Threat modeling and the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
Today, many organizations face unprecedented cyber and insider threats to the data and information they store, process and transmit. Because of these threats, companies are giving cybersecurity renewed attention, which makes it a necessary concept for the CISSP candidate.
Even companies that place great emphasis on securing their business processes can become victims of cybercrime. Compliance with narrowly focused standards may not be sufficient to prevent or detect a sophisticated cyberattack.
Where do we start when tasked to protect everything?
Before we can complete our strategy, we need to understand the components of how to address risk in our environment:
- Risk is based on threats to our organization.
- Threats are focused on valuable resources.
Threat modeling
Threat modeling is a structured approach to identifying, quantifying, and addressing threats. It allows system security staff to communicate the potential damage of security flaws and prioritize remediation efforts. The CISSP exam covers threat modeling in two domains. CISSP domain 1 has objective 1.11, which is "Understand and apply threat modeling concepts and methodologies." CISSP domain 3 has objective 3.1, which is "Research, implement and manage engineering processes using secure design principles" and that includes threat modeling.
In threat modeling, we cover the three main elements:
- Assets: What valuable data and equipment should be secured?
- Threats: What may an attacker do to the system?
- Vulnerabilities: What flaws in the system allow an attacker to realize a threat?
In an organization, different threats target different layers of the organization's framework and environment. The three main layers that threats target are:
- Network: threats such as spoofed or malicious packets.
- Host: threats such as buffer overflows and malicious files.
- Application: threats such as SQL injection, XSS and input tampering.
Who does threat modeling, and when
Ideally, threat models are created during system design before any deployment. In practice, threat models are often created for existing systems, making it part of maintenance. System designers with security experience are best equipped to identify the threats.
Steps to threat modeling
- Identify the Assets
- Describe the Architecture
- Break down the Applications
- Identify the Threats
- Document and Classify the Threats
- Rate the Threats
Identifying the Assets
In this step, we identify the potential assets that are valuable to the organization:
- Entry and exit points
- System assets and resources
- Trust levels (access categories)
Describe the architecture
In this process, we describe the architecture on which the valuable asset is being processed. It may include the software framework, version, and other architectural details.
Break down the application
In this step, we break down the application into its processes and all of the sub-processes that run it.
Identifying the threats
In this step, we list each threat in a descriptive way so that it can be reviewed and processed in the later steps.
Categorizing and classifying the threats
In this step, we categorize each threat into one of the predefined classes:
- Spoofing Identity
- Tampering with Data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Rate the threats
In this step, we rate the severity of each threat based on a scale developed by Microsoft:
- Damage Potential: How bad can an exploit hurt?
- Reproducibility: How reliably can the flaw be exploited?
- Exploitability: How easy is the flaw to exploit?
- Affected Users: How many users can be impacted by an exploit?
- Discoverability: How “visible” is the vulnerability?
Example
A corporation has a data collection web application that allows users to log in and enter or change personal data.
The following information was collected on the application:
Architecture
- Web Application - ASP.Net
- Database - SQL Server 2000
Assets
- User Login Credentials
- User Personal Information
- Administrative Resources
- System Hardware
Microsoft threat reporting template
- ID – Unique ID number of the threat
- Name – Brief name of the threat to the asset
- Description – Detailed description of the threat and its importance
- STRIDE – How can we classify this threat?
- Mitigated – Is the application safe from this threat?
- Known Mitigation – How can we protect against the threat?
- Investigation Notes – What do we know about this threat so far?
- Entry Points – What possible means does an adversary have?
- Assets – What assets could be damaged?
- Threat Tree – How can we visualize the threat? (Optional)
Threat description
- ID: 1
- Name: Login Subversion
- Description: An adversary tries to inject SQL command through a request into the application to circumvent the login process.
- STRIDE Classification: Tampering with data, Elevation of privilege
- Mitigated: No
- Known Mitigation: Stored Procedures, Parameterized Queries
- Investigation Notes: The database calls in the application were reviewed, and string concatenation was used to build the login query.
- Entry Point: Login Page
- Assets: Access to the back-end database
- Threat Tree: None
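The threat recorded above, as an added example that is not part of the original article: the concatenated login query from the investigation notes beside the parameterized query named as its known mitigation. The page's application uses SQL Server; an in-memory sqlite3 table and the user record are constructed here so the example runs offline.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the application's user table. Passwords are
    stored in clear text only to keep the example short; a real system
    would store a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_concatenated(conn, username, password):
    """The flaw found in the investigation: string concatenation builds the
    query, so whatever the user types becomes part of the SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """The known mitigation: a parameterized query. The driver passes the
    input as data, so it cannot change the structure of the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def compare_logins():
    """Run both versions on a correct login and on tampered input.
    Returns ((concat_ok, param_ok), (concat_tampered, param_tampered))."""
    conn = make_db()
    # Constructed input: the legitimate user with the right password.
    legit = (login_concatenated(conn, "alice", "correct-horse"),
             login_parameterized(conn, "alice", "correct-horse"))
    # Constructed input: a quote plus SQL comment in the username field,
    # which truncates the concatenated query before the password check.
    tampered_user = "alice' --"
    tampered = (login_concatenated(conn, tampered_user, "wrong"),
                login_parameterized(conn, tampered_user, "wrong"))
    return legit, tampered
```

Only the concatenated version accepts the tampered username with a wrong password; the parameterized version treats the whole string as a username that does not exist.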
Categorizing threats with STRIDE
A standardized short form created by Microsoft to help categorize threats.
- Spoofing Identity
- Tampering with Data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Rating threats with DREAD
A standardized short form created by Microsoft to rate the severity of a threat. Each quality is rated on a scale chosen for the project; for most projects, a scale of 1 to 3 is sufficient.
- Damage Potential – How bad can an exploit hurt?
- Reproducibility – How reliably can the flaw be exploited?
- Exploitability – How easy is the flaw to exploit?
- Affected Users – How many users can be impacted by an exploit?
- Discoverability – How “visible” is the vulnerability?
Damage Potential
- Attacker can retrieve extremely sensitive data and corrupt or destroy data
- Attacker can retrieve sensitive data but do little harm
- Attacker can only retrieve data that has little or no potential for harm
Reproducibility
- Work every time; does not require a timing window or specific extreme cases
- Timing-dependent; works only within a time window
- Rarely works
Exploitability
- Just about anyone could do it
- Attacker must be somewhat knowledgeable and skilled
- Attacker must be very knowledgeable and skilled
Affected Users
- Most or all users
- Some users
- Few if any users
Discoverability
- Attacker can easily discover the vulnerability
- Attacker might discover the vulnerability
- Attacker will have to dig to discover the vulnerability
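The DREAD rating step, as an added example that is not part of the original article: a small threat register that sums the five ratings on the 1 to 3 scale and orders the open threats for remediation. Assumptions: the first item in each category list above scores 3 and the last scores 1 (the page gives no numbers), and the ratings assigned to the Login Subversion threat and the other two constructed entries are the author's own.

```python
from dataclasses import dataclass

DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")

@dataclass
class Threat:
    """One row of the reporting template, reduced to the fields DREAD needs."""
    id: int
    name: str
    stride: tuple   # STRIDE classes assigned in the categorizing step
    dread: dict     # category -> rating on the project's scale
    mitigated: bool = False

def dread_score(threat, low=1, high=3):
    """Sum the five DREAD ratings, rejecting any rating outside the scale
    or any category left unrated."""
    total = 0
    for category in DREAD_CATEGORIES:
        if category not in threat.dread:
            raise ValueError(f"{threat.name}: {category} not rated")
        value = threat.dread[category]
        if not low <= value <= high:
            raise ValueError(f"{threat.name}: {category}={value} outside {low}-{high}")
        total += value
    return total

def prioritise(threats):
    """Order unmitigated threats by DREAD score, highest first, ties by ID,
    so the remediation backlog reflects severity, not discovery order."""
    open_threats = [t for t in threats if not t.mitigated]
    return sorted(open_threats, key=lambda t: (-dread_score(t), t.id))

# Constructed register. Threat 1 is the page's Login Subversion threat with
# assumed ratings; threats 2 and 3 are invented to show ordering and the
# effect of the Mitigated flag.
REGISTER = [
    Threat(1, "Login Subversion", ("Tampering", "Elevation of Privilege"),
           {"damage": 3, "reproducibility": 3, "exploitability": 3,
            "affected_users": 3, "discoverability": 2}),
    Threat(2, "Audit log can be cleared by operators", ("Repudiation",),
           {"damage": 2, "reproducibility": 1, "exploitability": 2,
            "affected_users": 1, "discoverability": 1}),
    Threat(3, "Verbose database errors shown to users", ("Information Disclosure",),
           {"damage": 1, "reproducibility": 3, "exploitability": 3,
            "affected_users": 3, "discoverability": 3}, mitigated=True),
]
```

With this register the login threat scores 14 of a possible 15 and heads the backlog; the mitigated threat is excluded from the ordering regardless of its score.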
Threat modeling helps organizations prioritize their processes with respect to threats and respond effectively. It is carried out through the complete life cycle of a process, from initialization to deployment, and remains under consideration during maintenance. As far as CISSP training is concerned, the candidate must know all the steps of threat modeling and should also know how to mitigate threats in the most effective manner using threat modeling techniques.