Threat Modelling With PASTA

Threat modelling is a proactive approach to evaluating the threats your business faces, providing insights and evaluations of risks and mitigation priorities. It is a process which identifies, evaluates, and mitigates the potential threats to your business.

PASTA is the Process for Attack Simulation and Threat Analysis. PASTA threat modelling combines an attacker perspective of a business with risk and impact analysis to create a complete picture of the threats to products and applications, their vulnerability to attack, and informing decisions about risk and priorities for fixes.

PASTA threat modelling is a seven-stage framework for assessing your entire cybersecurity posture. Each stage builds on the work carried out in the stage before until stage seven presents the list of priorities to fix your cybersecurity vulnerabilities. The seven stages are described below.

Stages of PASTA threat modelling

Stage 1: Define your business objectives

Focus on what is important to your business. Understand the objectives of each application or product. Objectives may be driven internally, or they may be influenced by external partners, clients, or regulatory frameworks. They may include the need for a resilient product that works efficiently and reliably, or protecting assets and customers, or avoiding reputation risks.

• External Framework – CoBit, ISO, NIST, SANS, CAG, CIS
• Internal Standards – Crypto, Authentication, .NET security, JAVA security
• External Regulations – PCI-DSS, NERC CIP, FIPS 140-2, FedRAMP
• Internal Process/Artifacts – Risk Assessments, Vulnerability Assessments, SAST/DAST reports

Stage 2: Define the technical scope of assets and components

Understand the attack surface and create a picture of what it is that you are protecting. For each business component identify how they are configured, what dependencies they have on other internal applications, or where third-party applications are used. Be as comprehensive as possible to define which of these could undermine the application and allow a threat to be realised.

Attack Surface Components

• API endpoints
• Web application
• Network infrastructure
• OS Settings
• DNS server
• Certificate server
• Mobile client
• 3rd party SW/Library
• Data storage device
• Application Framework
• Kubernetes configuration
• Docker configuration
• Service configuration

Stage 3: Application factoring and identify application controls

Map the relationships between components. Identify users and their roles and permissions, assets, data, services, hardware, and software. Understand where implicit trust models are in place which could be ripe for exploitation, and the application controls that protect high risk web transactions that could become targets for attack.

Stage 4: Threat analysis based on threat intelligence

Research and find the credible threats that affect your industry and products and build a threat library. Utilise intelligence to understand the latest threats affecting your industry or products and analyse application logs to understand the behaviours the system is recording, including attacks that existing protections have mitigated.

Stage 5: Vulnerability detection

Map which weaknesses will break under threats. This stage builds on stage 2 which identified the attack surface, and looks for vulnerabilities, design flaws, and weaknesses in the codebase, system configuration, or architecture.

Stage 6: Analyse and model attacks

This stage is the attacker stage. The aim is to emulate the attacks that could exploit any identified weaknesses or vulnerabilities and prove that the suspected risks to applications are risks. The PASTA threat modelling methodology recommends building attack trees, which map threats, attacks, and vulnerabilities, to create a blueprint for how applications can be exploited. By the end of this stage, you will have a list of possible attack paths to exploits, including attack vectors.

Stage 7: Risk/ impact analysis and development of countermeasures

This stage uses the answers from earlier stages, such as what’s important to the organisation (stage 1), what are we working with (stage 2), how do they all work together (stage 3), and what does my threat intelligence tell me about our risks (stage 4) to create countermeasures that are truly relevant to your business, product, and the actual threats you face.

The benefits of PASTA threat modelling

There are many benefits to taking an all-encompassing perspective of an organisation’s cybersecurity posture. Just some of the benefits of PASTA threat modelling include:

• Put security at the centre of the entire business.
• Get a full picture of the threats an organisation may face
• Understanding of the evolving cyber threat landscape.
• Informed decision making.

Integrating PASTA threat modelling with your cybersecurity workplan

The entire purpose of PASTA threat modelling is to give your organisation some answers about the priorities for fixing vulnerabilities in a way that will best support your business and security needs.

PASTA threat modelling does not operate in a vacuum. Much of your current cybersecurity efforts, from application security assessments which enable you to understand the vulnerabilities of your applications (which in turn fits into stages 5 and 6 of PASTA) to the work you do to ensure compliance with regulatory requirements will inform your threat modelling.