Threat modeling is a process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized, all from a hypothetical attacker's point of view.
The topic of "Threat Modelling" provoked a great deal of interest from the participants. A few different approaches and perspectives were discussed. The suggestion is that the topic is explored in stages.
Reference: OWASP - Category Threat Modeling - Generic Steps
Before we consider the details of known threat models and the verticals they apply to, we refine the generic steps that form the basics of threat modeling. We also recommend these basic steps as good practice for entities that do not currently employ threat modeling.
1. Assessment Scope: Understand what is on the line. The checkpoints are identifying assets, understanding the capabilities provided by the application and valuing them, then examining things that are less concrete to measure, such as reputation and goodwill. From these checkpoints we can define the critical points as the output of the assessment.
2. Threat Agents and Attacks definition: A key part of the threat model is to define the different groups of people who might be able to attack your system, including insiders and outsiders, covering both inadvertent mistakes and malicious attacks, and the consequential impact, such as the risk of data leaks or a data breach.
3. Understand the Countermeasures: Any model must include the existing countermeasures; we cannot simply take (1) and (2) above as they stand, as if flawless, without a plan to improve them.
4. Identify exploitable vulnerabilities: After understanding the security measures in our systems, we can research possible new vulnerabilities. The research looks for vulnerabilities that connect the possible attacks to the negative consequences we have identified.
5. Prioritize identified risks: Prioritization is everything in threat modeling, as there are always lots of risks that simply don't rate any attention. We can estimate the likelihood of each threat and study its impact factors to determine an overall risk or severity level.
6. Work on plans to reduce threats: The last step is to identify countermeasures that reduce the risk to acceptable levels, using the results of steps 1 - 5 above.
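The six steps above, carried through as a small risk register. This is an added example, not part of the original notes; the assets, attacks, 1 to 5 scales, acceptance threshold and likelihood reductions are all constructed assumptions.

```python
from dataclasses import dataclass, field

ACCEPTABLE = 6  # assumed risk-acceptance threshold on a 1..25 scale

@dataclass
class Threat:
    asset: str          # step 1: what is on the line
    impact: int         # step 1: asset value 1..5, reputation and goodwill included
    agent: str          # step 2: insider/outsider, inadvertent/malicious
    attack: str         # step 2
    existing: list      # step 3: countermeasures already in place
    vulnerability: str  # step 4: weakness linking the attack to the consequence
    likelihood: int     # step 5: 1..5, estimated with existing controls in place
    candidates: dict = field(default_factory=dict)  # step 6: control -> likelihood cut

    @property
    def risk(self):
        return self.likelihood * self.impact

def plan(t):
    """Step 6: add candidate controls, largest reduction first, until acceptable."""
    likelihood, chosen = t.likelihood, []
    for name, cut in sorted(t.candidates.items(), key=lambda kv: -kv[1]):
        if likelihood * t.impact <= ACCEPTABLE:
            break
        likelihood = max(1, likelihood - cut)
        chosen.append(name)
    return chosen, likelihood * t.impact

def report(threats):
    """Step 5 ordering (highest risk first), then the step 6 outcome per threat."""
    rows = []
    for t in sorted(threats, key=lambda t: t.risk, reverse=True):
        chosen, residual = ([], t.risk) if t.risk <= ACCEPTABLE else plan(t)
        status = "accept" if t.risk <= ACCEPTABLE else "reduced" if residual <= ACCEPTABLE else "escalate"
        rows.append((t.attack, t.risk, chosen, residual, status))
    return rows

THREATS = [  # constructed sample register, not from the original page
    Threat("public status page", 2, "outsider, malicious", "page defacement",
           ["MFA on publishing account"], "shared publishing credential", 2),
    Threat("customer database", 5, "outsider, malicious", "SQL injection in order search",
           ["WAF"], "string-built query", 4, {"least-privilege DB account": 1, "parameterized queries": 3}),
    Threat("payroll export", 4, "insider, inadvertent", "export mailed to wrong recipient",
           ["DLP warning banner"], "no recipient allow-list", 3, {"recipient allow-list": 1}),
]

if __name__ == "__main__":
    print(*report(THREATS), sep="\n")
```

A threat whose residual risk stays above the threshold after every candidate control is marked `escalate`, which is the case where step 6 has to go back to steps 3 and 4 for further countermeasures.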
Reference: Threat Modeling: 12 Available Methods
Understanding the existing threat modeling methods is also important for selecting the method that best fits our organization. In this part we summarize ten threat modeling methods (we eliminated CVSS and Cards from the list).
Glossary of the known and agreed threat model abbreviations:
|1||STRIDE||(Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and Associated Derivations|
|2||PASTA||The Process for Attack Simulation and Threat Analysis|
|3||LINDDUN||(Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, Noncompliance) method|
|4||OCTAVE||Operationally Critical Threat, Asset, and Vulnerability Evaluation|
|5||VAST||Visual, Agile, and Simple Threat Modeling|
|6||hTMM||Hybrid Threat Modeling Method|
|7||qTMM||Quantitative Threat Modeling Method|
|8||TRIKE||Abbreviation is unknown; a unified conceptual framework for security auditing, with an automated concept, from a risk management perspective|
|10||PnG||Persona non Grata|
Each of the models described above (the 10 agreed models) can be summarized in a simple description based on its focus (or perspective) and portability strength:
|no||Model||Focus/perspective and implementation portability points|
|1||STRIDE||is specifically designed to focus on IT-related threats|
|2||PASTA||is a widely used and adaptable model, with threat simulation, focusing on a risk-centric methodology. Reference: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis|
|3||LINDDUN||is focused more on data and privacy|
|4||OCTAVE||is focused on risk management and organization-related impact|
|5||VAST||scales the threat modeling process across infrastructure and is focused on the attacker|
|6||TRIKE||is a unified conceptual framework for security auditing from a risk management perspective; it requires a steady, repeatable assessment model and is focused on risk measurement, calculated from its stakeholder components (assets, roles, actions, risk exposure). Reference: 8) Trike v.1 Methodology Document [Draft]|
|7||hTMM||A hybrid threat model focused on attacker/defender models; melds features of Security Cards, Persona non Grata, and STRIDE|
|8||qTMM||A quantitative threat model focused on attacker/defender models; melds features of Attack Trees, STRIDE, and CVSS|
|9||(Attack) Trees||is focused on the attacker's scheme, works in any steadily implemented production/business/process scheme, and has since been developed further into today's kill chain|
|10||PnG||(Persona non Grata) focuses on attacks represented by archetypal personas who behave in unwanted ways. Works perfectly for insider threat assessments|
The implementation of the threat models differs from one sector or infrastructure (hereafter called a "Vertical") to another in our industrial scheme. In this chapter we discuss the Verticals we talked about and how they correlate to the known threat models in this discussion.
We will build a simple weight matrix to better visualize which threat modeling methods are best applied to each vertical (applicability measures). For this purpose we adopt several conventions for measuring the weights and simplifying the items.
The table below lists the Vertical categories we deduced in the CTI meeting, with their names simplified into "codes" for use in the matrix.
|1||Oil and Gas||OGS|
|4||Health / Pharma||HPH|
|16||Transportation and Logistics||TL|
As the weight indicator in this matrix, the following scoring scheme is used to rate each threat model's applicability per vertical.
|1||Minimum usability; applied only when additional factors other than OT/production/process (non-IT scope) are needed|
|2||IT (cyber or inter/intranet) as an extension capability to the OT/production/process makes a model implementation applicable|
|3||Very much applicable|
The weight matrix is shown in the following table:
Conclusion of the matrix:
Further Reference on Threat Model Measurements on Multiple Criteria
Other threat model comparison matrices also exist and give a better understanding of how the models are implemented in cyber security. There is a good reference that can be used for further measurement of strength, usability, applicability, portability, maturity and more criteria.
Reference: 6) Evaluating Threat-Modeling Methods for Cyber-Physical Systems