⏪▶️⏩ GIVEN WHEN THEN Threat Modeling
This is a proof of concept playground for GIVEN WHEN THEN Threat Modeling. We describe threat STEPs in a simple text format with GIVEN WHEN THEN style, approach it like an Attack Defense Tree, then experiment with simulations.
💡 TL;DR / Lessons learned
ℹ️ What are some of the lessons learned?
- GIVEN WHEN THEN threat descriptions are explicit about the pre- and post-conditions of STEPs 👉🏼 ... unlike some other approaches, where these are missing, implicit or buried in a wall of text.
- When we start to reuse and refine conditions and work with those structures, GIVEN WHEN THEN develops Attack Defense Tree equivalent capabilities! It is the text-based twin of Attack Defense Trees.
- We can reason about likelihood / impact and run simulations. This proof of concept implements probability propagation: we specify input probabilities at least for the SOURCEs. Applicable GIVEN WHEN THEN STEPs are applied until there is nothing more to exploit, and we see how probabilities spread through the system.
- Don't be fooled by the pretend accuracy: this is still a guessing game.
I hope it shows how GIVEN conditions unfold in a system. Sometimes small changes eradicate whole chains in an attack. We can also apply more techniques that are well understood from Attack Defense Trees...
💣 Threat Model
🤖 Simulation
ℹ️ How does this simulation work?
🎲 SOURCEs (mentioned in GIVEN, not in THEN)
🎲 INTERMEDIATEs (mentioned in GIVEN and in THEN)
SINKs (mentioned in THEN, not in GIVEN)
EVENTs (mentioned in WHEN)
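As an added example (not code from the playground, whose implementation is not shown on this page), the following Python models the simulation described above: it parses STEPs written in the text format, classifies conditions into SOURCE / INTERMEDIATE / SINK / EVENT exactly as in the legend, and propagates probabilities with AND as the product over a STEP's GIVENs and OR across STEPs that share a THEN, re-applying STEPs until nothing more is exploitable. The model text and the input probabilities are constructed for the example.

```python
import math
# Constructed sample model in GIVEN WHEN THEN style (not the page's playground model).
MODEL = """GIVEN attacker can reach the login form
GIVEN password policy is weak
WHEN attacker runs password spraying
THEN attacker has a valid user session

GIVEN attacker has a valid user session
GIVEN session token is not bound to the device
WHEN attacker replays the token from another device
THEN attacker reads customer records

GIVEN attacker has a valid user session
WHEN attacker exports the address book
THEN attacker reads customer records"""
SOURCE_PROBS = {"attacker can reach the login form": 0.8, "password policy is weak": 0.5,
                "session token is not bound to the device": 0.7}  # assumed SOURCE inputs (constructed)
def parse_steps(text):
    """Blank-line separated STEPs -> list of {"GIVEN": [...], "WHEN": [...], "THEN": [...]}."""
    steps = []
    for block in text.strip().split("\n\n"):
        step = {"GIVEN": [], "WHEN": [], "THEN": []}
        for line in block.splitlines():
            keyword, _, condition = line.strip().partition(" ")
            step[keyword].append(condition.strip())  # KeyError on an unknown keyword
        steps.append(step)
    return steps
def classify(steps):
    """SOURCE: GIVEN only; INTERMEDIATE: GIVEN and THEN; SINK: THEN only; EVENT: WHEN."""
    givens = {c for s in steps for c in s["GIVEN"]}
    thens = {c for s in steps for c in s["THEN"]}
    return {"SOURCE": givens - thens, "INTERMEDIATE": givens & thens, "SINK": thens - givens,
            "EVENT": {c for s in steps for c in s["WHEN"]}}
def simulate(steps, source_probs, max_rounds=100):
    """AND = product of GIVENs per STEP; OR = 1 - prod(1 - p) over STEPs sharing a THEN; iterate."""
    probs = dict(source_probs)
    for _ in range(max_rounds):
        fired_by_then = {}
        for step in steps:
            if all(g in probs for g in step["GIVEN"]):  # every GIVEN already has a probability
                fired = math.prod(probs[g] for g in step["GIVEN"])
                for t in step["THEN"]:
                    fired_by_then.setdefault(t, []).append(fired)
        new = dict(source_probs)
        for t, contributions in fired_by_then.items():
            new[t] = 1 - math.prod(1 - q for q in contributions)
        if new == probs:  # fixed point: nothing more to exploit
            break
        probs = new
    return probs
```

With the constructed inputs the session INTERMEDIATE ends at 0.8 × 0.5 = 0.4 and the SINK at 1 − (1 − 0.28)(1 − 0.4) = 0.568; weakening a single SOURCE (say the password policy) lowers every chain that passes through it.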
💡 Inspiration
ℹ️ What inspired this work?
- Cucumber Gherkin language has GIVEN WHEN THEN language to specify and test software. This style is part of Behavior-driven development (BDD). According to this article, "Behavior-driven development was pioneered by Daniel Terhorst-North back in the early 00s, as he explained in a 2006 article called Introducing BDD."
- I saw GIVEN WHEN THEN in the Threat Modeling Connect Member Spotlight about Luis Servín. He helped promote it. I also saw it as a template for threat descriptions in some example threat models, including Featured Threat Model 02 and Featured Threat Model 04 from the Threat Modeling Connect collection. The community can't tell exactly who first proposed applying GIVEN WHEN THEN as a threat description template for threat modeling. (Can you tell?)
- Attack Trees and Attack Defense Trees provide a rich framework in cybersecurity to capture chains of attack events, different opportunities to reach a certain goal, and how to evaluate likelihood / occurrence and impact of intermediate nodes, the stepping stones in an attack. Matthew Coles explains how the question "How do you get there?" helps refine attack trees.
GIVEN WHEN THEN is the text-based twin of Attack Defense Trees, with the same expressiveness: AND tree nodes translate directly into GIVEN WHEN THEN STEPs and vice versa. OR tree nodes correspond to multiple STEPs with the same WHEN and THEN, each with only one of the GIVENs (or we can allow GIVEN ... OR).
- Visualizing attack trees at TMC forum collects tools that work with Attack Trees and other ways to write them down.
- The Cyber Kill Chain is a less general approach that lists the common steps of a multi-step cybersecurity attack.
- Credible Attack Vector (CAV) takes a closer look at the pre-conditions for a particular attack and decomposes them into four components that must be GIVEN for an attack to succeed. Mitigation aims to weaken or eradicate one of those GIVENs.
ℹ️ This is how CAV can be expressed in GIVEN WHEN THEN style
GIVEN Threat - Active attacker is interested in what you've got
GIVEN Exploit - Attacker has the means and skill to misuse
GIVEN Exposure - Attacker can get at a weakness
GIVEN Vulnerability - There is a weakness
WHEN Particular attack is performed
THEN Particular impact emerges
- Avi Douglen, talking about Value Driven Threat Modeling, demonstrates WITHOUT as a template to specify security, as in "provide awesomeness WITHOUT screwing up" (building on Jim Gumbley's ideas and a group effort at an Open Security Summit).
- Prolog is a logic programming language that is capable of evaluating logical chains and answering queries given relations.
- The simulation approach can be described as a Monte Carlo method. Obviously, there's the math around propositional logic, probabilities and how things AND / OR.
Future Work
ℹ️ Discover what's next...
(prioritized, important things first) (If there's anything you are interested in, let me know... 💬)
- ✅ Publish on threat-modeling.net
- Have more cool examples. Would you like to contribute?
- Get community feedback
- Show simulation probabilities inside the threat model also
- Publish on GitHub?
- Introduce "UNLESS mitigation kicks in" (= reverse GIVEN). Without something like UNLESS / NOT GIVEN, certain conditions have to be put in the negative form and we can't really switch cases.
- Move simulation closer to FAIR taxonomy? (Thanks, D Lio)
- Get better at describing detection and response controls or indicators of compromise. Maybe introduce PROTECT / DETECT / RESPOND keywords? (Thanks, Ron)
- Show the most exploited paths or other hints on how to best break chains? (Thanks, Raphael)
- More/other calculations? Which ones? Any ideas?
- Some graph drawing?
- Change the role of WHEN? Currently, STEPs will always be executed as long as the GIVENs are provided. WHEN will only be recorded. WHEN should have a GIVEN and THEN component to it...
- Get better at really small probabilities, like 1:10^9
- Allow for translations like 🇩🇪 GEGEBEN/WENN/DANN
- Update order to respect topological sorting
- ...