Preparing for attacks is an important job that the entire security team is responsible for. Threat actors have many tools they can use depending on their target. For example, attacking a small business can be different from attacking a public utility. Each has different assets and specific defenses to keep them safe. In all cases, anticipating attacks is the key to preparing for them. In security, we do that by performing an activity known as threat modeling.

Threat modeling is a process of identifying assets, their vulnerabilities, and how each is exposed to threats. We apply threat modeling to everything we protect. Entire systems, applications, or business processes all get examined from this security-related perspective.

Creating threat models is a lengthy and detailed activity. They're normally performed by a collection of individuals with years of experience in the field. Because of that, it's considered to be an advanced skill in security. However, that doesn't mean you won't be involved.

There are several threat modeling frameworks used in the field. Some are better suited for network security. Others are better for things like information security, or application development.

In general, there are six steps of a threat model. The first is to define the scope of the model. At this stage, the team determines what they're building by creating an inventory of assets and classifying them.

The second step is to identify threats. Here, the team defines all potential threat actors. A threat actor is any person or group who presents a security risk.
Threat actors are characterized as being internal or external. For example, an internal threat actor could be an employee who intentionally exposes an asset to harm. An example of an external threat actor could be a malicious hacker, or a competing business.

After threat actors have been identified, the team puts together what's known as an attack tree. An attack tree is a diagram that maps threats to assets. The team tries to be as detailed as possible when constructing this diagram before moving on.

Step three of the threat modeling process is to characterize the environment. Here, the team applies an attacker mindset to the business. They consider how the customers and employees interact with the environment. Other factors they consider are external partners and third party vendors.

At step four, their objective is to analyze threats. Here, the team works together to examine existing protections and identify gaps. They then rank threats according to their risk score that they assign.

During step five, the team decides how to mitigate risk. At this point, the group creates their plan for defending against threats. The choices here are to avoid risk, transfer it, reduce it, or accept it.

The sixth and final step is to evaluate findings. At this stage, everything that was done during the exercise is documented, fixes are applied, and the team makes note of any successes they had. They also record any lessons learned, so they can inform how they approach future threat models.

Let's finish exploring threat modeling by taking a look at real-world scenarios. This time, we'll use a standard threat modeling process called PASTA.
Imagine that a fitness company is getting ready to launch their first mobile app. Before we can go live, the company asks their security team to ensure the app will protect customer data. The team decides to perform a threat model using the PASTA framework.

PASTA is a popular threat modeling framework that's used across many industries. PASTA is short for Process for Attack Simulation and Threat Analysis. There are seven stages of the PASTA framework. Let's go through each of them to help this fitness company get their app ready.

Stage one of the PASTA threat model framework is to define business and security objectives. Before starting the threat model, the team needs to decide what their goals are. The main objective in our example with the fitness company app is protecting customer data. The team starts by asking a lot of questions at this stage. They'll need to understand things like how personally identifiable information is handled. Answering these questions is a key to evaluate the impact of threats that they'll find along the way.

Stage two of the PASTA framework is to define the technical scope. Here, the team's focus is to identify the application components that must be evaluated. This is what we discussed earlier as the attack surface. For a mobile app, this will include technology that's involved while data is at rest and in use. This includes network protocols, security controls, and other data interactions.

At stage three of PASTA, the team's job is to decompose the application. In other words, we need to identify the existing controls that will protect user data from threats.
This normally means working with the application developers to produce a data flow diagram. A diagram like this will show how data gets from a user's device to the company's database. It would also identify the controls in place to protect this data along the way.

Stage four of PASTA is next. The focus here is to perform a threat analysis. This is where the team gets into their attacker mindset. Here, research is done to collect the most up-to-date information on the type of attacks being used. Like other technologies, mobile apps have many attack vectors. These change regularly, so the team would reference resources to stay up-to-date.

Stage five of PASTA is performing a vulnerability analysis. In this stage, the team more deeply investigates potential vulnerabilities by considering the root of the problem.

Next is stage six of PASTA, where the team conducts attack modeling. This is where the team tests the vulnerabilities that were analyzed in stage five by simulating attacks. The team does this by creating an attack tree, which looks like a flow chart. For example, an attack tree for our mobile app might look like this. Customer information, like user names and passwords, is a target. This data is normally stored in a database. We've learned that databases are vulnerable to attacks like SQL injection. So we will add this attack vector to our attack tree. A threat actor might exploit vulnerabilities caused by unsanitized inputs to attack this vector. The security team uses attack trees like this to identify attack vectors that need to be tested to validate threats. This is just one branch of this attack tree. An application, like a fitness app, typically has lots of branches with a number of other attack vectors.
Stage seven of PASTA is to analyze risk and impact. Here, the team assembles all the information they've collected in stages one through six. By this stage, the team is in position to make informed risk management recommendations to business stakeholders that align with their goals.

Traits of an effective threat model

Threat modeling is the process of identifying assets, their vulnerabilities, and how each is exposed to threats. It is a strategic approach that combines various security activities, such as vulnerability management, threat analysis, and incident response. Security teams commonly perform these exercises to ensure their systems are adequately protected. Another use of threat modeling is to proactively find ways of reducing risks to any system or business process.

Traditionally, threat modeling is associated with the field of application development. In this reading, you will learn about common threat modeling frameworks that are used to design software that can withstand attacks. You'll also learn about the growing need for application security and ways that you can participate.

Why application security matters

Applications have become an essential part of many organizations' success. For example, web-based applications allow customers from anywhere in the world to connect with businesses, their partners, and other customers.

Mobile applications have also changed the way people access the digital world. Smartphones are often the main way that data is exchanged between users and a business. The volume of data being processed by applications makes securing them a key to reducing risk for everyone who's connected.

For example, say an application uses Java-based logging libraries with the Log4Shell vulnerability (CVE-2021-44228). If it's not patched, this vulnerability can allow remote code execution that an attacker can use to gain full access to your system from anywhere in the world.
If exploited, a critical vulnerability like this can impact millions of devices.

Defending the application layer

Defending the application layer requires proper testing to uncover weaknesses that can lead to risk. Threat modeling is one of the primary ways to ensure that an application meets security requirements. A DevSecOps team, which stands for development, security, and operations, usually performs these analyses.

A typical threat modeling process is performed in a cycle:

● Define the scope
● Identify threats
● Characterize the environment
● Analyze threats
● Mitigate risks
● Evaluate findings

Ideally, threat modeling should be performed before, during, and after an application is developed. However, conducting a thorough software analysis takes time and resources. Everything from the application's architecture to its business purposes should be evaluated. As a result, a number of threat-modeling frameworks have been developed over the years to make the process smoother.

Note: Threat modeling should be incorporated at every stage of the software development lifecycle, or SDLC.

Common frameworks

When performing threat modeling, there are multiple methods that can be used, such as:

● STRIDE
● PASTA
● Trike
● VAST

Organizations might use any one of these to gather intelligence and make decisions to improve their security posture. Ultimately, the "right" model depends on the situation and the types of risks an application might face.

STRIDE

STRIDE is a threat-modeling framework developed by Microsoft. It's commonly used to identify vulnerabilities in six specific attack vectors. The acronym represents each of these vectors: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

PASTA

The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling process developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite.
Its main focus is to discover evidence of viable threats and represent this information as a model. PASTA's evidence-based design can be applied when threat modeling an application or the environment that supports that application. Its seven-stage process consists of various activities that incorporate relevant security artifacts of the environment, like vulnerability assessment reports.

Trike

Trike is an open source methodology and tool that takes a security-centric approach to threat modeling. It's commonly used to focus on security permissions, application use cases, privilege models, and other elements that support a secure environment.

VAST

The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an automated threat-modeling platform called ThreatModeler®. Many security teams opt to use VAST as a way of automating and streamlining their threat modeling assessments.

Participating in threat modeling

Threat modeling is often performed by experienced security professionals, but it's almost never done alone. This is especially true when it comes to securing applications. Programs are complex systems responsible for handling a lot of data and processing a variety of commands from users and other systems.

One of the keys to threat modeling is asking the right questions:

● What are we working on?
● What kinds of things can go wrong?
● What are we doing about it?
● Have we addressed everything?
● Did we do a good job?

It takes time and practice to learn how to work with things like data flow diagrams and attack trees. However, anyone can learn to be an effective threat modeler. Regardless of your level of experience, participating in one of these exercises always starts with simply asking the right questions.

Key takeaways

Many people rely on software applications in their day-to-day lives. Securing the applications that people use has never been more important.
Threat modeling is one of the main ways to determine whether security controls are in place to protect data privacy. Building the skills required to lead a threat modeling activity is a matter of practice. However, even a security analyst with little experience can be a valuable contributor to the process. It all starts with applying an attacker mindset and thinking critically about how data is handled.
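
The attack tree from the fitness-app walk-through, combined with the risk ranking from step four, as an added example that is not part of the original course material. The AND/OR gates, the likelihood and impact numbers, the database-account leaf, and all function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "OR"         # OR: any child reaches the goal; AND: every child is required
    children: list = field(default_factory=list)
    likelihood: float = 0.0  # leaves only: the team's 0..1 estimate (constructed values)
    mitigated: bool = False  # leaves only: a verified control blocks this step

def chance(node):
    """Likelihood that the goal at this node is reachable, treating leaves as independent."""
    if not node.children:
        return 0.0 if node.mitigated else node.likelihood
    probs = [chance(c) for c in node.children]
    if node.gate == "AND":
        return prod(probs)
    return 1.0 - prod(1.0 - p for p in probs)

def open_leaves(node, path=()):
    """Yield (path, leaf) for every unmitigated leaf: the steps with no verified control yet."""
    path = path + (node.name,)
    if not node.children:
        if not node.mitigated:
            yield path, node
        return
    for child in node.children:
        yield from open_leaves(child, path)

def build_tree(input_sanitized=False):
    # Constructed tree for the fitness-app scenario; both branches are named on the page.
    sqli = Node("SQL injection against the database", "AND", [
        Node("User input reaches a query unsanitized", likelihood=0.6, mitigated=input_sanitized),
        Node("Database account can read the credentials table", likelihood=0.9),
    ])
    log4shell = Node("Unpatched logging library (CVE-2021-44228)", likelihood=0.2)
    return Node("Customer usernames and passwords exposed", "OR", [sqli, log4shell])

def risk_score(tree, impact=5):
    """Risk score = impact (assumed 1-5 scale) x likelihood of reaching the root goal."""
    return round(impact * chance(tree), 2)

if __name__ == "__main__":
    for label, tree in (("before", build_tree()), ("after", build_tree(input_sanitized=True))):
        print(label, "risk:", risk_score(tree))
        for path, _ in open_leaves(tree):
            print("  open:", " -> ".join(path))
```

Mitigating one leaf under the AND gate removes the whole SQL injection branch, so the remaining risk at the root comes only from the unpatched library.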