Ethical Hacking - UNIT 2-9

The document outlines various threat modeling methodologies including STRIDE, VAST, PASTA, DREAD, OCTAVE, and TRIKE, each with distinct approaches to identifying and mitigating vulnerabilities. It emphasizes the importance of assessing risks through countermeasures such as acceptance, elimination, mitigation, or transfer. Additionally, it highlights the need for thorough documentation and evaluation of threat models to ensure effective risk management.

Uploaded by

Jesica D'cruz

EXAMPLE OF THREAT TREE

Step 3: Determine Countermeasures and Mitigation


● A vulnerability may be mitigated with the implementation of a countermeasure. Such
countermeasures can be identified using threat-countermeasure mapping lists.
Frequently included factors are likelihood of attack, damage from an attack, and
complexity or cost of fix.
● The risk mitigation strategy might involve evaluating these threats in terms of the
business impact they pose. Once the possible impact is identified, options for
addressing the risk include:
1. Accept: decide that the business impact is acceptable, and document who has chosen to
accept the risk
2. Eliminate: remove components that make the vulnerability possible
3. Mitigate: add checks or controls that reduce the risk impact, or the chances of its
occurrence
4. Transfer: transfer the risk to an insurer or customer

Step 4: Assess your work


First, determine if you’ve done the work. Are there records showing a diagram, a threat list,
and a control list?
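
The Step 3 options and the Step 4 record check can be turned into an automated audit of a threat register. The sketch below is an added example, not part of the original notes; the field names (`accepted_by`, `removed`, `controls`, `transferred_to`) and the sample entries are constructed for illustration.

```python
# Added example: field names and sample entries are constructed, not from the source.
# Each Step 3 option must leave a specific piece of evidence in the register.
REQUIRED_EVIDENCE = {
    "accept": "accepted_by",       # who chose to accept the risk
    "eliminate": "removed",        # component that was removed
    "mitigate": "controls",        # ids that must exist in the control list
    "transfer": "transferred_to",  # insurer or customer
}

def audit_register(threats, control_list, has_diagram):
    """Return findings; an empty list means the Step 4 records are complete."""
    findings = []
    if not has_diagram:
        findings.append("no diagram on record")
    if not threats:
        findings.append("threat list is empty")
    used = set()
    for t in threats:
        field = REQUIRED_EVIDENCE.get(t.get("disposition"))
        if field is None:
            findings.append(f"{t['id']}: no valid disposition")
            continue
        if not t.get(field):
            findings.append(f"{t['id']}: '{t['disposition']}' lacks {field}")
            continue
        if field == "controls":
            for c in t["controls"]:
                if c in control_list:
                    used.add(c)
                else:
                    findings.append(f"{t['id']}: control {c} not in control list")
    # Controls that map to no threat suggest a gap in the threat list.
    for c in sorted(set(control_list) - used):
        findings.append(f"{c}: control addresses no listed threat")
    return findings

# Constructed sample register
CONTROLS = {"C1": "parameterized queries", "C2": "rate limiting"}
THREATS = [
    {"id": "T1", "disposition": "mitigate", "controls": ["C1"]},
    {"id": "T2", "disposition": "accept"},                        # owner missing
    {"id": "T3", "disposition": "mitigate", "controls": ["C9"]},  # unknown control
    {"id": "T4", "disposition": "transfer", "transferred_to": "insurer"},
    {"id": "T5", "disposition": "ignore"},                        # not a Step 3 option
]

if __name__ == "__main__":
    for finding in audit_register(THREATS, CONTROLS, has_diagram=True):
        print(finding)
```
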
Threat Modeling Methodologies
● STRIDE
Developed by Microsoft, STRIDE (spoofing, tampering, repudiation, information
disclosure, denial of service, elevation of privilege) is one of the oldest and most
widely used frameworks for threat modeling.
STRIDE is a free tool that will produce DFDs and analyze threats.
● VAST
VAST refers to Visual, Agile, and Simple Threat modeling. VAST is a foundational
element of a threat modeling platform called ThreatModeler.
VAST integrates within workflows designed using the principles of DevOps.
Consists of methods and processes that can be easily scaled and adapted to any
scope or part of an organization.
● PASTA
➔ PASTA (process for attack simulation and threat analysis) is a framework
designed to elevate threat modeling to the strategic level, with input from all
stakeholders, not just IT or security teams.
➔ PASTA is a seven-step process:
1. Definition of your objectives
2. Definition of the technical scope of the project
3. Decomposition
4. Analysis of threats
5. Analysis of weaknesses and vulnerabilities
6. Attack modeling
7. Analysis of the risk and impact on the business
● DREAD
DREAD stands for damage potential, reproducibility, exploitability, affected
users, and discoverability.
1. Damage potential outlines how much damage can result from a negative
event
2. Reproducibility determines how easy it is to replicate an attack
3. Exploitability refers to the ease with which an actor can launch an attack
4. Affected users details the percentage of users affected by the
event
5. Discoverability examines how easy it is to locate the vulnerability
● OCTAVE
➔ OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
is an approach to identify, assess, and manage risks to IT assets.
➔ This process identifies the critical components of information security and
the threats that could affect their confidentiality, integrity, and availability.
➔ This helps organizations understand what information is at risk and design a
protection strategy to reduce or eliminate the risks to IT assets.
➔ OCTAVE requires three different phases:
1. Building threat profiles based on specific assets
2. Identifying vulnerabilities in the infrastructure
3. Developing security strategies and plans
● TRIKE
➔ Trike is an open-source framework that seeks to defend a system instead
of attempting to replicate how an actor may attack it.
➔ With the Trike framework, users make a model of the application or system
they are defending.
➔ You then use the acronym CRUD to see who can:
1. Create data
2. Read data
3. Update data
4. Delete data
➔ This is studied with the aid of a data flow diagram. The threats examined
are either elevation of privilege or denial of service.
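
The CRUD analysis above can be expressed as an actor-asset-action matrix. The sketch below is an added example, not part of the original notes: the actors, the asset and both rights tables are constructed, and it assumes the convention that an allowed action yields a denial-of-service threat while a disallowed action yields an elevation-of-privilege threat.

```python
# Added example: actors, assets and rights are constructed for illustration.
ACTIONS = ("create", "read", "update", "delete")

# The defender's model: (actor, asset) -> CRUD actions the actor is meant to have.
INTENDED = {
    ("customer", "order"): {"create", "read"},
    ("clerk", "order"): {"read", "update"},
    ("admin", "order"): {"create", "read", "update", "delete"},
}

# Rights observed in the running system (constructed; two deviations).
OBSERVED = {
    ("customer", "order"): {"create"},
    ("clerk", "order"): {"read", "update", "delete"},
    ("admin", "order"): {"create", "read", "update", "delete"},
}

def generate_threats(intended):
    """Enumerate one threat per (actor, asset, action) cell of the model."""
    threats = []
    for (actor, asset), allowed in sorted(intended.items()):
        for action in ACTIONS:
            # Assumed convention: blocking an allowed action is denial of service,
            # performing a disallowed one is elevation of privilege.
            kind = ("denial of service" if action in allowed
                    else "elevation of privilege")
            threats.append((kind, actor, asset, action))
    return threats

def check_implementation(intended, observed):
    """Report where the observed rights deviate from the model."""
    findings = []
    for key in sorted(set(intended) | set(observed)):
        want = intended.get(key, set())
        have = observed.get(key, set())
        for action in ACTIONS:
            if action in have and action not in want:
                findings.append(("elevation of privilege", *key, action))
            elif action in want and action not in have:
                findings.append(("denial of service", *key, action))
    return findings

if __name__ == "__main__":
    print(len(generate_threats(INTENDED)), "threats to review")
    for finding in check_implementation(INTENDED, OBSERVED):
        print(finding)
```
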
