Always Learning

Security-X Security Frameworks

CompTIA SecurityX

MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive, globally accessible knowledge base of cyber adversary behavior and tactics. Developed by the MITRE Corporation, it is a valuable resource for organisations to understand the different stages of cyber attacks and develop effective defenses.

The ATT&CK Navigator web page can be used to browse and annotate the matrix: https://mitre-attack.github.io/attack-navigator/

D.R.E.A.D

A risk-rating model developed by Microsoft to prioritize security threats and vulnerabilities; each letter is a factor that is rated and combined into an overall score.

D - Damage: Potential harm that could result from a successful exploitation of a vulnerability. Includes data loss, system downtime, or reputation damage.

R - Reproducibility: Ease with which an attacker can successfully recreate the exploitation of a vulnerability. A higher score indicates that the vulnerability is straightforward to abuse, posing a greater risk.

E - Exploitability: Difficulty level involved in exploiting the vulnerability, considering factors such as the technical skill required, the availability of tools or exploits, and the amount of time it would take to exploit the vulnerability successfully.

A - Affected Users: The number of users affected once the vulnerability has been exploited.

D - Discoverability: Ease with which an attacker can find and identify the vulnerability, considering whether it is publicly known and how difficult it is to discover given the exposure of the asset (publicly reachable or in a regulated environment).

S.T.R.I.D.E (Acronym)

Threat modeling framework by Microsoft to help identify potential security threats in software development and system design.

S - Spoofing: Unauthorized access through impersonation of a user or a system

T - Tampering: Unauthorized modification or manipulation of data or code

R - Repudiation: Ability to deny having acted, typically due to insufficient auditing or logging

I - Information disclosure: Unauthorized access to sensitive information, such as personal or financial data.

D - Denial of service: Flooding a web server with requests, overwhelming its resources so that it fails and is no longer available online.

E - Elevation of Privilege: Unauthorized elevation of access privileges, allowing threat actors to perform unintended actions.
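The two models above are used together in practice: STRIDE says what kind of threat a finding is, DREAD says how urgently it should be fixed. The script below is an added example, not part of these notes; it tags constructed sample findings with a STRIDE category, rates each DREAD factor 1-10, averages the five ratings into a DREAD score (Microsoft's original averaged scale) and ranks the findings. The High/Medium/Low bands and the sample findings are assumptions for illustration.

```python
# Added example (not from the notes): tag threats with a STRIDE category,
# rate each DREAD factor 1-10, and rank by the averaged DREAD score.
from dataclasses import dataclass
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str  # one-letter STRIDE category, see STRIDE above
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject typos early: an out-of-range rating silently skews the ranking.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for f in FACTORS:
            if not 1 <= getattr(self, f) <= 10:
                raise ValueError(f"{f} must be 1..10, got {getattr(self, f)}")

def dread_score(t: Threat) -> float:
    """Average of the five DREAD ratings: 1.0 (lowest) to 10.0 (highest)."""
    return sum(getattr(t, f) for f in FACTORS) / len(FACTORS)

def risk_band(score: float) -> str:
    """Assumed bands for illustration: >= 7 High, >= 4 Medium, else Low."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def rank(threats):
    """Highest DREAD score first; ties broken by Damage, then by name."""
    return sorted(threats, key=lambda t: (-dread_score(t), -t.damage, t.name))

# Constructed sample findings from a hypothetical web application review.
SAMPLE = [
    Threat("Session token exposed in URL", "I", 7, 9, 8, 6, 9),
    Threat("No audit log for payment refunds", "R", 5, 3, 4, 2, 2),
    Threat("Unauthenticated admin endpoint", "E", 10, 10, 9, 10, 6),
    Threat("No rate limit on login", "D", 4, 8, 7, 8, 7),
]
if __name__ == "__main__":
    for t in rank(SAMPLE):
        s = dread_score(t)
        print(f"{s:4.1f} {risk_band(s):6} {STRIDE[t.stride]:22} {t.name}")
```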

P.A.S.T.A

Process for Attack Simulation and Threat Analysis: a structured, risk-centric threat modeling framework designed to help organisations identify and evaluate security threats and vulnerabilities within their systems, applications or infrastructure.

7-step methodology

  1. Define the Objectives: Establish the scope of the threat modelling exercise by identifying the systems, applications, or networks being analysed and the specific security objectives and compliance requirements to be met.

  2. Define the Technical Scope: Create an inventory of assets, such as hardware, software, and data, and develop a clear understanding of the system's architecture, dependencies, and data flow.

  3. Decompose the Application: Break down the system into its components, identifying entry points, trust boundaries, and potential attack surfaces. This step also includes mapping out data flows and understanding user roles and privileges within the system.

  4. Analyse the Threats: Identify potential threats to the system by considering various threat sources, such as external attackers, insider threats, and accidental exposures. This step often involves leveraging industry-standard threat classification frameworks or attack libraries.

  5. Vulnerabilities and Weaknesses Analysis: Analyse the system for existing vulnerabilities, such as mis-configurations, software bugs, or un-patched systems, that an attacker could exploit to achieve their objectives. Vulnerability assessment tools and techniques, such as static and dynamic code analysis or penetration testing, can be employed during this step.

  6. Analyse the Attacks: Simulate potential attack scenarios and evaluate the likelihood and impact of each threat. This step helps determine the risk level associated with each identified threat, allowing security teams to prioritize the most significant risks.

  7. Risk and Impact Analysis: Develop and implement appropriate security controls and countermeasures to address the identified risks, such as updating software, applying patches, or implementing access controls. The chosen countermeasures should be aligned with the organisation's risk tolerance and security objectives.

To implement PASTA, follow these practical guidelines, stage by stage:

  1. Define the Objectives
     - Set clear and realistic security objectives for the threat modeling exercise.
     - Identify relevant compliance requirements and industry-specific security standards.

  2. Define the Technical Scope
     - Identify all critical assets, such as systems and applications, that handle sensitive data owned by the organisation.
     - Develop a thorough understanding of the system architecture, including data flows and dependencies.

  3. Decompose the Application
     - Break down the system into manageable components or modules.
     - Identify and document each component's possible entry points, trust boundaries, attack surfaces, data flows, and user flows.

  4. Analyse the Threats
     - Research and list potential threats from various sources, such as external attackers, insider threats, and accidental exposures.
     - Leverage threat intelligence feeds and industry best practices to stay updated on emerging threats.

  5. Vulnerabilities and Weaknesses Analysis
     - Use a combination of tools and techniques, such as static and dynamic analysis, vulnerability scanning, and penetration testing, to identify potential weaknesses in the system.
     - Keep track of known vulnerabilities and ensure they are addressed promptly.

  6. Analyse the Attacks
     - Develop realistic attack scenarios and simulate them to evaluate their potential consequences.
     - Create a blueprint of scenarios (i.e. attack trees) and ensure that all use cases are covered and aligned with the objective of the exercise.

  7. Risk and Impact Analysis
     - Assess the likelihood and impact of each identified threat and prioritize risks based on their overall severity.
     - Determine the most effective and cost-efficient countermeasures for the identified risks, considering the organisation's risk tolerance and security objectives.