I’m excited to announce that I will be speaking at BSides Nashville May 11, 2024. I will presenting my threat modeling talk which I’ve been blogging about the past couple of weeks. I’ll link the blog posts to the talk and pictures for past BSides events below. I’ve been going to BSides Nashville since it started in 2014. The first few years I attended I lived in Columbia, SC, which meant a seven hour drive to attend the conference. In 2016 I moved to Nashville and now consider it my home BSides conference.

It’s a really great event with a lot of great speakers and great spot. It’s also Nashville so getting into some fun (or trouble) is right around the corner. Prior to the pandemic they used to sell out 300 tickets very quickly. Post-pandemic they’ve struggled to get back to those number but so has every other local user group and conference. I’m expecting this year to be a big year for conference attendance not only for myself but the community. I believe people are ready to get back out there. More importantly the job market is influx and a lot of people are looking for jobs. The best way to do that is to get out and network with people at local user groups and conferences. If you’re planning to attend reach out and we can meet in person!

Threat modeling blog posts:

BSides Nashville Pictures:

BSides Nashville 2014

Bsides Nashville, TN, May 17, 2014.

BSides Nashville 2015

BSides Nashville, TN, April 11, 2015.

BSides Nashville 2016

BSides Nashville, TN, April 16, 2016

BSides Nashville 2017

Nashville, TN, April 22, 2017

BSides Nashville 2018

Nashville, TN, April 14, 2018

BSides Nashville 2019

Nashville, TN, April 13, 2019

My presentation for this year is Threat Modeling. My first stop is the 2024 Palmetto Cybersecurity Summit Feb 21-22, 2024, in Columbia SC. I’ll also be speaking at BSides Nashville May 11, 2024, and ShowMeCon May 13-14, 2024.

In this post I want to talk about rating and prioritizing the discovered threats from a threat modeling session. We’ll get into the different methodologies and talk about some of the nuances of them.

Methodologies for Risk Management

Created with help from ChatGPT

DREAD

DREAD, an acronym for Damage, Reproducibility, Exploitability, Affected users, and Discoverability, is a risk assessment model used to prioritize threats. Although its use has declined due to its subjective nature and lack of business context alignment, some organizations may still find it useful for quick, high-level risk assessments.

This is what I use for threat modeling. If you read Adam Shostack’s book he calls it obsolete and recommends SDL Bug Bar. The reason is that the different categories can be a bit ambiguous, lack granularity, and context. I think it’s great for getting started and keeps threat modeling simple. As threat modeling matures there may be a need to mature the risk management and switch to something that provides more scaleability.

Using DREAD we would rate the threat by each theat on a 1-3 scale. This allowed for prioritizing low, medium, and high. The final number will help prioritize the threats discovered for follow up. Again, when dealing with other groups it’s important to keep the bar to entry low. As the program matures and people get a better idea on threat modeling advancing to something a bit more technical can be useful.

SDL Bug Bar

The Security Development Lifecycle (SDL) Bug Bar is a concept and a set of criteria used within Microsoft's SDL framework to classify and prioritize the handling of software bugs based on their security implications. The "bug bar" establishes a baseline for the security severity that a bug must meet or exceed to be considered a priority for fix before software can be released. It helps teams make consistent, informed decisions about which security vulnerabilities to fix and when to fix them.

There’s not really a lot available online for implementing the Bug Bar. There are some blog posts and the SDL Bug Bar PDF which doesn’t exactly give instructions on how to implement. It can be loaded as a template into other Microsoft tooling so that can be helpful and will help with streamlining some of the threat modeling process. Leave a comment below if you’ve had experience implementing the SDL Bug Bar.

OWASP Risk Rating Methodology

The Open Web Application Security Project (OWASP) offers a risk rating methodology that considers factors such as threat agents, attack vectors, technical impact, and business impact to prioritize vulnerabilities. This methodology is particularly useful for web application security and can be adapted to fit an organization's specific needs. This has more in-depth math and expanded categories for rating a threat. This could be another option for maturity.

CVSS (Common Vulnerability Scoring System)

CVSS provides an open framework for rating the severity of security vulnerabilities in software. It offers a standardized way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS scores can help organizations prioritize their response and remediation efforts based on the potential impact of each vulnerability. This is one of the standards for vulnerabilities.

FAIR (Factor Analysis of Information Risk)

FAIR is a quantitative risk analysis methodology that helps organizations understand, analyze, and quantify information risk in financial terms. FAIR differs from other models by focusing on the financial impact of risks, making it particularly useful for making informed, data-driven decisions about cybersecurity investments and risk management strategies. This methodology was created by Jack Jones with the intent of providing risk in financial terms for organization.

TARA (Threat Agent Risk Assessment)

TARA identifies potential threat agents and evaluates the risks they pose to an organization's critical assets. This methodology is useful for organizations that want to focus on the most likely sources of threats and tailor their defenses accordingly. Intel created TARA as part of its comprehensive security and risk management strategy to identify, assess, and prioritize risks based on the potential impact of various threat agents. This methodology was created by the Department of Defense (DoD) in 2010. It uses built in attacks to assist in the risk assessment process.

Summary

There are multiple options for rating and prioritizing the threats identified in a threat modeling session. I like DREAD because it’s simple but that might not be feasible for larger organizations. If you’re a Microsoft shop the SDL Bug Bar may be a better fit. OWASP Risk Rating Methodology is also another option. If you really want to go deep CVSS or another framework may be the best option. FAIR and TARA are two methodologies that look to provide specific context to risk management. FAIR from a financial standpoint and TARA has a DoD lean. Choosing the best risk management methodology will depend on the organization and it’s needs. Try multiple and see what works best for your organization.

Next we’ll get into tools and resources for threat modeling.