• Explore
  • Blog
  • Podcast
  • EIS Archive
  • About
  • Services
  • Contact
Menu

Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration
  • Explore
  • Blog
  • Podcast
  • EIS Archive
  • About
  • Services
  • Contact

Explore threat modeling risk management - Created with help from ChatGPT

Threat modeling risk management

February 15, 2024

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

In this post I want to talk about rating and prioritizing the discovered threats from a threat modeling session. We’ll get into the different methodologies and talk about some of the nuances of them.

Methodologies for Risk Management

Created with help from ChatGPT

DREAD

DREAD, an acronym for Damage, Reproducibility, Exploitability, Affected users, and Discoverability, is a risk assessment model used to prioritize threats. Although its use has declined due to its subjective nature and lack of business context alignment, some organizations may still find it useful for quick, high-level risk assessments.

This is what I use for threat modeling. If you read Adam Shostack’s book he calls it obsolete and recommends SDL Bug Bar. The reason is that the different categories can be a bit ambiguous, lack granularity, and context. I think it’s great for getting started and keeps threat modeling simple. As threat modeling matures there may be a need to mature the risk management and switch to something that provides more scaleability.

Using DREAD we would rate the threat by each theat on a 1-3 scale. This allowed for prioritizing low, medium, and high. The final number will help prioritize the threats discovered for follow up. Again, when dealing with other groups it’s important to keep the bar to entry low. As the program matures and people get a better idea on threat modeling advancing to something a bit more technical can be useful.

SDL Bug Bar

The Security Development Lifecycle (SDL) Bug Bar is a concept and a set of criteria used within Microsoft's SDL framework to classify and prioritize the handling of software bugs based on their security implications. The "bug bar" establishes a baseline for the security severity that a bug must meet or exceed to be considered a priority for fix before software can be released. It helps teams make consistent, informed decisions about which security vulnerabilities to fix and when to fix them.

There’s not really a lot available online for implementing the Bug Bar. There are some blog posts and the SDL Bug Bar PDF which doesn’t exactly give instructions on how to implement. It can be loaded as a template into other Microsoft tooling so that can be helpful and will help with streamlining some of the threat modeling process. Leave a comment below if you’ve had experience implementing the SDL Bug Bar.

OWASP Risk Rating Methodology

The Open Web Application Security Project (OWASP) offers a risk rating methodology that considers factors such as threat agents, attack vectors, technical impact, and business impact to prioritize vulnerabilities. This methodology is particularly useful for web application security and can be adapted to fit an organization's specific needs. This has more in-depth math and expanded categories for rating a threat. This could be another option for maturity.

CVSS (Common Vulnerability Scoring System)

CVSS provides an open framework for rating the severity of security vulnerabilities in software. It offers a standardized way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS scores can help organizations prioritize their response and remediation efforts based on the potential impact of each vulnerability. This is one of the standards for vulnerabilities.

FAIR (Factor Analysis of Information Risk)

FAIR is a quantitative risk analysis methodology that helps organizations understand, analyze, and quantify information risk in financial terms. FAIR differs from other models by focusing on the financial impact of risks, making it particularly useful for making informed, data-driven decisions about cybersecurity investments and risk management strategies. This methodology was created by Jack Jones with the intent of providing risk in financial terms for organization.

TARA (Threat Agent Risk Assessment)

TARA identifies potential threat agents and evaluates the risks they pose to an organization's critical assets. This methodology is useful for organizations that want to focus on the most likely sources of threats and tailor their defenses accordingly. Intel created TARA as part of its comprehensive security and risk management strategy to identify, assess, and prioritize risks based on the potential impact of various threat agents. This methodology was created by the Department of Defense (DoD) in 2010. It uses built in attacks to assist in the risk assessment process.

Summary

There are multiple options for rating and prioritizing the threats identified in a threat modeling session. I like DREAD because it’s simple but that might not be feasible for larger organizations. If you’re a Microsoft shop the SDL Bug Bar may be a better fit. OWASP Risk Rating Methodology is also another option. If you really want to go deep CVSS or another framework may be the best option. FAIR and TARA are two methodologies that look to provide specific context to risk management. FAIR from a financial standpoint and TARA has a DoD lean. Choosing the best risk management methodology will depend on the organization and it’s needs. Try multiple and see what works best for your organization.

Next we’ll get into tools and resources for threat modeling.

Subscribe

Sign up with your email address to receive news and updates.

We respect your privacy.

Thank you!
In Experiences, Advice Tags Threat Modeling, Risk
Comment

Latest PoDCASTS

Featured
Nov 14, 2024
How to Pick a Whiskey Barrel With The Innocent Lives Foundation Charity
Nov 14, 2024
Nov 14, 2024
Nov 12, 2024
Exploring Legal Landmines in Incident Response with Thomas Ritter
Nov 12, 2024
Nov 12, 2024
Nov 5, 2024
[RERELEASE] What is the SANS Holiday Hack Challenge
Nov 5, 2024
Nov 5, 2024
Oct 29, 2024
[RERELEASE] ShowMeCon: What does Jayson E. Street, Dave Chronister, Johnny Xmas, April Wright, and Ben Brown think about security?
Oct 29, 2024
Oct 29, 2024
Oct 22, 2024
[RERELEASE] What is security awareness?
Oct 22, 2024
Oct 22, 2024
Oct 15, 2024
How to get a penetration test (pentest)
Oct 15, 2024
Oct 15, 2024
Oct 8, 2024
How to Avoid Election Scams
Oct 8, 2024
Oct 8, 2024
Oct 1, 2024
What is sober in cyber?
Oct 1, 2024
Oct 1, 2024
Sep 24, 2024
How Disinformation Will Impact The 2024 Election with Renee DiResta
Sep 24, 2024
Sep 24, 2024
Sep 17, 2024
How to Hack an Enterprise
Sep 17, 2024
Sep 17, 2024

Powered by Squarespace