Threat Modeling

1. 什么是威胁建模

是一个可以识别和列举潜在威胁、漏洞或缺乏保护措施的过程。然后可以优先考虑缓解措施

通过安全性的视角查看应用程序及其环境。

2 . 威胁建模的目的

是为防御者提供分析，分析需要包含哪些控制或防御措施，考虑到系统的性质、可能的攻击者的概况、最可能的攻击向量以及攻击者最需要的资产。生活中威胁建模例子：识别威胁 ->防护措施

We identified the threat of infection from other people, or from surfaces we touch, or the threat of infecting other people. Then we thought about ways to thwart those threats by keeping social distance, washing our hands more, wearing masks. Every interaction we have is considered and measured for threats from the virus. That’s an example of threat modeling.

3. 威胁建模的组成

A threat model typically includes:

• Description of the subject to be modeled

• Assumptions that can be checked or challenged in the future as the threat landscape changes

• Potential threats to the system

• Actions that can be taken to mitigate each threat

• A way of validating the model and threats, and verification of success of actions taken

4.  STRIDE 方法论 

5. 威胁建模：四个问题框架

A possible threat exists when the combined likelihood of the threat occurring and impact it would have on the organization create a significant risk. The following four question framework can help to organize threat modeling:

• What are we working on?

• What can go wrong?

• What are we going to do about it?

• Did we do a good job?

6. 评估范围

What are we working on? This might be as small as a sprint, or as large as a whole system.

• Identify what can go wrong - This can be as simple as a brainstorm, or as structured as using STRIDE, Kill Chains, or Attack Trees.

• Identify countermeasures or manage risk - Decide what you’re going to do about each threat. That might be to implement a mitigation, or to apply the accept/transfer/eliminate approaches of risk management.

• Assess your work - Did you do a good enough job for the system at hand?

参考:

• https://owasp.org/www-community/Threat_Modeling

• https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling

• https://www.threatmodelingmanifesto.org/