Tuesday, June 12, 2007

Threat Model vs Attack Model

This is just a brief post on terminology. Recently I've heard people discussing "threat models" and "attack models." When I reviewed Gary McGraw's excellent Software Security I said the following:

Gary is not afraid to point out the problems with other interpretations of the software security problem. I almost fell out of my chair when I read his critique on pp 140-7 and p 213 of Microsoft's improper use of terms like "threat" in their so-called "threat model." Gary is absolutely right to say Microsoft is performing "risk analysis," not "threat analysis." (I laughed when I read him describe Microsoft's "Threat Modeling" as "[t]he unfortunately titled book" on p 310.) I examine this issue deeper in my reviews of Microsoft's books.

In other words, what Microsoft calls "threat modeling" is actually a form of risk analysis. So what is a threat model?

Four years ago I wrote Threat Matrix Chart Clarifies Definition of "Threat", which showed the sorts of components one should analyze when doing threat modeling. I wrote:

It shows the five components used to judge a threat: existence, capability, history, intentions, and targeting.

That is how one models threats. It has nothing to do with the specifics of the attack; modeling those specifics is attack modeling.

Attack modeling concentrates on the nature of an attack, not on the threats conducting it. I mentioned this in my review of Microsoft's Writing Secure Code, 2nd Ed:

[W]henever you read "threat trees," [in this misguided Microsoft book] think "attack trees" -- and remember Bruce Schneier worked hard on these but is apparently ignored by Microsoft.

That is still true -- Bruce Schneier's work on attack trees and attack modeling is correct in its terminology and its applications. Attack trees are a way to perform attack modeling. Attack modeling can be done separately from threat modeling, meaning one can develop an attack tree that any sufficiently capable threat could execute.
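To make the separation concrete, here is an added example (not code from the original post or from Schneier) that evaluates an attack tree in the Schneier style. The tree shape follows his well-known "open a safe" illustration; the step costs, the capability tags on each leaf, the three threat profiles, and the `harden` function are constructed for this example. Evaluating the tree with no capability set is pure attack modeling: the cheapest attack exists regardless of who the adversary is. Supplying a capability set is the point where the threat model's "capability" component is applied, and the same tree then yields a different answer for each threat. The `harden` function shows the defender's use of the model: raise the cost of one step and see which attack becomes cheapest next.

```python
"""Attack-tree evaluation in the style of Schneier's attack trees.

Added example, not from the original post. Tree shape follows the classic
"open safe" illustration; costs, capability tags and threat profiles are
constructed values for demonstration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "OR"                  # "OR": any child suffices; "AND": every child is needed
    cost: float = 0.0                 # cost of a leaf step; ignored on interior nodes
    needs: Set[str] = field(default_factory=set)   # capabilities a leaf step requires
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def leaf(name: str, cost: float, *needs: str) -> Node:
    """Shorthand for a leaf step with its cost and required capabilities."""
    return Node(name, "OR", cost, set(needs))


def evaluate(node: Node, caps: Optional[Set[str]] = None) -> Tuple[float, List[str]]:
    """Return (minimum cost, leaf steps) to achieve `node`.

    caps=None evaluates the tree on its own terms (attack modeling).
    A capability set marks leaves the adversary cannot perform as
    impossible (cost INF), which is where a threat model is applied.
    """
    if node.is_leaf():
        if caps is not None and not node.needs <= caps:
            return INF, []
        return node.cost, [node.name]
    results = [evaluate(child, caps) for child in node.children]
    if node.kind == "AND":
        total = sum(cost for cost, _ in results)
        steps = [s for _, path in results for s in path] if total < INF else []
        return total, steps
    return min(results, key=lambda r: r[0])   # OR: cheapest child wins


def harden(node: Node, leaf_name: str, extra_cost: float) -> Node:
    """Return a copy of the tree where one leaf step costs `extra_cost` more.

    Models a countermeasure against that step; the original tree is not
    modified, so before/after results can be compared.
    """
    if node.is_leaf():
        cost = node.cost + extra_cost if node.name == leaf_name else node.cost
        return Node(node.name, node.kind, cost, set(node.needs))
    return Node(node.name, node.kind, node.cost, set(node.needs),
                [harden(c, leaf_name, extra_cost) for c in node.children])


# Constructed attack tree (costs are arbitrary units, not real estimates).
SAFE = Node("Open safe", "OR", children=[
    leaf("Pick lock", 30, "locksmith"),
    Node("Learn combination", "OR", children=[
        leaf("Find written combination", 75, "physical_access"),
        Node("Get combination from target", "OR", children=[
            leaf("Threaten", 60, "coercion"),
            leaf("Blackmail", 100, "coercion"),
            Node("Eavesdrop", "AND", children=[
                leaf("Listen to conversation", 20, "physical_access"),
                leaf("Get target to state combination", 40, "social"),
            ]),
            leaf("Bribe", 120, "money"),
        ]),
    ]),
    leaf("Cut open safe", 100, "tools", "physical_access"),
])

# Constructed threat profiles: only the "capability" component of a threat model.
THREATS = {
    "opportunistic insider": {"physical_access", "social"},
    "funded outsider": {"money", "tools"},
    "unskilled passerby": set(),
}


if __name__ == "__main__":
    cost, path = evaluate(SAFE)
    print(f"Attack model alone: cheapest attack costs {cost} via {path}")
    for name, caps in THREATS.items():
        cost, path = evaluate(SAFE, caps)
        print(f"{name:22s} -> {cost}: {path or 'no feasible attack'}")
    cost, path = evaluate(harden(SAFE, "Pick lock", 50))
    print(f"After hardening the lock: {cost} via {path}")
```

Run stand-alone, the script prints the threat-independent cheapest attack first, then one line per threat profile, then the result after a countermeasure. The tree is built once and never changes; only the capability set supplied to `evaluate` changes, which is exactly the sense in which attack modeling stands apart from threat modeling.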

This understanding also means most organizations will get more useful results from attack modeling than from threat modeling, because most organizations (outside law enforcement and the intel community) lack any real threat knowledge. With the help of a pen testing team an organization can develop realistic attack models and therefore effective countermeasures. This is Ira Winkler's point when he says most organizations aren't equipped to deal with threats and should instead mitigate the vulnerabilities that any threat might attack.

This does not mean I am embracing vulnerability-centric security. I still believe threats are the primary security problem, but only those chartered and equipped to deter, apprehend, prosecute, and incarcerate threats should do so. The rest of us should focus our resources on what we can, but take every step to get law enforcement and the military to do the real work of threat removal.

4 comments:

Fernando Cima said...

To my knowledge the term "threat tree" comes from the work of Edward Amoroso (check "Fundamentals of Computer Security Technology", Prentice-Hall 1994), which by far predates any work in this area by Bruce Schneier. Amoroso's work is very well known inside Microsoft and this is, as far as I know, the historical reason Microsoft uses an "incorrect" terminology.

Danny Lieberman said...

Richard,
Just stumbled on this post of a year ago. Yes - Microsoft are a little careless with their definitions.

But, I'd like to make two points:
1) There ARE rigorous definitions. The entities are:
a. assets - things that have value (might be digital, physical, reputational or operational)
b. assets have vulnerabilities, a weakness or failing
c. threats exploit vulnerabilities
d. attacks are the manifestation of a threat
e. countermeasures mitigate vulnerabilities.

I don't believe you can break attacks away from threats, and I disagree with Ira Winkler's position that companies can't figure out threats.

In my experience - the language of threat modeling is natural for employees at all levels - once you explain the conceptual model - and that takes about 10 minutes tops.

Take care
Danny

http://www.architectsban.webs.com said...

This comment has been removed by a blog administrator.

Alex said...

Threat analysis and attack analysis should be subsets of risk analysis. They have uses outside of risk analysis, to be sure, but if a risk model does not utilize the posterior results of threat and attack analysis, there's a great chance that the model is little more than numerology.