Prerequisite – Threat Modelling
DFD-based threat modelling is one of two methods of visually representing the system being modelled, the other being process-diagram-based threat modelling. With this approach the threat modelling team identifies the key processes in the system, and the threats to those processes, by systematically following the flow of data through the system. The approach has the following steps:
- View System as an adversary
- Characterize the system
- Identify the threats
Let us discuss these steps in detail, one by one.
1. View System as an adversary:
This is the first and foremost thing to do when modelling a system with the DFD-based approach.
This step analyses the system through the eyes of an adversary: which processes and functions are visible to and reachable by an attacker. From these exposed services the adversary forms the goals for attacking the system.
The step consists of the following activities:
- Identify the entry/exit points – An entry point is where data enters the application and an exit point is where data leaves it. For threat modelling, the following is recorded for each entry/exit point:
- Numerical ID: Assign a numerical ID to each entry point and each exit point, for cross-referencing with threats and vulnerabilities.
- Name: Give each entry and exit point a name and identify its purpose.
- Description: Write a description of what exactly happens at that entry/exit point, and identify the trust levels that exist at that point.
- Identify the assets – The adversary's main goal is to gain access to an asset. Assets also act as pass-through points for an adversary, since one asset often interacts with other assets in the system. It is therefore important to identify the assets in the system that need to be protected from unauthorised access. This task is done by a team of security experts, who collect the following data to document the list of assets:
- Numerical ID: Each asset should be assigned a numerical ID for cross-referencing with threats and vulnerabilities.
- Name: Assign a name to each asset identified.
- Description: Write an explanation of why the asset needs protection.
- Identify the trust levels – Trust levels are assigned to each entry/exit point to define the privileges an external entity has to access and affect the system. The following data is recorded for each trust level:
- Numerical ID: A numerical ID should be assigned to each trust level for cross-referencing with threats and vulnerabilities.
- Name: Assign a name to each trust level.
- Description: Write a description explaining the trust level in more detail and outlining its purpose.
2. Characterize the system:
Characterising the system means gathering background information about the system and identifying the areas that need to be addressed. The following background information needs to be gathered:
- Use scenarios – Identifying use scenarios is very important, as neglecting them can result in a vulnerability. Use scenarios are generally identified by architects and end users, and the security testing team can use them for security testing and for identifying attack paths. A use scenario describes the situation or environment in which the system will, or will not, be used, in terms of its configuration and its security goals and non-goals. The following data is recorded for each use scenario:
- Numerical ID: Each use scenario should be given a unique identification number.
- Description: Write a description covering two points: first, a description of the use scenario; second, whether the use scenario is supported or not.
- External dependencies – External dependencies are dependencies on outside resources and on outside security policies. Identifying them is very important, because a threat from an external dependency that is ignored may become a real vulnerability. The following data is recorded for each external dependency:
- Numerical ID: Each external dependency should be assigned a numerical ID.
- Description: Write a description giving details about the external dependency.
- External security notes reference: External security notes from one component can be cross-referenced with the external dependencies of other components within the application.
- External security notes – External security notes provide users with information about the security and integration of the system. They are used to validate external dependencies and can serve as a mitigation against a threat. The following information is recorded for each external security note:
- Numerical ID: Each security note should be assigned a unique identification number.
- Description: Write a description explaining the details of the note.
- Internal security notes – These explain the compromises made while designing and implementing the system's security. The following information is recorded for each internal security note:
- Numerical ID: Each internal security note identified should be assigned a unique numerical ID.
- Description: Write a description explaining what security compromise was made and why it was made.
- Implementation assumptions – These are collected during the design phase and list the details of features that will be implemented later. The following data is recorded for each implementation assumption:
- Numerical ID: Each implementation assumption identified should be assigned a unique numerical ID.
- Description: Write a description explaining how the feature is to be implemented.
- Modelling the system – The most important point to keep in mind while threat modelling a system is to view it through the adversary's eyes. A visual representation lets you see how the subsystems operate and how they work together. This section deals with how to model a system using a Data Flow Diagram (DFD).
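The records gathered in steps 1 and 2 are meant to be cross-referenced by their numerical IDs: entry/exit points point at trust levels, external dependencies point at external security notes, and later the threats and vulnerabilities will point at entry points and assets. The following Python is an added example, not part of the original page or of any methodology's own tooling. It keeps these records for a small constructed web application, lists which entry points an adversary holding a given trust level can reach (the adversary's view from step 1), and checks that every cross-reference resolves before the DFD is drawn. The record types, field names and the sample system are this example's own assumptions.

```python
"""Added example (not from the original page): a minimal inventory for the
threat-model records of steps 1 and 2, with the cross-reference checks that
the numerical IDs are meant to enable.  The sample system is constructed for
illustration; record types and field names are this example's own choice."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustLevel:
    id: int
    name: str
    description: str


@dataclass(frozen=True)
class EntryExitPoint:
    id: int
    kind: str            # "entry" or "exit"
    name: str
    description: str
    trust_levels: tuple  # IDs of the trust levels that exist at this point


@dataclass(frozen=True)
class Asset:
    id: int
    name: str
    description: str     # why the asset needs protection


@dataclass(frozen=True)
class UseScenario:
    id: int
    description: str
    supported: bool      # whether this configuration is a supported one


@dataclass(frozen=True)
class ExternalSecurityNote:
    id: int
    description: str


@dataclass(frozen=True)
class ExternalDependency:
    id: int
    description: str
    note_refs: tuple     # IDs of external security notes that validate it


def build_sample_model():
    """Constructed sample: a small web application.  Two references are
    deliberately dangling so that validate() has something to report."""
    return {
        "trust_levels": [
            TrustLevel(1, "Anonymous remote user", "Unauthenticated client on the internet"),
            TrustLevel(2, "Authenticated user", "Logged-in customer"),
            TrustLevel(3, "Administrator", "Staff member holding the admin role"),
            TrustLevel(4, "Application service account", "Identity the web tier uses towards back ends"),
        ],
        "entry_exit_points": [
            EntryExitPoint(1, "entry", "Login form", "Credentials posted over HTTPS", (1,)),
            EntryExitPoint(2, "entry", "Profile page", "Reads and updates the caller's own record", (2,)),
            EntryExitPoint(3, "entry", "Admin console", "Manages all customer records", (3,)),
            EntryExitPoint(4, "exit", "Database connection", "SQL sent to the customer database", (4,)),
            EntryExitPoint(5, "exit", "Payment gateway call", "Card data forwarded to the processor", (5,)),  # trust level 5 is never defined
        ],
        "assets": [
            Asset(1, "User credentials", "Disclosure lets an attacker impersonate customers"),
            Asset(2, "Customer records", "Personal data; regulated and valuable to an attacker"),
        ],
        "use_scenarios": [
            UseScenario(1, "Deployed behind the corporate reverse proxy", True),
            UseScenario(2, "Exposed directly to the internet without a proxy", False),
        ],
        "external_security_notes": [
            ExternalSecurityNote(1, "The database accepts TLS connections from the application subnet only"),
        ],
        "external_dependencies": [
            ExternalDependency(1, "Customer database run by the DBA team", (1,)),
            ExternalDependency(2, "Third-party payment processor", (2,)),  # note 2 does not exist
        ],
    }


def validate(model):
    """Return a list of problems: duplicate IDs within a record type and
    cross-references to IDs that no record carries."""
    problems = []
    for kind, records in model.items():
        ids = [r.id for r in records]
        for dup in sorted({i for i in ids if ids.count(i) > 1}):
            problems.append(f"duplicate id {dup} in {kind}")
    trust_ids = {t.id for t in model["trust_levels"]}
    for p in model["entry_exit_points"]:
        for t in p.trust_levels:
            if t not in trust_ids:
                problems.append(f"{p.kind} point {p.id} ({p.name}) references unknown trust level {t}")
    note_ids = {n.id for n in model["external_security_notes"]}
    for d in model["external_dependencies"]:
        for n in d.note_refs:
            if n not in note_ids:
                problems.append(f"external dependency {d.id} references unknown external security note {n}")
    return problems


def exposed_to(model, trust_level_id):
    """The adversary's view: names of the entry points that an actor holding
    the given trust level can reach."""
    return [p.name for p in model["entry_exit_points"]
            if p.kind == "entry" and trust_level_id in p.trust_levels]


if __name__ == "__main__":
    model = build_sample_model()
    print("Entry points open to an anonymous attacker:", exposed_to(model, 1))
    for problem in validate(model):
        print("Problem:", problem)
```

Running the script lists the single entry point an anonymous attacker can reach and reports the two deliberately dangling references. A model that validates cleanly is one in which every threat found later can be tied back to a concrete entry point, asset, trust level or external dependency, which is what the numerical IDs exist for.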