Summary
A threat model can be viewed as a set of assumptions about the attacker's capabilities.
- Different threat models call for different mitigations.
- The assumptions in a threat model must be realistic.
- A threat model defines the adversary’s assumed powers in terms of how they could be used to attack your system. It’s extremely important that this definition characterizes reality.
- Three simple examples of threat models:
  - Network user: an (anonymous) user that can connect to a service via the network.
    - Can: provide malformed inputs and malformed messages; drop or send extra messages.
    - Possible attacks: SQL injection, XSS or CSRF.
  - Snooping user: an internet user on the same network as other users of some service.
    - Can: read/measure others' messages; intercept, duplicate and modify messages.
    - Possible attacks: session hijacking, DoS (dropping a user's messages).
  - Co-located user: an internet user on the same machine as other users of some service, e.g. malware installed on a user's laptop.
    - Can: read/write user files, snoop keypresses.
    - Possible attack: password theft.
Once you have your threat model defined, you can work out how you will respond to the threat. Different threat models will elicit different responses.
A poorly chosen model will result in poor security. In particular, assumptions you make about what an attacker cannot do are potential weaknesses if in fact the attacker does not have the assumed limitation.
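As an added illustration (not part of the original notes), the three models above can be written down as explicit capability sets and checked against the mitigations a design claims; every capability left unmitigated is an unstated assumption that the attacker cannot do something. The mitigation names and the capabilities they cover are constructed for this example.

```python
# Added example: a threat model as an explicit set of attacker capabilities,
# checked against the mitigations a design provides. Capability names follow the
# three models in the notes; the mitigations are constructed for illustration.

# Attacker capabilities per threat model (from the notes above).
THREAT_MODELS = {
    "network user": {"malformed input", "malformed message",
                     "drop message", "extra message"},
    "snooping user": {"read message", "measure message", "intercept message",
                      "duplicate message", "modify message"},
    "co-located user": {"read user file", "write user file", "snoop keypresses"},
}

# A design's defences, each listed with the capabilities it neutralises (constructed).
MITIGATIONS = {
    "input validation + parameterized queries": {"malformed input"},
    "message schema validation": {"malformed message", "extra message"},
    "TLS with server authentication": {"read message", "intercept message",
                                       "modify message"},
    "nonces / sequence numbers": {"duplicate message", "extra message"},
}


def unmitigated(model: str, mitigations: dict[str, set[str]]) -> set[str]:
    """Capabilities in `model` that no mitigation addresses.

    Each one is a silent assumption that the attacker can NOT do it, which is
    exactly the kind of weakness the notes warn about."""
    covered = set().union(*mitigations.values())
    return THREAT_MODELS[model] - covered


def extra_capabilities(deployed_model: str, realistic_model: str) -> set[str]:
    """Capabilities the realistic model grants that the deployed model ignores.

    If the deployed model is too weak, these are the attacks nobody designed for."""
    return THREAT_MODELS[realistic_model] - THREAT_MODELS[deployed_model]


if __name__ == "__main__":
    for model in THREAT_MODELS:
        gaps = unmitigated(model, MITIGATIONS)
        print(f"{model:16s}: unmitigated = {sorted(gaps) or 'none'}")
    print("network -> snooping adds:",
          sorted(extra_capabilities("network user", "snooping user")))
```

Running it shows that the same mitigation set leaves only message dropping open under the network-user model but every capability open under the co-located-user model, which is the notes' point that each model elicits a different response.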
What steps should you take to ensure your threat model is realistic?
- First, you can use other threat models as a starting point, when their systems are similar to yours.
- Second, you can stay informed about the state of the art in cybersecurity attacks and attack patterns. And you can then apply your knowledge to the system you are building to assess whether new attacks are a real threat.
- Finally, allow your threat model to evolve as you design your system. Challenge assumptions in your design.