Scientists begin experiments with a hypothesis. Researchers
begin their papers with a thesis statement. It is similarly useful to begin a
threat analysis with a threat statement. The threat statement establishes the
scope of the threat and guides the analyst in his threat research. Consider
this threat statement, “Unauthorized disclosure of sensitive data.” Partially
mapping out the scope of this statement, it looks something like this diagram
shown below.
This scope of analysis is a bit large. Consider how large it would be for an enterprise with sensitive information spread across hundreds of systems! However, it is not unapproachable. Every journey, however long, begins with a single step. In this case, that step is to decompose the threat into a series of narrower threat statements, such as this one, “Unauthorized disclosure of sensitive data through theft or loss of off-site stored data backup tape by outsider.” The map of this statement is much narrower.
This threat statement, unauthorized disclosure of sensitive data through theft of off-site stored data backup tape by outsiders, is narrowly scoped. It identifies the threat agent (outsider); it specifies the assets in question (data backup tapes); and it names the method through which the threat may be realized (theft and loss). This narrowly scoped threat analysis can be completed quickly and compared with other related threat analyses for decision-making.
Analyzing narrowly defined threats does not preclude solving larger-scope threat questions such as the first one stated above, unauthorized disclosure of sensitive data. That broad solution is still necessary to protect sensitive information assets. However, the answer to a broad-scope threat is the sum of the solutions to its more narrowly scoped threat statements.
A well-bounded threat
statement consists of four key elements: the asset category that is the
focus of the threat agent’s objective, the end state condition the threat agent
seeks to achieve within the context of the asset, the threat agent’s privilege
level as it relates to the target, and the compromise approach the agent will
use to realize the threat.
Target Asset / Asset Category
The target asset is the focus of the threat agent’s
objective. It is the system or category
of systems the adversary seeks to compromise.
By restricting the threat statement to a specific asset or asset category,
we establish boundaries for analysis of attack methods and related controls. While the target may be a specific asset,
modeling an asset category allows the analysis to be reused across multiple
assets.
Other targets include Internet connection, core router,
internal web application, Windows XP operating system, Oracle 10g database,
Windows 2003 Server, a specific web application, such as wiremoneynow.abc,
Active Directory, or even USB flash drives.
End State
The end state is the condition the threat agent seeks to achieve within the context of the target asset. It is his goal as it relates to the system he is attacking. Including the end state in the threat statement narrows the analysis to the attack vectors used to achieve that end state.
Some other end states include application administrator
access, network denial of service, unauthorized operating system access, remote
system control, physical possession of storage media, and access to internal
network communications.
Privilege Level
The threat statement should specify the threat agent’s privilege level as it relates to the target system. The types of attack methods available to a threat agent, and the complexity and risk exposure of executing those methods, are partially dependent on the agent and his privilege level as it relates to the target system. For example, physical compromise of a system within a secured data center is easier for an administrator with authorized access to the data center than for an outsider who has no data center access privileges.
Other privilege levels include an outsider with no access to
non-public target resources, an insider who has access to the target system
owner’s private network or physical facilities but no local area network or
physical access to the target system, and a privileged insider who has direct
physical or local network access to the target system.
Compromise Approach
The compromise approach specifies the category of methods the threat agent will use to realize the threat. The compromise approach in our example threat statement is theft of authentication credentials. This limits the scope of attack methods to those such as horizontal credential guessing, vertical credential guessing, keystroke logging, phishing, social engineering, and network communications intercept through CAM table flooding or ARP spoofing.
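The four elements described above, and the way the privilege level and compromise approach together narrow the list of methods an analysis must consider, can be encoded as a small threat-register model. This is an added example, not the article's own code; the catalogue's minimum-privilege tags and the "internal web application" asset used for the credential-theft statement are assumptions for illustration.

```python
# Added example: a structured threat statement built from the article's four
# elements (end state, compromise approach, target asset, privilege level),
# rendered in the article's sentence form and used to scope an attack-method list.
from dataclasses import dataclass
from enum import IntEnum


class Privilege(IntEnum):
    """Agent's privilege relative to the target; a higher value means more access."""
    OUTSIDER = 1             # no access to non-public target resources
    INSIDER = 2              # on the owner's private network or facilities, no target access
    PRIVILEGED_INSIDER = 3   # direct physical or local network access to the target


@dataclass(frozen=True)
class ThreatStatement:
    end_state: str        # condition the agent seeks, e.g. "Unauthorized disclosure of sensitive data"
    approach: str         # category of compromise methods, e.g. "theft or loss"
    asset: str            # target asset or asset category
    privilege: Privilege  # agent's privilege level relative to the target

    def is_well_bounded(self) -> bool:
        """Well bounded only when all four elements are present (privilege is typed)."""
        return all(s.strip() for s in (self.end_state, self.approach, self.asset))

    def render(self) -> str:
        """Sentence form used in the article, e.g. '... through theft or loss of ... by outsider'."""
        who = self.privilege.name.lower().replace("_", " ")
        return f"{self.end_state} through {self.approach} of {self.asset} by {who}"


@dataclass(frozen=True)
class AttackMethod:
    name: str
    approach: str             # compromise approach the method belongs to
    min_privilege: Privilege  # least privilege needed to attempt it (constructed assumption)


# Constructed catalogue: method names are the article's; privilege tags are assumed.
CATALOGUE = [
    AttackMethod("horizontal credential guessing", "theft of authentication credentials", Privilege.OUTSIDER),
    AttackMethod("phishing", "theft of authentication credentials", Privilege.OUTSIDER),
    AttackMethod("keystroke logging", "theft of authentication credentials", Privilege.INSIDER),
    AttackMethod("ARP spoofing", "theft of authentication credentials", Privilege.PRIVILEGED_INSIDER),
    AttackMethod("CAM table flooding", "theft of authentication credentials", Privilege.PRIVILEGED_INSIDER),
    AttackMethod("theft of off-site backup tape", "theft or loss", Privilege.OUTSIDER),
]


def in_scope(stmt: ThreatStatement, catalogue=CATALOGUE) -> list:
    """Methods the statement scopes in: same approach and attainable at the agent's privilege."""
    return sorted(m.name for m in catalogue
                  if m.approach == stmt.approach and m.min_privilege <= stmt.privilege)
```

Running `in_scope` on the same credential-theft statement once for an outsider and once for a privileged insider shows how the privilege element alone changes which methods the analysis must cover.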