Threat modeling involves identifying potential threats to a system from the defender's perspective in order to mitigate risks. It includes identifying system assets, potential threats using frameworks like STRIDE, and how threats could be realized. Attack modeling takes the attacker's perspective to show how an attacker would exploit vulnerabilities to compromise a system. It involves identifying vulnerabilities, rewards for attacks, and ways to exploit vulnerabilities. While threat modeling is important for protection, attack modeling helps understand attacks more fully to improve security.
2. What is the difference between threat modeling and attack modeling in a software system?
3. Let’s first try to understand the difference between a threat and an attack.
4. A threat is the possibility of something bad happening. In other words, a potential violation of security.
An example threat: sensitive customer data getting exposed to unauthorized parties.
A personal life example: there is a possibility that your car gets hijacked.
5. An attack is any action that exploits a vulnerability to realize a threat. In other words, an event that results in a security violation.
There won’t be any attacks without a threat. If there is nothing to gain, then there is nothing to attack.
Example attack: exploiting a SQL injection vulnerability to access sensitive customer data stored in the database.
A personal life example: using a fake key to hijack the car (the fake key works because of a vulnerability).
6. Attacks
There are two types of attacks based on the intention of the attacker.
- Active attacks: they alter resources. E.g. spoofing, DoS attacks, buffer overflows.
- Passive attacks: they do not alter resources while trying to learn information. E.g. wiretapping, port scanning.
7. Attacks
Also, there are two types of attacks based on the origin of the attacker.
- Outside attacks: attacks initiated from outside the security perimeter by an unauthorized user. E.g. an attacker performing a SQL injection attack via a vulnerable app.
- Inside attacks: attacks initiated within the security perimeter by an authorized user. E.g. insider attacks (a privileged DBA copying customer information).
8. Now that we have a good grip on a threat vs. an attack, let’s go back to our original question: threat modeling vs. attack modeling?
9. Threat modeling is thinking ahead of time about what could go wrong and acting accordingly.
Threat modeling is done from the defender’s perspective.
In formal terms, threat modeling is the process of identifying your system (assets) and the potential threats against your system.
(Diagram labels: Defender, Attacker, Asset)
10. Threat Modeling is a process…
- Identify your system: system architecture, entities, processes, data, data flows.
- Identify the threats. E.g. the STRIDE framework: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privileges.
- Identify how the threats could be realized. E.g. attack trees.
- Quantify the risks associated with the threats. E.g. DREAD classification.
- Come up with mitigation techniques.
11. Let’s look at an example…
- Identify your system: a three-tier e-commerce web site (browser, app server, database).
- Identify the threats: user authentication credentials get disclosed.
- Identify how the threats could be realized: wiretapping the connection between browser and app server.
- Quantify the risks associated with the threats: high risk.
- Come up with mitigation techniques: always use TLS between browser and app server.
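The five steps of this example can be run over a small data-flow model. The following Python sketch is an added illustration, not part of the original slides; the Flow fields, the extra catalogue and database flows, and the Medium rating for flows inside the perimeter are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str                # what travels on this connection
    encrypted: bool          # is the channel protected, e.g. by TLS?
    crosses_perimeter: bool  # does it leave the security perimeter?

# Assumed classification of which data counts as sensitive.
SENSITIVE = {"authentication credentials", "customer data"}

def find_threats(flows):
    """Steps 2-5: one information-disclosure finding per plaintext sensitive flow."""
    findings = []
    for f in flows:
        if f.data in SENSITIVE and not f.encrypted:
            findings.append({
                "flow": f"{f.src} -> {f.dst}",
                "stride": "Information disclosure",
                "threat": f"disclosure of {f.data}",
                "realized_by": "wiretapping the connection",
                # Assumed rating rule: exposure outside the perimeter is High.
                "risk": "High" if f.crosses_perimeter else "Medium",
                "mitigation": f"use TLS between {f.src} and {f.dst}",
            })
    return findings

def apply_tls(flows, src, dst):
    """Return the model with the named connection switched to an encrypted channel."""
    return [Flow(f.src, f.dst, f.data, True, f.crosses_perimeter)
            if (f.src, f.dst) == (src, dst) else f for f in flows]

# Step 1: constructed model of the three-tier e-commerce site.
SITE = [
    Flow("browser", "app server", "authentication credentials", False, True),
    Flow("browser", "app server", "product catalogue", False, True),
    Flow("app server", "database", "customer data", False, False),
]

if __name__ == "__main__":
    for t in find_threats(SITE):
        print(t["risk"], "|", t["flow"], "|", t["threat"], "|", t["mitigation"])
    fixed = apply_tls(SITE, "browser", "app server")
    print("remaining:", [t["flow"] for t in find_threats(fixed)])
```

Re-running find_threats after apply_tls shows which findings a mitigation closes and which remain open.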
12. Now we understand what threat modeling is. Let’s get our hands on attack modeling and identify how it is different from threat modeling.
13. Attack modeling is thinking about how the system can be broken by exploiting vulnerabilities.
Attack modeling is done from the attacker’s perspective.
In other words, it shows how an attacker would go about breaking the system by exploiting vulnerabilities.
14. Attack Modeling is also a process…
- Identify the system to be attacked: learn about the system by playing with it and going through documentation. E.g. an old version x of a database.
- Identify vulnerabilities: study publicly available vulnerability databases. E.g. identify a vulnerability in an unpatched version of database x that allows privilege escalation.
- Quantify the rewards of the attack. E.g. use the escalated privilege to exfiltrate sensitive customer data.
- Come up with ways to exploit the vulnerabilities. E.g. gain access to database x as a regular user and escalate privilege by exploiting the vulnerability.
As a defender, you will be looking into countermeasures. E.g. patch database x.
15. As an architect/designer/developer/tester, you will most likely be using threat modeling to protect your system. However, it is important to think from the point of view of attackers in order to truly protect your system.