WebApp Sec mailing list archives
RE: Threat Modeling
From: "Dan Morrill" <Dan.Morrill () PREMERA com>
Date: Thu, 20 May 2004 19:41:16 -0700
Interesting then in the long run. The basis of my e-mail was threat modeling the actual attacks that were coming in to the web server or other network object, not the possible threats that could be used during the development cycle. So working in real-world data as to the object (say web server) and what attacks it is actually seeing, not working out the DREAD issues.

However, real-world data can be used to determine statistics that can then be used to work in STRIDE and DREAD. Especially for home-grown code that is developed by the company for their own use rather than a generic code set like Apache, Linux, Windows, etc. STRIDE/DREAD in use with GP (general purpose) code is more valid in those instances, in my opinion, than doing a detailed analysis of the data coming into the network and determining risk based on actual data.

Depends on where you are; I misread the question (coming from a different background in IDS).

Cheers/r/Dan

-----Original Message-----
From: Matthew Franz [mailto:mfranz () cisco com]
Sent: Thursday, May 20, 2004 1:47 PM
To: Dan Morrill
Cc: 'aporia () tiscali co uk'; webappsec () securityfocus com
Subject: Re: Threat Modeling

I guess it all depends on what we mean by "threat modeling" and why we are doing it. What you are describing is different from (but could possibly inform) things like STRIDE/DREAD, attack trees, transaction paths, etc., which would be what I would consider threat modeling. I don't think there are any free/open source tools for doing something like that.

For what it is worth, some random thoughts I put together on the topic earlier this month:

http://www.io.com/~mdfranz/papers/unpub-may04-flexible-threat-modeling.pdf

- mdf
Ok, here is the oddball question: why not grab a copy of any SNMP or syslog listener, drop it to a database, send your firewall, IDS, and other data there, then do some data mining scripts to find out what activity is going on? At least then it would be relevant to where you are on the internet, and would develop a real baseline for your organization. (Don't mind me, did this already, and it can be done using freeware and a good DBA.)

For example, want to know what day of the week you get the most attacks? Use this MS-SQL script (can be easily rewritten for MySQL):

    select CASE datepart(dw,id_timestamp)
        WHEN 1 THEN 'Sunday'
        WHEN 2 THEN 'Monday'
        WHEN 3 THEN 'Tuesday'
        WHEN 4 THEN 'Wednesday'
        WHEN 5 THEN 'Thursday'
        WHEN 6 THEN 'Friday'
        WHEN 7 THEN 'Saturday'
        END AS DayOfWeek,
        count(*) as NumberOfEvents
    from event
    group by datepart(dw,id_timestamp)
    order by datepart(dw,id_timestamp)

Want to know which ports are being scanned? Use a script similar to this one:

    SELECT t_port, COUNT(*) AS [Count of TPort]
    FROM dbo.event
    GROUP BY t_port

So, software involved:

- Kiwi's syslog listener
- MySQL
- Some cut-rate computer with about 1 gig of RAM
- Some serious storage space (unless you go to a "trend table" digest at the end of 48 hours of actual data online)
- Your operating system of choice

Just a thought; seen this idea done too many times lately. But the good part is that you can threat trend for yourself based on your data, based on where you are on the internet, and develop some really thought-provoking threat modeling based on your company, not on what someone tells you is the right thing to model for.

Cheers/r/Dan

-----Original Message-----
From: aporia () tiscali co uk [mailto:aporia () tiscali co uk]
Sent: Thursday, May 20, 2004 9:22 AM
Cc: webappsec () securityfocus com
Subject: RE: Threat Modeling

I've been looking for a free set of threat models, too - no luck, though - would be interested to know if you are successful.

_However_ I can recommend a software product called CRAMM. I don't know if you've used it, but basically it's a tool developed by HMG in Cheltenham. The great thing about it, and the reason it costs 4,000 GBP, is that it contains a database of over 3000 threats, vulnerabilities and countermeasures. It also follows a specific methodology (Crown Copyright), and is aligned to BS7799. Unfortunately, the cost is a significant barrier to using it.

What about just buying the BS7799 (about 150 GBP) and ISO TR 13335: Guidelines for Management of IT Security (GMIT)? A reasonable starter pack. This isn't free either, unfortunately. But it is American.

---------------
Ivan Ristic [ivanr () webkreator com]
> Any links to any free threat modeling tools out there?
> Does anyone know what happened to the threat modeling tool Microsoft announced in late 2003?
> --
> ModSecurity (http://www.modsecurity.org)
> [ Open source IDS for Web applications ]
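The log-to-database baselining pipeline Dan describes (listener, a table of events, a few aggregation queries), as an added example that is not part of the thread and not Dan's code. It assumes an iptables-style firewall DROP line as the input format, uses SQLite instead of MS-SQL or MySQL so it runs with no server, and the sample syslog lines are constructed (addresses from the RFC 5737 test ranges). The column names `id_timestamp` and `t_port` are kept from Dan's queries; everything else is this example's own.

```python
"""Baseline firewall drops from syslog with SQL: parse, load, and mine."""
import re
import sqlite3

# Constructed sample of syslog-delivered firewall DROP lines (not real data).
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_SYSLOG = """\
2004-05-17T02:14:09 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4123 DPT=1433
2004-05-17T02:14:10 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4124 DPT=1433
2004-05-18T11:02:44 fw1 kernel: DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445
2004-05-18T23:58:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=135
2004-05-19T04:30:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=UDP SPT=1026 DPT=1434
2004-05-23T09:15:30 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4200 DPT=1433
2004-05-23T09:15:31 fw1 kernel: this line has no SRC/DPT fields and must be skipped
"""

# Only the fields worth mining are extracted. A line that does not match is
# dropped rather than half-parsed, so a truncated record cannot skew the counts.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<action>\w+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Timestamps are stored as ISO 8601 text so SQLite's date functions work on them.
SCHEMA = """
CREATE TABLE event (
    id           INTEGER PRIMARY KEY,
    id_timestamp TEXT    NOT NULL,
    host         TEXT    NOT NULL,
    action       TEXT    NOT NULL,
    s_ip         TEXT    NOT NULL,
    t_ip         TEXT    NOT NULL,
    proto        TEXT    NOT NULL,
    s_port       INTEGER NOT NULL,
    t_port       INTEGER NOT NULL
);
CREATE INDEX event_t_port ON event (t_port);
CREATE INDEX event_s_ip ON event (s_ip);
"""


def parse_line(line):
    """Return a row tuple for one syslog line, or None if it is not a parsable DROP record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return (d["ts"], d["host"], d["action"], d["src"], d["dst"],
            d["proto"], int(d["spt"]), int(d["dpt"]))


def load_events(conn, text):
    """Parse every line of `text` into the event table; return the number of rows stored."""
    rows = [r for r in (parse_line(ln) for ln in text.splitlines()) if r]
    conn.executemany(
        "INSERT INTO event (id_timestamp, host, action, s_ip, t_ip, proto, s_port, t_port) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def build_db(text=SAMPLE_SYSLOG):
    """Create an in-memory database loaded with the given syslog text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_events(conn, text)
    return conn


def events_by_weekday(conn):
    """Dan's day-of-week query, ported to SQLite.

    strftime('%w') yields 0=Sunday..6=Saturday (MS-SQL's datepart(dw) is 1..7 and
    depends on the session's DATEFIRST setting), so the CASE labels differ."""
    return conn.execute("""
        SELECT CASE strftime('%w', id_timestamp)
                 WHEN '0' THEN 'Sunday'    WHEN '1' THEN 'Monday'
                 WHEN '2' THEN 'Tuesday'   WHEN '3' THEN 'Wednesday'
                 WHEN '4' THEN 'Thursday'  WHEN '5' THEN 'Friday'
                 WHEN '6' THEN 'Saturday'
               END AS DayOfWeek,
               COUNT(*) AS NumberOfEvents
        FROM event
        GROUP BY strftime('%w', id_timestamp)
        ORDER BY strftime('%w', id_timestamp)
    """).fetchall()


def ports_scanned(conn, limit=10):
    """Most-hit destination ports, i.e. what is being scanned at this vantage point."""
    return conn.execute(
        "SELECT t_port, COUNT(*) FROM event GROUP BY t_port "
        "ORDER BY COUNT(*) DESC, t_port LIMIT ?", (limit,)).fetchall()


def top_sources(conn, limit=10):
    """Noisiest source addresses; the persistent ones are your real baseline."""
    return conn.execute(
        "SELECT s_ip, COUNT(*) FROM event GROUP BY s_ip "
        "ORDER BY COUNT(*) DESC, s_ip LIMIT ?", (limit,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("by weekday:", events_by_weekday(db))
    print("ports:     ", ports_scanned(db))
    print("sources:   ", top_sources(db))
```

One caveat a practitioner should carry back to the original T-SQL: `datepart(dw, ...)` numbers the week according to the session's `DATEFIRST` (7, i.e. Sunday = 1, under the US English default), so the hard-coded `WHEN 1 THEN 'Sunday'` labels are only right when that setting matches; `SET DATEFIRST 7` at the top of the script makes the assumption explicit.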
Current thread:
- RE: Threat Modeling, (continued)
- RE: Threat Modeling Mikael Brejcha (May 24)
- RE: Threat Modeling Michael Howard (May 20)
- RE: Threat Modeling aporia (May 20)
- RE: Threat Modeling Mark Curphey (May 20)
- Re: Threat Modeling Ivan Ristic (May 21)
- Re: Threat Modeling Frank O'Dwyer (May 21)
- Re: Threat Modeling Adrian Wiesmann (May 21)
- Re: Threat Modeling Adrian Wiesmann (May 21)
- RE: Threat Modeling Dan Morrill (May 20)
- Re: Threat Modeling Matthew Franz (May 20)
- RE: Threat Modeling Dan Morrill (May 21)
- RE: Threat Modeling Michael Howard (May 21)
- RE: Threat Modeling Harbar, Spencer J. (May 25)
- Re: Threat Modeling Chris Scott (May 26)