10 |
PnG |
Persona non Grata |
Table 1
Each models described above (10 agreed Models) can be summarized into simple description based on their focus (or perspective) and portability strength:
| no |
Model |
Focus/perspective and implementation postability points |
| 1 |
STRIDE |
is specifically designed to focus on IT related threat |
| 2 |
PASTA |
is a widely used & adaptable applicable model, with threat simulation, focusing on Risks Centric methodology.
Reference: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis |
| 3 |
LINDDUN |
is focused more on Data and Privacy related model |
| 4 |
OCTAVE |
is focused on Risk Management and organization related impact |
| 5 |
VAST |
scales threat modeling process across infrastructure & is focused on attacker |
| 6 |
TRIKE |
is a unified conceptual framework for security auditing from a risk management perspective, required a steady repeatable assessment model, is focused on Risks Measurement on calculating its stakeholders components (assets, roles, actions, risk exposure)
Reference: 8) Trike v.1 Methodology Document [Draft] |
| 7 |
hTMM |
A hybrid type threat model which is focused on Attacker/Defender models, melds features of: Security Cards, Persona non Grata, and STRIDE |
| 8 |
qTMM |
A quantitative type threat model which is focused on Attacker/Defender models, melds features of Attack Trees, STRIDE, and CVSS |
| 9 |
(Attack) Trees |
is focused on Attacker’s scheme, works in any steady implemented production/business/process scheme, that is developed further to become the killchain nowadays |
| 10 |
PnG |
(Persona non Grata) has focused on attacks that represent archetypal personnels who behave in unwanted behaviors. Works perfectly to measure insider threat assessments |
Table 2
Sectors and Infrastructure (Verticals) Implementation for the Threat Models
The implementation of the threat models in for every Sectors and Infrastructures (further is called as “Verticals”) in our industrial scheme is different from one to another. In this chapter we will discuss what the Verticals we talked about and how it is correlated to the known Threat model in this discussion.
We will simulate a simple weight-matrix to make better visualization of which threat model methods are best applied to each vertical (applicability measures). For this purpose we will make several conventions to measure the weights and to simplify the items.
Below is the table to list up the Verticals categories we deducted in CTI meeting, and let’s simplify its names into “codes” for the matrix measurement purpose.
| No |
Vertical (Sectors/Infrastructure) |
Code |
| 1 |
Oil and Gas |
OGS |
| 2 |
Power Supply |
POW |
| 3 |
Chemical |
CHE |
| 4 |
Health / Pharma |
HPH |
| 5 |
Manufacture (Industry) |
MAN |
| 6 |
Energy |
ENE |
| 7 |
Water |
WAT |
| 8 |
Financial Services |
FIN |
| 9 |
Communications/Telecommunication |
COM |
| 10 |
Internet |
INT |
| 11 |
Insurance (Actuarial) |
INS |
| 12 |
Education |
EDU |
| 13 |
News/Media/TV/Radio |
NWS |
| 14 |
Gaming |
GAM |
| 15 |
Entertainment |
ENT |
| 16 |
Transportation and Logistics |
TL |
| 17 |
Agriculture |
AGC |
Table 3
As the weight values indicator on this matrix, the following scoring scheme table is used to each threat model’s applicability for per verticals.
| Score |
Definition |
| 0 |
Not applicable |
| 1 |
Minimum usability and applied only when other additional factors than- OT/production/process (non IT scope) is needed |
| 2 |
IT (cyber or inter/intra-net) as extension capability to the OT/production/process made a model implementation is applicable |
| 3 |
Very much applicable |
Table 4
The weight-matrix is as per shown in the following table
| No |
Verts. |
STRIDE |
PASTA |
LIND DUN |
OCTAVE |
VAST |
Trike |
hTMM |
qTMM |
Trees |
PnG |
| 1 |
OGS |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| 2 |
POW |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| 3 |
CHE |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| 4 |
HPH |
1 |
3 |
2 |
2 |
2 |
3 |
2 |
2 |
3 |
3 |
| 5 |
MAN |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| 6 |
ENE |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| 7 |
WAT |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| 8 |
FIN |
2 |
3 |
3 |
2 |
3 |
3 |
3 |
3 |
2 |
3 |
| 9 |
COM |
2 |
3 |
2 |
2 |
2 |
3 |
2 |
3 |
2 |
3 |
| 10 |
INT |
3 |
3 |
3 |
3 |
3 |
3 |
2 |
3 |
2 |
2 |
| 11 |
INS |
2 |
3 |
3 |
3 |
3 |
3 |
3 |
3 |
2 |
3 |
| 12 |
EDU |
2 |
3 |
3 |
2 |
2 |
3 |
3 |
3 |
2 |
2 |
| 13 |
NWS |
3 |
3 |
2 |
3 |
3 |
3 |
3 |
3 |
2 |
2 |
| 14 |
GAM |
2 |
3 |
3 |
3 |
2 |
3 |
2 |
2 |
3 |
3 |
| 15 |
ENT |
1 |
3 |
3 |
3 |
3 |
3 |
2 |
2 |
2 |
3 |
| 16 |
TL |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| 17 |
AG |
1 |
3 |
2 |
2 |
1 |
3 |
2 |
2 |
3 |
3 |
| Total |
All |
24 |
45 |
36 |
35 |
30 |
45 |
34 |
36 |
38 |
42 |
Table 5
Matrix explanation:
- Each column describes the Threat Model’s usability weight value (Table 4), that in the end will be summed up. Each row is describing the Vertical’s (Table 3) usability weight for each Threat Model to sum.
- The matrix shows the definition of models (Table 2) versus their usability to verticals (Table3). Some threat models have specific characteristics that are designed to support specific verticals only. For example STRIDE is primarily intended to identify computer security threats and underperforms for scenarios such as operational technology (OT) and automation. This explains why STRIDE has low scores on OT related verticals and high scores in IT related ones.
- However when STRIDE is combined with other approaches, for instance Security Cards or Persona non Grata (as in the hybrid model (hTMM)), or combined with Attack Trees with CVSS scores (qTMM) the reach expands. This explains why models that only cover IT fields are improving their reach to become more usable in non-IT verticals. Hence hTMM and qTMM have larger scores for OT-related verticals.
- There are verticals that can adopt any kind of threat model due to their wide risk coverage, attack definition, stakeholders for critical damage and wide range of threats. As an example, Insurance, Financial or Media can utilise a wide range of threat models with high applicability. This explains why they have a high score across different threat models.
- ICS related industry verticals such as Oil and Gas, Power, Chemical, Pharmaceutical, Manufacturing, Water, Energy and to some degree Transportation have a similar pattern for models that fit them. The nature of their processes rely on automation and industrial control that fit with similar threat models.
Conclusion of the matrix:
- The most applicable threat models for Verticals listed in the matrix are PASTA and TRIKE.
- The verticals that are used most of the threat models are Insurance, followed by Financial and Internet.
Further Reference on Threat Model Measurements on Multiple Criteria
Other threat model comparison matrix exists also for better comprehension in their implementation on Cyber Security. There is a good reference that can be used for further measurement on strength, usability, applicability, portability, maturity and more criteria.
Reference: 6) Evaluating Threat-Modeling Methods for Cyber-Physical Systems
Reference
Direct References:
