Threat Modeling

Question 1

What is a vulnerability?

Answer 1

A flaw or weakness in a system’s design, or operation and management that could be exploited to violate the system’s security policy

Question 2

What is an attack?

Answer 2

An intentional act by which an entity attempts to evade security services and violate the security policy of a system

Question 3

What is an attacker?

Answer 3

A person who executes an attack

Question 4

What is a threat?

Answer 4

A potential for violation of security

Question 5

What is an asset?

Answer 5

A system resource that is

• required to be protected by a security policy
• intended to be protected by a countermeasure
• required for a system’s mission

Question 6

What is risk?

Answer 6

An expectation of loss expressed as the probability that a particular threat will exploit a vulnerability with a harmful result

Question 7

What is a countermeasure?

Answer 7

An action, device, procedure or technique that meets a threat, vulnerability or attack by preventing it, by minimizing its harmful effect or by reporting it

Question 8

Name and describe two attacker models for interaction protocols

Answer 8

Honest-but-curious users
- follow protocol honestly
- can collude to learn more than they should
- obey all rules
Malicious users
- break rules of the protocol to get information
- more powerful

Question 9

Name six more attacker models and their capabilities

Answer 9

Eavesdropping
- eavesdrop on a shared channel

Man-in-the-middle MITM

• eavesdrop
• modify
• delete
• inject

Man-at-the-end MATE
- has full control over a system

Malware
- can have different purposes and different powers / levels of privilege

Side-Channel
- learn about sensitive information indirectly by observing parameters of a system or its environment

Social Engineering

Question 10

What does STRIDE stand for?

Answer 10

The different threats considered in the model:

• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

Question 11

What are the 5 steps of threat modeling with STRIDE?

Answer 11

1. Identify Security Objectives
2. Application Overview
3. Decompose Application
4. Identify Threats
5. Identify Vulnerabilities
   Repeat

Question 12

What are the different phases modeled in ATT&CK

Answer 12

Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Question 13

Name 4 questions that help identify security objectives

Answer 13

What data do you need to protect?
Do you have compliance requirements?
Do you have specific QoS requirements?
Are there intangible assets that you need to protect?

Question 14

What are the key components of an application overview?

Answer 14

• End-to-end deployment topology
• Logical layers
• Key components
• Key services
• Communication ports and protocols
• Identities
• External dependencies

Question 15

Which 4 steps help decompose an application?

Answer 15

• Identify Trust Boundaries
• Identify Data Flows
• Identify Entry Points
• Identify Exit Points

Question 16

Which steps help to identify threats / vulnerabilities to an application?

Answer 16

• Start with common threats and attacks
• Use a question-driven approach
  Topics:
• Authentication
• Authorization
• Input and Data Validation
• Configuration Management
• Sensitive Data
• Session Management
• Cryptography
• Exception Management
• Auditing and Logging
• Identify Threats Along Use Cases
• Identify Threats Along Data Flows