6 min. reading time

The threat catalog contains all of the threats that should be considered within the TARA process. There are some established formats for the threat catalog such as STRIDE or MITRE; and these can be incorporated within itemis SECURE. Additionally, itemis SECURE allows the user to create a fully custom threat catalog format, should either of the two primary formats be insufficient for the use case.

In order to demonstrate how the STRIDE or MITRE frameworks can be implemented within the itemis SECURE threat catalog, the properties of the catalog need to be defined. Properties are as follows:

  • Threatens
  • Architecture
  • Technologies
  • Attack Feasibility
  • Refines

Threatens

A 1:N relationship that demonstrates which security property the threat is working against. In the ISO21434 standard, this would include Confidentiality, Integrity, and Availability. 

Architecture

A 1:N relationship that tags four different types of architecture that is defined within the item definition. These tags include:

  1. Channel
  2. Component
  3. Data
  4. Data flow

When a threat is given an architecture tag; any facet of the item definition that is defined with that tag will have the threat considered within the itemis SECURE threat scenario identification assistant.

Technologies

A 1:N relationship that tags a control as applicable to a particular type of technology. This works in a similar manner to the architecture property, but you are able to customize what types of technology can be tagged through the technology catalog.

Attack Feasibility

A 1:1 relationship that provides numerous different categories to rate the feasibility of a threat occuring. It is possible to modify each of these categories individually or even remove the categories as a whole and simply state that the threat is impossible to perform

Refines

Another 1:N relationship. The refine property allows you to create a parent threat class and then set children to inherit the values from this parent. The refinement property is the primary way to organize the threat catalog, and it is vital to the organization of STRIDE and MITRE

Setting Up a STRIDE Threat Catalog

STRIDE is an acronym used to describe different threat categories and breaks down as follows:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

The purpose of this organization style is to place different types of attacks under their most relevant category. In order to accomplish this format within itemis SECURE, the user would need to create a base threat class for each STRIDE category. Then when specific types of attacks are to be added, attach them to the most relevant category using the refine property.

The main benefit of using STRIDE is that it allows for the creation of very flexible attack trees. It is also quite useful for modeling attacks that are not-documented or simply hypothetical. 

Setting Up a MITRE Threat Catalog

MITRE is a threat catalog format that aims to provide detailed step by step attack trees for an attack, rather than providing generalized attack categories. In order to use this type of threat catalog properly, each step of the catalog must be followed in order to create the full attack tree. Order of MITRE is as follows:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

To set up this type of threat catalog within itemis SECURE, all 14 steps should be made as baseline threat classes. Then any additional entries should be a refinement of the most relevant step in the process. 

Creating a Original Threat Catalog Format

The flexibility of itemis SECURE allows for the user to create their own format for the threat catalog. Depending on what the user is trying to accomplish; the specific inputs required to achieve this will vary. However, a general underlying principle of using the refine property to categorize different threats would be used across all catalogs in order to facilitate some sort of organization. 

Developing a unique format can be quite beneficial for organizations that do not benefit from either of the two previously mentioned formats, but it does require a bit more time to develop and implement as there is no established norm to follow. 

Comments