Threat-Modeling.net

The
πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately of
πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately #meta

Adam Shostack presented the Fortunately/Unfortunately method for threat modeling in his Whitepaper β€œFast, Cheap and Good - An Unusual Trade-off Available in Threat Modeling”. I like the method and want to discuss some ideas.

Here's how he introduced the method:

β€œFortunately/unfortunately” comes to us from improv comedy, and works surprisingly well in threat modeling. Someone says, β€œfortunately, X,” and someone else replies, β€œunfortunately, Y,” and the exercise continues back and forth. For example, β€œFortunately, we’re encrypting all this data!” β€œUnfortunately, we store the key in the same directory!” The fortunately/unfortunately structure provides an opportunity for both playful and serious exploration, within a very quick demonstration (β€œtraining”) in how it works.

πŸ‡©πŸ‡ͺ German: πŸ™ Leider ⇆ πŸ™‚ Zum GlΓΌck

For German speakers, I suggest πŸ™ Leider ... ⇆ πŸ™‚ Zum GlΓΌck ...

πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately demo conversation

Here's an example with some more content:

πŸ™‚ Fortunately, patients can see their medical images online now. πŸ™ Unfortunately, everyone else can, too. πŸ™‚ Fortunately, we have a login. πŸ™ Unfortunately, it can be cracked easily.
πŸ™‚ Fortunately, we have brute-force protection. πŸ™‚ Fortunately, a random code with 15 digits from A-Z, 0-9 is good enough. πŸ™ Unfortunately, patients forget the code. πŸ™‚ Fortunately, they have a paper printout. πŸ™ Unfortunately, the printout is given to the wrong person. πŸ™‚ Fortunately, healthcare professionals are trained to check the patient's identity before they handout the printout. πŸ™ Unfortunately, an opportunist gets access when they lose the printout. πŸ™‚ Fortunately, we have the birth date as another authentication factor. πŸ™ Unfortunately, that won't deter people in the same household. πŸ™‚ Fortunately, most people live with people they trust or are well aware that they have to protect their secrets.

Paths in a tree?

This presentation introduces a way to look at πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately, that it is basically exploring a path in a πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately tree, where the conversation might have unfolded differently at each node. πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately trees are similar to attack-defense trees, but different. In a conversation, the tree is implicit. We need natural language to trace back.

πŸ™‚ Super powers

Here's some super powers of πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately:

πŸ™‚ Fortunately, it can be "trained" in 1 minute. πŸ™‚ Fortunately, it is fun and playful. πŸ™‚ Fortunately, it is good at finding acceptance criteria for mitigations. πŸ™‚ Fortunately, it is good at considering mitigation bypasses. πŸ™‚ Fortunately, it can consider all kinds of "What can go wrong?", not just security. πŸ™‚ Fortunately, it can unleash the power of language and import all kinds of repertoire. Examples ahead: πŸ™‚ Fortunately, it can import likelihood considerations by saying
πŸ™‚ Fortunately, this will never happen.
and challenging Unfortunately to show why this is worth addressing.
πŸ™‚ Fortunately, it can import feasibility considerations by saying
πŸ™ Unfortunately, we won't be able to ship this fancy mitigation together with the feature.
and challenging Fortunately to provide feasible and good enough security.
πŸ™‚ Fortunately, it can import training and knowledge acquisition by saying
πŸ™ Unfortunately, we don't know how to build that kind of thing.
and challenging Fortunately to demonstrate learning opportunities.

πŸ™ Downsides debunked πŸ™‚

Here's some disadvantages of πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately and some ideas how to overcome them:

πŸ™ Unfortunately, it needs two or more players and I don't have any friends. πŸ™‚ Fortunately, it can be played by one player who is good at dialectical self-talk. πŸ™‚ Fortunately, almost everyone can be a player. πŸ™‚ Fortunately, you can certainly find one friend if you try. πŸ™ Unfortunately, it can't threat model a system that is big enough so that I care. πŸ™‚ Fortunately, it works in an Incremental Threat Modeling scenario where we threat model a small increment with a narrow scope, which is a realistic scenario, especially with a "threat model every story" approach. πŸ™‚ Fortunately, it can be used in a Divide & Conquer approach as a Conquer strategy and let the Divide strategy reduce the scope until it works. πŸ™‚ Fortunately, it is not the only threat modeling method that exists. πŸ™‚ Fortunately, it is still good as a starter drug for threat modeling. πŸ™ Unfortunately, it is unstructured. πŸ™‚ Fortunately, it can be combined with structured approaches, like STRIDE, to provide some guidance. For example, we might scope upfront that we want to discuss availability. πŸ™ Unfortunately, it is transient and easily forgotten. πŸ™‚ Fortunately, we can have a transient conversation and still capture the essential learnings. πŸ™‚ Fortunately, it can be operated as a collaborative writing exercise. πŸ™‚ Fortunately, it can be recorded, transcribed and post-processed. πŸ™ Unfortunately, it needs to be drawn as a tree when written down. πŸ™‚ Fortunately, it can be presented flat, when different branches are not that important. πŸ™‚ Fortunately, we can present a tree as text with indentation like seen here. πŸ™ Unfortunately, it is sometimes hard to stick to the system and have a single conversation. πŸ™‚ Fortunately, we can have multiple conversations / a forest of trees. πŸ™ Unfortunately, it is not directly obvious what are good conversation starters. πŸ™‚ Fortunately, we can start with features we devolop, like
πŸ™‚ Fortunately, now we can X...
or with problems that were reported.
πŸ™ Unfortunately, it mixes essentials with ideas, may have irrelevant paths and include wrong turns. πŸ™‚ Fortunately, it can be seen as an input for actual decision what is relevant, kept and done. πŸ™‚ Fortunately, in a transcribed conversation, we can mark relevant things bold or strike-out irrelevant things. πŸ™ Unfortunately, it may be too playful for some people to be taken seriously. πŸ™‚ Fortunately, we can demonstrate its value by introducing it with a real example from a familiar domain. πŸ™ Unfortunately, it lacks obvious support how to easily trace back. πŸ™‚ Fortunately, Unfortunately can always jump to a more promising branch by saying
πŸ™ Unfortunately, there's another problem: Z
when the current branch is a winning branch for Fortunately.
πŸ™ Unfortunately, it is kind of DFSy (depth-first-search-y) when it should better be BFSy (breadth-first-search-y). πŸ™‚ Fortunately, that is not a problem when we operate it as a writing exercise. πŸ™ Unfortunately, the tree doesn't fit in our head, so we can't backtrace easily and may forget some branches. πŸ™‚ Fortunately, ???

Conclusion / TL;DR

πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately is an exciting method that is particularly impressive due to its light weight. To operate it seriously, it needs a few more ingredients: How is it embedded? How do we explore the relevant branches? How are the results processed? It also works as a collaborative writing exercise that explores πŸ™‚ Fortunately ⇆ πŸ™ Unfortunately forests.

Want more?