Threat Modelling
Understanding what can go wrong with a system: its potential vulnerabilities, threats, breaches and attacks
Threat modelling steps
1. Enumerate your assets
- What assets and resources need to be protected
2. Determine the possible threats to the system
- Try to predict who the potential attackers against a particular asset are and which known attacks they could use
3. Perform risk assessment
Risk assessment starts by measuring the
- impact of an event (natural or human)
- probability of an event occurring (natural or human)
- probability of a threat actor taking advantage of a vulnerability
Risk assessment looks at
Total asset value (ex: 100 000$)
Single loss expectancy (ex: 50 000$, i.e. an exposure factor of 50% of the asset value)
The annualized rate of occurrence (ex: 10%, i.e. about once every ten years)
Annualized loss expectancy = Single loss expectancy * Annualized rate of occurrence (ex: 50 000$ * 0.1 = 5 000$)
The annualized cost of the security mechanism (ex: 2 000$); a countermeasure is worth deploying when the annualized loss it prevents exceeds its annual cost, as here (2 000$ a year to remove an expected 5 000$ a year of loss)
Some terms to remember
- Exposure Factor (EF)
- Percentage of asset loss caused by the identified threat
- Single Loss Expectancy (SLE)
- Asset Value x Exposure Factor
- Annualized Rate of Occurrence (ARO)
- The estimated frequency with which a threat will occur within a year
- Annualized Loss Expectancy (ALE)
- Single Loss Expectancy x Annualized Rate of Occurrence
Taxonomy (A system of classification)
- Asset - An asset is anything that has value
- Vulnerability - A weakness that can be exploited
- Threat - A potential event or action that could exploit a vulnerability and cause loss or harm to an asset
- Attacker - The threat actor (person or group) who carries out a threat against an asset
- Countermeasures - Countermeasures are designed to reduce or eliminate vulnerabilities that might come under threat
Quantitative approach
What are the expected losses for all successful potential known attacks?
- Pros:
- Objective, independent process
- Credibility for audit, management (especially corporate management)
- A solid basis for evaluating the cost/benefit of countermeasures
- Quantitative risk assessment is the basis for insurance, risk-managed portfolios, etc.
- Cons:
- In most cases, it's difficult to enumerate all types of events and get meaningful data on probability and impact
- Very time consuming, and costly to do right
- Precise-looking figures built on many unknowns may give a false sense of control
- Not reliable for "rare" events or "unthinkable" impacts
Qualitative approach
More subjective: instead of dollar figures, we categorize the likelihood and impact of each risk we're undertaking on a ranking such as low / medium / high
4. Perform risk management
- Transferring the risk (Passing the risk we own to a third party, ex: insurance or an outsourced provider)
- Mitigating the risk (Applying countermeasures that reduce the likelihood or the impact of the event)
- Removing the risk (Avoiding it altogether, ex: retiring the asset or not carrying out the activity that exposes it)
- Accepting the risk (We're not going to do much about it but we're still going to monitor it)
Threat Modelling Tools
Threat Tree
Threat trees can be used to calculate risk for any asset
- We start with an abstract threat, and then carefully refine its description with gradual iterations
Begin by asking questions like:
- Who are my potential adversaries?
- What are their goals?
- Why would they want to attack my organization's network?
- What kind of inside information might they have?
- How much funding do they have?
- Are they averse to risk?
By applying boolean logic, the relationship between threats can be conjunctive (AND) or disjunctive (OR)
- As decisions are made at the leaves, the boolean labels are promoted upward from node to node
Threat Matrix
A threat matrix is another tool that allows us to model and subjectively categorize potential threats by applying a structured ranking process
- Values across the x-axis can vary
- Threats can be ranked from low to severe (low, guarded, elevated, high, severe)
Attack Tree
An attack tree is
- a brainstorming tool to visualize the security posture of a system and organize ideas about how attackers might attack
- a mind-mapping technique to help identify the most vulnerable areas of your system and determine where to apply resources
- a method to build a database that describes the security state of your system
Attack Trees Components
- Attack trees contain a root node at the top of the tree which is the goal of the attack; as you progress down through the branches the nodes become more concrete, and the leaf nodes represent the individual attacks themselves
- The children of a node represent either different possible ways of achieving that node's goal (an OR node) or the different steps that must all be taken together to achieve one outcome (an AND node); assume a node is an OR node unless it's marked as an AND node
Attack Trees With Boolean Values
Any Boolean value (ex: possible / impossible, or requires special equipment / doesn't) can be assigned to a leaf node and then propagated up the tree structure
- Parent nodes inherit the value of their children: an OR node is possible if any of its children is possible, an AND node only if all of its children are
Attack Trees With Continuous Node Values
- A cost is assigned to each leaf attack in the tree
- The most likely attack in a tree is the cheapest one that requires no special equipment
- Parent nodes inherit the value of their children, so continuous node values ($$$) propagate upwards
- OR nodes inherit the value of their cheapest child
- AND nodes inherit the sum of their children's values
Building an Attack Tree
Identify
- Each attack goal forms the root of a separate attack tree
Imagine
- Add possible attack nodes to the tree and repeat this process all the way down until you can't think of any more possibilities
Collaborate
- Pass your tree to a colleague and ask them to think about the process and imagine their own attack nodes
Research & Revise
- Node values will change over time and attack trees inevitably require regular revision (They're valuable resources because they capture scalable knowledge in a reusable form)
Determine System Vulnerabilities
- Use the attack tree to list the security assumptions of your system, recalculate nodes based on new information, compare and rank attack scenarios
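The propagation rules above (Boolean values and costs at OR and AND nodes) and the build, revise and rank steps, put into code. This is an added example and not part of the original notes: the tree, its node names and its dollar costs are constructed for illustration, and the `set_leaf` revision helper and the scenario enumeration are additions of this example rather than anything the notes describe.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One node of an attack tree. Interior nodes are OR by default (any child
    achieves the goal) unless marked AND (every child is needed). Leaves carry
    the attack's Boolean feasibility and its cost in dollars."""
    name: str
    kind: str = "OR"
    children: List["Node"] = field(default_factory=list)
    possible: bool = True
    cost: float = 0.0

    def is_leaf(self) -> bool:
        return not self.children


def feasible(node: Node) -> bool:
    """Boolean propagation: OR is feasible if any child is, AND only if all are."""
    if node.is_leaf():
        return node.possible
    values = [feasible(c) for c in node.children]
    return all(values) if node.kind == "AND" else any(values)


def cheapest_cost(node: Node) -> float:
    """Cost propagation: OR inherits its cheapest child, AND the sum of its children.
    An infeasible leaf costs infinity, so an impossible AND branch never wins."""
    if node.is_leaf():
        return node.cost if node.possible else math.inf
    costs = [cheapest_cost(c) for c in node.children]
    return sum(costs) if node.kind == "AND" else min(costs)


def scenarios(node: Node) -> List[Tuple[float, List[str]]]:
    """Enumerate every complete attack scenario as (total cost, leaf names).
    OR unions its children's scenarios; AND combines one scenario from each child."""
    if node.is_leaf():
        return [(node.cost, [node.name])] if node.possible else []
    if node.kind == "OR":
        return [s for c in node.children for s in scenarios(c)]
    combos: List[Tuple[float, List[str]]] = [(0.0, [])]
    for c in node.children:  # an infeasible child empties the product
        combos = [(cost + sc, leaves + sl)
                  for cost, leaves in combos for sc, sl in scenarios(c)]
    return combos


def ranked_scenarios(node: Node) -> List[Tuple[float, List[str]]]:
    """Cheapest scenario first: the ranking the 'determine vulnerabilities' step asks for."""
    return sorted(scenarios(node), key=lambda s: s[0])


def set_leaf(node: Node, name: str, possible: Optional[bool] = None,
             cost: Optional[float] = None) -> bool:
    """Revise one leaf after new information or a countermeasure; True if it was found."""
    if node.is_leaf():
        if node.name != name:
            return False
        if possible is not None:
            node.possible = possible
        if cost is not None:
            node.cost = cost
        return True
    return any(set_leaf(c, name, possible, cost) for c in node.children)


def build_tree() -> Node:
    """Constructed, hypothetical tree for the goal 'read the customer database'.
    Names and dollar costs are illustrative only (not from the original notes)."""
    return Node("Read the customer database", children=[
        Node("Exploit the web application", kind="AND", children=[
            Node("Find an SQL injection", cost=500),
            Node("Exfiltrate rows through the app", cost=100),
        ]),
        Node("Steal a DBA credential", children=[
            Node("Phish the DBA", cost=200),
            Node("Bribe the DBA", cost=20_000),
        ]),
        Node("Steal the server", kind="AND", children=[
            Node("Break into the data centre", cost=5_000),
            # Full-disk encryption is assumed unbroken: this leaf is infeasible,
            # which makes the whole AND branch infeasible.
            Node("Defeat full-disk encryption", possible=False),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("feasible:", feasible(tree), " cheapest: $", cheapest_cost(tree))
    for cost, leaves in ranked_scenarios(tree):
        print(f"  ${cost:>8,.0f}  {' AND '.join(leaves)}")
    # Research & revise: phishing-resistant MFA removes the phishing leaf;
    # recalculating moves the cheapest attack to the SQL injection branch.
    set_leaf(tree, "Phish the DBA", possible=False)
    print("after MFA, cheapest: $", cheapest_cost(tree))
```

Running it prints the three feasible scenarios (the physical-theft branch contributes none because one of its AND children is impossible), then shows how a single revised leaf changes the cheapest path from 200$ (phishing) to 600$ (SQL injection plus exfiltration). Re-running the ranking after every revision is the "recalculate nodes based on new information" step above.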
Security Mindset
- First, we want to understand the vulnerabilities in the system and how it can be attacked.
- Then, we can understand how the system can be defended.
- Finally, we ask if the cost of the defence is even worth it.