Scientists begin experiments with a hypothesis. Researchers begin their papers with a thesis statement. It is similarly useful to begin a threat analysis with a threat statement. The threat statement establishes the scope of the threat and guides the analyst in his threat research. Consider this threat statement, “Unauthorized disclosure of sensitive data.” Partially mapping out the scope of this statement, it looks something like this diagram shown below.
This scope of analysis is a bit large. Consider how large it would be for an enterprise with sensitive information spread across hundreds of systems! However, it is not unapproachable. Every journey, however long, begins with a single step. In this case, that step is to define the threat into a series of more narrow threat statements, such as this one, “Unauthorized disclosure of sensitive data through theft or loss of off-site stored data backup tape by outsider.” The map of this statement is much narrower.
This threat statement, unauthorized disclosure of sensitive data through theft of off-site stored data backup tape by outsiders, is narrowly scoped. It identifies the threat agent (outsider); it specifies the assets in question (data backup tapes; and the method through which the threat may be realized (theft and loss). This narrowly scoped threat analysis can be completed quickly and compared with other related threats analyses for decision-making.
Analyzing narrowly defined threats does not preclude solving larger scope threat questions such as the first one stated above, unauthorized disclosure of sensitive data. The solution is necessary to protect sensitive information assets. However, the answer to these broad scope threats is the sum of the solutions to the more narrowly scoped threat statements.
A well-bounded threat statement consists of four key elements: the asset category that is the focus of the threat agent’s objective, the end state condition the threat agent seeks to achieve within the context of the asset, the threat agent’s privilege level as it relates to the target, and the compromise approach the agent will use to realize the threat.
Target Asset / Asset Category
The target asset is the focus of the threat agent’s objective. It is the system or category of systems the adversary seeks to compromise. By restricting the threat statement to a specific asset or asset category, we establish boundaries for analysis of attack methods and related controls. While the target may be a specific asset, modeling an asset category allows the analysis to be reused across multiple assets.
Other targets include Internet connection, core router, internal web application, Windows XP operating system, Oracle 10g database, Windows 2003 Server, a specific web application, such as wiremoneynow.abc, Active Directory, or even USB flash drives.
The end state is the condition the threat agent seeks to achieve within the context of the target asset. It is his goal as it relates to the system he is attacking. Including the end state in the threat statement narrows the analysis on attack vectors used to achieve the end state.
Some other end states include application administrator access, network denial of service, unauthorized operating system access, remote system control, physical possession of storage media, and access to internal network communications.
The threat statement should specify the threat agent’s privilege level as it relates to the target system. The types of attack methods available to a threat agent and the complexity and risk exposure of executing the attack methods are partially dependent on the agent and his privilege level as it relates to the target system. For example, physical compromise of a system within a secured data center is easier for an administrator with authorized access to the data center than for an outsider who has no data center access privileges.
Other privilege levels include an outsider with no access to non-public target resources, an insider who has access to the target system owner’s private network or physical facilities but no local area network or physical access to the target system, and a privileged insider who has direct physical or local network access to the target system.
The compromise approach specifies the category of methods the threat agent will use to realize the threat. The compromise approach in our example threat statement is theft of authentication credentials. This limits the scope of attack methods to those such as horizontal credential guessing, vertical credential guessing, keystroke logging, phishing, social engineering, and network communications intercept through CAM table flooding or ARP spoofing.