What are the different steps in identifying threats in information security?

Threat modeling is a proactive approach to evaluating cybersecurity threats. It involves identifying the threats a system faces, understanding how they could affect that system, classifying them, and then choosing countermeasures along with the tests or procedures that detect and respond to them.

A typical threat modeling process includes five steps: threat intelligence, asset identification, mitigation capabilities, risk assessment, and threat mapping. Each of these provides different insights and visibility into your security posture.

There are eight methods commonly grouped under threat modeling: STRIDE, PASTA, VAST, Trike, CVSS, Attack Trees, Security Cards, and hTMM. Each provides a different way to assess the threats facing your IT assets. Strictly speaking, CVSS is a vulnerability severity scoring system rather than a modeling method, but it is widely used to prioritize the findings a threat model produces.

Advantages of threat modeling

Threat modeling has the following key advantages:

  • Helps prioritize threats, ensuring that resources and attention are distributed effectively. This prioritization can be applied during planning, design, and implementation of security to ensure that solutions are as effective as possible.
  • Ensures defenses are in line with evolving threats. If not, new threats may remain undefended, leaving systems and data vulnerable.
  • Helps teams evaluate tools they adopt and software they build, by showing where an application may be exposed relative to the protections it already offers.
  • Helps development teams prioritize fixes to existing software, according to the severity and impact of anticipated threats.

What are the five main steps in the threat modeling process?

When performing threat modeling, several processes and aspects should be included. Failing to include one of these components can lead to incomplete models and can prevent threats from being properly addressed.

1. Apply threat intelligence

This area includes information about types of threats, affected systems, detection mechanisms, tools and processes used to exploit vulnerabilities, and motivations of attackers.

Threat intelligence information is often collected by security researchers and made accessible through public databases, proprietary solutions, or security communications outlets. It is used to enrich the understanding of possible threats and to inform responses.

2. Identify assets

Teams need a current inventory of the components, credentials, and data in use, where those assets are located, and what security measures protect them. This inventory is what lets security teams track which assets carry known vulnerabilities.

A continuously updated inventory also gives security teams visibility into asset changes. For example, an alert when a new asset appears, whether or not the change was authorized, lets the team catch an unauthorized addition that may signal a compromise.

3. Identify mitigation capabilities

Mitigation capabilities generally refer to technology to protect, detect, and respond to a certain type of threat, but can also refer to an organization’s security expertise and abilities, and their processes. Assessing your existing capabilities will help you determine whether you need to add additional resources to mitigate a threat.

For example, if you have enterprise-grade antivirus, you have an initial level of protection against traditional malware threats. You can then determine if you should invest further, for example, to correlate your existing AV signals with other detection capabilities.

4. Assess risks

Risk assessments correlate threat intelligence with the asset inventory and the current vulnerability profile of each asset. This correlation is what lets a team understand the current state of its systems and plan which vulnerabilities to address first.

Risk assessments can also involve active testing of systems and solutions. For example, penetration testing to verify security measures and patching levels are effective.

5. Perform threat mapping

Threat mapping is a process that follows the potential path of threats through your systems. It is used to model how attackers might move from resource to resource and helps teams anticipate where defenses can be more effectively layered or applied.

Top threat modeling methodologies and techniques

When performing threat modeling, there are multiple methodologies you can use. The right model for your needs depends on what types of threats you are trying to model and for what purpose.

STRIDE threat modeling

STRIDE is a threat classification model created at Microsoft (by Loren Kohnfelder and Praerit Garg in 1999) to guide the discovery of threats in a system. It is applied to a model of the target system, typically a data-flow diagram, one element at a time, which makes it most effective for evaluating individual systems.

STRIDE is an acronym for the types of threats it covers, which are:

  • Spoofing — a user or program pretends to be another (defeats authentication)
  • Tampering — attackers modify data, components, or code (defeats integrity)
  • Repudiation — a user can deny having performed an action because the action was not logged or the logs cannot be trusted (defeats non-repudiation)
  • Information disclosure — data is leaked or exposed to someone not authorized to see it (defeats confidentiality)
  • Denial of service (DoS) — services or components are overloaded, exhausted, or crashed to prevent legitimate use (defeats availability)
  • Elevation of privilege — attackers gain privileges they were never granted, taking greater control over a system (defeats authorization)
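The usual way to apply STRIDE is "STRIDE-per-element": draw a data-flow diagram, then ask only the categories that make sense for each element type (an external entity can be spoofed or repudiate, a data flow can be tampered with, read, or cut off, and so on). The script below is an added example, not Microsoft's tooling; the element-to-category table is the published STRIDE-per-element chart, and the sample system (a browser, an order API, a database, and an audit log across three trust zones) is constructed here.

```python
"""STRIDE-per-element over a small data-flow diagram (DFD).

Added example, not Microsoft's tooling. The element-to-category table is the
STRIDE-per-element mapping from Microsoft's SDL; the sample system is constructed.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each DFD element type (STRIDE-per-element chart).
APPLICABLE = {
    "external_entity": "SR",
    "process":         "STRIDE",
    "data_store":      "TRID",    # R applies only where the store holds audit logs
    "data_flow":       "TID",
}

@dataclass
class Element:
    name: str
    kind: str                      # one of APPLICABLE's keys (data_flow is modelled by Flow)
    trust_zone: str = "internal"   # used to spot trust-boundary crossings
    holds_logs: bool = False       # data stores: repudiation only matters for audit logs

@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    protocol: str = ""

def crosses_boundary(flow: Flow) -> bool:
    """A flow joining two trust zones is where STRIDE analysis should focus first."""
    return flow.src.trust_zone != flow.dst.trust_zone

def enumerate_threats(elements, flows):
    """Return (target, category) pairs: one candidate threat per applicable category."""
    threats = []
    for el in elements:
        cats = APPLICABLE[el.kind]
        if el.kind == "data_store" and not el.holds_logs:
            cats = cats.replace("R", "")
        threats += [(el.name, STRIDE[c]) for c in cats]
    for f in flows:
        tag = f.name + (" [crosses trust boundary]" if crosses_boundary(f) else "")
        threats += [(tag, STRIDE[c]) for c in APPLICABLE["data_flow"]]
    return threats

# Constructed sample system (hypothetical names and zones).
browser = Element("Browser", "external_entity", trust_zone="internet")
api     = Element("Order API", "process", trust_zone="dmz")
db      = Element("Orders DB", "data_store", trust_zone="internal")
audit   = Element("Audit log", "data_store", trust_zone="dmz", holds_logs=True)
ELEMENTS = [browser, api, db, audit]
FLOWS = [
    Flow("HTTPS request", browser, api, "https"),
    Flow("SQL query", api, db, "tcp/5432"),
    Flow("Audit write", api, audit, "tcp/514"),
]

if __name__ == "__main__":
    for target, category in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{target:45} {category}")
```

Each pair is a question to answer ("how could the HTTPS request be tampered with?"), not a confirmed finding; the analyst records a mitigation or an accepted risk against each one, and the boundary-crossing flows get attention first.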

Process for Attack Simulation and Threat Analysis (PASTA)

PASTA is an attacker-centric methodology with seven stages. It is designed to tie business objectives to technical requirements, and its stages guide teams to identify, enumerate, and prioritize threats.

The stages of a PASTA threat model are:

  1. Define the business objectives
  2. Define the technical scope of assets and components
  3. Decompose the application and identify its controls
  4. Analyze threats using threat intelligence
  5. Detect vulnerabilities
  6. Enumerate and model attacks
  7. Analyze risk and develop countermeasures

Common Vulnerability Scoring System (CVSS)

CVSS is a standardized system for scoring the severity of known vulnerabilities rather than a threat modeling method in itself. It originated with the U.S. National Infrastructure Advisory Council (NIAC) in 2005 and is now maintained by the Forum of Incident Response and Security Teams (FIRST); NIST's National Vulnerability Database (NVD) publishes CVSS scores for CVE entries.

The score helps security teams communicate how severe a vulnerability is and prioritize it among others. Because a score can be recomputed by anyone from the published vector string, it also lets security professionals apply vulnerability intelligence developed by others consistently.

CVSS separates the inherent properties of a vulnerability (Base metrics: how it is reached, how hard it is to exploit, and its confidentiality, integrity, and availability impact) from factors that change over time (Temporal metrics, such as whether a working exploit or an official fix exists) and from factors specific to one environment (Environmental metrics, which let a team adjust the score to its own system configuration and the importance of the affected asset). Note that CVSS measures severity, not risk: a 9.8 on an isolated test host may matter less than a 6.5 on an internet-facing payment service.

Visual, Agile, and Simple Threat (VAST)

Visual, Agile, and Simple Threat (VAST) is an automated threat modeling method built on the ThreatModeler platform. Large enterprises implement VAST across their entire infrastructure to generate reliable, actionable results and maintain scalability.

VAST can integrate into the DevOps lifecycle and help teams identify various infrastructural and operational concerns. Implementing VAST requires the creation of two types of threat models: 

  • Application threat model — uses a process-flow diagram to represent the application from an architectural point of view
  • Operational threat model — uses a data-flow diagram to represent the infrastructure from the attacker's perspective

Trike

Trike is a security audit framework that manages risk and defense through threat modeling. The analyst first defines the system and enumerates its assets, actors, rules, and actions to build a requirements model. Trike expresses this model as a matrix with assets as columns and actors as rows. Each cell has four parts, one per CRUD action (create, read, update, delete), plus a rule tree in which the analyst records whether the action is allowed, disallowed, or allowed only under specified rules.

Trike builds a data-flow diagram mapping each element to the appropriate assets and actors with the requirements defined. The analyst uses the diagram to identify denial of service (DoS) and privilege escalation threats.

Trike assesses attack risks using a five-point probability scale for each CRUD action and actor. It also evaluates actors based on their permission level for each action (always, sometimes, or never).
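What makes Trike mechanical is that the requirements matrix itself yields the threat list: every cell the model says must never happen is a candidate elevation of privilege, every cell it says must always work is a candidate denial of service, and a conditional cell yields one of each. The script below is an added example, not the Trike project's own tooling; the actors, assets, permissions, and the five-point asset-value and actor-capability ratings are constructed for a hypothetical order-management system.

```python
"""Trike-style requirements model: actor x asset matrix with CRUD permissions,
and the two threat types Trike derives from it.

Added example, not the Trike project's own code. Actors, assets, permissions
and the five-point ratings below are constructed for a hypothetical system.
"""
from itertools import product

ACTIONS = ("create", "read", "update", "delete")
ALWAYS, NEVER = "always", "never"

ACTORS = ("customer", "support_agent", "anonymous")
ASSETS = ("order", "payment_card", "audit_log")

def rule(condition: str):
    """A cell allowed only under a condition (Trike's 'sometimes')."""
    return ("rule", condition)

# Requirements matrix: (actor, asset) -> {action: permission}.
# Actor/asset pairs absent from the matrix default to NEVER for every action.
MATRIX = {
    ("customer", "order"): {
        "create": ALWAYS, "read": rule("owner"),
        "update": rule("owner and order not yet shipped"), "delete": NEVER},
    ("customer", "payment_card"): {
        "create": ALWAYS, "read": rule("owner; PAN masked"),
        "update": rule("owner"), "delete": rule("owner")},
    ("customer", "audit_log"): {a: NEVER for a in ACTIONS},
    ("support_agent", "order"): {
        "create": NEVER, "read": ALWAYS,
        "update": rule("open support ticket for this order"), "delete": NEVER},
    ("support_agent", "payment_card"): {
        "create": NEVER, "read": NEVER, "update": NEVER,
        "delete": rule("customer identity verified")},
    ("support_agent", "audit_log"): {
        "create": NEVER, "read": ALWAYS, "update": NEVER, "delete": NEVER},
}

def permission(actor: str, asset: str, action: str):
    return MATRIX.get((actor, asset), {}).get(action, NEVER)

def derive_threats():
    """One (kind, actor, asset, action, statement) per threat the matrix implies."""
    threats = []
    for actor, asset, action in product(ACTORS, ASSETS, ACTIONS):
        p = permission(actor, asset, action)
        if p == NEVER:
            threats.append(("elevation_of_privilege", actor, asset, action,
                            f"{actor} must never {action} {asset}"))
        elif p == ALWAYS:
            threats.append(("denial_of_service", actor, asset, action,
                            f"{actor} must always be able to {action} {asset}"))
        else:  # conditional: abuse outside the rule, or blocking when the rule holds
            threats.append(("elevation_of_privilege", actor, asset, action,
                            f"{actor} performs {action} on {asset} when not '{p[1]}'"))
            threats.append(("denial_of_service", actor, asset, action,
                            f"{actor} blocked from {action} on {asset} although '{p[1]}'"))
    return threats

# Constructed five-point ratings: how valuable each asset is and how capable
# each actor is, used to rank the derived threats.
ASSET_VALUE = {"order": 3, "payment_card": 5, "audit_log": 4}
ACTOR_CAPABILITY = {"customer": 2, "support_agent": 4, "anonymous": 1}

def ranked_threats(kind: str = "elevation_of_privilege"):
    """Threats of one kind, highest score first (asset value x actor capability, 1..25)."""
    rows = [(ASSET_VALUE[t[2]] * ACTOR_CAPABILITY[t[1]], t)
            for t in derive_threats() if t[0] == kind]
    return sorted(rows, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    for score, (kind, actor, asset, action, text) in ranked_threats()[:5]:
        print(f"{score:2} {kind:22} {text}")
```

The matrix makes omissions visible: an actor or asset the analyst forgot to put in the model silently defaults to "never", which is the safe direction for elevation-of-privilege threats but means no denial-of-service requirement will be generated for it.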

Attack Trees

Attack trees are charts that display the paths that attacks can take in a system. These charts display attack goals as a root with possible paths as branches. When creating trees for threat modeling, multiple trees are created for a single system, one for each attacker goal.

This is one of the oldest and most widely used threat modeling techniques. While once used alone, it is now frequently combined with other methodologies, including PASTA, CVSS, and STRIDE.
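An attack tree becomes useful once its leaves carry attributes (cost, required access) that can be propagated up through OR and AND nodes: the cheapest path tells you where a defense removes the most attacker options, which is also the point of the threat mapping step described earlier. The script below is an added example in the style of Schneier's attack trees, not code from any threat-modeling tool; the tree (goal: read another customer's order history), the effort figures, and the insider-access flags are constructed for illustration.

```python
"""Attack tree with AND/OR nodes, evaluated for the cheapest attack path.

Added example in the style of Schneier's attack trees. The tree, the cost
figures (attacker effort units) and the insider flags are constructed.
"""
from dataclasses import dataclass, field
from typing import List

INF = float("inf")

@dataclass
class Node:
    label: str
    op: str = "OR"                 # "OR": any child achieves the node; "AND": all are needed
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0              # leaves only
    needs_insider: bool = False    # leaves only: requires insider access

def leaf(label: str, cost: float, needs_insider: bool = False) -> Node:
    return Node(label, cost=cost, needs_insider=needs_insider)

def cheapest(node: Node, insider: bool = False) -> float:
    """Minimum total cost for this attacker to achieve `node`; INF if unreachable."""
    if not node.children:
        return INF if (node.needs_insider and not insider) else node.cost
    costs = [cheapest(c, insider) for c in node.children]
    return min(costs) if node.op == "OR" else sum(costs)

def cheapest_path(node: Node, insider: bool = False) -> List[str]:
    """Leaf steps of the cheapest attack, or [] when the goal is unreachable."""
    if cheapest(node, insider) == INF:
        return []
    if not node.children:
        return [node.label]
    if node.op == "AND":
        return [step for c in node.children for step in cheapest_path(c, insider)]
    best = min(node.children, key=lambda c: cheapest(c, insider))
    return cheapest_path(best, insider)

def mitigate(node: Node, label: str) -> None:
    """Model a countermeasure by making the named leaf unreachable (cost INF)."""
    if not node.children and node.label == label:
        node.cost = INF
    for c in node.children:
        mitigate(c, label)

TREE = Node("Read another customer's order history", "OR", [
    Node("Steal a valid customer session", "OR", [
        leaf("Phish the customer for credentials", 30),
        leaf("Exploit XSS on the order page to steal the session cookie", 50),
    ]),
    Node("Abuse the orders API directly", "AND", [
        leaf("Enumerate sequential order IDs", 5),
        leaf("Call GET /orders/{id} lacking an ownership check", 10),
    ]),
    Node("Read the database directly", "AND", [
        leaf("Obtain DB credentials from the config repository", 5, needs_insider=True),
        leaf("Reach the DB port from the corporate network", 5, needs_insider=True),
    ]),
])

if __name__ == "__main__":
    print("external attacker:", cheapest(TREE), cheapest_path(TREE))
    print("insider:", cheapest(TREE, insider=True), cheapest_path(TREE, insider=True))
    mitigate(TREE, "Call GET /orders/{id} lacking an ownership check")
    print("after adding the ownership check:", cheapest(TREE), cheapest_path(TREE))
```

Run against two attacker profiles, the same tree gives different answers: the external attacker's cheapest route is the unauthenticated API (15), while the insider's is the database (10). Adding the ownership check pushes the external attacker to phishing (30) but does nothing for the insider path, which is the kind of gap a tree makes obvious and a flat list of threats does not.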

Security Cards

The Security Cards methodology is based on brainstorming and creative thinking rather than structured threat modeling approaches. It is designed to help security teams account for less common or novel attacks. This methodology is also a good way for security teams to increase knowledge about threats and threat modeling practices.

The methodology uses a deck of 42 cards in four dimensions: the adversary's motivations, the adversary's resources, the adversary's methods, and the human impact of an attack. The cards prompt analysts to ask who might attack, why, what resources they could bring to bear, how they would carry out the attack, and who would be harmed. Analysts deal the cards in a table-top exercise to walk through possible attacks and consider how the organization would respond.

Hybrid Threat Modeling Method (hTMM)

hTMM is a methodology developed by the Software Engineering Institute (SEI) at Carnegie Mellon University that combines two other SEI methodologies:

  • Security Quality Requirements Engineering (SQUARE) — a methodology designed to elicit, categorize and prioritize security requirements
  • Persona non Grata (PnG) — a methodology that focuses on uncovering ways a system can be abused to meet an attacker’s goals

hTMM aims to produce a threat model that accounts for all relevant threats, yields no false positives, gives consistent results regardless of who performs it, and is cost-effective.

It works by applying Security Cards, eliminating unlikely personae non gratae, summarizing the results, and then formally assessing risk using SQUARE.

Threat modeling with Exabeam’s Next-generation SIEM platform

Threat modeling is a complex process that requires real-time data collection and analysis, as well as a quick (if not real-time) response.

Next-generation SIEM platforms, like Exabeam’s Security Management Platform, can help you effectively create, manage, maintain, and automate the threat modeling process of your choice.

Exabeam offers the following modules that you can use to perform threat modeling:

  • Advanced analytics — using behavioral analytics to identify anomalous behavior that might indicate an attack, and correlating with threat analytics data to identify the type and source of the attack
  • Smart forensic analysis — collecting all relevant information about a security incident, across multiple users, IP addresses, and IT systems, combining it with threat intelligence data, and laying it out on an incident timeline
  • Incident response automation — gathering data from hundreds of tools, automatically identifying incidents, referencing them with threat intelligence data, and even automatically orchestrating containment and mitigation steps
  • Threat hunting — using threat intelligence data, combined with free exploration of internal security data, to identify new and unknown threats that might be affecting your organization

Exabeam Threat Hunter is especially helpful during the threat modeling process. It helps analysts outsmart attackers by simplifying threat detection. Here’s what you can do with Exabeam Threat Hunter:

  • Easy-to-use interface — a point-and-click interface makes it simple to query data
  • Context-aware data — enables complex searches
  • Automatic incident timelines — automation makes gathering evidence simpler and faster than maintaining logs by hand
  • Visual aids — represent relationships, revealing hidden correlations between data

In addition to these tools, Exabeam also offers a Threat Intelligence Service, which provides a cloud-based solution with proprietary threat intelligence technology. This system collects and analyzes threat indicators from multiple feeds.

The Threat Intelligence Service is free for Exabeam customers as part of the Exabeam Security Management Platform, and can also integrate with TIP vendors for a broader source of IOCs.

Learn more about the Exabeam Security Management Platform.