For those who have been reading a while, you may know that this is the sixth article in a series which I originally planned to cover a year’s worth of topics.
I hope you have found these articles interesting, relevant, and useful (if you have, please let the great team at Circuit Magazine know). If there are also any other topics in cyber you would like to see covered, please let them know as well.
This article focuses on threat modelling. Threat modelling is widely in use, whether knowingly or not, across every walk of life – and has been used since time immemorial to prioritise security defences. The only difference between the well-known risk assessments carried out by everyone and threat modelling in cyber security is the attempt to document and systemise it. I am hoping that this idea of formal threat modelling will be a useful tool for you to use in your future arsenal of available resources as a CP operator.
Seeing the Trees for the Forest
The first, and in some ways simplest, method brought into cyber security is the idea of attack trees, or threat trees. Independently developed by Edward Amoroso and a collaboration between the NSA and DARPA, the approach is goal-oriented and works backwards. The downside is that it runs the danger of being overly focused on one particular attack motivation, or having to repeat the exercise many times. But it can’t be beat as a quick and effective approach where you are trying to prevent attackers from reaching a single target.
With an attack tree you begin with the goal of the threat. As an example, we can take the goal of getting backstage at a concert for an enthusiastic fan. Then we work backwards on what would enable them to do this, the requirements to get to that point, and so on. Below is a simple example of a worked tree, and the next stage would be to put mitigations in place to prevent those sub-goals (for example, locking the staff entrance, alarming the fire escape, requiring photo ID for VIP fans, etc).
Attack trees are one of the most open threat modelling techniques and the most broadly applicable. Some of the others, such as STRIDE which I will cover below, are focused on technological threats.
Personae non Grata (PnG)
A second fairly open approach looks at all potential threats from the point of view of a motivated attacker. In this instance, both the goal and the means are undefined initially and instead we build a fictional hostile (or in some cases non-hostile but negligent) threat actor. These profiles can consist of anything from detailed dossiers with life histories and capability assessments, down to a few short sentences. Taking the same example as with attack trees, we would build the enthusiastic fan’s profile, and then work out what goals they might try to achieve and how.
As a standalone exercise the PnG approach is not much use – but when combined with another model such as attack trees it narrows the options and limits the choices when brainstorming. This means it can add significant value and help with more comprehensive, thoughtful threat modelling. With the attack tree shown earlier, the profile might help to expand or narrow possibilities (in this case, having previously worked at the stadium a higher weighting might be given to attacks around impersonation or stealth, and some of the existing security measures could be assumed to be compromised). Of course, such profiles do not need to be fictional where a known threat can be fed into the model instead.
An example of a simple profile which might apply to the situation being modelled above is “A Fan is a huge fan of Boys ‘R’ Us, and was recently fired from their job at Concert Stadium after trying to fraudulently order VIP tickets to an upcoming concert. They still have several good friends who work at the stadium, and have not yet returned their access badge or work uniform. While working at Concert Stadium they had long hair, but have recently had it cut and dyed and their new hairstyle/appearance is unknown.” They can be much more extensive, and often include pictures and other materials to help those running through the threat model understand motivations and capabilities.
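The attack tree and the profile can be combined in a few lines of code. The following is an added example, not part of the original article: the tree's sub-goals, the capability names and the `open_paths` function are assumptions built around the backstage scenario, the three mitigations named earlier and the ex-employee profile above.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"                    # "OR", "AND" or "LEAF"
    children: list = field(default_factory=list)
    needs: frozenset = frozenset()        # capabilities a leaf step requires
    mitigation: str = ""                  # control that blocks this leaf step

def open_paths(node, capabilities, controls, bypassed=frozenset()):
    """Return every list of leaf steps that still achieves `node`."""
    if node.kind == "LEAF":
        blocked = node.mitigation in controls and node.mitigation not in bypassed
        feasible = node.needs <= capabilities
        return [[node.name]] if feasible and not blocked else []
    per_child = [open_paths(c, capabilities, controls, bypassed) for c in node.children]
    if node.kind == "OR":                 # any single child reaches the goal
        return [path for paths in per_child for path in paths]
    combined = [[]]                       # AND: one open path needed from every child
    for paths in per_child:
        combined = [done + path for done in combined for path in paths]
    return combined

# Constructed tree for the backstage goal; sub-goals and names are assumptions.
TREE = Node("Get backstage", "OR", [
    Node("Use the staff entrance", "AND", [
        Node("Wear staff uniform", needs=frozenset({"uniform"})),
        Node("Open staff entrance door", mitigation="lock staff entrance"),
    ]),
    Node("Slip in via fire escape", mitigation="alarm fire escape"),
    Node("Pose as VIP fan", needs=frozenset({"vip ticket"}),
         mitigation="photo ID for VIP fans"),
])
CONTROLS = {"lock staff entrance", "alarm fire escape", "photo ID for VIP fans"}

# Persona from the profile: kept the uniform, and the badge defeats the lock.
EX_EMPLOYEE = {"capabilities": frozenset({"uniform"}),
               "bypassed": frozenset({"lock staff entrance"})}

if __name__ == "__main__":
    print("no controls, any fan:  ", open_paths(TREE, frozenset(), set()))
    print("controls, any fan:     ", open_paths(TREE, frozenset(), CONTROLS))
    print("controls, ex-employee: ", open_paths(
        TREE, EX_EMPLOYEE["capabilities"], CONTROLS, EX_EMPLOYEE["bypassed"]))
```

The three mitigations close every path for a generic fan, but the profile leaves the staff entrance open, which points to recovering the badge and uniform as the next control.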
While STRIDE is a technical threat model designed for software development, some of the techniques involved are invaluable for any form of threat modelling to help you see the threat before it happens.
The name comes from an acronym for six attack vectors considered common in software engineering:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Escalation of privilege
Microsoft, who developed the system, no longer strictly apply STRIDE. Other variations have been developed such as STRIPED (which reshuffles the acronym to cram Privacy in). It is widely recognised that the categories overlap and are highly subjective. Despite this, the methods used to apply those categories are still ones I consider among the most useful for any form of formal threat modelling.
To apply STRIDE, we start with a dataflow diagram – an abstraction of a software system which focuses on the way information flows through and around rather than technical detail. We then add trust boundaries, arbitrary lines designating areas of greater or lesser trust. They cannot pass through the ‘blocks’ of the system, and must form boundaries around them – the boundaries are shown in red on the attached diagram.
Once we have listed all our information flows (easier to do in IT than when dealing with people, but possible either way) and designated our boundaries, it’s a relatively simple case of highlighting every point where an information flow crosses a trust boundary. These are our vulnerabilities, or attack points. When applying to technology we take each one and run through the STRIDE acronym, brainstorming any relevant attacks against each. Technically infeasible attacks can be listed and then discarded later – we are simply trying to be reasonably comprehensive at this point.
Once we have enough attacks against our vulnerabilities, it becomes a case of risk management: for each one we need to consider the likelihood of an attacker exploiting that particular vulnerability, and the impact if they succeed. While the example here is for a simple, high-level system (a smart heating system for a house) to identify the potential attack surface rather than delve into vulnerabilities, the STRIDE methodology is a general approach that can be adapted for very complex systems as well as non-technical, physical environments.
[Figure: STRIDE.png]
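The procedure above (list the flows, mark the trust boundaries, brainstorm STRIDE at each crossing, then weigh likelihood against impact) can be run as a worksheet generator. This is an added example, not part of the original article: the element names, trust zones, flows and the 1 to 5 scoring scale are constructed assumptions for a smart heating system and are not taken from the article's diagram.

```python
STRIDE = ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Escalation of privilege"]

# Constructed model: element -> trust zone it sits in (assumed names).
ZONES = {
    "Phone app": "internet",
    "Vendor cloud": "vendor",
    "Home hub": "home network",
    "Thermostat": "home network",
    "Boiler": "home network",
}
FLOWS = [  # (source, destination, data carried)
    ("Phone app", "Vendor cloud", "login and setpoint"),
    ("Vendor cloud", "Home hub", "schedule"),
    ("Home hub", "Thermostat", "target temperature"),
    ("Thermostat", "Home hub", "room temperature"),
    ("Home hub", "Boiler", "on/off command"),
]

def boundary_crossings(zones, flows):
    """Flows whose two ends sit in different trust zones."""
    unknown = {e for src, dst, _ in flows for e in (src, dst)} - set(zones)
    if unknown:  # an element outside every boundary means the diagram is incomplete
        raise ValueError(f"elements with no trust zone: {sorted(unknown)}")
    return [f for f in flows if zones[f[0]] != zones[f[1]]]

def worksheet(zones, flows):
    """One brainstorming row per (crossing flow, STRIDE category)."""
    return [(f"{src} -> {dst} ({data})", category)
            for src, dst, data in boundary_crossings(zones, flows)
            for category in STRIDE]

def rank(scored):
    """Order rows by likelihood x impact; `scored` maps row -> (likelihood, impact)."""
    return sorted(scored, key=lambda row: scored[row][0] * scored[row][1], reverse=True)

if __name__ == "__main__":
    rows = worksheet(ZONES, FLOWS)
    print(len(rows), "rows to brainstorm")
    # Constructed scores for two rows; infeasible rows are simply left unscored.
    for row in rank({rows[0]: (4, 5), rows[4]: (2, 3)}):
        print(row)
```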
These threat modelling techniques are most effective when they are tailored to the system being considered, and can draw appropriate techniques from any source where they are useful. They also gain more value the more effort is put into them. The examples provided are very quick, simplified threats, intended purely to illustrate the techniques. At the very least, they will provide a few nuggets of information that you may find useful in your next threat assessment.
Threat Modelling – Ways to See the Threat Before it Happens
By: James Bore
James Bore is a Jack of all trades in cyber security by vocation and choice. He has been speaking and writing to build awareness of cyber security for several years, and now provides consultancy to companies looking to mature their own security to better protect their customers and employees. His hobbies include lockpicking, beekeeping, and homebrewing and in occasional spare time he maintains a blog at https://coffeefueled.org.