Recommended approach to threat modeling of IT systems
2013/07/09 4 comments
Threat modeling is the crucial process of finding potential security weaknesses, on both the technical and the process level, in any IT system. The threat model should be prepared at the beginning of the system lifecycle, but it should be updated constantly throughout the whole lifecycle, to reflect the new threats that appear due to changes in both the system and the related processes. Threat modeling is particularly important to security in the initial stages of the system lifecycle, especially in the planning phase, because it makes it possible to identify various kinds of architecture, technology, implementation and process related vulnerabilities early enough to correct them, before the risks come into effect. Early identification of potential weaknesses during system design guarantees that the changes necessary to correct these vulnerabilities are relatively low-cost, compared with correcting vulnerable solutions that have already been implemented, for which the price is usually much higher.
The results of threat modeling should then be used in risk analysis and in planning corrective measures that are effective and, at the same time, economically justifiable.
The threat model also plays a crucial role in preparing an effective security requirements specification, one that addresses the whole scope of the potential risks that have to be mitigated.
An additional benefit of threat modeling is that its outcome can be used to prepare security test scenarios, which can subsequently be used during security accreditation as an obligatory requirement to be fulfilled before the system is accepted for production.
Asset centric, system centric or attacker centric approach to threat modeling
The approach to threat modeling can be asset centric, system centric or attacker centric, depending on the point of view taken during the modeling.
The asset centric approach focuses primarily on the assets and on the threats to their security attributes: confidentiality, integrity and availability.
The system centric approach is based on a model of the system. All of the system components and data flows are analyzed in relation to the possible attacks against them.
In the attacker centric approach, the attacker's motivation is the starting point, from which the possible ways of achieving the attacker's goals are analyzed.
The best way of threat modeling is to adopt a well thought out hybrid approach, combining the best features of all three perspectives.
Threat modeling is always a multistage process, consisting of several important phases, which are briefly described below.
In the first stage of threat modeling, as a prerequisite, (1) an analysis of the security principles and objectives should be conducted. The analysis should cover both the system itself and its environment, for instance the network infrastructure and the dependent and interrelated systems (operating systems, application servers, runtimes, middleware, databases etc.). Conducting this stage properly requires a good understanding of the business objectives, the business logic of the system, user roles, system use cases, components, services, trust boundaries and dependencies, both between internal components and in the relations to outside systems, infrastructure or even software modules.
In the second stage it is extremely important to prepare (2) a complete inventory of the assets that have to be protected in the system, (3) identify all of the system modules or components, especially those critical from the security point of view, conduct (4) a decomposition of the processes in which the system takes part, and make (5) a recognition of all the major data flows: identify all the places where data input and output occur, and examine the data flows both within the system itself and between the system and external systems. The ultimate goal is to perform the asset, application and system centric threat analysis on this basis, covering all assets, modules, processes, data flows and input-output places from the potential attacker's point of view.
In the third stage of the process, (6) the identification of threats is performed. Its purpose is to identify all potential threats which may result in the materialization of any kind of financial, legal, reputational or other risk.
For threat classification, any of the available models or a customized approach can be adopted. For example, the STRIDE model, in which threats are categorized into the following groups:
- Identity Spoofing
- Tampering with Data
- Information Disclosure
- Denial of Service
- Elevation of Privilege
and any of its reasonable derivatives is quite useful. The most important success criterion is the comprehensiveness of the threat model, so that no significant risk is missed.
Threats should be identified for all of the major information assets, the critical components and the ‘modus operandi’ of potential attacks. The best way to visualize the threat model is to draw so called ‘attack trees’. Attack trees take the form of multilevel graphs. In these graphs the conditions of a successful attack are located in the nodes, and each node is logically related to its child nodes (leaves) in the tree. If all of the nodes on any path from the root down through the child nodes are satisfied, the vulnerability exists (the attack is possible).
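To make the attack-tree semantics concrete, here is a small evaluator written for this article (it is an added example, not the author's tool or a real system's model). Leaves are conditions that either hold or do not; inner nodes combine their children with AND (every condition needed) or OR (any one suffices). The tree itself is constructed for an assumed generic web shop and its node names are illustrative. Beyond what the paragraph describes, the example also enumerates every minimal set of leaf conditions that reaches the root (the distinct ‘modus operandi’) and shows which paths a given corrective measure closes, which is the input the later risk-analysis step needs.

```python
"""Attack-tree evaluator for threat modeling.

Added example, not the article author's tool. The tree below is a constructed
illustration for an assumed generic web shop (not a real system): the root is
the attacker's goal, AND nodes require every child, OR nodes require any one.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass
class Node:
    """One node of an attack tree. A leaf is a concrete condition that either
    holds or does not; inner nodes combine their children with AND or OR."""
    name: str
    gate: str = "LEAF"                  # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)

    def satisfied(self, holding: Set[str]) -> bool:
        """True if this node is reachable given the leaf conditions in `holding`."""
        if self.gate == "LEAF":
            return self.name in holding
        results = [c.satisfied(holding) for c in self.children]
        return all(results) if self.gate == "AND" else any(results)

    def attack_paths(self) -> Set[FrozenSet[str]]:
        """Every minimal set of leaf conditions that achieves this node, i.e.
        the distinct attack paths ('modus operandi') the model should capture."""
        if self.gate == "LEAF":
            return {frozenset([self.name])}
        if self.gate == "OR":
            paths: Set[FrozenSet[str]] = set()
            for c in self.children:
                paths |= c.attack_paths()
            return minimal_paths(paths)
        # AND: the attacker needs one path through each child, so combine them.
        paths = {frozenset()}
        for c in self.children:
            paths = {p | q for p in paths for q in c.attack_paths()}
        return minimal_paths(paths)


def minimal_paths(paths: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Drop any path that is a strict superset of another path."""
    return {p for p in paths if not any(q < p for q in paths)}


def leaf(name: str) -> Node:
    return Node(name)


def AND(name: str, *children: Node) -> Node:
    return Node(name, "AND", list(children))


def OR(name: str, *children: Node) -> Node:
    return Node(name, "OR", list(children))


def build_example_tree() -> Node:
    """Constructed tree: goal 'read another customer's orders' (an Information
    Disclosure threat in STRIDE terms) with front-end and back-end branches."""
    return OR("read another customer's orders",
        AND("through the web front-end",
            leaf("valid user session"),
            leaf("no ownership check on order lookup")),
        AND("directly from the database",
            leaf("reach database network segment"),
            OR("authenticate to the database",
               leaf("database credentials in readable config"),
               leaf("database accepts unauthenticated connections"))),
        AND("from backups",
            leaf("backup storage readable by other tenants"),
            leaf("backups not encrypted")))


def remaining_paths(tree: Node, fixed: Set[str]) -> Set[FrozenSet[str]]:
    """Attack paths still open once the leaf conditions in `fixed` are removed
    by a control; used to compare candidate corrective measures by coverage."""
    return {p for p in tree.attack_paths() if not (p & fixed)}


if __name__ == "__main__":
    tree = build_example_tree()
    for path in sorted(tree.attack_paths(), key=sorted):
        print("attack path:", sorted(path))
    # Which single corrective measure closes the most paths?
    leaves = set().union(*tree.attack_paths())
    for cond in sorted(leaves):
        print(f"fixing '{cond}' leaves {len(remaining_paths(tree, {cond}))} path(s) open")
```

Note that the back-end branch exists precisely because the article warns against modeling only the front-end: a condition such as reachability of the database segment appears in two of the four paths, so closing it is worth more than closing a condition that occurs once, which is the kind of comparison the risk-analysis step makes.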
It is important to remember that, during the construction of threat models, all potential places where risk may materialize should be taken into consideration. These are mainly the places in the system (and on the interfaces of the system to the external “world”) where any kind of interaction with users, or contact with other processes, both internal and external, takes place. It should be stressed that threat modeling cannot be limited exclusively to the front-end of the system. Serious threats, with potentially disastrous consequences, may exist on the back-end as well.
The threat model prepared in this way should be, in the next steps, the foundation for risk assessment and further risk management decisions.
In brief, the major deliverable from threat modeling is a set of models, preferably in the form of ‘attack trees’. Such graphs, reflecting the paths (also called the aggressor's ‘modus operandi’) of potential attacks, should be prepared for all system components or, if that is not possible, at least for the critical ones, especially those most relevant to application security, for the assets critical from the risk standpoint, and for the security relevant data flows within the system business logic.
Recommended solutions for virtualized IT environments
The specific threats related to virtualization should be taken into consideration, covering all aspects of the threats and risks inherent to the virtualization technology, the type of architecture used and the specific way of implementation. It is very important that threat modeling, regardless of the applied approach, is not limited to the guest OS level but is extended to the hypervisor platform, to the host OS (if used) and, of course, to the shared resources (devices, storage, network, files and file systems etc.).
The following threats, among others, have to be taken into account:
- Abuse of local (both logical and physical) and remote access to virtual environments (including the special case of administrative access to hypervisors and the host OS)
- Malware infection
- Abuse of shared resources (shared files and filesystems, clipboards, network, drives, external devices, storage) and unprotected services
- Abusing trust zones
- Elevation of Privileges
- Covert Channels
- Lack of contingency and DoS/DDoS targeted at the hypervisor and/or host OS
- Sensitive information leakage (including images and snapshots)
- Compromising the integrity of system images and snapshots
In the process of preparing the threat model, the threats to all of the elements of the virtualized architecture have to be considered, as a consequence of using both the system and the asset approach. Additionally, all of the possible attacker motivations and the ways of achieving them should also be identified and analyzed, as the result of involving the attacker centric approach in the threat modeling.