Skip to main content

Threat Modeling

Supply Chain Risks

Modern service delivery often involves a chain of multiple entities. Even companies that aim to control as much production in-house as possible, such as Apple, rely on components from a diverse range of suppliers. For example, Apple uses screens manufactured by Samsung, one of its major competitors. The supply chain isn't limited to manufacturing; it also includes transport, managed by multiple companies.

Ensuring the security, reliability, and reputation of all vendors in this supply chain is crucial to maintain overall operational integrity.

Supply Chain Evaluation

Evaluating the vendors in your supply chain involves several methodologies, such as:

  • Onsite Assessment: This includes visiting the organization, interviewing people, and observing their operating habits to ensure they meet safety and security standards.
  • Document Exchange and Review: Analyze how an organization manages information exchange and conducts assessments and reviews.
  • Process/Policy Review: Request and review the vendor's security policies, processes, and procedures to ensure they align with your organization's standards.
  • Third-party Audit: Enlist an independent auditor to provide an unbiased review of the vendor's security infrastructure.

Threat Modeling 

Threat modeling is a security process where potential threats are identified, categorized, and analyzed. The aim is to eliminate or reduce these threats, either proactively or reactively. This approach can be based on:

  1. Assets: Uses asset valuation results to identify threats to the most valuable assets.
  2. Attackers: Identify potential attackers and threats based on the attackers' goals.
  3. Software: Considers potential threats against the software the organization develops.
Understanding these concepts and being able to apply them to real-world scenarios is key to mastering supply chain and risk management for your CISSP exam.

Security Content Automation Protocol (SCAP)

SCAP, given to us by NIST, is like a common language for the security world. It helps everyone talk about and check for security issues in the same way. Plus, it helps different security tools work together automatically. Some parts of SCAP are especially useful when trying to find vulnerabilities.

Component Description
CVE - Common Vulnerabilities and Exposures Naming system for security vulnerabilities.
CVSS - Common Vulnerability Scoring System Method to determine the severity of vulnerabilities.
CCE - Common Configuration Enumeration Naming system for system configuration issues.
CPE - Common Platform Enumeration Naming system for operating systems, applications, devices.
XCCDF - Extensible Configuration Checklist Description Format Language for defining security checklists.
OVAL - Open Vulnerability and Assessment Language Language to describe security testing processes.

Risk Management Frameworks (RMF)

NIST 800-37

NIST 800-37: By the National Institute of Standards and Technology, a non-regulatory US agency.

  1. Categorize Info Systems: Understand and label systems based on their security needs.

  2. Selecting Security Controls: Choose necessary controls to mitigate identified risks.

  3. Implement Security Controls: Put the selected controls into action within the systems.

  4. Assess Security Controls: Regularly check and validate the effectiveness of the controls.

  5. Authorize Security Controls: Ensure the controls adhere to organizational policies.

  6. Monitor Security Controls: Continuously oversee and report on the performance of security controls.

image.png

Image Source: Video https://www.youtube.com/watch?v=mLuLtIsDjK8&list=PL7XJSuT7Dq_XPK_qmYMqfiBjbtHJRWigD&index=9 

Some references include a 1st step: "Prepare to execute the RMF". However, this isn't part of the CISSP syllabus.

STRIDE

Developed by Microsoft, STRIDE primarily focuses on software. It aims to identify and classify the type of threats:

  • Spoofing: This involves falsifying identity, such as presenting as another user or system.
  • Tampering: This involves data manipulation or unauthorized changes in the system.
  • Repudiation: This is staging an attack in such a way that the attacker can deny their involvement.
  • Information Disclosure: This involves unauthorized access to information.
  • Denial of Service (DoS): This refers to attacks aimed at making a system unavailable or inaccessible.
  • Elevation of Privilege: This involves unauthorized increases in privilege or access within the system.

Spoofing is about false identity, while repudiation is the denial of actions post-attack.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling approach focused on developing countermeasures based on asset value. It involves seven stages:

  1. Definition of Objectives: Establishing clear objectives for threat modeling.
  2. Definition of Technical Scope: Identifying the systems, applications, and data to be protected.
  3. Application Decomposition & Analysis: Breaking down the application into its components and analyzing each for potential vulnerabilities.
  4. Threat Analysis: Identifying potential threats to the system.
  5. Weakness & Vulnerability Analysis: Identifying and analyzing the weaknesses and vulnerabilities that can be exploited by the threats.
  6. Attack Modeling & Simulation: Modeling potential attack vectors and simulating their impacts.
  7. Risk Analysis & Management: Evaluating the risks posed by the identified threats and developing strategies to manage them.

VAST

Visual, Agile, Simple, Threat (VAST) is a threat modeling approach that integrates threat management into an agile programming environment. It's ideal for organizations that heavily use agile methodologies in their operations.

ATT&CK

The MITRE ATT&CK Matrix is different from kill chain models (e.g., Cyber Kill Chain) as it's not an ordered set of attacks but rather a matrix of TTPs. It is used to rate the severitytype  of a vulnerability. 

Reconnaissance Resource development
Initial access Execution
Persistence Privilege escalation
Defense evasion Credential access
Discovery Lateral movement
Collection Command and control
Exfiltration Impact
  • Each tactic in the matrix has associated techniques.
  • Techniques often have sub-techniques that dive deeper into specifics.
  • Clicking a tactic or technique leads to a detailed page with mitigation and detection methods.

Example: Under Reconnaissance, there's a technique named Active Scanning. Within this, there's a sub-technique called Vulnerability Scanning detailing how to spot unauthorized scans.

Remember: The matrix helps in understanding how attackers operate and how to counteract their methods!

DREAD

DREAD is a risk assessment model designed to answer five critical questions:

  1. Damage Potential: How severe could the damage be if the threat is realized?
  2. Reproducibility: How easy is it for attackers to reproduce the exploit?
  3. Exploitability: How difficult is it to perform the attack?
  4. Affected Users: What percentage of users (internal or external) are likely to be affected by the attack?
  5. Discoverability: How difficult is it for an attacker to discover this weakness? A significant weakness 7-8 layers deep with defense in depth may not be as big of a deal

A major weakness 7-8 layers deep with defense might not be as concerning.

TRIKE

TRIKE is an open-source threat modeling process focused on acceptable risk. It implements a requirements model, ensuring that the assigned level of risk for each asset is acceptable to stakeholders.

COBIT

Control Objectives for Information and Related Technology (COBIT) is an IT management and governance framework, based on five principles:

  1. Meeting Stakeholder Needs: Ensuring the organization meets the needs of stakeholders.
  2. Covering the Enterprise End-to-End: Considering the full scope of the enterprise.
  3. Applying a Single, Integrated Framework: Implementing a centralized, coordinated approach.
  4. Enabling a Holistic Approach: Taking into account all aspects of the organization.
  5. Separating Governance from Management: Differentiate oversight from daily operations.

For COBIT, this is all we need to know. CISSP does not go too far into depth with this topic.  

Third Party Auditing

Third-party audits are executed by another organization on behalf of a separate entity. The initiating body usually selects the auditors and determines the audit's scope. Service organizations often undergo third-party audits. However, frequent requests can be burdensome.

Standards:

  • SSAE 18 (US Standard): Set by the AICPA to provide a common auditing standard for service organizations, aiming to streamline external evaluations and share the results with clients.
  • ISAE 3402 (International Standard): Similar to SSAE 18 but applicable outside the U.S.

SSAE-18 does not follow a specific specific controls. It's purpose is only to review and audit

SOC Audits:

  • SOC 1: Focuses on controls affecting financial reporting.
  • SOC 2: Concentrates on controls about the system's security (confidentiality, integrity, availability), and privacy. Results are typically shared under an NDA.
  • SOC 3: Similar to SOC 2, but the results are meant for public consumption.

SOC Report Types:

  • Type I: Provides an opinion on management's control description and its design. It's a snapshot, reflecting a specific moment in time. Mainly a documentation review.
  • Type II: Offers an opinion on control effectiveness, encompassing at least six months. It's more like a traditional audit, verifying controls in operation. This report is deemed more reliable than Type I.

Audits offer insights into security controls and may be asked to participate actively in control evaluations. Auditors typically have unrestricted access to organizational info, with security staff expected to cooperate.

Back to top