As published in the November/December 2019 edition  of InfoSecurity Professional Magazine

By Naresh Kurada, CISSP

Threat modeling is gaining even more attention with today’s dynamic threat environment. The sophistication of threat actors and development of advanced tactics, techniques and procedures (TTPs) has put a brighter spotlight on the process of finding vulnerabilities by incorporating the attacker’s point of view.

There are several threat modeling approaches and techniques to consider. Often, these can be classified as asset-centric, system-centric, people-centric or risk-centric. For instance, Microsoft’s STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) is system-centric, while PASTA (Process for Attack Simulation and Threat Analysis) is risk-centric.

Regardless of the model, the primary objectives remain the same—identify threats and embed countermeasures at the outset and, preferably, during design. However, threat modeling for each of these approaches may not be comprehensive enough and could also be difficult to apply. More importantly, there are no formal frameworks to holistically identify threats from adversarial tactics. And there is often an over-reliance on the experience and expertise of security practitioners, software developers and systems engineers.

This was true until MITRE developed the Adversarial Tactics, Techniques and Common Knowledge framework, better known as ATT&CK. The even better news is that MITRE ATT&CK can also be used to holistically identify threats emanating from adversarial tactics or techniques to the widely used STRIDE approach. The system-centric STRIDE approach for threat modeling is usually leveraged during secure software and system development, or as an extension to DevSecOps. Here’s what you need to know before diving in.

THREAT MODELING FUNDAMENTALS

The underlying premise of threat modeling, as an exten-sion of reliability engineering, is that a system will always have an undefined vulnerability that could potentially be exploited through a sequence of steps or in a certain scenario. Simply put: A system will always have an undefined flaw waiting to be exploited.

Consequently, threat modeling is a systematic process to elicit potential threats and anticipate the exploitability of vulnerabilities. Some of the earliest works on threat modeling include the use of attack trees (https://www. researchgate.net/publication/234738557_Threat_ Modeling_Using_Attack_Trees) (as an extension of fault tree analysis) and numerous other academic pursuits as derivatives of mathematical stochastic processes. 

Most threat modeling approaches have four components:

• Actor or adversary

• System or subject

• Vulnerability

• Attack technique or method

Of the four, the attack techniques are largely similar and offer opportunities for attack pattern recognition. Ironically, the taxonomy related to attack techniques has not been formalized and linked back to the actor in the context of a system.

Also, in the context of inputs to threat modeling, the processes to maintain and report on vulnerabilities has matured over the years, and numerous publicly available vulnerability databases have evolved. For instance, the NIST National Vulnerability Database (NVD) offers a good source of known vulnerabilities across various technologies.

Also, security researchers have made deliberate attempts to capture and map out tactics as patterns used by adver-saries. Lockheed Martin’s Cyber Kill Chain is one such approach and describes the adversarial tactics as a sev-en-step process. These steps are reconnaissance, weapon-ization, delivery, exploitation, installation, command and control, and actions on objectives. While both the NVD and the Cyber Kill Chain offer valuable input, neither is holistic enough for effective threat modeling. The Cyber Kill Chain is a high-level adversarial framework of tactics, while vul-nerability databases are too low-level.

This is where the MITRE ATT&CK framework fits— to fill the gap and provide a succinct set of tactics with an appropriate depth and taxonomy of techniques.

A DEEPER DIVE INTO MITRE ATT&CK

The MITRE organization recognized the disparity in articulating the adversarial view of an attack lifecycle and created ATT&CK (https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philoso-phy.pdf). An attacker’s target platforms and the techniques and tactics detailed in ATT&CK is a community-driven knowledge base maintained and updated by MITRE.

In spirit, ATT&CK is similar to the Cyber Kill Chain, yet more defined with depth and actively updated (similar to how NVD is actively updated). At a high level, ATT&CK is organized as a matrix of adversarial patterns, capturing the progressive tactics (and intent) of cyber adversary behavior along with the corresponding techniques.

A sample of the MITRE ATT&CK matrix is illustrated in Figure 1, above. What differentiates ATT&CK from the Cyber Kill Chain is the depth of the techniques and the curated taxonomy of those techniques. Also, the organi-zation of the matrix presents use cases for cyber defense and protection. Some of the use cases for cyber defense are gap assessments in security operations based on specific exposure to threats and elicit opportunities for improving the protection. 

ATT&CK also presents as a plug-in or a second layer to other frameworks that lack the adversarial tactics and tech-niques. More specifically, it can be used as a second layer for STRIDE, which is often used to drive threat modeling in secure software development.

A DEEPER DIVE INTO MICROSOFT STRIDE THREAT MODELING

STRIDE is a popular system-centric threat modeling technique used to elicit threats in systems and the software development lifecycle (SDL) along the dimensions or mne-monics of spoofing, tampering, repudiation, information disclosure, denial-of-service and elevation of privilege.

The primary steps needed to apply STRIDE require:

• Identifying processes, data stores and dataflows.

• Establishing trust boundaries between systems and subsystems (such as data flow diagrams).

Subsequently, each of the systems or subsystems are systematically analyzed against each of the components of STRIDE, as well as the desired outcome to protect authenticity, integrity, non-repudiation, confidentiality, availability and authorization.

STRIDE is a robust process for high-level threat model-ing. It also offers the right amount of “shift left” (develop-ment of security countermeasures at the outset) required of security in SDL and as an extension to DevOps during design and Agile development—as opposed to a later stage (such as a software release).

What STRIDE doesn’t do, however, is account for how adversaries intend to exploit a system. What is their plan of attack? For instance, STRIDE doesn’t factor in the intent of the tactics, from “initial access” to “lateral movement,” or to maintain “persistence” within a system or subsystem.

Similarly, within each tactic, the taxonomy of tech-niques used to exploit vulnerabilities is not defined at the level required for modern advanced TTPs. All these factors are required for developing strong cyber protections during SDL. Also, the depth and breadth of threat modeling becomes an even more critical security concern in DevOps because of modern Agile-based development that includes continuous integration and development (CI/CD), as well as infrastructure and security developed as code.

Let’s also not forget the thoroughness of security needed to derive and develop the foundations for a golden image (blueprint of security countermeasures). The golden image must be in lockstep with the high-security risks of shorter release cycles (days or hours as opposed to months) in continuous integration/continuous delivery processes with automated security testing during development.

UNDERPINNING STRIDE WITH ATT&CK

Given all we’ve covered, the application of ATT&CK in the STRIDE process is a natural fit. This combined process for threat modeling is illustrated in Figure 2.

Like STRIDE, the first step is to identifythe systems, subsystems and more, then map out the dataflows and interactions between them and thetrust boundaries.

Second, for each of the subsystems, enumerate a STRIDE matrix listing the mnemonics. Third, the 12 ATT&CK tactics are tallied. Enumerated tactics are:

• Initial Access

• Execution

• Persistence

• Privilege Escalation

• Defense Evasion

• Credential Access

• Discovery

• Lateral Movement

• Collection

• Command and Control

• Exfiltration

• Impact

Each of these tactics is progressively sophisticated and, accordingly, the defense (protection) for each of them becomes more complicated.

In Step 4, for each of the tactics within each of the STRIDE mnemonics, the applicable techniques are evaluated. For instance, for the STRIDE mnemonic of spoofing, the 12 tactics are evaluated for ATT&CK threat techniques that could result in spoofing against authen-ticity. In other words, Steps 2 through 4 are a process of elimination. In the fifth and final step, this process is iterated against all subsystems to enumerate all the threats and ascertain defenses.

BETTER TOGETHER

The ATT&CK matrix offers a rich taxonomy of adversarial tactics with a curated enumeration of adversarial tech-niques readily available for various use cases. ATT&CK can be used as a tool to systematically evaluate adversar-ial tactics and techniques that are lacking in the STRIDE threat modeling process widely used during SDL. The result is an overall improvement in the effectiveness and efficacy of threat modeling. •

NARESH KURADA, CISSP, is director of security consulting at Avanade (a joint venture between Accenture and Microsoft). In the past 15 years, he has specialized in cybersecurity risk management on a variety of computing environments in financial services, power and utilities, and telecom industries.

WANT TO LEARN MORE?

Listen to the (ISC)2 Think Tank webcast The Power of 2: How Automated Threat Hunting & the ATT&CK Framework from MITRE Can Work Together

FEATURING: Brandon Dunlap, Moderator Jason Bevis, BlackBerry Cylance – VP Global Threat Hunting & International Services Alex Holden, Hold Security, LLC – CISO Douglas “Chip” Wagner, IBM – Security Analytics Leader, North America