Threat model

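Threat modeling is a process for identifying potential threats, enumerating security vulnerabilities, and prioritizing mitigations, intended to help defenders determine which controls or defenses are necessary. This article covers the history of threat modeling and common methodologies such as STRIDE, P.A.S.T.A., Trike, and MAL, and outlines generally accepted IT threat modeling processes such as threat modeling based on data flow diagrams.
Summary generated by CSDN using AI technology.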

From Wikipedia, the free encyclopedia


Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like “Where am I most vulnerable to attack?”, “What are the most relevant threats?”, and “What do I need to do to safeguard against these threats?”.

Conceptually, most people incorporate some form of threat modeling in their daily life and don't even realize it. Commuters use threat modeling to consider what might go wrong during the morning drive to work and to take preemptive action to avoid possible accidents. Children engage in threat modeling when determining the best path toward an intended goal while avoiding the playground bully. In a more formal sense, threat modeling has been used to prioritize military defensive preparations since antiquity.


Evolution of IT-based threat modeling

Shortly after shared computing made its debut in the early 1960s, individuals began seeking ways to exploit security vulnerabilities for personal gain.[1] As a result, engineers and computer scientists soon began developing threat modeling concepts for information technology systems.

Early IT-based threat modeling methodologies were based on the concept of architectural patterns[2] first presented by Christopher Alexander in 1977. In 1988 Robert Barnard developed and successfully applied the first profile for an IT-system attacker.

In 1994, Edward Amoroso put forth the concept of a “threat tree” in his book, “Fundamentals of Computer Security Technology.[3]” The concept of a threat tree was based on decision tree diagrams. Threat trees graphically represent how a potential threat to an IT system can be exploited.

Independently, similar work was conducted by the NSA and DARPA on a structured graphical representation of how specific attacks against IT-systems could be executed. The resulting representation was called “attack trees.” In 1998 Bruce Schneier published his analysis of cyber risks utilizing attack trees in his paper entitled “Toward a Secure System Engineering Methodology.[4]” The paper proved to be a seminal contribution in the evolution of threat modeling for IT-systems. In Schneier's analysis, the attacker's goal is represented as a “root node,” with the potential means of reaching the goal represented as “leaf nodes.” Utilizing the attack tree in this way allowed cybersecu
