Evaluation of Threat Models


Volume 8, Issue 2, February – 2023 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

Kelkar Siddhi Suhas,
Pursuing BTech in Electronics Engineering - DJSCE

Abstract:- Information system security is the integrity and safety of its resources and activities. In the cyber world, it can be almost impossible to trace sophisticated attacks to their true source. The anonymity enjoyed by malicious users or cyber attackers poses a grave threat to the global information society.

Cyber threat modelling is an analytical process that is used to identify the potential threats against a system or an organization. It is a core activity and a fundamental practice in the process of building trusted technology. Threat modelling has been identified as one of the best "return on investment" activities for identifying and addressing design flaws. Some threat model methods focus on identifying threats and security issues, while some methods also assess the resulting risk.

I. INTRODUCTION

Threat Modelling

A threat model is a structured representation of all the information that can affect the security of the system. The objectives of threat modelling are identifying security requirements, pointing out security threats and potential vulnerabilities, qualifying threats and vulnerabilities, and prioritizing solutions. Threat modelling is a process for capturing, organizing, and analysing all of this information. Applied to software, it enables informed decision-making about application security risks. In addition to producing a model, typical threat modelling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation of an application.

Threat modelling works by identifying the types of threat agents that cause harm to an application or computer system. It adopts the perspective of malicious hackers to see how much damage they could do.

Threat modelling techniques furnish security teams and organizations with a way to distinguish potential threats and can be seen as an equivalent balance on a functional level. When conducting threat modelling, organizations perform a thorough analysis of the software architecture, business context, and other artifacts (e.g., functional specifications, user documentation). Generally, developers perform threat modelling in five steps:

Fig. 1: Steps of threat modelling

Threat Assessment

A threat assessment analyses your system to find out what attacks are currently happening or which attacks are being threatened. Threat assessments can gather knowledge on attacks before they happen, which can help determine the extent and danger of a threat and how it might affect an enterprise. It's more of a reactive approach to IT security, and a helpful option for companies who need to know what's going on in their system and what issues need to be resolved right away.

Threat assessments can catch digital threats like:
- Vulnerabilities in applications that can be used to attack your network
- Malware or viruses present
- Current phishing attacks that put your enterprise at risk for a breach
- Misuse of information (especially relevant to financial and health sectors)
- Employee, vendor, and individual risks (detecting anyone with malicious intent)

II. MISCONCEPTIONS OF THREAT MODELLING

Threat modelling is an important practice in the field of information security, but there are some common misconceptions about it. Some of the most common misconceptions include:

IJISRT23FEB1378 www.ijisrt.com 1948


- Threat Modelling is too Complex and Time-Consuming
While it is true that threat modelling can be a complex process, it doesn't have to be overly time-consuming or difficult. There are many different frameworks and methodologies that can be used to perform threat modelling, and organizations can choose the approach that works best for their needs and resources.

- Threat Modelling is a One-Time Activity
Threat modelling is not a one-time activity, but rather an ongoing process that should be integrated into an organization's overall security management program. Threats are constantly evolving, and organizations need to regularly reassess their security posture and adjust their strategies accordingly.

- Threat Modelling is Only for Technical Experts
While technical expertise can certainly be helpful in performing threat modelling, it is not necessary for everyone involved in the process. Threat modelling can involve a range of stakeholders, including business managers, risk management professionals, and other non-technical experts.

III. TYPES OF THREAT MODELS

Almost all software systems or organizations today face a variety of threats, and more are being added constantly as technology changes. These threats can come from outside or within organizations, and their impact has the potential to be devastating. Systems could be prevented from working entirely or sensitive information could be leaked, which would impact consumer trust in the system provider. To prevent threats from taking advantage of system flaws, threat modelling methods can be used to think defensively.

Threat modelling methods are used to create an abstraction of the system; profiles of potential attackers, including their goals and methods; and a catalogue of potential threats that may arise. The threat modelling methods discussed in this paper come from a variety of sources and target different parts of the process:

A. STRIDE (Developer Focused):
It is the oldest methodology, developed by Microsoft. Currently STRIDE is the most mature threat modelling method. It includes a full breakdown of processes, data stores, data flows and trust boundaries. Its goal is to get an application to meet the security properties of Confidentiality, Integrity and Availability (CIA), along with Authorization, Authentication and Non-Repudiation. This is an easy method to adopt but it can be time consuming. Its main issue is that as the system complexity increases the number of threats can grow rapidly. STRIDE is an acronym for the types of threat it addresses.

Table 1. STRIDE Threat Categories

| Types of Threat | What was violated? | How was it violated? |
|---|---|---|
| Spoofing | Authenticity | Pretending to be someone you are not. Unauthorized user. |
| Tampering | Integrity | Manipulating the data to achieve malicious goals. |
| Repudiation | Non-repudiation | Claiming not to be responsible for an action. |
| Information disclosure | Confidentiality | Leaking protected credential to unauthorized entities. |
| Denial of Service (DoS) | Availability | Denying access to resources needed to provide service. |
| Elevation of Privilege | Authorization | Allowing someone to do something they are not authorized to do. |

B. OCTAVE (Practice Focused):
The OCTAVE method (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a security framework for determining risk level and planning defence against cyber assaults. It is a risk-based strategic assessment and planning technique developed by the Computer Emergency Response Team (CERT). OCTAVE is a self-directed approach, meaning that people from an organization assume responsibility for setting the organization's security strategy.

The OCTAVE method focuses on three phases:
- Phase 1: Identifying critical assets of the organization and the threats to those assets.
- Phase 2: Identifying the vulnerabilities, both organizational and technological, and the risk to the organization.
- Phase 3: Developing a practice-based protection strategy and risk mitigation plans.

The framework has gone through several evolutionary phases, but the basic principles and goals have remained the same.

Two versions exist:
- OCTAVE-S, a simplified methodology for smaller organizations or those with single-level structures.
- OCTAVE Allegro, a more comprehensive version for large organizations or those with multilevel structures.

Though the OCTAVE threat model method provides a robust, asset-centric view and organizational risk awareness, the documentation can become voluminous. OCTAVE lacks scalability: as technological systems add users, applications, and functionality, a manual process can quickly become unmanageable.

This method is most useful when creating a risk-aware corporate culture. The method is highly customizable to an organization's specific security objectives and risk environment.

C. P.A.S.T.A. (Attacker Focused):
PASTA stands for Process for Attack Simulation and Threat Analysis. PASTA threat models have some distinguishing qualities. First of all, PASTA is risk centric: the threat model is performed with the aim of identifying risks, classifying risks and focusing on the highest risks for the organization. It is also capable of simulation, meaning simulations can be performed using identified threats, collected evidence, etc. PASTA has seven different stages. Each stage adds information known about the object in scope, its technical environment.

Fig 2: Pasta threat modelling stages

The output of each stage acts as the input of the next stage.

D. TRIKE (Acceptable Risk Focused):
TRIKE is an open-source threat modelling methodology. It is an improved version of STRIDE and it is mainly used when security auditing is the concern from a risk management perspective. It is the combination of two models, namely the Requirement model and the Implementation model. The Requirement model is the base of the TRIKE model that describes the security characteristics and assigns acceptable risk to each asset. It also co-ordinates among different security teams. In the Implementation model, a Data Flow Diagram (DFD) is created which illustrates the flow of data and the actions the user performs within a system. TRIKE differs from other threat models because it uses a risk-based approach with distinct implementation, threat and risk models.

Beyond its more systematic methodology, TRIKE is different from other existing approaches to threat modelling in that it focuses on modelling threats from a defensive perspective, not that of an attacker. It has automated components to implement. It has vague, insufficient documentation. It also has built-in prioritization of mitigation.

E. LINDDUN (Privacy Focused):
LINDDUN was created to provide support for a thorough, systematic privacy threat assessment. It helps the user through each step, ensures exhaustive coverage and documentation of the privacy threat modelling process, and includes an extensive knowledge base of potential privacy threats. The LINDDUN privacy framework enables organizations to analyse privacy threats based on 7 threat categories. These categories form its acronym:

- Linkability: An unauthorized user can link two items of interest even if they do not know the authorized user's identity.
- Identity: Through an item of interest, an unauthorized user can identify a particular data subject from a set.
- Non-repudiation: The data subject cannot deny a particular claim.
- Detectability: An unauthorized user can detect a data subject and distinguish whether an item of interest about that subject exists.
- Disclosure of information: An unauthorized user can learn the contents of an item of interest.
- Unawareness: The authorized user is unaware that their personal data is being collected, processed, stored or shared.
- Non-compliance: The handling or storage of personal data does not comply with relevant laws or policies.

The LINDDUN methodology consists of 3 main steps:
- Model the system.
- Elicit threats.
  - Map DFD elements to threat categories
  - Elicit and document threats
  - Document threats
- Manage threats
  - Prioritize threats
  - Select suitable mitigation strategy
  - Select privacy enhancing solution
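The three LINDDUN steps listed above, worked through on a small social networking DFD (one user entity, portal and service processes, one personal-data store) as an added example that is not code from the paper or from the LINDDUN project. The element-to-category mapping table, the data flow names and the priority weights are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CATEGORIES = {"L": "Linkability", "I": "Identifiability", "N": "Non-repudiation",
              "D": "Detectability", "Di": "Disclosure of information",
              "U": "Unawareness", "Nc": "Non-compliance"}
# Assumed mapping table (not given on the page): categories that apply to each
# DFD element type. Unawareness concerns the data subject, so only entities.
_COMMON = ["L", "I", "N", "D", "Di", "Nc"]
APPLIES = {"entity": ["L", "I", "U"], "process": _COMMON,
           "datastore": _COMMON, "dataflow": _COMMON}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                   # entity | process | datastore | dataflow
    personal_data: bool = True  # False: element never carries personal data

def social_network_dfd():
    """Step 1, model the system. Element names and flows are constructed."""
    return [
        Element("User", "entity"),
        Element("Portal", "process"),
        Element("Service", "process"),
        Element("Personal information store", "datastore"),
        Element("User -> Portal", "dataflow"),
        Element("Portal -> Service", "dataflow"),
        Element("Service -> Store", "dataflow"),
    ]

def elicit(dfd):
    """Step 2, elicit threats: one candidate per (element, applicable category)."""
    threats = []
    for el in dfd:
        if el.kind not in APPLIES:
            raise ValueError(f"unknown DFD element type: {el.kind!r}")
        if el.personal_data:  # elements without personal data are out of scope
            threats += [(el.name, code) for code in APPLIES[el.kind]]
    return threats

def prioritize(threats, weights):
    """Step 3, manage threats: sort by analyst-chosen weight per category."""
    return sorted(threats, key=lambda t: (-weights.get(t[1], 0), t[0]))

if __name__ == "__main__":
    found = elicit(social_network_dfd())
    for name, code in prioritize(found, {"Di": 3, "I": 2})[:5]:
        print(f"{name}: {CATEGORIES[code]}")
    print(len(found), "candidate threats from 7 DFD elements")
```

Seven DFD elements already produce 39 candidate threats to document, which is the threat explosion the paper attributes to STRIDE and LINDDUN and the reason the third step needs a ranking.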


In the example below, the high-level DFD of a simplistic social networking system is shown. In the Data Flow Diagram, the user is represented as an entity that interacts with the system. The social network application contains two processes (the portal and the service) and one data store that contains all the personal information of the users.

Fig 3: Data Flow Diagram (DFD) of a simple social networking application

IV. EVALUATION CRITERIA

The first criterion is Strengths and Weaknesses. Although there are many threat model methods, there is no perfect method. Each method was developed with a different perspective and each has different priorities. Some methods focus on assets whereas some focus on attackers or on risks. Each method has its own strengths and weaknesses.

Table 2. Strengths and weaknesses

| Method | Perspective | Mitigation | Consistent Result |
|---|---|---|---|
| STRIDE | Defender | Yes | No |
| OCTAVE | Risk | Yes | Yes |
| PASTA | Risk | Yes | Not clear |
| TRIKE | Risk | Yes | No |
| LINDDUN | Assets | Yes | No |

The second criterion is Adoptability. The availability or absence of good documentation and support can be critical for successfully adopting a method.

Table 3. Adoptability

| Method | Easy to learn | Easy to use | Documentation |
|---|---|---|---|
| STRIDE | Medium | Medium | Very good |
| OCTAVE | No | No | Good |
| PASTA | No | No | Very good |
| TRIKE | Medium | Medium | Good for v1 |
| LINDDUN | Medium | No | Good |

The third criterion is Applicability. Methods must be able to be applied recursively and account for the relationship among sub-systems. They must also address hardware-software dependencies and safety-security interdependencies.

V. CONCLUSION

Threat modelling can help to make an organization more secure and trustworthy. The desired output should govern an organization's choice of threat model method. While all threat model methods may be capable of identifying potential threats, the type of threats identified varies significantly. This paper covers five threat model methods. Some can be used alone while some can be used in conjunction with others.

The PASTA modelling method can be used as the basis of a framework, within which STRIDE and LINDDUN can be used as components. PASTA also mitigates the threat explosion weakness of STRIDE and LINDDUN by utilizing risk and impact analysis. PASTA also uses Attack Trees and CVSS (Common Vulnerability Scoring System). Choosing which method is best for a project depends on the specific area the user wants to target (risk, security or privacy), how long the user can spend on threat modelling, and how much experience the user has with threat modelling.