FFRI, Inc., profile picture
Uploaded byFFRI, Inc.
732 views

Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)

The document outlines various methods for threat analysis, including Data Flow Diagrams (DFD), STRIDE, attack libraries, and attack trees. It defines threats, enumerates various threat characteristics, and explains the processes involved in conducting a thorough threat analysis. The document concludes that these methods, especially when combined, can help efficiently identify and visualize threats to enhance security planning.

Embed presentation

Downloaded 13 times
FFRI,Inc. 1 Introduction of Threat Analysis Methods FFRI, Inc. http://www.ffri.jpE-Mail: research-feedback[at]ffri.jp Twitter: @FFRI_Research Monthly Research 2016.9
FFRI,Inc. 2 Agenda • Definition of threat analysis • Threat analysis process • Analysis methods – DFD(Data Flow Diagram) – STRIDE – Attack Library – Attack Tree • Conclusions • References
FFRI,Inc. 3 Definition of threat analysis • Methods to identify threats and evaluate risk • What is a threat? – It is causes of damage to assets. • These can be classified by environmental threats and human threats. • Threat analysis is performed in requirements phase and design phase. – If found problems, then fix it Requirements Design Implement Test Target of threat analysis
FFRI,Inc. 4 Threat analysis process DFD STRIDE Attack Tree Enumeration of threats Enumeration of threat causes Attack Library Reference of attack patterns Remediation Visualize to understand Introduction area
FFRI,Inc. 5 DFD(Data Flow Diagram) • DFD illustrates data flow in a system – DFD would help to understand data flow on a system. User Web Server Data Base Response Request Response data Inquiry Boundary between server and DB Boundary between user and server
FFRI,Inc. 6 STRIDE • What is the STRIDE? – This method is possible to identify threat which might occur in a system. – It is the acronym of the elements of the information system. Threat characteristics Example Spoofing Spoofing the owner Tampering Forge data Repudiation Delete logs Information Disclosure Leak of credit card number Denial of Service Put a load on the server Elevation of Privilege Get of administrative privileges
FFRI,Inc. 7 The STRIDE usage example • This description is using DFD on page 5 ( in this presentation ). • Spoofing – The third party gain unauthorized access to the system. • Tampering – Tampering the contents of the database • Repudiation – Delete the access log of the Web server • Information disclosure – Leak of customer information from database • Denial of Service(DoS) – The server is down by sending a large number of requests • Escalation of privilege – Execution of malicious programs in the Web server
FFRI,Inc. 8 Attack Library • What is the Attack Library? – It is list of attack method. • The CAPEC is an Attack Library that created by the MITRE. – If you use the Attack Library, threat enumeration will be efficient. – The collected information can be reused. – Attack Library is useful to making Attack Tree. https://capec.mitre.org/
FFRI,Inc. 9 Attack Tree • What is Attack Tree? – It is enumerated causes of threat. • Attack Tree is expressed by tree structure. • Pros – Attack tree can visualize the attack methods. – It is possible to quickly discover the vulnerability. • Cons – It takes time to create the Attack Tree. • How to create Attack Tree 1. Write the attacker’s goal to root. 2. Write attack methods to nodes.
FFRI,Inc. 10 Example of Attack Tree Unauthorized access Intrusion into the server room Use the ID of the user SQL Injection Leaked information from memo Get credential from target Threaten Listening Bribe Attacker’s goal Attack methods
FFRI,Inc. 11 Conclusions • Threat analysis begins from DFD. • STRIDE is easy to use because the threat's property has been patterned. • Attack library would help to perform a threat analysis more efficiently. – The CAPEC will be the reference of Attack Library. • Attack Tree is useful when considering measures. • You can obtain various information by performing threat analysis. – The information is a weak point to the attack. – It will lead to finding latent threats.
FFRI,Inc. References • Threat Modeling – http://as.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html • Strategies for Threat Modeling – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6NmE4NDhjYWNhOGYxMDBlOQ • STRIDE – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6MmY4ZTgxNmY5ODFhZWY5MA • Attack Trees – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6M2UzZDhjYWE5ZmU2NzJjYQ • Attack Libraries – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6YmVkN2EwODFjMDcxMjg3 • CAPEC – https://capec.mitre.org/ • Threat Modeling Analysis – https://msdn.microsoft.com/ja-jp/library/aa561499.aspx 12

More Related Content

PDF
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
byFFRI, Inc.
 
PDF
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
byFFRI, Inc.
 
PDF
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
byFFRI, Inc.
 
PDF
Penetration Testing Execution Phases
byNasir Bhutta
 
PPTX
Ethical Hacking n VAPT presentation by Suvrat jain
bySuvrat Jain
 
PPTX
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
PPTX
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
byInfocyte
 
PDF
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
byFalgun Rathod
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
byFFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
byFFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
byFFRI, Inc.
 
Penetration Testing Execution Phases
byNasir Bhutta
 
Ethical Hacking n VAPT presentation by Suvrat jain
bySuvrat Jain
 
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
byInfocyte
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
byFalgun Rathod
 

What's hot

PDF
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
byIRJET Journal
 
PPTX
Penetration testing reporting and methodology
byRashad Aliyev
 
PPTX
Red Team Operations: Attack and Think Like a Criminal
byInfosec
 
PPTX
Threat Hunting 101: Intro to Threat Detection and Incident Response
byInfocyte
 
PPTX
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
PPTX
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
PPTX
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
PPTX
Penetration testing in wireless network
byHadi Fadlallah
 
PPT
STRIDE And DREAD
bychuckbt
 
PPT
The Security Vulnerability Assessment Process & Best Practices
byKellep Charles
 
PPTX
Another Side of Hacking
bySatria Ady Pradana
 
PPTX
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
byEndgameInc
 
PDF
Microsoft threat modeling tool 2016
byRihab Chebbah
 
PPTX
Red team and blue team in ethical hacking
byVikram Khanna
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PPTX
Strata 2015 Presentation -- Detecting Lateral Movement
byRam Shankar Siva Kumar
 
PPTX
Cyber Incident Response Triage - CPX 360 Presentation
byInfocyte
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PDF
What is Penetration & Penetration test ?
byBhavin Shah
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
byIRJET Journal
 
Penetration testing reporting and methodology
byRashad Aliyev
 
Red Team Operations: Attack and Think Like a Criminal
byInfosec
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
byInfocyte
 
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
Penetration testing in wireless network
byHadi Fadlallah
 
STRIDE And DREAD
bychuckbt
 
The Security Vulnerability Assessment Process & Best Practices
byKellep Charles
 
Another Side of Hacking
bySatria Ady Pradana
 
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
byEndgameInc
 
Microsoft threat modeling tool 2016
byRihab Chebbah
 
Red team and blue team in ethical hacking
byVikram Khanna
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
Strata 2015 Presentation -- Detecting Lateral Movement
byRam Shankar Siva Kumar
 
Cyber Incident Response Triage - CPX 360 Presentation
byInfocyte
 
WTF is Penetration Testing v.2
byScott Sutherland
 
What is Penetration & Penetration test ?
byBhavin Shah
 

Similar to Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)

PDF
Application Threat Modeling
byPriyanka Aash
 
PDF
Threat Modeling Using STRIDE
byGirindro Pringgo Digdo
 
PDF
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
byFelipe Prado
 
DOCX
Residency ResearchISOL 536 Security Architecture and Design.docx
bybrittneyj3
 
PDF
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
PDF
Analysis on Common Network Attacks & Vulnerability Scanners
byPROBOTEK
 
PPTX
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
PPT
Security Overview - Updates and Trends In Detail
byMohanArumugam24
 
PDF
ch_2_Threat_Modeling_Risk_assessment.pdf
bygajendra903637
 
PPTX
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
byMohammed Abdul Lateef
 
PPTX
Intrusion detection system
bySweta Sharma
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
PDF
Null bachav
byNaga Venkata Sunil Alamuri
 
PPT
data mining for security application
bybharatsvnit
 
PPT
data mining for security application
bybharatsvnit
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PDF
Threat Modelling
byn|u - The Open Security Community
 
PPTX
Architecting for Security Resilience
byJoel Aleburu
 
PDF
Session2-Application Threat Modeling
byzakieh alizadeh
 
PPTX
Threat Modelling and managed risks for medical devices
byFrédéric Sagez
 
Application Threat Modeling
byPriyanka Aash
 
Threat Modeling Using STRIDE
byGirindro Pringgo Digdo
 
DEF CON 27 - workshop - KRISTY WESTPHAL - analysis 101
byFelipe Prado
 
Residency ResearchISOL 536 Security Architecture and Design.docx
bybrittneyj3
 
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
Analysis on Common Network Attacks & Vulnerability Scanners
byPROBOTEK
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
Security Overview - Updates and Trends In Detail
byMohanArumugam24
 
ch_2_Threat_Modeling_Risk_assessment.pdf
bygajendra903637
 
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
byMohammed Abdul Lateef
 
Intrusion detection system
bySweta Sharma
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Null bachav
byNaga Venkata Sunil Alamuri
 
data mining for security application
bybharatsvnit
 
data mining for security application
bybharatsvnit
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Threat Modelling
byn|u - The Open Security Community
 
Architecting for Security Resilience
byJoel Aleburu
 
Session2-Application Threat Modeling
byzakieh alizadeh
 
Threat Modelling and managed risks for medical devices
byFrédéric Sagez
 

More from FFRI, Inc.

PDF
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
PDF
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
PDF
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
byFFRI, Inc.
 
PDF
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
byFFRI, Inc.
 
PDF
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
byFFRI, Inc.
 
PDF
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
byFFRI, Inc.
 
PDF
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
byFFRI, Inc.
 
PDF
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
byFFRI, Inc.
 
PDF
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
byFFRI, Inc.
 
PDF
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
PDF
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
byFFRI, Inc.
 
PDF
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
byFFRI, Inc.
 
PDF
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
byFFRI, Inc.
 
PDF
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
byFFRI, Inc.
 
PDF
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
byFFRI, Inc.
 
PDF
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
byFFRI, Inc.
 
PDF
Malwarem armed with PowerShell
byFFRI, Inc.
 
PDF
MR201504 Web Defacing Attacks Targeting WordPress
byFFRI, Inc.
 
PDF
MR201502 Intel Memory Protection Extensions Overview
byFFRI, Inc.
 
PDF
MR201501 Latest trends in Linux Malware
byFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
byFFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
byFFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
byFFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
byFFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
byFFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
byFFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
byFFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
byFFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
byFFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
byFFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
byFFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
byFFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
byFFRI, Inc.
 
Malwarem armed with PowerShell
byFFRI, Inc.
 
MR201504 Web Defacing Attacks Targeting WordPress
byFFRI, Inc.
 
MR201502 Intel Memory Protection Extensions Overview
byFFRI, Inc.
 
MR201501 Latest trends in Linux Malware
byFFRI, Inc.
 

Recently uploaded

PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
How to Evaluate a High Performance Database
byScyllaDB
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 

Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)

  • 1.
    FFRI,Inc. 1 Introduction of ThreatAnalysis Methods FFRI, Inc. http://www.ffri.jpE-Mail: research-feedback[at]ffri.jp Twitter: @FFRI_Research Monthly Research 2016.9
  • 2.
    FFRI,Inc. 2 Agenda • Definition ofthreat analysis • Threat analysis process • Analysis methods – DFD(Data Flow Diagram) – STRIDE – Attack Library – Attack Tree • Conclusions • References
  • 3.
    FFRI,Inc. 3 Definition of threatanalysis • Methods to identify threats and evaluate risk • What is a threat? – It is causes of damage to assets. • These can be classified by environmental threats and human threats. • Threat analysis is performed in requirements phase and design phase. – If found problems, then fix it Requirements Design Implement Test Target of threat analysis
  • 4.
    FFRI,Inc. 4 Threat analysis process DFD STRIDE AttackTree Enumeration of threats Enumeration of threat causes Attack Library Reference of attack patterns Remediation Visualize to understand Introduction area
  • 5.
    FFRI,Inc. 5 DFD(Data Flow Diagram) •DFD illustrates data flow in a system – DFD would help to understand data flow on a system. User Web Server Data Base Response Request Response data Inquiry Boundary between server and DB Boundary between user and server
  • 6.
    FFRI,Inc. 6 STRIDE • What isthe STRIDE? – This method is possible to identify threat which might occur in a system. – It is the acronym of the elements of the information system. Threat characteristics Example Spoofing Spoofing the owner Tampering Forge data Repudiation Delete logs Information Disclosure Leak of credit card number Denial of Service Put a load on the server Elevation of Privilege Get of administrative privileges
  • 7.
    FFRI,Inc. 7 The STRIDE usageexample • This description is using DFD on page 5 ( in this presentation ). • Spoofing – The third party gain unauthorized access to the system. • Tampering – Tampering the contents of the database • Repudiation – Delete the access log of the Web server • Information disclosure – Leak of customer information from database • Denial of Service(DoS) – The server is down by sending a large number of requests • Escalation of privilege – Execution of malicious programs in the Web server
  • 8.
    FFRI,Inc. 8 Attack Library • Whatis the Attack Library? – It is list of attack method. • The CAPEC is an Attack Library that created by the MITRE. – If you use the Attack Library, threat enumeration will be efficient. – The collected information can be reused. – Attack Library is useful to making Attack Tree. https://capec.mitre.org/
  • 9.
    FFRI,Inc. 9 Attack Tree • Whatis Attack Tree? – It is enumerated causes of threat. • Attack Tree is expressed by tree structure. • Pros – Attack tree can visualize the attack methods. – It is possible to quickly discover the vulnerability. • Cons – It takes time to create the Attack Tree. • How to create Attack Tree 1. Write the attacker’s goal to root. 2. Write attack methods to nodes.
  • 10.
    FFRI,Inc. 10 Example of AttackTree Unauthorized access Intrusion into the server room Use the ID of the user SQL Injection Leaked information from memo Get credential from target Threaten Listening Bribe Attacker’s goal Attack methods
  • 11.
    FFRI,Inc. 11 Conclusions • Threat analysisbegins from DFD. • STRIDE is easy to use because the threat's property has been patterned. • Attack library would help to perform a threat analysis more efficiently. – The CAPEC will be the reference of Attack Library. • Attack Tree is useful when considering measures. • You can obtain various information by performing threat analysis. – The information is a weak point to the attack. – It will lead to finding latent threats.
  • 12.
    FFRI,Inc. References • Threat Modeling –http://as.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html • Strategies for Threat Modeling – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6NmE4NDhjYWNhOGYxMDBlOQ • STRIDE – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6MmY4ZTgxNmY5ODFhZWY5MA • Attack Trees – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6M2UzZDhjYWE5ZmU2NzJjYQ • Attack Libraries – https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzaWdzdGF3ZWJ8 Z3g6YmVkN2EwODFjMDcxMjg3 • CAPEC – https://capec.mitre.org/ • Threat Modeling Analysis – https://msdn.microsoft.com/ja-jp/library/aa561499.aspx 12