Security professionals frequently use threat models to identify weaknesses in an application environment by examining how apps (mobile, IoT, etc.) could be exploited. Threat modeling lets you identify security risks and develop adequate countermeasures before attackers can take advantage of them. The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric approach to threat modeling that offers a step-by-step method for incorporating the analysis of risk and its context into the security plan from the very beginning. PASTA promotes collaboration among all stakeholder groups and creates an environment that is focused on security.
About PASTA Threat Modeling
The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling method founded in 2015 by VerSprite Chief Executive Officer Tony UcedaVelez and security leader Marco M. Morana. Organizations all over the world, including GitLab, have adopted PASTA as their internal threat modeling standard because of its risk-focused approach, its collaborative nature, its evidence-based threat intelligence, and its focus on the probability of every attack.
PASTA facilitates collaboration between developers and business stakeholders so that both better understand the application’s risk, its likelihood of being attacked, and the impact on the business if a breach occurs. Other threat modeling frameworks often focus on a single element, for example the code or the attack itself. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege), for example, is a widely used and recommended acronym. It’s simple to use because it’s an inherently static framework. With ever-changing threat landscapes, however, it does not seem sensible to apply one static set of threats across a range of sectors. PASTA has many advantages over other threat modeling techniques.
The Benefits of PASTA Risk Modeling
A contextualized approach that is always tied back to the business context
Tests the viability of threats based on facts
Takes the perspective of an attacker
Makes use of existing processes within the company
A collaborative process that can easily scale up or down
The 7 Stages of PASTA
PASTA includes seven stages, each acting as a building block for the next. This makes your threat model a sequential process and lets it draw on security testing processes that already exist in your company, such as code review, third-party library analysis, static analysis, and threat monitoring for your application infrastructure.
Stage One: Define the Goals
The first stage of the PASTA process is to determine the goals. These may be internally driven, externally driven, and/or driven by your users. It is important to understand the purpose of the application. How will it earn your business money? Maybe it’s a back-end process. Which regulations have to be taken into account? Unlike static threat models, PASTA threat modeling uses stage one to bring governance into the discussion and build it in from the beginning.
Governance and Compliance to Include in Your Threat Model:
External Frameworks – COBIT, ISO, NIST, SANS, CAG, CIS
Internal Standards – crypto authentication, .NET security, Java security
External Regulations – PCI DSS, NERC CIP, FIPS 140-2, FedRAMP
Internal Processes/Artifacts – risk assessments, vulnerability assessments, SAST/DAST reports
Your company doesn’t want to be penalized. For reputational and liability reasons, you don’t want an application that isn’t resilient, or one that could leak personal data or credentials. Start by understanding your business goals, then align them with your security needs.
Stage Two: Establish the Technical Scope
Stage two of PASTA is to identify your organization’s attack surface by delineating the technical scope of what you’re protecting. A frequent problem for application security and product security professionals is under-scoping, because we focus solely on the application realm.
When you’re defining an attack surface, it is important to know what you are putting at risk and what dependencies you have on third-party services. These could include services built by a developer, systems maintained by engineers, or components that are monitored within the infrastructure.
Attack Surface Component Examples:
API endpoints
Web-based application
Network infrastructure
OS Settings
DNS server
Certificate server
Mobile client
Third-party libraries and software
Data storage device
Application Framework
Kubernetes configuration
Docker configuration
Configuration of services
PASTA is intended to be a collaborative effort. It encourages you to work with engineers, cloud teams, architects, and developers and to ask, “What are you working on? What are you doing to support this context?” and then, “What can you do to help align? What is the current technology environment?” This conversation helps you move on to the third stage, application decomposition.
Stage Three: Decompose the Application
The third stage of PASTA is the decomposition of the application. In the second stage we established the context of what we’re doing. Stage three adds context about how everything communicates and how it all works together. The most important outcome of this stage is knowing which trust models exist and where they are located. Examples include an IoT device communicating with the cloud, or an embedded system communicating with an automotive component. There may be unintentional trust models that offer a suitable channel for exploitation.
In this stage you must create data flow diagrams. It is recommended that you collaborate with your architects to learn about the calls and integrations you found in the second stage. Data flow diagrams on their own are not a threat model. A data flow diagram shows how information flows between users and across trust boundaries, but it doesn’t provide a picture of the threats. It doesn’t tell a developer or an engineer what to be concerned about; it only provides a diagram for analysis.
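The sketch below is an added example, not part of the original article. It records a data flow diagram as data and lists the trust-boundary crossings that rely on an unintentional trust model, plus any component that stage two never scoped. All component names, zones and flows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    authenticated: bool   # receiver verifies who the sender is
    encrypted: bool       # channel is protected in transit

# Constructed stage-two scope: component -> trust zone.
ZONES = {"mobile client": "internet", "API gateway": "dmz",
         "order service": "internal", "database": "internal",
         "IoT device": "field", "cloud ingest": "internal"}

# Constructed stage-three flows taken from the data flow diagram.
FLOWS = [
    Flow("mobile client", "API gateway", "credentials", True, True),
    Flow("API gateway", "order service", "orders", False, True),
    Flow("order service", "database", "orders", True, True),
    Flow("IoT device", "cloud ingest", "telemetry", False, False),
    Flow("order service", "payment processor", "card data", True, True),
]

def unscoped(flows, zones):
    """Components the diagram uses that stage two never placed in a zone."""
    used = {name for f in flows for name in (f.src, f.dst)}
    return sorted(used - set(zones))

def boundary_crossings(flows, zones):
    """Flows whose endpoints sit in different trust zones (scoped ones only)."""
    return [f for f in flows
            if f.src in zones and f.dst in zones and zones[f.src] != zones[f.dst]]

def implicit_trust(flows, zones):
    """Crossings accepted without authentication or without encryption."""
    findings = []
    for f in boundary_crossings(flows, zones):
        gaps = [gap for gap, present in (("no authentication", f.authenticated),
                                         ("no encryption", f.encrypted)) if not present]
        if gaps:
            findings.append((f"{f.src} -> {f.dst}", gaps))
    return findings

if __name__ == "__main__":
    print("unscoped:", unscoped(FLOWS, ZONES))
    for edge, gaps in implicit_trust(FLOWS, ZONES):
        print(edge, gaps)
```

The output is still only input for analysis: each flagged crossing is a question to take into stages four and five, not a threat by itself.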
Stage Four: Examine the Threats
Stage four involves analyzing the threats. The most important output of the fourth stage is an understanding of what the application does and which threats affect your attack surface.
The scope is determined by the technology choices you identified in the second stage. It is also important to think about the type of data you’re using, your data model, and the way you consume data. Which threats become more prevalent depending on how you use data? As a threat modeling practitioner and security advocate, you need to understand the threats that are relevant to you. You do this by studying threat intelligence that gives you an understanding of how attackers behave against your business and your technology footprint. Then you can begin to build your threat model.
Traditional threat modeling methods lack threat context. When we provide information about threats, we shouldn’t incite fear among our users. Whether they are developers or product owners, we must give them credible, evidence-based threats that we can build upon. Imagine cooking a real dish of pasta. If you’re a real pasta lover, you would not serve pasta with a poor, bland sauce. You need a good, evidence-based sauce. PASTA lets you create relevant threat information for your customers.
The Dos and Don’ts of Threat Intelligence Consumption & Analysis
Dos:
Create your own threat intel using external or internal researchers, or internal logs
Find out where your threat sources originate, and make sure the intel is relevant and cross-validated
Don’ts:
Use only one source of threat intelligence data
Use your competitors’ threat intelligence as the basis for threats to your industry
Have the analysis of threats uncover assets you did not consider in stages two and three (this implies that you performed those stages incorrectly)
Stage Five: Vulnerability Analysis
Stage five correlates the application’s vulnerabilities with the application’s strengths. How do you best connect methods and best practices such as vulnerability management, vulnerability assessments, dynamic analysis, and so on? Amid all the noise that vulnerability analysis produces, which findings are most relevant to the threats in your threat library? What sets PASTA apart is that it focuses on the threats with the greatest impact on the business, all built on the first stage.
In stage five, you determine what’s wrong. What’s wrong with the application? It’s not just the vulnerabilities that static analysis may find in my code base; what’s wrong in my design? What is wrong with the trust model I found in the third stage? A variety of findings go into the vulnerability bucket along with your trust model: vulnerabilities or weaknesses discovered during manual security testing, weaknesses in your architecture revealed by your data flow diagram, and the output of different kinds of vulnerability scanners, to name a few.
Stage Six: Attack Analysis
The primary goal of stage six of PASTA is to demonstrate that the vulnerabilities we identified in stage five are in fact viable. To build a reliable attack model, it is recommended that you use attack trees. Attack trees let you map known vulnerabilities to a particular node in the tree in order to assess its likelihood.
How to Create an Attack Tree
The root node of your attack tree is usually the goal of your threat. For instance, a cybercriminal would like to steal credit card data. The nodes directly beneath the root should be the application components that are affected, AKA the targets, from which the attacker can reach this data. You then add further nodes taken from the attack library you created earlier. The purpose is to develop a blueprint of how exploitation would proceed. The best thing about attack trees is that they can be small, medium, or large, and can focus on either the entire application or just one asset in the Software Development Life Cycle.
Stage Seven: Risk and Impact Analysis
The end goal of PASTA threat analysis is to reduce risk. The goal of stage seven is to create countermeasures that minimize the significant risks. To conclude the threat modeling exercise, we use and build upon the data collected during the first six stages.
When you factor all of this information into the mix, you can see the effects of attacks through simulation. By increasing your understanding of the effects of exploits and of weaknesses in countermeasures, you can make educated risk management decisions that will help your company save time and money.
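The example below is added here and is not part of the original article. It combines stage six and stage seven: an attack tree whose leaves carry likelihood estimates and stage-five findings, followed by a ranking of countermeasures by how much risk (likelihood times impact) each removes. The tree, the likelihoods, the finding labels and the impact figure are all constructed, and sibling steps are assumed to be independent.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "AND", "OR" or "LEAF"
    likelihood: float = 0.0     # leaves only: estimated chance the step succeeds
    findings: list = field(default_factory=list)   # stage-five findings tied to this node
    children: list = field(default_factory=list)

def likelihood(node, residual=None):
    """Likelihood that `node` is reached. `residual` maps a leaf name to its
    likelihood after a countermeasure. Sibling steps are assumed independent."""
    residual = residual or {}
    if node.gate == "LEAF":
        return residual.get(node.name, node.likelihood)
    probs = [likelihood(child, residual) for child in node.children]
    if node.gate == "AND":                      # every child step is required
        return prod(probs)
    if node.gate == "OR":                       # any single child path is enough
        return 1 - prod(1 - p for p in probs)
    raise ValueError(f"unknown gate {node.gate!r} on {node.name!r}")

def rank_countermeasures(root, impact, candidates):
    """Risk = likelihood x impact. Returns (leaf, risk reduction) pairs, best first."""
    baseline = likelihood(root) * impact
    ranked = [(leaf, baseline - likelihood(root, {leaf: after}) * impact)
              for leaf, after in candidates.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed tree: the root is the threat goal used in the text, the second
# level names the targeted components, the leaves come from the attack library.
TREE = Node("steal credit card data", "OR", children=[
    Node("payment API", "AND", children=[
        Node("valid session obtained", likelihood=0.5),
        Node("authorization check missing", likelihood=0.4, findings=["FINDING-1"]),
    ]),
    Node("backup storage", "OR", children=[
        Node("backup readable without credentials", likelihood=0.2, findings=["FINDING-2"]),
    ]),
])
IMPACT = 500_000   # constructed business impact figure from stage one
CANDIDATES = {"authorization check missing": 0.05,          # residual likelihood
              "backup readable without credentials": 0.02}  # after the fix

if __name__ == "__main__":
    print(f"baseline likelihood: {likelihood(TREE):.2f}")
    for leaf, saved in rank_countermeasures(TREE, IMPACT, CANDIDATES):
        print(f"{leaf}: risk reduced by {saved:,.0f}")
```

With these constructed numbers the storage fix removes slightly more risk than the API fix, because the API path also requires a second step to succeed.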