Chapter 9. Network Threat Modeling
In the past 10 years, we have witnessed an incredible rise in the general awareness and interest level in information security. For instance, there are now approximately 50,000 Certified Information Systems Security Professionals (CISSPs). Security problems have gone from a niche story of interest to a small community to front-page news read by millions. However, even after all this interest, we still face a dearth of holistic knowledge, of skilled people who can understand and analyze the core problems. Far too many people are still trying to implement "security by settings." If we just make more security changes to the OS and applications, turn on all the tweaks that look related to security, we must be better off, right? No, not really. Without a threat model, you have no way to assess which settings are useful; nor do you have any way to measure their effectiveness. As you hopefully realize by now, we are not big fans of making security changes for the sake of making security changes. Every security measure you implement needs to correlate to some realistic threat that you face, some realistic threat that your policy says is unacceptable, or at least less acceptable than the countermeasure. The threat model needs to tell you what threats the environment poses to your network. When you understand the threats, you can map them back to the security policy and decide which threats are worth mitigating and which you should accept. You will never be able to eliminate all threats, at least not if you want a functional network. You have to focus on the threats that are meaningful to your environment, and which will cause harm in excess of the cost of the mitigation.
Network threat modeling is about understanding the network and the threats it is facing. In this chapter, we look at how it can help you understand the structure of your network, how an attacker can use that structure to exploit your network, and how you can use the same structure to protect it. Threat modeling is a methodical approach used to develop a clear picture of the posture of a network. This picture is then used to identify the threats your network will face, quantify the risk, and focus discussion on the options (process and technical) to mitigate or manage them. It helps you to think about those threats and about your options to mitigate them. In a sense, it is all about communication. You use the model to communicate the current structure of the network and the threats created because of it. Then you use the threat model to analyze the possible countermeasures and finally to document the proposed design. In the end, the threat model helps you design a resilient network, with protective measures in place at multiple levels of the defense-in-depth model. Such a network follows a segmentation model where systems are grouped according to sensitivities, as shown in Figure 9-1. The systems in each layer may be protected as a group, or each layer may be further subdivided, as shown by the dashed lines in the figure.
Figure 9-1. A network segmentation groups systems into layers according to sensitivity.
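The decision rule described above (every countermeasure must map to a threat, and a threat is worth mitigating only when it is unacceptable to policy or its expected harm exceeds the cost of mitigating it) can be made concrete as a small threat-model register. The following is an added illustration, not code from the book; the threat names, likelihoods, impact figures, countermeasure names and costs are all constructed sample values, and the scoring rule (likelihood times impact compared against the cheapest mitigating countermeasure) is one simple way to express the chapter's reasoning, not a prescribed method.

```python
"""Threat-model register: map countermeasures to threats and decide whether
to mitigate or accept each threat. Added example; all values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    layer: str                      # segmentation layer the threat targets
    likelihood: float               # estimated annual probability, 0..1
    impact: float                   # estimated loss if the threat is realized
    policy_acceptable: bool = False  # policy permits accepting this outcome

    @property
    def expected_harm(self) -> float:
        """Expected annual loss used to compare against mitigation cost."""
        return self.likelihood * self.impact


@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigates: list = field(default_factory=list)  # names of threats addressed


def decide(threats, countermeasures):
    """Return (decisions, unmapped).

    decisions: threat name -> "gap" (no countermeasure exists),
               "accept" (policy allows it and harm <= cheapest cost),
               or "mitigate:<countermeasure>".
    unmapped:  countermeasures tied to no modeled threat, i.e. the
               "security by settings" tweaks the chapter warns against.
    """
    by_threat = {}
    for cm in countermeasures:
        for threat_name in cm.mitigates:
            by_threat.setdefault(threat_name, []).append(cm)

    decisions = {}
    for t in threats:
        options = by_threat.get(t.name, [])
        if not options:
            decisions[t.name] = "gap"
            continue
        cheapest = min(options, key=lambda c: c.cost)
        if t.policy_acceptable and t.expected_harm <= cheapest.cost:
            decisions[t.name] = "accept"
        else:
            decisions[t.name] = f"mitigate:{cheapest.name}"

    known = {t.name for t in threats}
    unmapped = [cm.name for cm in countermeasures
                if not any(m in known for m in cm.mitigates)]
    return decisions, unmapped


# Constructed sample register (hypothetical threats, figures and controls).
THREATS = [
    Threat("credential theft from workstations", "workstations", 0.5, 40000),
    Threat("defacement of public web server", "dmz", 0.3, 10000,
           policy_acceptable=True),
    Threat("tampering with payroll database", "data center", 0.05, 500000),
    Threat("denial of service against internet link", "perimeter", 0.2, 5000),
]
COUNTERMEASURES = [
    Countermeasure("restrict admin logons between layers", 8000,
                   ["credential theft from workstations",
                    "tampering with payroll database"]),
    Countermeasure("web application firewall", 12000,
                   ["defacement of public web server"]),
    # A tweak nobody tied to a threat: flagged as security by settings.
    Countermeasure("disable screensaver tab in control panel", 500, []),
]


def run_sample():
    """Evaluate the constructed register; used by the usage block below."""
    return decide(THREATS, COUNTERMEASURES)


if __name__ == "__main__":
    decisions, unmapped = run_sample()
    for name, outcome in decisions.items():
        print(f"{name:45s} -> {outcome}")
    print("countermeasures with no modeled threat:", unmapped)
```

Running the register shows the four outcomes the chapter's reasoning produces: the workstation and payroll threats are mitigated by the shared logon restriction (one countermeasure covering two threats in different layers is the defense-in-depth payoff), the defacement threat is accepted because policy tolerates it and its expected harm is below the cost of the control, the denial-of-service threat is a gap with no countermeasure at all, and the control-panel tweak is reported as a setting with no threat behind it.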
In this chapter, we are basing our analysis on an existing network, or an idea of one. However, you can also use this approach in the design of a new network after you have developed an initial idea of the requirements and of how you will design the network to meet them.