
Microsoft's revision of its Threat Modeling methodology, renamed Microsoft Threat Analysis and Modeling and released in March 2006, provides two key features:

1. A new threat modeling methodology and process intended to be easier for software developers, architects, and other stakeholders who are not security experts to understand and execute

2. A completely reengineered Threat Modeling application tool.

To make threat modeling more user-friendly, Microsoft eliminated the STRIDE and DREAD tools from Threat Modeling Version 1 (v1) and shifted the perspective from the attacker to the defender. The user reasons in terms of threats rather than attacks, reflecting Microsoft's view that the defender, who knows the system and its business context, understands the threats to it better than the attacker does.

As with Threat Modeling v1, the Threat Analysis and Modeling process is iterative, adding layers of detail to an initial high-level threat model as the design progresses through subsequent phases of the life cycle. However, it defines a threat more strictly, as an event that results in negative business or mission impact, and it attempts to clarify the distinction between threats, attacks, and vulnerabilities. Microsoft Threat Analysis and Modeling also incorporates predefined attack libraries that describe effective mitigations for each attack type associated with a threat; it auto-generates threat models from a defined application context and maps the resulting threats to relevant countermeasures.

For Further Reading

“Threat Modeling”, MSDN Developer Center.

Available from: http://msdn2.microsoft.com/en-us/security/aa570411.aspx

“Microsoft Application Threat Modeling” [weblog].

Available from: http://blogs.msdn.com/threatmodeling/

“Microsoft Threat Analysis & Modeling” [download page].

Available from: http://www.microsoft.com/downloads/details.aspx?familyid=59888078-9daf-4e96-b7d1-944703479451&displaylang=en

5.2.3.1.2 PTA Practical Threat Analysis Calculative Threat Modeling Methodology

Practical Threat Analysis (PTA) Technologies developed the Calculative Threat Modeling Methodology (CTMM), a risk management methodology intended to refine and expand on Microsoft Threat Modeling v1. PTA Technologies identifies the following limitations of Threat Modeling v1:

• No support for relating threats to the financial losses caused by attacks

• No ranking or prioritization of countermeasures according to their effectiveness in reducing risk

• Reliance on "predefined" cases, making the tool difficult to adapt for modeling other threat scenarios

• No support for a complete system view for threat analysis or risk management

• Limited reporting and collaboration capabilities.

Software Security Assurance State-of-the-Art Report (SOAR), Section 5: SDLC Processes and Methods and the Security of Software

Note: Microsoft Threat Analysis and Modeling may make CTMM's enhancements to Threat Modeling v1 unnecessary.

To address these shortcomings in Microsoft Threat Modeling v1, CTMM builds a body of knowledge through iterative interaction between threat analysts and software developers. It enables analysts to maintain a growing database of threats, create documentation for security reviews, and produce reports showing the relative importance of threats and the priorities of the corresponding countermeasures. The PTA tool automatically recalculates threat and countermeasure priorities as the database changes, and provides decision-makers with an updated action item list that reflects changes in the threat landscape.

For Further Reading

PTA Technologies, Practical Threat Analysis for Securing Computerized Systems.

Available from: http://www.ptatechnologies.com/

5.2.3.1.3 Threat Modeling Based on Attacking Path

USC's Threat Modeling based on Attacking Path analysis (T-MAP) is a risk management approach that quantifies the total severity weight of the relevant attack paths in a COTS-based system. T-MAP's strengths lie in its sensitivity to an organization's business value priorities and Information Technology (IT) environment, its ability to prioritize security investments and estimate and evaluate their effectiveness, and its presentation of vulnerability details as executive-friendly threat profiles that help evaluate cost efficiency.

The T-MAP framework is value driven, utilizing an attack path concept to characterize possible scenarios in which an attacker could jeopardize organizational values. It maintains two key assumptions:

1. The more security holes left open in an IT system, the less secure it is.

2. Different IT servers might have different levels of importance in terms of supporting the business’ core values.

With its awareness of a value’s relative importance, T-MAP calculates the severity weight of each attack path based on both technical severity and value impacts. T-MAP then quantifies the IT system threat with the total weight of all possible attacking paths.

T-MAP uses graph analysis to define and evaluate attack scenarios. The attack graph is based on Bruce Schneier's "attack tree" approach [190] and incorporates a classic IT risk management framework consisting of Attacker, Asset, Vulnerability, and Impact. Attack tree nodes are structured into five layers:

1. Stakeholder values, e.g., productivity, privacy, reputation

2. IT hosts that uphold stakeholder values

3. COTS software installed on IT hosts

4. Vulnerabilities in the COTS software

5. Possible attackers, e.g., malicious insiders, external hackers, etc.

T-MAP defines a set of threat-relevant attributes for each of these layers. The attributes are classified as probability-relevant, size-of-loss-relevant, or descriptive, and are derived primarily from NIST SP 800-30, Risk Management Guide for Information Technology Systems, and the Common Vulnerability Scoring System (CVSS). [191]

T-MAP assigns estimated values to various attacker groups based on attributes such as skill level, group size, and motivation. T-MAP can then apply those attribute values to score the severity of the attack path with a numeric weight. Based on the classic risk calculation formula

Risk = Probability * Size of Loss

the user calculates the weight of each attack path by multiplying its relevant attribute ratings together. This quantitative ranking enables security managers to prioritize countermeasures based on the resulting vulnerability ranking. Furthermore, the automated Tiramisu ranking tool greatly reduces the manual effort required.

T-MAP defines a formal framework to measure COTS system security based on attack path weights. Its strength lies in three key features: distillation of the technical details of published software vulnerabilities into executive-friendly information, an automated ranking system, and prioritized outcomes. Note, however, that to be effective T-MAP requires comprehensive, accurate, and up-to-date vulnerability information.

Furthermore, it quantifies security threats only for published software vulnerabilities; the system is not sensitive to those that are unpublished.
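As an added illustration of the T-MAP calculation described above (example code, not the T-MAP paper's or the Tiramisu tool's), the following Python enumerates every five-layer attack path (stakeholder value, host, COTS product, published vulnerability, attacker group), weights each path as Probability * Size of Loss, sums the weights into a system threat figure, ranks vulnerabilities by their aggregate weight, and then ranks candidate patches by threat reduction per unit cost. That last step also illustrates the countermeasure prioritization that PTA's CTMM (5.2.3.1.2) faults Threat Modeling v1 for lacking; the reduction-per-cost rule is this example's choice, not PTA's or USC's formula. All hosts, products, vulnerability labels, attacker ratings and 0..1 values are constructed placeholders, not figures from CVSS or NIST SP 800-30.

```python
"""Illustrative T-MAP-style attack-path weighting (added example).

Five node layers as described in the text: stakeholder value -> IT host ->
COTS product -> published vulnerability -> attacker group. Each complete
path gets weight = Probability * Size of Loss, the system threat is the sum
over all paths, and candidate patches are ranked by threat reduction per
unit cost. All hosts, products, vulnerability labels and 0..1 ratings are
constructed placeholders, not values taken from CVSS or NIST SP 800-30.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str               # label of a *published* vulnerability (constructed, not a real ID)
    exploitability: float  # probability-relevant rating, 0..1
    impact: float          # size-of-loss-relevant rating, 0..1


@dataclass(frozen=True)
class Attacker:
    group: str
    skill: float       # probability-relevant attacker attributes, 0..1
    motivation: float
    size: float


@dataclass
class Host:
    name: str
    upholds: dict  # stakeholder value -> degree this host upholds it, 0..1
    cots: dict     # COTS product -> tuple of Vuln installed on this host


def path_weight(value_priority, support, vuln, attacker):
    """Risk = Probability * Size of Loss for one five-layer attack path."""
    probability = vuln.exploitability * attacker.skill * attacker.motivation * attacker.size
    size_of_loss = vuln.impact * value_priority * support
    return probability * size_of_loss


def enumerate_paths(value_priorities, hosts, attackers):
    """Every (value, host, product, vuln, attacker) path with its severity weight.

    Only vulnerabilities present in the host inventory contribute: an
    unpublished flaw that nobody has listed produces no path at all, which
    is the blind spot the text notes.
    """
    paths = []
    for host in hosts:
        for value, support in host.upholds.items():
            for product, vulns in host.cots.items():
                for vuln in vulns:
                    for attacker in attackers:
                        w = path_weight(value_priorities[value], support, vuln, attacker)
                        paths.append(((value, host.name, product, vuln.vid, attacker.group), w))
    return paths


def total_threat(paths):
    """System threat = total weight of all attack paths."""
    return sum(w for _, w in paths)


def rank_vulnerabilities(paths):
    """Aggregate weight per vulnerability, highest first (the ranking Tiramisu automates)."""
    agg = defaultdict(float)
    for (_, _, _, vid, _), w in paths:
        agg[vid] += w
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)


def rank_patches(value_priorities, hosts, attackers, patch_cost):
    """Rank candidate patches by threat reduction per unit cost.

    Removing a vulnerability deletes every path through it; the drop in
    total weight divided by the patch cost estimates investment effectiveness.
    """
    baseline = total_threat(enumerate_paths(value_priorities, hosts, attackers))
    ranked = []
    for vid, cost in patch_cost.items():
        patched = [Host(h.name, h.upholds,
                        {p: tuple(v for v in vs if v.vid != vid) for p, vs in h.cots.items()})
                   for h in hosts]
        remaining = total_threat(enumerate_paths(value_priorities, patched, attackers))
        ranked.append((vid, (baseline - remaining) / cost))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample system (not from the T-MAP paper).
VALUE_PRIORITIES = {"productivity": 0.6, "privacy": 1.0}
ATTACKERS = (Attacker("insider", skill=0.5, motivation=0.4, size=0.2),
             Attacker("external", skill=0.7, motivation=0.9, size=0.8))
WEB_VULN = Vuln("vuln-web", exploitability=0.9, impact=0.5)  # easy to exploit, moderate impact
DB_VULN = Vuln("vuln-db", exploitability=0.3, impact=1.0)    # hard to exploit, severe impact
HOSTS = [Host("www", {"productivity": 0.8}, {"webserver": (WEB_VULN,)}),
         Host("dbhost", {"privacy": 1.0, "productivity": 0.5}, {"dbms": (DB_VULN,)})]
PATCH_COST = {"vuln-web": 1.0, "vuln-db": 4.0}  # relative effort to deploy each patch

if __name__ == "__main__":
    paths = enumerate_paths(VALUE_PRIORITIES, HOSTS, ATTACKERS)
    print("total threat:", round(total_threat(paths), 6))
    print("vulnerabilities by weight:", rank_vulnerabilities(paths))
    print("patches by reduction per cost:",
          rank_patches(VALUE_PRIORITIES, HOSTS, ATTACKERS, PATCH_COST))
```

With these constructed inputs, vuln-db outranks vuln-web even though it is far harder to exploit, because dbhost upholds the top-priority stakeholder value; the patch ranking nevertheless puts vuln-web first, because removing it buys more threat reduction per unit of cost. That divergence between raw severity and investment effectiveness is the value-sensitivity the text attributes to T-MAP.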

For Further Reading

Yue Chen (University of Southern California), "Stakeholder Value Driven Threat Modeling for Off the Shelf Based Systems: 2006", Presentation at the ACM International Conference on Software Engineering, December 11, 2006.

Available from: http://sunset.usc.edu/csse/TECHRPTS/2006/usccse2006-620/usccse2006-620.pdf

Yue Chen, Barry Boehm and Luke Sheppard (University of Southern California), "Measuring Security Investment Benefit for COTS Based Systems—A Stakeholder Value Driven Approach", 2006. Presentation at the ACM International Conference on Software Engineering, September 8, 2006.

Available from: http://sunset.usc.edu/csse/TECHRPTS/2006/usccse2006-609/usccse2006-609.pdf


5.2.3.1.4 Trike

Trike is an open source conceptual framework, methodology, and toolset designed to autogenerate repeatable threat models. Its methodology enables the risk analyst to accurately and completely describe the security characteristics of a system, from high-level architecture down to low-level implementation details. Its consistent conceptual framework provides a standard language for communication among members of a security analysis team and between the security team and other system stakeholders. It features three key elements:

1. Threat-Model Generation—Trike generates a threat model using the Trike toolset. The input to the threat model includes two additional Trike-generated models, a requirements model and an implementation model, along with notes on system risk and workflows. The tool also provides threat and attack graphs.

2. Automation—Trike provides high levels of automation. Unlike most offensive-based threat methodologies, it is based on a defensive perspective, imposing a greater degree of formalism on the threat modeling process.

3. Unified Conceptual Framework—Trike is a unified conceptual framework for security auditing. The unity of the framework enables team members to communicate with one another fluidly.

For Further Reading

“Trike: A Conceptual Framework for Threat Modeling”.

Available from: http://dymaxion.org/trike

Demo Versions of Trike.

Available from: http://www.octotrike.org

5.2.3.1.5 Consultative Objective Risk Analysis System

The European Union (EU)-funded Consultative Objective Risk Analysis System (CORAS) project established an iterative framework for developing customizable, component-based roadmaps to aid the early discovery of security vulnerabilities, inconsistencies, and redundancies. It integrated existing risk assessment methods to yield six methodological results:

1. Model-Based Risk Assessment—The CORAS methodology for model-based risk assessment applies the standard modeling language UML to form the input models for the risk analysis methods used in the risk management process. The process is based on the Australian/New Zealand Standard (AS/NZS) 4360:1999 and is aimed at the assessment of security-critical systems. The CORAS model has been tested successfully on telemedicine and e-commerce systems.


2. UML Profile for Security Assessment—The CORAS UML profile allows nonexpert users to understand UML diagrams and preserve the well-defined nature of UML. The profile also provides rules and constraints for risk assessment relevant system documentation.

3. Library of Reusable Experience Packages—The CORAS project documented existing risk analysis processes to create a library of best practices. The library enables the user to recapture general practices from "experience elements" built into the library, such as UML diagrams, checklists, and patterns. The experience elements also contain guidelines and recommendations derived from practice.

4. CORAS Integration Platform—The CORAS integration platform is the main computerized component of the CORAS framework. It stores results from ongoing and completed security analyses in two repositories: the Assessment Repository for analysis results and the Reusable Elements Repository for the reusable elements. The platform provides the end user with administrative functionality, such as creating new security analysis projects and applying the reusable elements and experience packages toward their own security goals.

5. CORAS Mark-Up for Security Assessment—The XML mark-up addresses the absence of a standardized meta-data format. Meta-data descriptions of core risk assessments can be used for consistency checking between items in the repositories provided by the CORAS integration platform. The mark-up also facilitates integration of risk analysis tools with the CORAS integration platform.

6. Vulnerability Assessment Report—The CORAS Vulnerability Assessment Report Format aims to standardize the data reporting format for describing network vulnerabilities, addressing the differences in reporting among currently available tools.
