Home page logo

webappsec logo WebApp Sec mailing list archives

RE: Threat Modeling
From: "Dan Morrill" <Dan.Morrill () PREMERA com>
Date: Thu, 20 May 2004 19:41:16 -0700

Interesting then in the long run.

The basis of my e-mail was threat modeling the actual attacks that were
coming in to the web server or other network object, not the possible
threats that could be used during the development cycle. 

So working in real world data as to the object (say web server) and what
attacks it is actually seeing, not working  out the DREAD issues. However,
real world can be used to determine statistics that can then be used to work
in STRIDE and DREAD. Especially for home grown code that is developed by the
company for their own use rather than a generic code set like apache, linux,
windows, etc. 

STRIDE/DREAD in use with GP code (General purpose) is more valid in those
instances in my opinion, than doing a detail analysis of the data coming
into the network, and determining risk based on actual data. Depends on
where you are, miss read the question (coming from a different background in


-----Original Message-----
From: Matthew Franz [mailto:mfranz () cisco com]
Sent: Thursday, May 20, 2004 1:47 PM
To: Dan Morrill
Cc: 'aporia () tiscali co uk'; webappsec () securityfocus com
Subject: Re: Threat Modeling

I guess it all depends on what we mean by "threat modeling" and why we
are doing it.

What you are describing is different from (but could possibly inform)
things like STRIDE/DREAD, attack trees, transaction paths, etc. which
would be what I would consder threat modeling. I don't think there are
any free/open source tools for doing something like that.

For what it is worth, some random thoughts I put together on the topic
earlier this month:


- mdf


Here is the odd ball question, why not grab a copy of any SNMP or Syslog
listener, drop it to a database, send your firewall, IDS, and other data
there, then do some data mining scripts to find out activity that is going
on. At least then it would be relevant to where you are on the internet,
would develop a real baseline for your organization. (Don't mind me, did
this already, and can be done using free ware and a good dba). 

For example want to know what day of the week you get the most attacks,
this MS-SQL script (can be easily rewritten for MySQL).

select CASE datepart(dw,id_timestamp)
 WHEN 1 THEN 'Sunday'
 WHEN 2 THEN 'Monday'
 WHEN 3 THEN 'Tuesday'
 WHEN 4 THEN 'Wednesday'
 WHEN 5 THEN 'Thursday'
 WHEN 6 THEN 'Friday'
 WHEN 7 THEN 'Saturday' END AS DayOfWeek
 , count(*) as NumberOfEvents from event
group by datepart(dw,id_timestamp)
order by datepart(dw,id_timestamp)

Want to know which ports are being scanned, use a script similar to this

SELECT     t_port, COUNT(*) AS [Count of TPort]
FROM         dbo.event
GROUP BY t_port

So software involved:

Kiwi's syslog listener
Some cut rate computer with about 1 gig of RAM
Some serious storage space (unless you go to a "trend table" digest at the
end of 48 hours of actual data on line)
Your Operating system of Choice

Just a thought, seen this idea done too many times lately. But the good
is that you can threat trend for yourself based on your data, based on
you are on the internet, and develop some really thought provoking threat
modeling based on your company, not on what someone tells you is the right
thing to model for. 


-----Original Message-----
From: aporia () tiscali co uk [mailto:aporia () tiscali co uk] 
Sent: Thursday, May 20, 2004 9:22 AM
Cc: webappsec () securityfocus com
Subject: RE: Threat Modeling

I've been looking for a free set of threat models, too - no luck, though
- would be interested to know if you are successful.

_However_ I can recommend a software product called CRAMM.  I don't know
you've used it, but basically it's a tool developed by HMG in Cheltenham.
 The great thing about it, and the reason it costs 4,000 GBP is that it
contains a database of over 3000 threats, vulnerabilities and

It also follows a specific methodology (Crown Copyright), and is aligned

Unfortunately, the cost is a significant barrier to using it.  What about
just buying the BS7799 (about 150 GBP) and ISO TR 13335: Guidelines for
Management of IT Security (GMIT)? A reasonable starter pack.  This isn't
either, unfortunately.  But it is American.

Ian Ristic [ivanr () webkreator com]

Any links to any free threat modeling tools out there ?

   Does anyone know what happened to the threat modeling tool
   Microsoft announced in late 2003?

ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web
applications ]

Broadband from an unbeatable ?15.99!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]