OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0
848 stars 231 forks

MITRE Att&ck integration with STRIDE threats #361

Open saurabhlime opened 2 years ago

saurabhlime commented 2 years ago

Describe what problem your feature request solves: Currently the tool does a good job of decomposing the architecture and applying threats according to the STRIDE framework. This still leaves some gaps in determining the cybersecurity requirements that the process needs to adhere to in order to remediate identified threats.

Describe the solution you'd like: The solution I am proposing is that we create an additional layer of threat taxonomy under STRIDE to identify the attackers' tactics and techniques, which might be used to identify the right defenses. These can become the cybersecurity requirements for the process that we are threat modelling.

This combined process for threat modeling can be like: The first step is to identify the process, map out the dataflows and interactions between them and the trust boundaries. [Threat Dragon is capable of this]

Second, for each of the subsystems, enumerate a STRIDE matrix listing the mnemonics. Third, the 12 ATT&CK tactics are tallied. Enumerated tactics are:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

In Step 4, for each of the tactics within each of the STRIDE mnemonics, the applicable techniques are evaluated. For instance, for the STRIDE mnemonic of spoofing, the 12 tactics are evaluated for ATT&CK threat techniques that could result in spoofing against authenticity. In other words, Steps 2 through 4 are a process of elimination.

Advantages:

  1. Using consistent semantics and vocabulary to communicate threats.
  2. Understanding the adversary tactics, which helps visualize the defenses to those threats.
  3. Using the open source framework created by MITRE to educate the development teams about various threats and associated remediations.
  4. Identifying cybersecurity requirements that help defend against multiple threats, e.g. preventing Initial Access can remediate other threats that are not directly related.

References: https://blog.isc2.org/isc2_blog/2020/02/under-attack-how-mitres-methodology-to-find-threats-and-embed-counter-measures-might-work-in-your-or.html
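The four-step procedure in this proposal (decompose, STRIDE matrix, tally the 12 tactics, evaluate techniques per tactic per mnemonic as a process of elimination) can be expressed as a small lookup over a technique catalog. The following is an added example, not Threat Dragon code and not from the issue author: it walks the 12 ATT&CK tactics for one STRIDE mnemonic and keeps only the tactics that carry an applicable technique. The technique IDs and names are real ATT&CK Enterprise entries, but the catalog is a hand-picked subset and the STRIDE-to-technique mapping is an illustrative assumption (which techniques apply is an analyst's judgement, exactly the evaluation step 4 describes). The threat object fields (`type`, `title`, `status`, `severity`) mirror Threat Dragon's STRIDE threat type strings but are assumed here, and the `attack` / `attackSuggestions` fields are hypothetical, showing how the layer could stay optional and never block a model that does not use it.

```javascript
// Added example (not project code): STRIDE threat -> candidate ATT&CK tactics/techniques.

// Step 3: the 12 ATT&CK Enterprise tactics, in matrix order.
const ATTACK_TACTICS = [
  'Initial Access', 'Execution', 'Persistence', 'Privilege Escalation',
  'Defense Evasion', 'Credential Access', 'Discovery', 'Lateral Movement',
  'Collection', 'Command and Control', 'Exfiltration', 'Impact',
];

// Constructed subset of the ATT&CK catalog. IDs/names are real ATT&CK entries;
// the selection is for illustration only, not the full matrix.
const TECHNIQUES = [
  { id: 'T1078', name: 'Valid Accounts', tactics: ['Initial Access', 'Persistence', 'Privilege Escalation', 'Defense Evasion'] },
  { id: 'T1557', name: 'Adversary-in-the-Middle', tactics: ['Credential Access', 'Collection'] },
  { id: 'T1036', name: 'Masquerading', tactics: ['Defense Evasion'] },
  { id: 'T1110', name: 'Brute Force', tactics: ['Credential Access'] },
  { id: 'T1070', name: 'Indicator Removal', tactics: ['Defense Evasion'] },
  { id: 'T1565', name: 'Data Manipulation', tactics: ['Impact'] },
  { id: 'T1041', name: 'Exfiltration Over C2 Channel', tactics: ['Exfiltration'] },
  { id: 'T1499', name: 'Endpoint Denial of Service', tactics: ['Impact'] },
  { id: 'T1068', name: 'Exploitation for Privilege Escalation', tactics: ['Privilege Escalation'] },
  { id: 'T1005', name: 'Data from Local System', tactics: ['Collection'] },
];

// Step 4 input, ASSUMED mapping: for each STRIDE mnemonic, the techniques whose
// outcome violates the property that mnemonic protects (e.g. spoofing vs authenticity).
const STRIDE_TO_TECHNIQUES = {
  'Spoofing':               ['T1078', 'T1557', 'T1036', 'T1110'],
  'Tampering':              ['T1565', 'T1557'],
  'Repudiation':            ['T1070'],
  'Information disclosure': ['T1557', 'T1005', 'T1041'],
  'Denial of service':      ['T1499'],
  'Elevation of privilege': ['T1068', 'T1078'],
};

// Steps 3+4 as a process of elimination: visit every tactic, keep only those
// with at least one applicable technique for this mnemonic. Unknown types yield {}.
function tacticsForStride(strideType) {
  const applicable = new Set(STRIDE_TO_TECHNIQUES[strideType] || []);
  const result = {};
  for (const tactic of ATTACK_TACTICS) {
    const hits = TECHNIQUES.filter((t) => applicable.has(t.id) && t.tactics.includes(tactic));
    if (hits.length > 0) {
      result[tactic] = hits.map((t) => `${t.id} ${t.name}`);
    }
  }
  return result;
}

// Optional enrichment of a Threat Dragon-style threat object (field names assumed).
// It never blocks: a threat with no ATT&CK selection keeps `attack: null` and only
// gains a suggestions list, so the layer can be ignored entirely.
function enrichThreat(threat) {
  return {
    ...threat,
    attack: threat.attack ?? null,              // hypothetical field: analyst's chosen tactic/technique
    attackSuggestions: tacticsForStride(threat.type),
  };
}

function enrichModel(threats) {
  return threats.map(enrichThreat);
}

// Constructed sample threats, shaped like Threat Dragon STRIDE threats.
const SAMPLE_THREATS = [
  { title: 'Client spoofs the service identity', type: 'Spoofing', status: 'Open', severity: 'High' },
  { title: 'Audit log entries are deleted', type: 'Repudiation', status: 'Open', severity: 'Medium' },
];

console.log(JSON.stringify(enrichModel(SAMPLE_THREATS), null, 2));
```

Running the block prints the two sample threats with their suggested tactics; for the spoofing threat, Execution, Discovery, Lateral Movement, Command and Control, Exfiltration and Impact are eliminated because none of the mapped techniques sits in those tactics, which is the elimination described in step 4. Swapping in the full ATT&CK STIX bundle for `TECHNIQUES` and a reviewed mapping for `STRIDE_TO_TECHNIQUES` would be the real work; the control flow stays the same.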

storkinsj commented 2 years ago

A thought on this feature: I think if we go through the stride threats and add something (2), mentally we've already done 3. It's why we know how to do 2. I do think it's a good idea for early threat modelers and will help teach.

My request (as with the pulldown for STRIDE vs other methods) is to default to whatever choice we make, and that it's not a mandatory step. So if by default we do not select the ATT&CK tactic, we don't get blocked if it's not selected. That will allow the "power users" to continue to move quickly through the model.

If you've used the later iteration of the MS SDL threat modeler, you know it's hardwired to windows mechanics and the wizard based approach can break threat modeling by forcing you into choices that don't apply. This is why I've moved away from that tool.

saurabhlime commented 2 years ago

I completely agree with not mandating the ATT&CK tactic step. Though we can pre-select the ATT&CK layer based on the process that is selected for threat modelling (cloud, container, network, IaaS etc.).

jgadsden commented 2 years ago

Agreed - where Threat Dragon wins is where it is simple and intuitive to use. The freeform text boxes are a big bonus for our community. If we implement this feature we would need it to be optional, as in it would not intercept the main use case.

From my point of view I would find this very useful, so could it be a different mode of Threat Dragon? I am not sure what I mean by that ... somehow I would be able to switch in to and out of Att&ck integration?

saurabhlime commented 2 years ago

Helpful resource to visualize STRIDE mapping to MITRE's Attack CAPEC. https://ostering.com/blog/2022/03/07/capec-stride-mapping/

jgadsden commented 1 year ago

Another comment from a Threat Dragon user: "I am looking to use Threat Dragon as a tool which will inform risk assessments. I am interested to understand if you are aware of whether it is possible to import the MITRE CAPEC "Mechanisms of Attack" methods as a .json file? I understand this may be possible by importing it as a layer, and then on top of this doing the actual threat modelling."

github-actions[bot] commented 2 months ago

This issue is stale because it has been open for 6 months with no activity.