WebApp Sec mailing list archives
Re: Threat Modeling
From: Matthew Franz <mfranz () cisco com>
Date: Thu, 20 May 2004 15:46:37 -0500
I guess it all depends on what we mean by "threat modeling" and why we are doing it. What you are describing is different from (but could possibly inform) things like STRIDE/DREAD, attack trees, transaction paths, etc. which would be what I would consider threat modeling. I don't think there are any free/open source tools for doing something like that.

For what it is worth, some random thoughts I put together on the topic earlier this month: http://www.io.com/~mdfranz/papers/unpub-may04-flexible-threat-modeling.pdf

- mdf

Ok, Here is the odd ball question, why not grab a copy of any SNMP or Syslog listener, drop it to a database, send your firewall, IDS, and other data there, then do some data mining scripts to find out activity that is going on. At least then it would be relevant to where you are on the internet, and would develop a real baseline for your organization. (Don't mind me, did this already, and can be done using freeware and a good dba).

For example want to know what day of the week you get the most attacks, use this MS-SQL script (can be easily rewritten for MySQL).

    select
        CASE datepart(dw,id_timestamp)
            WHEN 1 THEN 'Sunday'
            WHEN 2 THEN 'Monday'
            WHEN 3 THEN 'Tuesday'
            WHEN 4 THEN 'Wednesday'
            WHEN 5 THEN 'Thursday'
            WHEN 6 THEN 'Friday'
            WHEN 7 THEN 'Saturday'
        END AS DayOfWeek,
        count(*) as NumberOfEvents
    from event
    group by datepart(dw,id_timestamp)
    order by datepart(dw,id_timestamp)

Want to know which ports are being scanned, use a script similar to this one.

    SELECT t_port, COUNT(*) AS [Count of TPort]
    FROM dbo.event
    GROUP BY t_port

So software involved:

Kiwi's syslog listener
MySQL
Some cut rate computer with about 1 gig of RAM
Some serious storage space (unless you go to a "trend table" digest at the end of 48 hours of actual data on line)
Your Operating system of Choice

Just a thought, seen this idea done too many times lately. But the good part is that you can threat trend for yourself based on your data, based on where you are on the internet, and develop some really thought provoking threat modeling based on your company, not on what someone tells you is the right thing to model for.

Cheers/r/Dan

-----Original Message-----
From: aporia () tiscali co uk [mailto:aporia () tiscali co uk]
Sent: Thursday, May 20, 2004 9:22 AM
Cc: webappsec () securityfocus com
Subject: RE: Threat Modeling

I've been looking for a free set of threat models, too - no luck, though - would be interested to know if you are successful.

_However_ I can recommend a software product called CRAMM. I don't know if you've used it, but basically it's a tool developed by HMG in Cheltenham. The great thing about it, and the reason it costs 4,000 GBP is that it contains a database of over 3000 threats, vulnerabilities and countermeasures. It also follows a specific methodology (Crown Copyright), and is aligned to BS7799. Unfortunately, the cost is a significant barrier to using it.

What about just buying the BS7799 (about 150 GBP) and ISO TR 13335: Guidelines for Management of IT Security (GMIT)? A reasonable starter pack. This isn't free either, unfortunately. But it is American.

---------------
Ivan Ristic [ivanr () webkreator com]

Any links to any free threat modeling tools out there ?

Does anyone know what happened to the threat modeling tool Microsoft announced in late 2003?

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
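
Added example, not part of the original thread or any poster's code: the two queries from the quoted message together with the 48-hour "trend table" digest it mentions, written in Python over SQLite so it runs offline. The event, id_timestamp and t_port names come from the post; the event_trend table, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

# Constructed sample rows (timestamp, target port); not real log data.
SAMPLE_EVENTS = [
    ("2004-05-17 03:12:00", 135), ("2004-05-17 03:12:05", 445),
    ("2004-05-18 11:40:10", 135), ("2004-05-19 22:01:30", 1433),
    ("2004-05-20 08:15:00", 135), ("2004-05-20 09:30:00", 80),
]
SAMPLE_NOW = datetime(2004, 5, 20, 12, 0, 0)  # constructed "current time"

def build_db(events):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (id_timestamp TEXT, t_port INTEGER)")
    # Hypothetical digest table: one row per (day, port) with an event count.
    con.execute("CREATE TABLE event_trend (day TEXT, t_port INTEGER, n INTEGER,"
                " PRIMARY KEY (day, t_port))")
    con.executemany("INSERT INTO event VALUES (?, ?)", events)
    return con

def events_by_weekday(con):
    # SQLite's strftime('%w') yields 0=Sunday .. 6=Saturday.
    rows = con.execute(
        "SELECT CAST(strftime('%w', id_timestamp) AS INTEGER) AS dow, COUNT(*)"
        " FROM event GROUP BY dow ORDER BY dow").fetchall()
    return [(DAYS[dow], n) for dow, n in rows]

def events_by_port(con):
    return con.execute(
        "SELECT t_port, COUNT(*) AS n FROM event"
        " GROUP BY t_port ORDER BY n DESC, t_port").fetchall()

def digest_older_than(con, now, hours=48):
    """Roll raw events older than the cutoff into event_trend, then drop them."""
    cutoff = (now - timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M:%S")
    with con:  # one transaction: counts are never lost or double-counted
        con.execute(
            "INSERT INTO event_trend (day, t_port, n)"
            " SELECT date(id_timestamp), t_port, COUNT(*) FROM event"
            " WHERE id_timestamp < ? GROUP BY date(id_timestamp), t_port"
            " ON CONFLICT(day, t_port) DO UPDATE SET n = n + excluded.n",
            (cutoff,))
        removed = con.execute(
            "DELETE FROM event WHERE id_timestamp < ?", (cutoff,)).rowcount
    return removed

if __name__ == "__main__":
    con = build_db(SAMPLE_EVENTS)
    print(events_by_weekday(con))
    print(events_by_port(con))
    print(digest_older_than(con, SAMPLE_NOW), "raw rows digested")
```

Running the digest on a schedule keeps the raw event table at roughly 48 hours of data while the per-day, per-port counts remain available for long-term baselining.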