Welcome to the fourth chapter of our journey to discover how to create your own Threat Modeling Templates with Microsoft Threat Modeling Tools 2016.
The first article of the series, where I introduced how to create your own Template, can be found in Threat Modeling Templates: how to start your own. The second article, dedicated to the definition of your own Entities, can be found in Threat Modeling Templates: the Stencils. The third article, on the definition of Threats, is published in Threat Modeling Templates: the Threats.
The current article discusses the third Tab in the Template Editor, which is dedicated to editing the properties of the threats that the tool generates based on the model.
In the previous article, we saw how Threats can be defined and, in particular, how you can define the rules that let the tool generate them automatically.
There is other information that you can assign to Threats, though, to describe them in more detail. For example, you can define the Title of the Threat, add a Description, or even add lists of values, like the Priority.
Properties can be of two types: Text or Lists. For a Text Property, you can insert specific content for each Threat. If you decide to create a List Property, you will be asked to define the possible values, and you will be able to select the specific default value for each Threat.
Personally, I think that it could be useful to include some additional properties, to improve the details of the Threats. For example:
- Recommended Preventive Controls – security controls that are recommended by the organization for preventing the threat.
- Recommended Detective Controls – security controls that are recommended by the organization for detecting the occurrence of the threat.
- Recommended Corrective Controls – security controls that are recommended by the organization for addressing the threat as soon as it occurs.
- Recommended Recovery Controls – security controls that are recommended by the organization for recovering from the consequences of the threat.
- Mitigation Type – Accept, Avoid, Mitigate, Transfer – the usual four mitigation types.
- Preventive Controls – security controls that have been selected for the application, to prevent the threat.
- Detective Controls – security controls that have been selected for the application, to detect the occurrence of the threat.
- Corrective Controls – security controls that have been selected for the application, to address the threat as soon as it occurs.
- Recovery Controls – security controls that have been selected for the application, to recover from the consequences of the threat.
- Description of Residual Risk – what are the attack scenarios that cannot be addressed by adopting the previous mitigations? This is needed by Stakeholders to understand the residual risk of the solution. CxOs would love this line.
- Residual Risk Evaluation – qualitative analysis of the residual risks.
The Recommended Controls are needed because most teams have no clue about what would be required: by specifying the standard Recommended Controls, the organization simplifies the job of the less expert teams and also improves quality. Making the multiple types of controls explicit encourages the teams to define multiple protections, to delay the attackers, detect the attacks and handle their consequences. If you do not explicitly ask for all those Security Controls, the mitigation found is typically partial and therefore not effective: for example, it would be possible to delay the attackers, but then the attack is not detected, and as a consequence the protection would represent a cost with no real value for the organization.
The other important properties concern the Residual Risk: this is a concept that helps CxOs understand what the solution really means for their security and decide what to do. The Description describes the risk that you have if you do not apply any mitigation, but what happens if you apply the mitigations? Would they be really important to control the risk, or not really? The Description of Residual Risk and Residual Risk Evaluation are there to let this information surface.
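The completeness argument above can be checked mechanically. The following is an added example, not part of the original article or of the tool: it assumes the threats are available as CSV text whose columns are named after the properties proposed above (the layout, the sample rows and the `review_threats` helper are constructed for illustration), and it assumes that residual risk must be documented whatever the Mitigation Type.

```python
import csv
import io

# Property names proposed in the article; the CSV layout itself is an assumption.
CONTROL_COLUMNS = ["Preventive Controls", "Detective Controls",
                   "Corrective Controls", "Recovery Controls"]
RESIDUAL_COLUMNS = ["Description of Residual Risk", "Residual Risk Evaluation"]
MITIGATION_TYPES = {"Accept", "Avoid", "Mitigate", "Transfer"}

# Constructed sample data, not an export from a real model.
SAMPLE_CSV = """Title,Mitigation Type,Preventive Controls,Detective Controls,Corrective Controls,Recovery Controls,Description of Residual Risk,Residual Risk Evaluation
Spoofing of the web client,Mitigate,Mutual TLS,,,,,
Tampering with the order queue,Mitigate,Message signing,Signature failure alerts,Queue quarantine,Replay from journal,Insider holding the signing key,Low
Repudiation of admin actions,Accept,,,,,No audit trail for admin actions,Medium
Data store denial of service,Ignore,,,,,,
"""


def review_threats(csv_text):
    """Return {threat title: [findings]} for threats with incomplete properties."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        mitigation = (row.get("Mitigation Type") or "").strip()
        if mitigation not in MITIGATION_TYPES:
            issues.append("invalid Mitigation Type: %r" % mitigation)
        # Only a threat that is being mitigated needs all four selected controls;
        # a prevent-only mitigation is the partial case the article warns about.
        if mitigation == "Mitigate":
            for column in CONTROL_COLUMNS:
                if not (row.get(column) or "").strip():
                    issues.append("missing " + column)
        # Assumption: residual risk is documented for every decision, Accept included.
        for column in RESIDUAL_COLUMNS:
            if not (row.get(column) or "").strip():
                issues.append("missing " + column)
        if issues:
            findings[row["Title"]] = issues
    return findings


if __name__ == "__main__":
    for title, issues in review_threats(SAMPLE_CSV).items():
        print(title)
        for issue in issues:
            print("  - " + issue)
```

The first sample threat is the prevent-only case: it has a preventive control but nothing to detect, correct or recover, and no residual risk statement for the stakeholders.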
This is essentially all for now. Next time we will finish with a general overview of the Threat Modeling Templates workflow and with some Tips & Tricks.