Skip to main content

Threat Modeling

Supply Chain Risks

Modern service delivery often involves a chain of multiple entities. Even companies that aim to control as much production in-house as possible, such as Apple, rely on components from a diverse range of suppliers. For example, Apple uses screens manufactured by Samsung, one of its major competitors. The supply chain isn't limited to manufacturing; it also includes transport, managed by multiple companies.

Ensuring the security, reliability, and reputation of all vendors in this supply chain is crucial to maintain overall operational integrity.

Supply Chain Evaluation

Evaluating the vendors in your supply chain involves several methodologies, such as:

  • Onsite Assessment:Assessment: This includes visitingVisit the organization,vendor's interviewingpremises, people,conduct interviews, and observingobserve their operatingdaily habitsoperations to ensureverify theyadherence meetto safety and security standards.

  • Document Exchange and Review:Review: AnalyzeAssess how ana organizationvendor manages information exchangeexchanges and conducts assessments andinternal reviews.

  • Process/Policy Review:Review: Request and reviewExamine the vendor's security policies, processes, and procedures to ensure they alignare in line with your organization'company's standards.

  • Third-party Audit:Audit: EnlistEngage an independent auditor to providefor an unbiasedimpartial reviewassessment of the vendor's security infrastructure.

  • Continuity Measures: Ensure contractual and liability controls are in place, diversify suppliers for sustained supply, and check the financial stability of vendors.

Threat Modeling 

Threat modeling is a security process where potential threats are identified, categorized, and analyzed. The aim is to eliminate or reduce these threats, either proactively or reactively. This approach can be based on:

  1. Assets: Uses asset valuation results to identify threats to the most valuable assets.
  2. Attackers: Identify potential attackers and threats based on the attackers' goals.
  3. Software: Considers potential threats against the software the organization develops.
Understanding these concepts and being able to apply them to real-world scenarios is key to mastering supply chain and risk management for your CISSP exam.

Security Content Automation Protocol (SCAP)

SCAP, given to us by NIST, is like a common language for the security world. It helps everyone talk about and check for security issues in the same way. Plus, it helps different security tools work together automatically. Some parts of SCAP are especially useful when trying to find vulnerabilities.

Component Description
CVE - Common Vulnerabilities and Exposures Naming system for security vulnerabilities.
CVSS - Common Vulnerability Scoring System Method to determine the severity of vulnerabilities.
CCE - Common Configuration Enumeration Naming system for system configuration issues.
CPE - Common Platform Enumeration Naming system for operating systems, applications, devices.
XCCDF - Extensible Configuration Checklist Description Format Language for defining security checklists.
OVAL - Open Vulnerability and Assessment Language Language to describe security testing processes.

Risk Management Frameworks (RMF)

NIST 800-37

NIST 800-37: By the National Institute of Standards and Technology, a non-regulatory US agency.

  1. Categorize Info Systems: Understand and label systems based on their security needs.

  2. Selecting Security Controls: Choose necessary controls to mitigate identified risks.

  3. Implement Security Controls: Put the selected controls into action within the systems.

  4. Assess Security Controls: Regularly check and validate the effectiveness of the controls.

  5. Authorize Security Controls: Ensure the controls adhere to organizational policies.

  6. Monitor Security Controls: Continuously oversee and report on the performance of security controls.

image.png

Image Source: Video https://www.youtube.com/watch?v=mLuLtIsDjK8&list=PL7XJSuT7Dq_XPK_qmYMqfiBjbtHJRWigD&index=9 

Some references include a 1st step: "Prepare to execute the RMF". However, this isn't part of the CISSP syllabus.

STRIDE

Developed by Microsoft, STRIDE primarily focuses on software. It aims to identify and classify the type of threats:

  • Spoofing: This involves falsifying identity, such as presenting as another user or system.
  • Tampering: This involves data manipulation or unauthorized changes in the system.
  • Repudiation: This is staging an attack in such a way that the attacker can deny their involvement.
  • Information Disclosure: This involves unauthorized access to information.
  • Denial of Service (DoS): This refers to attacks aimed at making a system unavailable or inaccessible.
  • Elevation of Privilege: This involves unauthorized increases in privilege or access within the system.

Spoofing is about false identity, while repudiation is the denial of actions post-attack.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling approach focused on developing countermeasures based on asset value. It involves seven stages:

  1. Definition of Objectives: Establishing clear objectives for threat modeling.
  2. Definition of Technical Scope: Identifying the systems, applications, and data to be protected.
  3. Application Decomposition & Analysis: Breaking down the application into its components and analyzing each for potential vulnerabilities.
  4. Threat Analysis: Identifying potential threats to the system.
  5. Weakness & Vulnerability Analysis: Identifying and analyzing the weaknesses and vulnerabilities that can be exploited by the threats.
  6. Attack Modeling & Simulation: Modeling potential attack vectors and simulating their impacts.
  7. Risk Analysis & Management: Evaluating the risks posed by the identified threats and developing strategies to manage them.

VAST

Visual, Agile, Simple, Threat (VAST) is a threat modeling approach that integrates threat management into an agile programming environment. It's ideal for organizations that heavily use agile methodologies in their operations.

ATT&CK

The MITRE ATT&CK Matrix is different from kill chain models (e.g., Cyber Kill Chain) as it's not an ordered set of attacks but rather a matrix of TTPs. It is used to rate the type of a vulnerability. 

Reconnaissance Resource development
Initial access Execution
Persistence Privilege escalation
Defense evasion Credential access
Discovery Lateral movement
Collection Command and control
Exfiltration Impact
  • Each tactic in the matrix has associated techniques.
  • Techniques often have sub-techniques that dive deeper into specifics.
  • Clicking a tactic or technique leads to a detailed page with mitigation and detection methods.

Example: Under Reconnaissance, there's a technique named Active Scanning. Within this, there's a sub-technique called Vulnerability Scanning detailing how to spot unauthorized scans.

Remember: The matrix helps in understanding how attackers operate and how to counteract their methods!

DREAD

DREAD is a risk assessment model designed to answer five critical questions:

  1. Damage Potential: How severe could the damage be if the threat is realized?
  2. Reproducibility: How easy is it for attackers to reproduce the exploit?
  3. Exploitability: How difficult is it to perform the attack?
  4. Affected Users: What percentage of users (internal or external) are likely to be affected by the attack?
  5. Discoverability: How difficult is it for an attacker to discover this weakness? A significant weakness 7-8 layers deep with defense in depth may not be as big of a deal

A major weakness 7-8 layers deep with defense might not be as concerning.

TRIKE

TRIKE is an open-source threat modeling process focused on acceptable risk. It implements a requirements model, ensuring that the assigned level of risk for each asset is acceptable to stakeholders.

COBIT

Control Objectives for Information and Related Technology (COBIT) is an IT management and governance framework, based on five principles:

  1. Meeting Stakeholder Needs: Ensuring the organization meets the needs of stakeholders.
  2. Covering the Enterprise End-to-End: Considering the full scope of the enterprise.
  3. Applying a Single, Integrated Framework: Implementing a centralized, coordinated approach.
  4. Enabling a Holistic Approach: Taking into account all aspects of the organization.
  5. Separating Governance from Management: Differentiate oversight from daily operations.

For COBIT, this is all we need to know. CISSP does not go too far into depth with this topic.  

Back to top