This series applies “the STRIDE approach to threat modeling (which) was introduced in 1999 at Microsoft, providing a mnemonic for developers to find ‘threats to our products’. STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to “the” Microsoft methodology commonly mean STRIDE and Data Flow Diagrams.” (https://en.wikipedia.org/wiki/Threat_model).
Factor Analysis of Information Risk (FAIR) is defined in the Open Risk Taxonomy and Open Risk Analysis standards (https://www.opengroup.org/forum/security/riskanalysis). Related guides, white papers and tools are also available there. This post relies on your previous knowledge of both FAIR and threat modeling.
FAIR is designed to analyze enterprise risks, such as theft of intellectual property or loss of revenue due to ransomware attacks affecting online services. By contrast, threat modeling is typically scoped to individual application systems. While threat modeling is helpful in identifying potential mitigations for expected threats given the current system design, it lacks a means to quantify the value of the mitigations’ risk reduction.
The following shows how threat modeling concepts relate to FAIR, introducing the idea that a system-level threat model can feed an enterprise risk analysis performed with FAIR.
The Microsoft Threat Modeling Tool provides a stencil of model objects, each carrying a list of attributes with selectable values (often yes/no); the attribute list itself depends on the object label (e.g., different communications protocols have different attribute lists). The Tool scans the model and produces a Threat View from that analysis. STRIDE is the acronym for the categories of attack techniques employed during threat events against application systems; the table below maps each category to its role in a FAIR loss event.
| STRIDE category | Description | Relationship to FAIR loss event |
|---|---|---|
| Spoofing | Involves illegally accessing and then using another user’s authentication information, such as username and password | Intermediate step to loss event |
| Tampering | Involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet | Integrity |
| Repudiation | Associated with users who deny performing an action without other parties having any way to prove otherwise. Non-repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package | Theft; intermediate step to loss event |
| Information Disclosure | Involves the exposure of information to individuals who are not supposed to have access to it | Information disclosure |
| Denial of Service | Denial of service (DoS) attacks deny service to valid users | Availability |
| Elevation of Privilege | An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed | Intermediate step to loss event |
At the beginning of threat modeling, it is assumed that no mitigations are in place. From a FAIR perspective, mitigations increase Resistance Strength and thereby reduce Vulnerability (which rises with Threat Capability relative to Resistance Strength).
The FAIR enterprise view begins with identifying the (few) risk scenarios. Each scenario identifies potential losses and the associated threat, leading to baseline calibrated estimates of Threat Event Frequency and Threat Capability along with Loss Magnitude, all stated as ranges of values.
Threat intelligence may help guide which STRIDE techniques are associated with a threat actor; it may also provide insight necessary to develop a calibrated estimate of Threat Capability which is recorded as a scalar value of 0-99. Also needed is a library of Mitigations with associated Resistance Strength, also recorded as a scalar value of 0-99.
Analyzing Example Enterprise Risk
The following are example brief risk titles, each followed by a structured description statement.
- PI Theft – Theft of proprietary information resulting in loss of competitive advantage
- Online Disruption – Disruption of online service resulting in lost revenue and added PR costs
The risk analyst can work with appropriate business and technical experts to decompose the risk statements into calibrated FAIR estimates and STRIDE categories. The values in the following table illustrate the results but are examples not intended to represent calibrated estimates for a specific business scenario.
| Risk | FAIR estimate (min, most likely, max) | STRIDE category | Loss Magnitude (min, most likely, max) |
|---|---|---|---|
| PI Theft | 5, 15, 20 | I | $1M, $1.5M, $2M |
| Online Disruption | 20, 25, 40 | S | $10M, $15M, $20M |
The following shows the PI Theft risk factor inputs to the FAIR Tool for the Information Disclosure STRIDE category. The values for Threat Capability and Resistance Strength are arbitrarily set 5% above and below the values from the table above. The analysis includes a proposed improvement that increases Resistance Strength by 1%.
The following shows the FAIR Tool risk analysis results. Notice the chance of loss exceeding $5M is 43% for the current situation and is reduced to 23% with the proposed control improvement. The average loss is reduced from about $5M per year to about $3M per year, and average risk reduction is about $1.8M annually. A business case can be made for the control improvement project in relation to this risk reduction.
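The following is an added worked example, not the FAIR Tool or anything from the original post: a small Monte Carlo FAIR simulation of the PI Theft scenario that derives Vulnerability from Threat Capability versus Resistance Strength, then compares the current state with a proposed control improvement. The TEF and Loss Magnitude ranges are the table's; the Threat Capability and Resistance Strength ranges, the +1 point uplift on the 0-99 scale and the $5M threshold are assumptions for illustration.

```python
import random
from statistics import mean

# Constructed inputs for the page's "PI Theft" scenario (Information Disclosure).
# Each tuple is (min, max, most likely), the argument order random.triangular uses.
# TEF and loss ranges come from the table; tcap and rs ranges are assumed (0-99 scale).
PI_THEFT = {
    "tef": (5, 20, 15),           # threat events per year
    "loss": (1e6, 2e6, 1.5e6),    # loss magnitude per loss event, in $
    "tcap": (60, 80, 70),         # assumed attacker Threat Capability percentile
    "rs": (65, 85, 75),           # assumed control Resistance Strength percentile
}

def simulate(scenario, years=10000, rs_uplift=0, threshold=5e6, seed=7):
    """Monte Carlo FAIR run. Each year draws a TEF; each threat event draws a
    Threat Capability and a Resistance Strength and becomes a loss event only
    when capability exceeds strength (that fraction is the Vulnerability).
    rs_uplift models a mitigation that raises Resistance Strength by a fixed
    number of points. The fixed seed and unconditional loss draw keep the random
    stream paired, so runs with different uplifts see the same threat events."""
    rng = random.Random(seed)
    annual, events, loss_events = [], 0, 0
    for _ in range(years):
        n_events = round(rng.triangular(*scenario["tef"]))
        total = 0.0
        for _ in range(n_events):
            tcap = rng.triangular(*scenario["tcap"])
            rs = rng.triangular(*scenario["rs"]) + rs_uplift
            amount = rng.triangular(*scenario["loss"])
            events += 1
            if tcap > rs:          # threat event turns into a loss event
                loss_events += 1
                total += amount
        annual.append(total)
    return {
        "vulnerability": loss_events / events,
        "mean_annual_loss": mean(annual),
        "p_exceed": sum(1 for a in annual if a > threshold) / years,
    }

def risk_reduction(scenario, rs_uplift=1, **kw):
    """Current state vs. proposed control improvement; the third value is the
    average annual risk reduction a business case would cite."""
    base = simulate(scenario, **kw)
    improved = simulate(scenario, rs_uplift=rs_uplift, **kw)
    return base, improved, base["mean_annual_loss"] - improved["mean_annual_loss"]

if __name__ == "__main__":
    base, improved, delta = risk_reduction(PI_THEFT)
    for label, r in (("current", base), ("improved", improved)):
        print(f"{label}: vulnerability={r['vulnerability']:.2f} "
              f"ALE=${r['mean_annual_loss'] / 1e6:.2f}M P(>$5M)={r['p_exceed']:.0%}")
    print(f"average annual risk reduction: ${delta / 1e6:.2f}M")
```

Because the draws are paired, every loss event in the improved run is also a loss event in the current run, so the reduction is attributable to the uplift rather than to sampling noise.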