RE: Threat Modeling

["Dan Morrill" <Dan.Morrill () PREMERA com>]

Interesting then in the long run.

The basis of my e-mail was threat modeling the actual attacks that were
coming in to the web server or other network object, not the possible
threats that could be used during the development cycle. 

So working in real world data as to the object (say web server) and what
attacks it is actually seeing, not working  out the DREAD issues. However,
real world can be used to determine statistics that can then be used to work
in STRIDE and DREAD. Especially for home grown code that is developed by the
company for their own use rather than a generic code set like apache, linux,
windows, etc. 

STRIDE/DREAD in use with GP code (General purpose) is more valid in those
instances in my opinion, than doing a detail analysis of the data coming
into the network, and determining risk based on actual data. Depends on
where you are, miss read the question (coming from a different background in
IDS).

Cheers/r/Dan


-----Original Message-----
From: Matthew Franz [mailto:mfranz () cisco com]
Sent: Thursday, May 20, 2004 1:47 PM
To: Dan Morrill
Cc: 'aporia () tiscali co uk'; webappsec () securityfocus com
Subject: Re: Threat Modeling



I guess it all depends on what we mean by "threat modeling" and why we
are doing it.

What you are describing is different from (but could possibly inform)
things like STRIDE/DREAD, attack trees, transaction paths, etc. which
would be what I would consder threat modeling. I don't think there are
any free/open source tools for doing something like that.

For what it is worth, some random thoughts I put together on the topic
earlier this month:

http://www.io.com/~mdfranz/papers/unpub-may04-flexible-threat-modeling.pdf

- mdf

> Ok,
>
> Here is the odd ball question, why not grab a copy of any SNMP or Syslog
> listener, drop it to a database, send your firewall, IDS, and other data
> there, then do some data mining scripts to find out activity that is going
> on. At least then it would be relevant to where you are on the internet,
and
> would develop a real baseline for your organization. (Don't mind me, did
> this already, and can be done using free ware and a good dba). 
>
> For example want to know what day of the week you get the most attacks,
use
> this MS-SQL script (can be easily rewritten for MySQL).
>
> select CASE datepart(dw,id_timestamp)
>  WHEN 1 THEN 'Sunday'
>  WHEN 2 THEN 'Monday'
>  WHEN 3 THEN 'Tuesday'
>  WHEN 4 THEN 'Wednesday'
>  WHEN 5 THEN 'Thursday'
>  WHEN 6 THEN 'Friday'
>  WHEN 7 THEN 'Saturday' END AS DayOfWeek
>  , count(*) as NumberOfEvents from event
> group by datepart(dw,id_timestamp)
> order by datepart(dw,id_timestamp)
>
> Want to know which ports are being scanned, use a script similar to this
> one.
>
> SELECT     t_port, COUNT(*) AS [Count of TPort]
> FROM         dbo.event
> GROUP BY t_port
>
> So software involved:
>
> Kiwi's syslog listener
> MySQL
> Some cut rate computer with about 1 gig of RAM
> Some serious storage space (unless you go to a "trend table" digest at the
> end of 48 hours of actual data on line)
> Your Operating system of Choice
>
> Just a thought, seen this idea done too many times lately. But the good
part
> is that you can threat trend for yourself based on your data, based on
where
> you are on the internet, and develop some really thought provoking threat
> modeling based on your company, not on what someone tells you is the right
> thing to model for. 
>
> Cheers/r/Dan 
>
> -----Original Message-----
> From: aporia () tiscali co uk [mailto:aporia () tiscali co uk] 
> Sent: Thursday, May 20, 2004 9:22 AM
> Cc: webappsec () securityfocus com
> Subject: RE: Threat Modeling
>
> I've been looking for a free set of threat models, too - no luck, though
> - would be interested to know if you are successful.
>
> _However_ I can recommend a software product called CRAMM.  I don't know
if
> you've used it, but basically it's a tool developed by HMG in Cheltenham.
>  The great thing about it, and the reason it costs 4,000 GBP is that it
> contains a database of over 3000 threats, vulnerabilities and
> countermeasures.
>
> It also follows a specific methodology (Crown Copyright), and is aligned
to
> BS7799.
>
> Unfortunately, the cost is a significant barrier to using it.  What about
> just buying the BS7799 (about 150 GBP) and ISO TR 13335: Guidelines for
> Management of IT Security (GMIT)? A reasonable starter pack.  This isn't
fee
> either, unfortunately.  But it is American.
>
> ---------------
> Ian Ristic [ivanr () webkreator com]
>
> > Any links to any free threat modeling tools out there ?
>
>    Does anyone know what happened to the threat modeling tool
>    Microsoft announced in late 2003?
>
> --
> ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web
> applications ]
>
> __________________________________________________
> Broadband from an unbeatable ?15.99!
>
> http://www.tiscali.co.uk/products/broadband/home.html?code=SM-NL-11AM