Threat Modelling

Summary Notes

The definition of threat modeling is a process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view.

The topic of "Threat Modelling" provoked a great deal of interest from the participants. A few different approaches and perspectives were discussed. The suggestion is that the topic is explored in stages.

Generic Threat Model Steps (A Quick Start)

Reference: OWASP - Category Threat Modeling - Generic Steps

Before we consider the details of known threat modes and the verticals they apply to, we refine the generic steps used for the basics of threat modeling. We can also recommend these basic steps as a good practice for entities that do not currently employ threat modeling.

1. Assessment Scope: It's to understand what's on the line. The checkpoints breakdown are identifying assets, understanding the capabilities provided by the application and valuing them. then examining less concrete things to measure like reputation and goodwill. From these checkpoints we can define the critical points as output of the assessment.

2. Threat Agents and Attacks definition: A key part of the threat model to define the different groups of people who might be able to attack your system, including insiders and outsiders, performing both inadvertent mistakes, malicious attacks and consequential impact for risk of leaks of data breach.

3. Understand the Countermeasures: Any model must include the existing countermeasures, we can not just define the (1) and (2) above flawless as per it is without a plan to improve it.

4. Identify exploitable vulnerabilities: After understanding the security measures in our systems , we can analyze new possible vulnerabilities as research. The research is for vulnerabilities that connect the possible attacks and negative consequences we've identified.

5. Prioritized identified risks: Prioritization is everything in threat modeling, as there are always lots of risks that simply don't rate any attention. We can estimate the number of likelihood for each threat and study its impact factors to determine an overall risk or severity level.

6. Work on plans to reduce threat: The last step is to identify countermeasures to reduce the risk to acceptable levels, by using results steps from 1 - 5 above.

Known Threat Models

Overview format:

Reference: Threat Modeling: 12 Available Methods

Understanding the existing Threat Modeling methods is also important to refine the best method fits to our organization. In this part we would like to summarize the ten methods of threat-modeling: (we had eliminated CVSS and Cards from the list)

The Glossary of the known and agreed Threat Models’ abbreviations:

no Model Abbreviation Description
1 STRIDE Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and Associated Derivations
2 PASTA The Process for Attack Simulation and Threat Analysis
3 LINDDUN Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, Noncompliance) method
4 OCTAVE Operationally Critical Threat, Asset, and Vulnerability Evaluation
5 VAST Visual, Agile, and Simple Threat Modeling
6 hTMM Hybrid Threat Modeling Method
7 qTMM Quantitative Threat Modeling Method
8 TRIKE Abbreviation is unknown, unified conceptual framework for security auditing automated concept from a risk management perspective
9 Trees Attack Trees
10 PnG Persona non Grata

Table 1

Each models described above (10 agreed Models) can be summarized into simple description based on their focus (or perspective) and portability strength:

no Model Focus/perspective and implementation postability points
1 STRIDE is specifically designed to focus on IT related threat
2 PASTA is a widely used & adaptable applicable model, with threat simulation, focusing on Risks Centric methodology.
Reference: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
3 LINDDUN is focused more on Data and Privacy related model
4 OCTAVE is focused on Risk Management and organization related impact
5 VAST scales threat modeling process across infrastructure & is focused on attacker
6 TRIKE is a unified conceptual framework for security auditing from a risk management perspective, required a steady repeatable assessment model, is focused on Risks Measurement on calculating its stakeholders components (assets, roles, actions, risk exposure)
Reference: 8) Trike v.1 Methodology Document [Draft]
7 hTMM A hybrid type threat model which is focused on Attacker/Defender models, melds features of: Security Cards, Persona non Grata, and STRIDE
8 qTMM A quantitative type threat model which is focused on Attacker/Defender models, melds features of Attack Trees, STRIDE, and CVSS
9 (Attack) Trees is focused on Attacker’s scheme, works in any steady implemented production/business/process scheme, that is developed further to become the killchain nowadays
10 PnG (Persona non Grata) has focused on attacks that represent archetypal personnels who behave in unwanted behaviors. Works perfectly to measure insider threat assessments

Table 2

Sectors and Infrastructure (Verticals) Implementation for the Threat Models

The implementation of the threat models in for every Sectors and Infrastructures (further is called as “Verticals”) in our industrial scheme is different from one to another. In this chapter we will discuss what the Verticals we talked about and how it is correlated to the known Threat model in this discussion.

We will simulate a simple weight-matrix to make better visualization of which threat model methods are best applied to each vertical (applicability measures). For this purpose we will make several conventions to measure the weights and to simplify the items.

Below is the table to list up the Verticals categories we deducted in CTI meeting, and let’s simplify its names into “codes” for the matrix measurement purpose.

No Vertical (Sectors/Infrastructure) Code
1 Oil and Gas OGS
2 Power Supply POW
3 Chemical CHE
4 Health / Pharma HPH
5 Manufacture (Industry) MAN
6 Energy ENE
7 Water WAT
8 Financial Services FIN
9 Communications/Telecommunication COM
10 Internet INT
11 Insurance (Actuarial) INS
12 Education EDU
13 News/Media/TV/Radio NWS
14 Gaming GAM
15 Entertainment ENT
16 Transportation and Logistics TL
17 Agriculture AGC

Table 3

As the weight values indicator on this matrix, the following scoring scheme table is used to each threat model’s applicability for per verticals.

Score Definition
0 Not applicable
1 Minimum usability and applied only when other additional factors than- OT/production/process (non IT scope) is needed
2 IT (cyber or inter/intra-net) as extension capability to the OT/production/process made a model implementation is applicable
3 Very much applicable

Table 4

The weight-matrix is as per shown in the following table

1 OGS 1 3 2 2 1 3 2 2 3 3
2 POW 1 3 2 2 1 3 2 2 3 3
3 CHE 1 3 2 2 1 3 2 2 3 3
4 HPH 1 3 2 2 2 3 2 2 3 3
5 MAN 1 3 2 2 1 3 2 2 3 3
6 ENE 1 3 2 2 1 3 2 2 3 3
7 WAT 1 3 2 2 1 3 2 2 3 3
8 FIN 2 3 3 2 3 3 3 3 2 3
9 COM 2 3 2 2 2 3 2 3 2 3
10 INT 3 3 3 3 3 3 2 3 2 2
11 INS 2 3 3 3 3 3 3 3 2 3
12 EDU 2 3 3 2 2 3 3 3 2 2
13 NWS 3 3 2 3 3 3 3 3 2 2
14 GAM 2 3 3 3 2 3 2 2 3 3
15 ENT 1 3 3 3 3 3 2 2 2 3
16 TL 1 3 2 2 1 3 2 2 3 3
17 AG 1 3 2 2 1 3 2 2 3 3
Total All 24 45 36 35 30 45 34 36 38 42

Table 5

Matrix explanation:

Conclusion of the matrix:

  1. The most applicable threat models for Verticals listed in the matrix are PASTA and TRIKE.
  2. The verticals that are used most of the threat models are Insurance, followed by Financial and Internet.

Further Reference on Threat Model Measurements on Multiple Criteria

Other threat model comparison matrix exists also for better comprehension in their implementation on Cyber Security. There is a good reference that can be used for further measurement on strength, usability, applicability, portability, maturity and more criteria.
Reference: 6) Evaluating Threat-Modeling Methods for Cyber-Physical Systems


Direct References: