Over the years that I’ve been involved with threat modeling in the ACE Team, one of the things I learned is that “threat modeling” is an overloaded term. Some methodologies claim to be “threat modeling” methodologies when they are really closer to “attack modeling” or “risk modeling”. Granted, one can call something “foo modeling” as long as the definitions are made clear. So let’s do just that…
We’ll define a threat as the possibility of something bad happening: an event that has some sort of negative impact. Examples are losing your driver’s license, or a bank having the confidentiality of its customers’ credit card information compromised.
An attack is a means through which a threat is realized; in other words, the attack is the exploit. An attack could be a physical attack of some sort, or SQL injection, for example.
It’s important to be clear on the difference between a “threat” and an “attack”. One of the ways I like to look at this is to say that an attack is simply a means to an end, and the end is the threat. If you’re looking for ways to break something from an adversarial perspective, you’re “attack modeling”. If you’re looking for ways to defend against the potential realization of certain events from a defender’s perspective, you’re “threat modeling”.
An attack can only take place if certain vulnerabilities exist. In the case of a physical attack, it may be that you never took self-defense classes and couldn’t adequately defend yourself; in the case of SQL injection, it may be that the implementation built dynamic SQL from user input and performed no input validation.
A vulnerability is something that is mitigated with a countermeasure. Examples would be taking self-defense classes, or using stored procedures with embedded SQL that are invoked securely through strongly typed parameterized queries.
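To make the SQL injection vulnerability and its countermeasure concrete, here is an added example (not code from the original post or from the ACE Team). It uses Python’s sqlite3 module as a stand-in database, so there are no stored procedures; the countermeasure shown is the parameterized query itself, which is the part that stops the query text from being rewritten by input. The table, rows and attack string are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from the original post.
# The third name contains an apostrophe on purpose, to show that
# parameterization also fixes a legitimate-input bug, not just the attack.
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
    ("o'brien", "3400-0000-0000-009"),
]

# Classic tautology payload: closes the string literal, then ORs in a
# condition that is always true.
ATTACK_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory customers table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_dynamic_sql(conn, name):
    """VULNERABLE: dynamic SQL. The caller's string becomes part of the
    query grammar, so quotes in it change what the statement means."""
    query = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """COUNTERMEASURE: the value is bound as a typed parameter. The query
    text is fixed; whatever the caller passes is only ever compared as
    data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, card FROM customers WHERE name = ?", (name,)
    ).fetchall()


def dynamic_sql_handles_quote(conn, name):
    """True if the dynamic-SQL version can even run for this input.
    A name with an apostrophe breaks the statement (OperationalError),
    which is the same root cause the attacker exploits."""
    try:
        lookup_dynamic_sql(conn, name)
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    print("dynamic SQL, attack input :", lookup_dynamic_sql(db, ATTACK_INPUT))
    print("parameterized, attack input:", lookup_parameterized(db, ATTACK_INPUT))
    print("dynamic SQL survives o'brien?", dynamic_sql_handles_quote(db, "o'brien"))
    print("parameterized, o'brien     :", lookup_parameterized(db, "o'brien"))
```

With the dynamic version the attack string turns the statement into `... WHERE name = 'x' OR '1'='1'`, which returns every customer’s card number; the parameterized version returns nothing for that input because no customer is literally named `x' OR '1'='1`. The apostrophe case shows that input validation alone is the wrong fix: a real name like o'brien must be allowed, and only parameter binding lets it through safely.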
So we have the following assertion:
Threats are realized through attacks which can materialize through certain vulnerabilities if they have not been mitigated with appropriate countermeasures.
One last thing… what is “risk”? Think of a threat as a qualitative attribute of a system, and think of risk as the quantitative attribute of a threat: the measure used to size it so threats can be compared and prioritized. I’ll talk more about risk as appropriate.
More to come soon…