I would like to briefly introduce the Threat Modeling methodology in this blog post. This will be the initial part of the PASTA methodology, while the subsequent part will feature an example of Threat Modeling for the SAP Landscape (for on-premises and cloud).
Threat modeling is a structured approach to identifying, evaluating, and mitigating security risks in software systems, applications, or digital assets. It involves identifying potential security threats, assessing their likelihood and impact, and developing appropriate countermeasures to reduce the overall risk.
Threat modeling helps to identify potential security weaknesses early in the development lifecycle, so that they can be addressed before they can be exploited by attackers. It is an important part of the overall security strategy, as it helps organizations to understand the risks they face and develop effective security measures to protect against them.
The threat modeling process involves several steps, including identifying the assets to be protected, identifying potential threats to those assets, assessing the likelihood and impact of each threat, and developing countermeasures to address the identified risks. Different threat modeling methodologies, including PASTA, STRIDE, and DREAD, can be used.
Based on our expertise, the PASTA (Process for Attack Simulation and Threat Analysis) method is a comprehensive and effective approach to threat modeling in software systems, particularly for SAP landscapes, when compared to other methodologies like STRIDE and DREAD.
While all three methodologies share some common features, PASTA stands out because it emphasizes a structured and iterative approach that combines multiple threat modeling techniques. PASTA includes seven stages that cover everything from defining system boundaries and identifying assets, to analyzing threats and identifying mitigation strategies. The methodology is designed to be flexible, so that it can be tailored to specific organizational needs and system architectures.
PASTA also emphasizes the use of attack simulations, which can provide more realistic assessments of the effectiveness of mitigation strategies. This can help organizations to prioritize their security investments and identify areas where additional controls may be needed.
While both STRIDE and DREAD are useful methodologies, PASTA’s more comprehensive approach and emphasis on attack simulations make it a particularly effective choice for threat modeling in complex software systems like SAP landscapes.
As I said, the PASTA methodology has 7 steps:
- Define the objectives and scope.
- Define the technical scope.
- Decompose the application.
- Identify threats.
- Identify vulnerabilities.
- Analyze risks.
- Define and prioritize countermeasures.
Deep analysis of PASTA steps
Define the objectives and scope
The first stage of PASTA threat modeling involves defining objectives, which encompasses a range of factors related to the object being modeled, the threat modeling sessions, security governance, compliance objectives, and more.
To ensure that all relevant information is included in stage one, the objective scope should cover several areas, including general business requirements for the object being modeled, functional requirements, information security requirements (such as policies and baselines), compliance and regulatory requirements (such as industry-specific frameworks or standards), and data classification for any data related to the object being modeled.
Define the technical scope.
The second stage of PASTA threat modeling involves defining the technical scope and attack surface, which is crucial in determining the technical aspect of what needs protection, as opposed to people and processes.
The technical scope and attack surface encompass various components, such as relationships with other systems, dependencies, imports, and more. Some potential items in scope include the application code base, configuration, and connectors to other systems, the underlying database, cloud hosting configurations, networking components, operating systems, encryption and cryptography tools, SaaS connectivity, external service providers, and container technology.
It’s also essential to determine what is not in scope, as this helps to clarify what needs to be included in the threat modeling exercise and what should be deliberately excluded.
Decompose the application
The third stage of PASTA threat modeling involves decomposing the application, which entails delving into the internal workings of the application.
This stage provides valuable insights into the functioning of the application or system under scrutiny and sheds light on how key security concepts are currently implemented. It also helps to identify the trust boundaries and where it lies, internally and externally.
In this step, you need to create Data Flow Diagrams to understand the trust flows, which can be utilized in subsequent steps to analyze threats.
The fourth stage of PASTA threat modeling is analyzing threats, where potential threats are identified and assessed after gaining an understanding of the application environment and details in the previous steps.
The key output of this stage is to comprehend the threats and how they correspond to the attack surface.
Threat identification is based on general security knowledge, examining threat intelligence reports, known attack vectors, and referring to threat libraries. Notably, PASTA threat modeling also incorporates relevant threats, meaning that only the threats with concrete evidence of being exploited in the real world are taken into account.
The fifth stage of PASTA threat modeling is vulnerability analysis, which aims to link vulnerabilities with assets to gain an understanding of potential threats and risks.
In this stage, a vulnerability assessment is conducted to identify and evaluate any security weaknesses that can be exploited by attackers. The assessment includes various methods such as penetration testing, vulnerability scanning, and manual code review. By correlating vulnerabilities with assets, it becomes easier to determine the potential impact and likelihood of an attack, which can help prioritize the most critical vulnerabilities that need to be addressed first.
The sixth stage of PASTA threat modeling is attack analysis, where we connect the previously identified threats and vulnerabilities and demonstrate their feasibility using Attack Trees. This stage contributes to the understanding of the likelihood of an attack, which is an essential element in assessing and quantifying risk.
Define and prioritize countermeasures
The seventh stage of PASTA threat modeling is focused on risk and impact analysis.
PASTA is an all-encompassing threat modeling methodology, which means that risk reduction is incorporated into the process. This involves determining countermeasures that can mitigate threats that have been identified.