Threat Modeling
Questions about:
1. What are you building?
2. What can go wrong? What are the threats?
- What are the Trust Zones? What are the violations of the trust zone?
- What is the encryption between trust zones?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
Types:
ATT&CK
STRIDE
Who should be involved
Security Architect
Project lead and engineers
DevOps
Diagrams
External Entity:
Process:
Data Flow:
Data Store:
Trust Boundary:
- From internet
- From Networks
STRIDE
Steps:
1. Find the scope of the Application or change
- Make Diagrams for trust boundaries of the application. (This is where a change in authentication/access is needed to move from one side to another)
- Entry Points:
- Login Page, status page, ports, services
- Assets:
- Admin Login, User Login, Personal Data, Database access, Audit Access
- Find all of the services/data that interact with the application. What trust levels are necessary to access certain data/assets/information?
2. Find Threats
- Third party Libraries
- Services Running and Where
- Entry Points:
- Connection between Devices
- Firewall, TLS, Credentials, Limited Network
- Exit Points:
- XSS, Information disclosure, SQL injection, User Enumeration
3. Determine Countermeasures and Mitigation
- Accept: decide that the business impact is acceptable, and document who has chosen to accept the risk
- Eliminate: remove components that make the vulnerability possible
- Mitigate: add checks or controls that reduce the risk impact, or the chances of its occurrence
- Transfer: Transfer risk to an insurer or customer.
Spoofing: Pretending to be something or someone other than yourself
- Strengths: Authentication, Multi-Factor Authentication, SSL/TLS, Client Certificates, CSRF
- Weaknesses: Secrets Stored Insecurely, password stuffing, token stealing
Tampering: Modifying something on disk, on a network, or in memory
- Strengths: Integrity, Authorization, Hashes, MAC, Digital Signatures, Tamper resistant protocols
- Weaknesses: Business Input Validation, Log Tampering
Repudiation: Claiming that you didn’t do something, or were not responsible. With evidence
- Strengths: logging user actions, Timestamps, Signatures
- Weaknesses: No audit Trail
Information Disclosure: Providing information to someone not authorized to see it
- Strengths: Authorization, Encryption
- Weaknesses: Basic Auth Credentials, Database Leak
Denial of Service: Absorbing resources needed to provide service
- Strengths: Backup ISP, WAF, Scaling Service, PoW
- Weaknesses: Lack of Throttling, Filtering
Escalation of Privileges: Allowing someone to do something they’re not authorized to do
- Strengths: Least Privilege Model, Firewall, patched systems, sandboxed, SELinux/AppArmor
- Weaknesses: No network Isolation, Bad AWS Configuration, command injection, memory-safe and type-safe languages, Linux/Windows security compile flags
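An added example (not part of the original notes) that carries steps 1 and 2 through in code: it models the diagram elements with their trust zones, lists the STRIDE categories to review for each, and flags flows that cross a trust boundary without encryption or authentication. It goes beyond the notes by using the STRIDE-per-element chart; the elements, zones and flows are constructed and hypothetical.

```python
from dataclasses import dataclass
# STRIDE-per-element: categories usually reviewed for each diagram element type.
STRIDE_PER_ELEMENT = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
                "Denial of Service", "Escalation of Privileges"],
    "data_store": ["Tampering", "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external_entity | process | data_store
    zone: str   # trust zone the element sits in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str
    encrypted: bool      # e.g. TLS on the wire
    authenticated: bool  # caller must present credentials

def enumerate_threats(elements, flows):
    """Return (target, category, note) rows to walk through in the Find Threats step."""
    rows = [(e.name, cat, "") for e in elements for cat in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        target = f"{f.src.name} -> {f.dst.name} ({f.label})"
        crossing = f.src.zone != f.dst.zone  # flow crosses a trust boundary
        for cat in STRIDE_PER_ELEMENT["data_flow"]:
            exposed = crossing and not f.encrypted and cat != "Denial of Service"
            rows.append((target, cat, "unencrypted across trust boundary" if exposed else ""))
        if crossing and not f.authenticated:
            rows.append((target, "Spoofing", "no authentication at trust boundary"))
    return rows

# Constructed sample model; every name below is hypothetical.
user = Element("Browser user", "external_entity", "internet")
web = Element("Web app", "process", "dmz")
db = Element("User database", "data_store", "internal")
ELEMENTS = [user, web, db]
FLOWS = [
    Flow(user, web, "status page", encrypted=True, authenticated=False),
    Flow(web, db, "SQL query", encrypted=False, authenticated=True),
]

if __name__ == "__main__":
    print(*(" | ".join(r) for r in enumerate_threats(ELEMENTS, FLOWS)), sep="\n")
```

Rows with an empty note are the checklist to discuss in the review; rows with a note are boundary crossings that already lack a control and feed directly into step 3.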