Course material

Background 

The main topic of this course is methods for analysing threats, risks, and defences of large-scale computer systems. Commonly such methods are gathered under the concept of threat modeling. The threat modeling domain contains a large number of diverse methods and approaches that feature some commonalities and some differences. Overall it is important to understand that the disciple is not mature enough to have a single commonly accepted truth or correct way of working. So, in order to adress this challenge, in this course we will use a framework called Yacraf Links to an external site.. Yacraf was developed at KTH in order to introduce all (well, most..) aspects of threat modeling and analysis and stitch them together in a consistent way. However, this means that Yacraf is not used practice (yet..). So, at the end of the course you hopefully have the confidence to choose parts you would need when engaging in particular and sharp threat modeling projects.

Organization of material 

All material about the Yacraf per se and material addressing the course assignments specifically is found in a shared folder, here:

--> course material <-- Links to an external site.

This is thus the main resource on the course.

In addition this page gathers complementary material on the topic of threat modeling. As you will learn the Yacraf per se does not contain practical information about all the different dimensions of threat modeling, it is only a mechanism for conceptualize and combine the different dimensions. So, in this page we provide this kind of material. It should be noted that this material is not necessarily consistent with Yacraf and some of it is also meant to provide a widened perspective and technical depth on threat modeling as a whole. Hence, all material must be approached with an active and critical mind. Moreover, the gathered material is by no means complete and should rather be seen as initial pointers for deeper studies. (If you find more material that you find useful, please share by a post to the whole course so that we can update this repository.) Consequently, do not read/look at all material from A to Z, instead use the material more like a dictionary and dig deeper where you feel a need to do so given the course assignment, or curiosity.   

Now, more concretely, in the course we divide the Yacraf in the following phases: 
1. Business Analysis 
2. System Definition and Decomposition 
3. Threat Analysis 
4. Attack and Resilience Analysis 
5. Risk Assessment and Recommendations 

In order to help relating the material to the Yacraf we have organized the complementary material according to these phases (even though not all material is a clear one-to-one match). And before coming to these phases we start with some pointers to important background material for the course. 

Preliminaries 

Most threat modeling, including Yacraf, follows the structure of conceptual modeling with class and object diagrams, for instance found in the Unified Modeling Language (UML). In brief, class models constitute a modeling language (aka meta model) and object diagrams are instance representations of some piece of the real world and follow the class model/language rules.  

If you are not familiar with conceptual modeling, UML object and class diagrams are described in the below videos (A note: UML is primarily used for software design meaning that it is designed to support code generation. However, in conceptual modeling this is not the case so not all of UML is relevant for conceptual modeling and often the examples found in UML material can feel a bit off. In these videos you e.g. have to think of the “frogger game” as the real world you want to model.) 

• Object diagrams: UML Class Diagrams - Object Diagrams Links to an external site. 
• Class diagram, part 1: UML Class Diagrams - Simple Class Diagram Links to an external site. 
• Class diagram, part 2: UML Class Diagrams - Complex Example Links to an external site. 

Phase 1 - Business Analysis 

• An article about business analysis canvas, which is often used to grasp the entire organization from a business centric point of view can be found here Links to an external site.
•  CATWOE Links to an external site. looks at what a company wants to achieve, and which solutions can influence the stakeholders   
• A short youtube video explaining CATWOE: What is CATWOE? Links to an external site. 

Phase 2 - System Definition and Decomposition 

In Phase 2, you will create a detailed technical specification of the considered system. Data flow diagrams (DFDs) are to be used to describe the system architecture. To know more about DFDs, you can use the link here Links to an external site..   

Two general tools for data modelling and writing diagrams, charts and data flows (similar to Visio): http://draw.io Links to an external site. and https://www.lucidchart.com Links to an external site.. Links to an external site. There are also tools developed specifically with threat modeling in mind, most famous Microsoft’s threat modeling tool Links to an external site. (which is not maintained however) and Threat Dragon Links to an external site..

ICT System Components 

It is beneficial to understand and review a number of key concepts around ICT systems and their security before you create DFDs. Various types of Information and Communication Technology (ICT) components like Database, Network, Cloud, Operating Systems, Identity and Access Management are used in an enterprise. Short introduction and link to some reading materials related to ICT components are provided in this section for interested candidates. Some standard books are also referred; if someone from non-IT background wants to go deeper in those topics, the books are available in KTH Library. 

Database 

Data has become the most valuable asset for a modern business concern. Safety and security of customer data, intellectual property data, log data, etc are of foremost importance for an enterprise. Databases are used to store data in a structured way for easy update and retrieval. Databases can be of different types like, hierarchical, relational, NoSQL, etc. To manage databases different database management systems are created like MySQL, Oracle, PostgreSQL, MongoDB, etc. 

To learn more on databases and database management systems one can look into the following resources:-Database programming tutorial: What are databases? | Linux Academy Links to an external site.

 

Links to an external site.Relational Database Concepts Links to an external site. 

Text: 

Fundamentals of database systems - Ramez Elmasri, Shamkant B. Navathe 

Database System Concepts - Abraham Silberschatz, Henry F. Korth, S. Sudarshan 

Network 

Connectivity is important for doing business and most of the IT or ITES businesses provide their solutions to the customer via internet. Knowing about the computer network and its components is a must for a security researcher who wants to secure an enterprise. 

To learn more about network and its components following resources can be useful:-

Computer Networks: Crash Course Computer Science #28 Links to an external site. 

Text: 

Computer Networking: A Top-Down Approach - by James Kurose, Keith Ross 

OS 

Operating system running in on a computer provides a software interface of the physical machine to a user. Modern-day operating systems are highly configurable and have many user-friendly features. Addition of many features makes these systems complex and hard to manage. Securing these complex collection of software modules, known as the operating system is a highly complicated task. 

To start learning about operating systems one can follow the following resources:-

Operating Systems 1 - Introduction Links to an external site. Text: 

Operating System Concepts - by A. Silberschatz, P.B. Galvin and G. Gagne 

Modern Operating Systems - by Andrew S. Tanenbaum 

Identity and Access Management (IAM) 

Business concerns implement identity and access management to provide security to their data, processes, and other assets. Identity management or access management ensure that only a subject with proper authorization on an object should get access to that object. For a huge enterprise, this management becomes a daunting task. 

To know more on identity and access management one can start with the following links:-

Identity Management 101: Unwrapping Identity Management Links to an external site. Identity and Access Management: Technical Overview Links to an external site. 

Cloud 

In today's time it would be a tedious job for an enterprise to maintain all the hardware, software, data, security, etc. There is one solution to get rid of these managerial hassles, it is to use the services provided by some third-party cloud provider. These third-party providers will maintain the infrastructure, platform, or software and also look after their security requirements. 

For an introduction to cloud computing following one can follow the resources given below:-

Cloud Computing In 6 Minutes | What Is Cloud Computing? | Cloud Computing Explained | Simplilearn Links to an external site. 

Security topics 

To protect their assets against attacks, organizations often deploy a number of security services and functions in their system. It is thus valuable to grasp some of these key security concepts and decide accordingly whether the organization you are modelling makes use of any of these techniques and functions. 

• The MITRE corporation maintains a popular overview of possible security mechanisms in their D3FEND matrix Links to an external site.. 
• A few of some more important security technologies are explained in this playlist here, Links to an external site. or as individual videos below:
  • Anti-Malware Anti-Malware Tools - CompTIA A+ 220-1002 - 2.4 Links to an external site.
  • IDS/IPS Network Intrusion Detection and Prevention - CompTIA Security+ SY0-501 - 2.1 Links to an external site. 
  • Firewalls Firewalls - CompTIA Security+ SY0-501 - 2.1 Links to an external site. 
  • Logging Capturing Network Traffic and Logs - CompTIA Security+ SY0-401: 2.4 Links to an external site. 
  • Encryption Vulnerability Scanning - CompTIA Network+ N10-006 - 3.1 Links to an external site. 
  • Honey pots An Overview of Honeypots - CompTIA Network+ N10-005: 5.6 Links to an external site. 

Phase 3 - Threat Analysis 

This phase deals with an assessment of the threats that your system might be exposed to. This includes identifying possible attackers and developing different attacker profiles and abuse cases to calculate contact frequency, probability of action, and the threat event probability.  

• To know more about the known hacker groups that might attack you, please check https://attack.mitre.org/groups/ Links to an external site. and the resource maintained by the homeland security in the US (https://www.us-cert.gov Links to an external site.). MITRE ATT&CK framework is described in the following video: What Is MITRE ATT&CK? Part 1 - Basic Terminology Links to an external site.  (A note to make here is that who are considered to be the threat is of course in the eye of the beholder. As MITRE is a U.S. organization this material presents a Western perspective and selection of threat actors. Even so, the material is a good source of inspiration for emulating and reasoning about any potential threat actor.)  
•  Another useful document that describes a way to create organization specific threat profiles is here. Links to an external site.
• Structured Threat Information Expression (STIX Links to an external site.) is an open language for describing attacker and attacker campaigns. It is quite close to languages for Threat modelling but with a slightly different focus.  

Phase 4 - Attack and Resilience Analysis 

In this phase, you will be assessing your system for potential vulnerabilities to create a list and devising attack trees/graphs to visualize the abuse cases from the previous phase. To help you create a list of vulnerabilities and know more about different security requirements of a system, vulnerabilities, attack patterns, or penetration testing, you can follow the links below. 

Security properties

• To maintain information security, one needs to protect the confidentiality, integrity, and availability of a system and data. You can watch a small video explaining these three terms:-Confidentiality, Integrity, and Availability of Computer Security Links to an external site.
•  There are related interesting topics in security like authentication, authorization. It is recommended to know about their differences. Interested students can search for other security aspects or security requirements. Authentication vs Authorization Links to an external site.

Vulnerabilities

•  IT-systems used for personal or corporate uses have different vulnerabilities in them. Coding errors, misconfiguration of devices, etc. are a few of the various causes from which these vulnerabilities are introduced. Different tools are available to analyse the vulnerabilities of a system viz. NMAP, Nessus, Nexpose. You can follow the video below to get an introduction to the vulnerability analysis. Vulnerability Scanning Links to an external site.
• These vulnerabilities are exploited by attackers to harm the system. To check the resilience of a system against an attacker, penetration testing can be done. Metasploit Links to an external site. framework is a well-known penetration testing tool.  
• The vulnerabilities and/weaknesses found in different standard softwares are listed by some of the organizations for public use:-  https://nvd.nist.gov/ Links to an external site., https://www.cve.org/ Links to an external site. , https://www.cvedetails.com/  Links to an external site.and  https://cwe.mitre.org/ Links to an external site..   
• Vulnerabilities are often related to a level of criticality. Criticality scores for vulnerabilities are also maintained in the databases. Common vulnerability scoring system (CVSS) provides a procedure to compute vulnerability criticalities. Some related links to vulnerabilities and their criticalities are https://www.first.org/cvss/,   Links to an external site.https://kb.cert.org/  Links to an external site. Links to an external site. Links to an external site.

Attacks

• How to exploit systems and vulnerabilities follow a number of different types of attacks. The most popular framework for attack categorization and enumeration is MITRE ATT&CK Links to an external site., which is a highly recommended resource for this course. Another older initiative is CAPEC Links to an external site.. 
• Exploiting a vulnerability (or executing an attack) opens up possibility of executing other attacks to a hacker. It is common to see examples of multi-hop attacks in real life hacking scenarios. The dependency of an attack on one or more other previous attacks can be formalised by using attack trees or attack graphs. For some background on attack trees, please follow the following link for Schneier’s original article on attack trees here Links to an external site. and a thesis describing a way to create attack trees here Links to an external site.. 
• OWASP Cheat Sheets on security related to web application development. Very useful for technical threat modeling: https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html Links to an external site. 

Phase 5 - Risk Assessment and Recommendations 

In this phase, you will be performing the overall risk assessment of the system you considered and suggest possible course of actions to reduce the risk and improve the security. This does not really require any additional external input for the assignment per se, but for a bit of a perspective this article Links to an external site. and this article Links to an external site. can be recommended.  

Yacraf calculation tool

To simplify calculation and modelling process, we recommend to use Yacraf calculation tool available on the Github Links to an external site.. Installation guidelines, usage examples and FAQs are also published on the Github. Tutorial videos, which can be useful for understanding how the tool works, can be found on play.kth website: 

• Video 1 - First launch & pre-installed models
• Video 2 - Workspace creation
• Video 3 - Creating attacker profiles & abuse cases
• Video 4 - Creating attack trees
• Video 5 - Metamodel editing

More related material

• A collection and summary of different threat modelling approaches: https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html Links to an external site.   
• Hybrid TMM: https://resources.sei.cmu.edu/asset_files/TechnicalNote/2018_004_001_516627.pdf Links to an external site. 
• Summarization of Threat Modelling Mindset: https://roberthurlbut.com/r/BSC2017TM Links to an external site.
• An example of YACRAF model calculated on Excel sheet: yacraf_calculations.xlsx Links to an external site.
•  Other books:
  • Securing Systems: Applied Security Architecture and Threat Models ISBN: 978-1482233971 
  • Threat Modeling: Designing for Security ISBN: 978-1118809990 

PASTA method 

• PASTA ebook (via KTH library): Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis https://learning.oreilly.com/library/view/risk-centric-threat/9780470500965/c08.xhtml#c8 Links to an external site.
•  Presentation of PASTA: Process for Attack Simulation and Threat Analysis (PASTA) Risk Centric Threat Models Links to an external site.  
• Another PASTA presentation Links to an external site. with examples.

Notes on Yacraf relation to PASTA

Yacraf Phase 1 relations:

• Stage 1, Activity 1 -list of business requirements/use cases
• S1, A2 -list how assets need to comply with rules and regulations. (An “inverse” loss, non-compliance lead to loss..)
• S1, A3 -describe the impact of confidentiality, integrity, and availability + compliance breaches per asset.
• S1, A4 -List People/process/technology vulnerabilities (inherent risk) -Quite unclear structure and purpose. Not really addressed in Yacraf.

Yacraf Phase 2 relations:

• Corresponds to stage 2 (Definition of Technical Scope) and stage 3 (Application Decomposition). Overall Yacraf and PASTA are well aligned here. 
• Step 1 -Listing data and functions corresponds to roughly to stage 2 activities 1, 3, 4, 5.
• Step 1 -Accounts and authorization corresponds roughly to stage 2 activity 2 and stage 3 activity 1.
• Step 2 -Corresponds to stage 3 activities 2 and 3.

Yacraf Phase 3 relations:

• Step 1 -corresponds roughly to stage 4 activities 1, 2, 3, 6. (Stage 4 activity 4 is not considered in Yacraf since it is more related to vulnerabilities and system. Phase 3 focus is on the attackers.)
• Step 2 -corresponds roughly to stage 4 activity 5 and partly stage 5 activity 3.

Yacraf Phase 4 relations:

• Step 1 -Corresponds roughly to stage 5 activity 1 and 2.
• Step 2 -Corresponds roughly to stage 5 activity 3 and stage 6 activities 1, 3, and 4 (However in 4 impact is not assigned in phase 1).
• S5;A4 -PASTA wants to make a risk weighted scoring. This is wrong in relation to Yacraf (since this depends on attack aggregations (coming in Phase 5). Only local difficulty is what should be assigned.
• S5;A5 -Scanning and pentest. out of scope -unless ethical hacking is included.
• S6;A2 -Build your own attack library. -Don’t (normally)! Use Attack libraries as source of inspiration rather than maintaining this yourself. S6;A5 -Counter measure testing is out of scope.
• S6;A6 –Pentest is out of scope (for this course).

Yacraf Phase 5 relations:

• S7;A1 -Calculate overall risk for base case. (This includes several abuse cases/threats that needs to be summarized).
• S7;A2 -Identify countermeasures. Component based and architecture based. (Removing vulnerabilities/weaknesses is a form of countermeasure. sometimes we explicitly give these countermeasures names a treat them as official countermeasure, e.g. patching, other times we just remove things, remove account.)
• S7;A3 -Devise a number of scenarios and calculate risk for them. (Defense effectiveness cannot be calculated in isolation, it depend on the attack vector. Thus defenses constitute different scenarios). Defenses are either architectural or component based.
• S7;A4 -The conclusion what is your recommendation in terms of future security development/implementation.

FAIR method

• FAIR ebook (via KTH library): Measuring and Managing Information Risk: A FAIR Approach https://learning.oreilly.com/library/view/measuring-and-managing/9780124202313/XHTML/contents.xhtml Links to an external site.
• FAIR overview ppt: https://cdn2.hubspot.net/hubfs/1616664/The%20FAIR%20Model_FINAL_Web%20Only.pdf Links to an external site.
• Open group risk taxonomy (Standardization of FAIR): https://www.opengroup.org/forum/security-forum-0/risk-management Links to an external site.

Notes on Yacraf relation to FAIR