Threat Modeling

Threat modeling involves determining who would be most likely to attack a system and what possible ways an attacker could compromise the system. The results of a threat modeling exercise help determine what risks the threats are to a system and what security precautions should be taken to protect the system. In Chapter 8 we will look at how threat profiling plays an integral part in the security development methodology.

Web applications and all computing systems use security procedures and tools to provide access to the system for legitimate users and to prevent unauthorized users from accessing the system. Different users are often allowed different types of access to a system. For example, a Web application may allow read-only access to the public and allow only authorized users to perform updates to data. A potential attacker wanting to compromise a system must look at what avenues are available in accessing the system, and then he must try to exploit any vulnerabilities. For example, if an attacker has only public read-only access, he can examine as much of the Web site as possible and try various attacks, such as malformed URLs, various FORM attacks, and so forth. Perhaps, after a thorough search, he may find the only attack he can perform is to fill up some customer service rep's mailbox. But if the attacker discovers a legitimate logon account, further possibilities for attack open up to him. Once logged in as an authorized user, he is allowed access to more of the Web site, which allows him to try attacks at more points in the application. Perhaps he can now deface the Web site or alter data in a database. A threat model allows an assessment of what damage can be inflicted by an attacker who has specific types of access.

Attack trees [Schneier01] can assist in modeling threats to a system. The root node of an attack tree is the goal of the attack; child nodes represent direct actions that can attain the attack's goal. These actions may or may not be directly achievable. If they are achievable, they are leaf nodes in the tree. If they are not achievable, the necessary preliminary actions are listed as child nodes under them. Figure 2-16 shows a simple example of an attack tree for reading someone's e-mail.

Figure 2-16. Example of an attack tree

Note that the root node represents the goal of the attack, to read some other user's e-mail. The nodes directly under the root node describe direct actions that can accomplish the goal. For example, the middle node under the root indicates that one can monitor the network on which the user is sending and receiving the e-mail. The nodes directly under that node describe possible methods of monitoring the target user's network traffic. The process continues until a leaf node is reached, which is an action that requires no prerequisite action. Ideally, the attack tree illustrates the possible avenues an attacker can follow, starting from any one of the leaf nodes and moving on up until the goal of the attack at the root node is accomplished.

Once an attack tree's nodes have been identified, each node can be assigned a cost. Looking over the shoulder of the target, for example, is less expensive than installing a hidden camera. However, the cost does not need to be monetary; perhaps looking over the target's shoulder carries too much risk of being caught for the attacker, and thus that risk is worth the price of installing a hidden camera. Various costs, or weightings, can be applied to each node. These include ease of execution, legality, intrusiveness, probability of success, and so forth [Schneier01].

As one applies costs to each of the nodes in the attack tree, one can start to see the path that has the least cost and is therefore more likely to be used by an attacker. The probability of likely paths and the risk value associated with the goal of the attack determine how much effort needs to be directed at securing those paths.