Presentation by Charl der Walt and Francesco Geremla at The ITweb security summit in 2009. This presentation is about the methodology behind version 2 of Sensepost's threat modeling tool, the corporate threat modeller.

1. 1

2. 2

3. 3

4. 4

5. 5

6. 6

7. 7

8. Single loss expectancy (SLE) is the value you expect to lose each time a risk
occurs. You calculate SLE by using the following formula: SLE = AV x EF
8

9. Single loss expectancy (SLE) is the value you expect to lose each time a risk
occurs. You calculate SLE by using the following formula: SLE = AV x EF
9

10. Annual loss expectancy (ALE) is the value you expect to lose to a given risk
each year. You calculate ALE by using the following formula: ALE = SLE x
ARO
10

11. Annual loss expectancy (ALE) is the value you expect to lose to a given risk
each year. You calculate ALE by using the following formula: ALE = SLE x
ARO
11

12. Annual loss expectancy (ALE) is the value you expect to lose to a given risk
each year. You calculate ALE by using the following formula: ALE = SLE x
ARO
12

13. 13

14. 14

15. 15

16. 16

17. 17

18. 18

19. Microsoft says:
Provides a consistent methodology for objectively identifying and evaluating
threats to applications.
Translates technical risk to business impact.
Empowers a business to manage risk.
Creates awareness among teams of security dependencies and assumptions.
19

20. 20

21. Step 1: Identify security objectives.
Clear objectives help you to focus the threat modeling activity and determine
how much effort to spend on subsequent steps.
Step 2: Create an application overview.
Itemizing your application's important characteristics and actors helps you to
identify relevant threats during step 4.
Step 3: Decompose your application.
A detailed understanding of the mechanics of your application makes it easier
for you to uncover more relevant and more detailed threats.
Step 4: Identify threats.
Use details from steps 2 and 3 to identify threats relevant to your application
scenario and context.
Step 5: Identify vulnerabilities.
Review the layers of your application to identify weaknesses related to your
threats. Use vulnerability categories to help you focus on those areas where
mistakes are most often made.
21

22. 22

23. 23

24. 24

25. 25

26. 26

27. Would prefer to use a diagram here
27

28. 28

29. 29

30. 30

31. 31

32. 32

33. 33

34. 34

35. 35

36. 36

37. Define Locations, Interfaces & Users (Trust Levels) But not “assets”, as
organizations are too complex
Create a map showing how Locations, Users and Interfaces relate
Users are restricted to locations
Interfaces are exposed to locations
37

38. Risks are gleamed from three sources
Analyst Experience
Organizational History
Group Brainstorming
Each Risk has key elements
Likelihood
Impact
Use an iterative process to describe the Risk, apply it to an Interface, then
refine as required
A new Risk is added if:
Likelihood or Impact differs
The required defense is likely to differ
38

39. This creates a Threat Vector
Directly linked:
What Interfaces could this Risk Impact?
Indirectly linked:
What Trust Level is required?
At which location would such Users be found?
39

40. The Threat Vector therefore becomes a 4-Tuple
Risk, Interface, Location, User
A many-to-many relation means the number of Threat Vectors scales
linearly
40

41. Tests could be any of
Focused Technical Tests
E.g. Penetration Test
Sample Data
Drawn from existing monitoring systems e.g. Incident Logs or
previous assessments
Interviews
Conducted with relevant individuals or teams
Policy and procedure reviews
Research
Drawing on external sources
The more tests are conducted the more certainty we have
However, the most ‘efficient’ tests are easily calculated by considering the
Weights of all the Threat Vectors
impacted
41

42. 44

43. 45

44. 46

45. 47

46. 48

47. 49

48. 50

49. 51

50. 52

51. 53

52. 54

53. 55

54. 56

55. 57

56. 58

57. 59

58. 60

59. 61

60. 62

61. 63

62. 64

63. 65

64. 66