Threat Modelling - Introduction - Part 1 | Lucideus Research

A threat is a potential danger, and it can apply to anything or anybody. Threats exist in our daily life, theft and murder among many more than you can imagine, and you do your best to protect yourself against them; the way you plan that protection is, in effect, threat modelling. In this document, we will talk about the technical threats that exist to our infrastructure.

Threat modelling is a way to strategize security so as to protect your infrastructure from existing threats and vulnerabilities. Now, what is a vulnerability? A vulnerability is nothing but a weakness in the system that an attacker can use to penetrate it. In information handling, it is a hardware, software or firmware weakness, or a design deficiency, that leaves a system open to assault, harm or unauthorized exploitation, either externally or internally, resulting in an unacceptable risk of information compromise, information alteration or denial of service.

So we can say that threat modelling is a fundamental practice in the process of designing trusted technology: identifying and addressing weaknesses before they are implemented. In this document we will only cover the basics of threat modelling and start going into depth from the next one. Before going through the basics, let us understand vulnerabilities and threats in detail.

How do vulnerabilities and threats arise?
A vulnerability is a weakness that can be exploited by an attacker to perform unauthorized actions within a computer system. A vulnerability is the intersection of three elements: a system flaw, the attacker's access to that flaw, and the attacker's capability to exploit it.

A computer system is made up of states describing the current configuration of the entities that make up the system. These configurations help the system secure itself, and a vulnerability exists when a configuration is mishandled. Below are some examples of how a vulnerability in a system comes about:

  • Misconfiguration of settings
  • Using older versions of applications
  • Missing operating system updates
  • Not using updated or authorized antivirus software
  • Unwanted open ports
  • Improper hardening of the system
  • Lack of access control

A threat refers to the event in which an attacker uses a vulnerability to get into the system. The threat itself will typically involve an exploit, as that is the standard way an attacker makes their move, and an attacker may use multiple exploits against a vulnerability after assessing it. Threats include everything from viruses, trojans and backdoors to outright attacks by a human adversary. Often the term combined threat is more accurate, as the majority of threats involve multiple exploits; for example, an attacker might use a phishing attack to gain information about a network and then use that information to break into a system.

Why do threat modelling?
It is an interesting question: why do we have to do threat modelling? I will take a basic example given by Mr Adam Shostack in his book "Threat Modeling: Designing for Security", which applies threat modelling to our house. To threat model your house, you might start by thinking about the precious things within it: your family, jewellery, photos, or perhaps your collection of signed movie posters. You might then think about the ways someone might break in, such as unlocked doors or open windows. And you might think about the sorts of people who might break in, including neighbourhood kids, professional burglars, drug addicts, perhaps a stalker, or someone trying to steal your Picasso original.

Threat modelling aims to distinguish the attacks a system must resist and the defences that will bring the system to the desired defensive state. These attacks might exploit potential weaknesses that affect the system's operation, and they show us the ways in which the system might be misused.
A system in this context is defined very broadly to include any computer system: software functionality, discrete software applications, servers, complex integrations involving multiple hosts, different applications, and runtime execution environments.

Threat modelling aims to identify and reduce design issues, to identify security weaknesses, and to arrive at a set of security requirements that need to be implemented. We use the term requirements in this document for the set of security issues that need to be addressed.
Once identified and implemented, the security requirements will bring a system or set of operations to the proposed security posture. Identifying likely threats and the consequences of a successful attack is the method of investigation used to determine an appropriate set of defences. It is best practice to then validate the defences that were derived from the threat model.

As explained in the diagram below, it is essential to prioritize threats in order to design a well-structured threat model. Threat prioritization requires identifying and ranking our critical assets, brainstorming the threats and vulnerabilities that may exist or have existed in those assets, and then determining the controls already implemented to protect them. After evaluating the current posture we arrive at the residual risk present in the infrastructure, and we can then determine the impact and likelihood of each risk, which lets us prioritize the threats.

While some threat-modelling methods focus on identifying threats and security issues, others also assess the resulting risks by rating the consequences (impacts) and the likelihood of threats. Such methods are also called Threat and Risk Analysis or Assessment, and the resulting rating can be used to prioritize defences. ISO 27001:2013 also gives us the requirements for managing information security in our organization. It includes a set of 114 controls that need to be implemented to establish a defence in our system. We will also cover ISO 27001:2013 and map it to the threat modelling approach, to understand the help ISO 27001:2013 provides in protecting our infrastructure.
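The prioritization flow described above (critical assets, threats against them, existing controls, residual risk, then ranking by impact and likelihood) as a small worked example. This is added illustration, not code from the original post; the asset names, threats, control effectiveness values and the 1-5 rating scales are constructed assumptions, and the asset-criticality weighting is one simple choice among many.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the inherent likelihood it removes (0.0-1.0), assumed

@dataclass
class Threat:
    name: str
    asset: str
    impact: int          # 1 (minor) to 5 (severe), assumed scale
    likelihood: int      # 1 (rare) to 5 (almost certain) before controls, assumed scale
    controls: list = field(default_factory=list)

def residual_likelihood(threat):
    """Apply the existing controls to the inherent likelihood to get what remains."""
    remaining = float(threat.likelihood)
    for control in threat.controls:
        remaining *= (1.0 - control.effectiveness)
    return round(remaining, 2)

def residual_risk(threat):
    """Residual risk = impact x residual likelihood, the value left after current controls."""
    return round(threat.impact * residual_likelihood(threat), 2)

def prioritize(threats, asset_criticality):
    """Rank threats by residual risk weighted by how critical the affected asset is (1-3)."""
    scored = [(t, round(residual_risk(t) * asset_criticality.get(t.asset, 1), 2)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def prioritize_sample():
    # Constructed sample: two assets and three threats drawn from the vulnerability
    # examples in the text (outdated applications, phishing, unwanted open ports).
    criticality = {"customer-db": 3, "internal-wiki": 1}
    threats = [
        Threat("Outdated web application exposing customer-db", "customer-db", 5, 4,
               [Control("Web application firewall", 0.5)]),
        Threat("Phishing for staff credentials to customer-db", "customer-db", 5, 3,
               [Control("Multi-factor authentication", 0.8)]),
        Threat("Unwanted open port on internal-wiki host", "internal-wiki", 2, 4),
    ]
    return prioritize(threats, criticality)

if __name__ == "__main__":
    for threat, score in prioritize_sample():
        print(f"{score:5.1f}  {threat.name}  (residual likelihood {residual_likelihood(threat)})")
```

The ranking shows why controls belong in the model: the phishing threat has the same impact as the outdated application, but MFA pushes its residual risk below an unmitigated low-impact threat.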

Threat modelling myths
Before designing any security mechanism for our organization, we first need to identify the consequences of that mechanism failing. It is as essential to recognize how our threat model may fail as how it can succeed. This is not just about how weaknesses and threats might have been missed, but also about failures in the threat-modelling process itself.
For instance, is it a failure to think threat modelling is unnecessary because the product undergoes VAPT and secure code reviews? Is it a failure to believe there is no reason to do threat modelling because the system is already deployed and no breaches have been detected? Leaders in our industry often dismiss the importance of implementing strong security mechanisms by merely stating that "nothing has happened till now." Sometimes it seems they do so to spare themselves the work that follows from designing a threat model. But security is not a show stopper; it is a business enhancer. Security provides the market with trust that the information shared is protected.

Still, people in our industry hold some myths about threat modelling. Let's visit some of the myths addressed by Mr Jim DelGrosso of Cigital and Mr Brook Schoenfield of Intel:
  • "We already do pen-tests with tools AND people ... we don't need to do threat modelling."
  • "The system is already built and deployed ... there's no reason to do threat modelling."
  • "We did a threat model when the system was built ... we don't need to do it again."
  • "Threat modelling is too complicated."
  • "We don't have software security experts, so we can't do threat modelling."
  • "I'm doing threat modelling at all the right times ... there's no reason to do pen tests or code reviews or <whatever> anymore."
From the above you can see how people justify ignoring the security of their infrastructure. These can be classified as failures of mindset, as they present a barrier to entry to threat modelling by trying to stop it from happening or by justifying it away.

On the other hand, we also have practical issues caused by failing to adhere to a proper methodology:
  • Difficulty identifying and controlling the scope within which the threat model is implemented.
  • Difficulty prioritizing critical assets: focusing only on areas that are well understood rather than ranking them by impact.
  • Difficulty distinguishing between the desired outcome and the actual outcome.

Threat modelling is not only an art; it is an art with science. In a war we build defences around our fort, and similarly we need to build defences around our infrastructure to protect our information. However, we will not go deeper into this here, and will move on to updating the threat model.

Information is the most critical asset in our system, and it needs to be protected. Threat modelling is the best approach to protecting it, as it helps us strategize the requirements for developing a robust infrastructure. In this document we have covered the basics of threat modelling to build an understanding of why it matters. In the documents that follow, we will cover various threat modelling approaches, which will provide the resources to build a secure architecture around our environment.
