PASTA allows organizations to understand an attacker’s perspective on applications and infrastructure, thus developing threat management processes and policies. Let’s learn more about PASTA threat modeling in this slideshare. To know more about threat modeling, click here: https://www.eccouncil.org/threat-modeling/
2. What Is PASTA Threat Modeling?
Process for Attack Simulation and Threat Analysis (PASTA) is a methodology to perform application threat modeling. This technique focuses on the application of security countermeasures to potentially mitigate defined threat models, weaknesses, vulnerabilities, and attack vectors. PASTA allows organizations to understand an attacker’s perspective on applications and infrastructure, thus developing threat management processes and policies.
Copyright EC-Council 2020. All Rights Reserved.
3. PASTA Threat Modeling Process
Define Objectives
Define Technical Scope
Decomposition & Analysis of Application
Threat Analysis
Vulnerabilities & Weaknesses Analysis
Model Attacks
Risk & Impact Analysis
4. Define Objectives
The first step of PASTA lists the objectives of the threat modeling process. Clear objectives make the entire process more streamlined, with a focus on only the relevant assets. Defining objectives is necessary to determine security and compliance requirements as per business or government regulations. The tools and methods to be used for the test are also defined in this step.
5. Define Technical Scope
The boundaries of the application are defined, along with its dependencies on the network environment. The dependencies on the server infrastructure also need to be discovered, along with their relevance to the software.
6. Decomposition & Analysis of Application
Decomposing the application into the essential elements of its architecture enables it to be further analyzed for attack simulation and threat analysis from both the attacker's and the defender's perspective.
7. Threat Analysis
Threat analysis enumerates the attack scenarios that web-focused threat agents are likely to exploit. An analysis of incidents and security events, coupled with fraud case management reports, is useful input at this stage.
The analysis process results in the identification of the threat agents and attacks that the application might be susceptible to.
8. Vulnerabilities & Weaknesses Analysis
This stage aims to analyze the weaknesses and vulnerabilities of the web application's security controls, while correlating vulnerabilities to the application’s assets.
It maps threats to security flaws in the application, and catalogs and scores vulnerabilities according to an established scoring system.
9. Attack/Exploit Enumeration and Modeling
This process involves the identification of the application’s attack surface. Attack trees for the identified exploits are enumerated, attack vectors are mapped to the nodes of those attack trees, and the trees are then used to identify exploits and attack paths.
10. Risk & Impact Analysis
Once the threat model has been created and analyzed, the areas a successful attack would affect are analyzed. Affected assets, systems, and networks are examined to determine the extent of disruption. Gaps in security controls are also identified in this step. Based on the identified attack vectors, residual risk is assessed, and mitigations are developed and prioritized.
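As an added illustration (not part of the EC-Council slides), the Python below runs the last three PASTA stages over a constructed web-application threat model: a scored vulnerability catalog correlated to assets (Stage 5), an attack tree whose leaves map to catalog entries and whose AND/OR gates are expanded into attack paths (Stage 6), and a residual-risk calculation that ranks candidate mitigations by how much risk each removes (Stage 7). The vulnerabilities, their 0-10 scores, the impact value and the likelihood heuristic (product of score/10 along a path) are all assumptions made for the example, not figures from the deck.

```python
"""Toy PASTA stages 5-7 over a constructed web-app threat model (added example)."""
from dataclasses import dataclass, field
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: str       # application asset the weakness is correlated to (Stage 5)
    control: str     # security control that is weak or missing
    score: float     # constructed 0-10 score in the style of a CVSS base score


@dataclass
class Node:
    """Attack-tree node. Leaves carry the vulnerability id they exploit (Stage 6 map)."""
    name: str
    gate: str = "LEAF"                 # "OR", "AND" or "LEAF"
    children: list = field(default_factory=list)
    vuln: Optional[str] = None


# Stage 5: constructed vulnerability catalog with assumed scores
CATALOG = {
    "V1": Vulnerability("V1", "customer_db", "input validation", 9.0),
    "V2": Vulnerability("V2", "login", "rate limiting / MFA", 7.5),
    "V3": Vulnerability("V3", "session", "cookie flags", 6.0),
    "V4": Vulnerability("V4", "backups", "access control", 5.0),
}

# Stage 6: constructed attack tree for the goal "exfiltrate customer records"
TREE = Node("exfiltrate customer records", "OR", [
    Node("inject into search query", vuln="V1"),
    Node("take over an admin session", "AND", [
        Node("guess a weak admin password", vuln="V2"),
        Node("replay the session cookie", vuln="V3"),
    ]),
    Node("read an unprotected backup", vuln="V4"),
])


def leaf_paths(node):
    """Enumerate attack paths: each path is the tuple of leaves that must all succeed."""
    if node.gate == "LEAF":
        return [(node,)]
    sub = [leaf_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in sub for p in paths]
    if node.gate == "AND":
        return [tuple(leaf for part in combo for leaf in part) for combo in product(*sub)]
    raise ValueError(f"unknown gate {node.gate!r}")


def assets_on_path(path):
    """Stage 5 correlation: assets whose controls the path relies on being weak."""
    return sorted({CATALOG[leaf.vuln].asset for leaf in path})


def path_likelihood(path, mitigated=frozenset()):
    """Assumed heuristic: product of score/10 over the leaves; a mitigated leaf kills the path."""
    likelihood = 1.0
    for leaf in path:
        if leaf.vuln in mitigated:
            return 0.0
        likelihood *= CATALOG[leaf.vuln].score / 10
    return likelihood


def residual_risk(tree, impact, mitigated=frozenset()):
    """Stage 7: risk = impact x likelihood of the most likely path still open."""
    return impact * max(path_likelihood(p, mitigated) for p in leaf_paths(tree))


def prioritize(tree, impact, mitigated=frozenset()):
    """Rank each not-yet-applied mitigation by the residual risk it removes (one greedy step)."""
    base = residual_risk(tree, impact, mitigated)
    gains = {}
    for vid in CATALOG:
        if vid not in mitigated:
            gains[vid] = base - residual_risk(tree, impact, mitigated | {vid})
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    IMPACT = 100  # constructed impact units for the root goal
    for path in leaf_paths(TREE):
        print([n.name for n in path], assets_on_path(path), round(path_likelihood(path), 3))
    print("residual risk:", residual_risk(TREE, IMPACT))
    print("mitigation ranking:", prioritize(TREE, IMPACT))
```

Running the ranking twice, feeding the first pick back in as `mitigated`, shows why the stage is iterative: fixing the input-validation weakness (V1) removes the most risk, but only after that does the backup access-control gap (V4) become the next priority, because the risk score is driven by the single most likely open path.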