4

The OWASP Application Threat Modeling page, quoting step 2, says specifically:

These threats can be identified further as the roots for threat trees; there is one tree for each threat goal.

What is a threat tree, and what does it have to do with a potential threat goal in threat modeling for web applications?

Shritam Bhowmick
  • 3
    a quick Google search revealed: https://en.wikipedia.org/wiki/Attack_tree – schroeder Sep 03 '15 at 22:34
  • 1
    @schroeder yes certainly, but this does not answer what OWASP meant by `there is one tree for each threat goal`. Also, the term `threat tree` might be different from an `attack tree`, or are they the same? Since an attack is a *process* and a threat might be just a *logical assumption that a risk exists* which has *agents* or *threat agents* giving birth to **security risks**? – Shritam Bhowmick Sep 03 '15 at 22:41
  • OWASP mentions "trees" in the context of STRIDE, which you said you knew about. STRIDE defines the concept of a "tree" and uses the term "Attack Tree": https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_009 – schroeder Sep 03 '15 at 22:47
  • @schroeder exactly - *but* I have really dug this information out and the entire concept seems to flip out. It's evident from recent research that **attack trees** and **threat trees** are entirely different from what *Microsoft* assumed. This can be found here: http://taosecurity.blogspot.in/2007/06/threat-model-vs-attack-model.html – Shritam Bhowmick Sep 03 '15 at 22:55
  • So if OWASP is using the term in reference to STRIDE, then they likely mean the STRIDE meaning. – schroeder Sep 03 '15 at 23:00
  • @schroeder And if OWASP is using the term closely related to STRIDE, then Microsoft's ASF and its threat modeling schema are really outdated (refer: https://msdn.microsoft.com/en-us/library/ms978516.aspx) and I cannot think of a place to start with this information. What exactly are the threat models other than *STRIDE* and *DREAD* which I must be aware of to implement into an SSDLC for web applications? – Shritam Bhowmick Sep 03 '15 at 23:08
  • 2
    Shritam - I guess I'm not sure what you are trying to do. Can you edit your question and list your goal? Is your only goal to understand that one sentence in the OWASP document or are you looking to perform some task? If so, what task? – Neil Smithline Sep 04 '15 at 01:02
  • 2
    Debating "threat" vs "attack" is not useful. It will depend on one's perspective of the exercise. Even your Taosecurity link talks about that. Your simplified question can be boiled down to 2 different answers: 1) threat tree = attack tree, or 2) you will have to ask the author of the OWASP page what was meant. – schroeder Sep 04 '15 at 15:22
  • 1
    FWIW, DREAD is a threat scoring system rather than a threat modeling framework, so more closely related to CVSS than the STRIDE. – Xander Sep 04 '15 at 15:53
  • @Xander you see, now there is something really new to learn: DREAD is more like a scoring system, like CVSS. Thanks for this input here. – Shritam Bhowmick Sep 04 '15 at 18:25

2 Answers

6

An attack tree and a threat tree are the same thing. In a traditional application threat model, you start with the component that you're building, (be that the entire application, a component or function, a data flow, etc.) and enumerate the potential threats to that component.

When you're building an attack tree, the development is reversed. You start with the attacker's end goal, and then enumerate the possible ways you could achieve the end goal, and only then look at the application to find locations where it may be vulnerable to the vectors you've identified.

As Adam Shostack mentioned in his answer, attack trees are generally more suited to more advanced practitioners, and usually as a complement to traditional threat models, not a replacement for them.

Ideologically, attack trees are more a red-team style attacker-centric approach to the problem, which can provide useful additional insight.

Xander
  • I think a conceptual difference [here](http://taosecurity.blogspot.in/2007/06/threat-model-vs-attack-model.html) made the confusion. Threat modeling for applications is still emerging, and I saw in a thesis that CERN used its EAST (Extensible Agile Security Testing) to obtain efficient results. The red-team-alike approach is actually what distinguishes an attack tree from a threat tree. Would it be relevant to say that an attack tree is the *developer's approach to modeling from an attacker's perspective* and a threat tree, on the contrary, is the *developer's approach to information security risk management*? – Shritam Bhowmick Sep 04 '15 at 18:24
  • 1
    I would recommend against trying to distinguish threat trees from attack trees. As Xander says, they're the same thing. – Adam Shostack Sep 04 '15 at 19:56
  • I agree on this answer after concluding my research on this one. Attack tree and threat tree are similar with one difference - an attack might be the procedure and the threat is the more generalized form from where an attack could have started in the first place. Just keeping it real. – Shritam Bhowmick Nov 08 '15 at 15:20
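The attacker-centric construction Xander describes (start from the attacker's end goal, then enumerate ways to reach it, then check the application for those vectors) is easiest to see with a small tree you can evaluate. The following is an added example, not part of the original answer or of any OWASP material: a constructed attack tree for a hypothetical web shop with OR nodes (any child suffices) and AND nodes (every child is needed), the "cheapest unmitigated route" query that makes such a tree useful for prioritising fixes, and a way to mark leaves as mitigated and re-evaluate. Node names, structure and effort figures are invented for illustration.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed attack tree for a hypothetical web shop. Node names, structure
# and effort figures are invented for illustration; they are not from OWASP.


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: int = 0               # rough attacker effort for a leaf; higher is harder (constructed)
    mitigated: bool = False     # a leaf the defender has closed off
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[Optional[int], List[str]]:
    """Cheapest unmitigated way to reach `node` as (cost, path of node names).

    Returns (None, []) when every route is blocked by a mitigation. OR nodes
    take the minimum over children; AND nodes sum all children and are blocked
    if any child is blocked.
    """
    if node.kind == "leaf":
        return (None, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.kind == "or":
        feasible = [r for r in results if r[0] is not None]
        if not feasible:
            return None, []
        cost, path = min(feasible, key=lambda r: r[0])
        return cost, [node.name] + path
    if node.kind == "and":
        if any(cost is None for cost, _ in results):
            return None, []
        path = [node.name]
        for _, sub in results:
            path.extend(sub)
        return sum(cost for cost, _ in results), path
    raise ValueError(f"unknown node kind {node.kind!r}")


def apply_mitigations(root: Node, fixed: Iterable[str]) -> Node:
    """Mark every leaf whose name is in `fixed` as mitigated (in place)."""
    fixed = set(fixed)
    stack = [root]
    while stack:
        n = stack.pop()
        if n.kind == "leaf" and n.name in fixed:
            n.mitigated = True
        stack.extend(n.children)
    return root


def render(node: Node, depth: int = 0) -> str:
    """Indented text form of the tree, the way it would be sketched on a whiteboard."""
    tag = "" if node.kind == "leaf" else f" [{node.kind.upper()}]"
    extra = ""
    if node.kind == "leaf":
        extra = f" (cost {node.cost}{', mitigated' if node.mitigated else ''})"
    lines = ["  " * depth + node.name + tag + extra]
    for c in node.children:
        lines.append(render(c, depth + 1))
    return "\n".join(lines)


def build_tree() -> Node:
    # Root is the attacker's goal; each level below asks "how could that be done?"
    return Node("Read another customer's order history", "or", children=[
        Node("Request /orders/{id} with someone else's id (IDOR)", cost=1),
        Node("Hijack a logged-in customer's session", "or", children=[
            Node("Reflected XSS steals the session cookie", cost=3),
            Node("Sniff the cookie on a plain-HTTP page", cost=2),
        ]),
        Node("Act as a support admin", "and", children=[
            Node("Phish an admin's password", cost=4),
            Node("Defeat the admin's MFA", cost=6),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print(render(tree))
    print("cheapest route:", cheapest(tree))
    apply_mitigations(tree, ["Request /orders/{id} with someone else's id (IDOR)",
                             "Sniff the cookie on a plain-HTTP page"])
    print("after authorisation check and HSTS:", cheapest(tree))
```

The point of re-running `cheapest` after each mitigation is that the tree tells you which route an attacker falls back to once the cheap one is closed; when the only remaining route is the AND node, the attacker must achieve every child, so a single mitigation on any of them blocks the whole branch.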
3

Focus first on drawing a 'whiteboard style' diagram of your web application, its dependencies, and its trust boundaries, and then use STRIDE, CAPEC or the OWASP top ten to identify threats.

(Creating new threat trees is a task requiring a good deal of expertise. I'm not aware of threat trees designed to be used by those new to web threat modeling.)

@schroeder: STRIDE and attack trees are defined independently. STRIDE comes from here: http://blogs.microsoft.com/cybertrust/2009/08/27/the-threats-to-our-products/; attack trees were defined by Amoroso.

Adam Shostack
  • when we plan for security - is it necessary to pick a specific threat modeling technique and stick to it, or does this realization come as we advance in the process? For web applications, would WASC/OWASP be a good starting point? Or do both of these have to be pointed later towards STRIDE with the DREAD scoring system (picked from one of the answers by @Xander) or CAPEC? What is more convenient and efficient for overall web application security? – Shritam Bhowmick Sep 04 '15 at 18:32
  • You should think of techniques like programming techniques. You might start in PHP, shift to Ruby because it works better later. OWASP might be an ok starting point for you. STRIDE might be ok for you. (STRIDE works better for those with more security background.) Don't use DREAD, it's too subjective. If this is your first TM project, I suggest focusing on the fix side of things and starting with easy to fix issues. – Adam Shostack Sep 04 '15 at 19:51
  • thanks for the valuable information. I am now new to security but have only been on the attacking side. I am learning new ways to model threats to help developers do their job. Isn't it that most security auditors are responsible for threat modeling? Also, by referring to the `fix side of things`, do you mean `being on the defensive side rather than the attacking side`? For defensive, I have always thought of `positive security testing` rather than focusing on `negative security testing`. The latter reveals a holistic approach to risk management in software security. – Shritam Bhowmick Sep 04 '15 at 20:17
  • By "the fix side of things" I mean focus on fixing the problems you find via threat modeling. – Adam Shostack Sep 04 '15 at 21:39
  • yes that would help. So I basically follow the penetrate and patch model either way then. I thought the whole concept of STRIDE/DREAD was to classify threats and obtain the root cause. Whether this is effective after deployment or at the SDLC phase is questionable. – Shritam Bhowmick Sep 04 '15 at 22:52
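Adam's "whiteboard diagram first, then STRIDE" advice can be made concrete by enumerating threats per diagram element. The following is an added example, not part of the original answer: it encodes a constructed whiteboard model of a hypothetical web shop (external entities, processes, data stores, data flows, each placed in a trust zone) and applies the STRIDE-per-element chart from the Microsoft SDL (external entities: S, R; processes: all six; data flows: T, I, D; data stores: T, R, I, D), flagging threats on flows that cross a trust boundary so they are reviewed first. Element names, zones and flows are invented for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed whiteboard model of a hypothetical web shop: element names, trust
# zones and flows are invented for illustration.

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element chart from the Microsoft SDL: which categories are worth
# asking about for each kind of diagram element.
APPLICABLE = {
    "external": "SR",     # external entity (user, third-party service)
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external", "process" or "store"
    zone: str        # trust zone drawn around it on the whiteboard


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool   # flows crossing a trust boundary are looked at first


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Every (element, STRIDE category) pair the chart says to consider."""
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], False))
    for f in flows:
        for code in APPLICABLE["flow"]:
            threats.append(Threat(f.name, STRIDE[code], f.crosses_boundary()))
    # boundary-crossing flows first, then everything else in diagram order
    return sorted(threats, key=lambda t: not t.crosses_boundary)


def build_model() -> Tuple[List[Element], List[Flow]]:
    browser = Element("Customer browser", "external", "internet")
    app = Element("Shop web app", "process", "dmz")
    cache = Element("Page cache", "store", "dmz")
    db = Element("Orders database", "store", "internal")
    psp = Element("Payment provider API", "external", "third-party")
    flows = [
        Flow("HTTPS request/response", browser, app),
        Flow("Cache lookup", app, cache),          # stays inside the DMZ
        Flow("SQL query", app, db),
        Flow("Charge request", app, psp),
    ]
    return [browser, app, cache, db, psp], flows


if __name__ == "__main__":
    elements, flows = build_model()
    for t in enumerate_threats(elements, flows):
        flag = "*" if t.crosses_boundary else " "
        print(f"{flag} {t.target:28} {t.category}")
```

The output is a checklist, not a finding: each line is a question ("can the SQL query flow be tampered with between the DMZ and the internal zone?") that the team answers with either a mitigation, an accepted risk, or "not applicable here", which is the "fix side of things" Adam points at.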