Re: Threat Modeling

[Matthew Franz <mfranz () cisco com>]

I guess it all depends on what we mean by "threat modeling" and why we
are doing it.

What you are describing is different from (but could possibly inform)
things like STRIDE/DREAD, attack trees, transaction paths, etc. which
would be what I would consder threat modeling. I don't think there are
any free/open source tools for doing something like that.

For what it is worth, some random thoughts I put together on the topic
earlier this month:

http://www.io.com/~mdfranz/papers/unpub-may04-flexible-threat-modeling.pdf

- mdf

> Ok,
>
> Here is the odd ball question, why not grab a copy of any SNMP or Syslog
> listener, drop it to a database, send your firewall, IDS, and other data
> there, then do some data mining scripts to find out activity that is going
> on. At least then it would be relevant to where you are on the internet, and
> would develop a real baseline for your organization. (Don't mind me, did
> this already, and can be done using free ware and a good dba). 
>
> For example want to know what day of the week you get the most attacks, use
> this MS-SQL script (can be easily rewritten for MySQL).
>
> select CASE datepart(dw,id_timestamp)
>  WHEN 1 THEN 'Sunday'
>  WHEN 2 THEN 'Monday'
>  WHEN 3 THEN 'Tuesday'
>  WHEN 4 THEN 'Wednesday'
>  WHEN 5 THEN 'Thursday'
>  WHEN 6 THEN 'Friday'
>  WHEN 7 THEN 'Saturday' END AS DayOfWeek
>  , count(*) as NumberOfEvents from event
> group by datepart(dw,id_timestamp)
> order by datepart(dw,id_timestamp)
>
> Want to know which ports are being scanned, use a script similar to this
> one.
>
> SELECT     t_port, COUNT(*) AS [Count of TPort]
> FROM         dbo.event
> GROUP BY t_port
>
> So software involved:
>
> Kiwi's syslog listener
> MySQL
> Some cut rate computer with about 1 gig of RAM
> Some serious storage space (unless you go to a "trend table" digest at the
> end of 48 hours of actual data on line)
> Your Operating system of Choice
>
> Just a thought, seen this idea done too many times lately. But the good part
> is that you can threat trend for yourself based on your data, based on where
> you are on the internet, and develop some really thought provoking threat
> modeling based on your company, not on what someone tells you is the right
> thing to model for. 
>
> Cheers/r/Dan 
>
> -----Original Message-----
> From: aporia () tiscali co uk [mailto:aporia () tiscali co uk] 
> Sent: Thursday, May 20, 2004 9:22 AM
> Cc: webappsec () securityfocus com
> Subject: RE: Threat Modeling
>
> I've been looking for a free set of threat models, too - no luck, though
> - would be interested to know if you are successful.
>
> _However_ I can recommend a software product called CRAMM.  I don't know if
> you've used it, but basically it's a tool developed by HMG in Cheltenham.
>  The great thing about it, and the reason it costs 4,000 GBP is that it
> contains a database of over 3000 threats, vulnerabilities and
> countermeasures.
>
> It also follows a specific methodology (Crown Copyright), and is aligned to
> BS7799.
>
> Unfortunately, the cost is a significant barrier to using it.  What about
> just buying the BS7799 (about 150 GBP) and ISO TR 13335: Guidelines for
> Management of IT Security (GMIT)? A reasonable starter pack.  This isn't fee
> either, unfortunately.  But it is American.
>
> ---------------
> Ian Ristic [ivanr () webkreator com]
>
> > Any links to any free threat modeling tools out there ?
>
>    Does anyone know what happened to the threat modeling tool
>    Microsoft announced in late 2003?
>
> --
> ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web
> applications ]
>
> __________________________________________________
> Broadband from an unbeatable ?15.99!
>
> http://www.tiscali.co.uk/products/broadband/home.html?code=SM-NL-11AM