Story-Driven Threat Modeling with ThreatPlaybook
Objective
In this tutorial, you will learn how you can create a story-driven threat model with ThreatPlaybook
What is a Story-Driven Threat Model?
User-Story Driven Threat Modeling
Story-Driven Threat Modeling is different from System-Driven Threat Modeling that we are largely used to. Story-driven threat modeling starts with modeling user-stories (or feature definitions). The primary reasons behind story-driven threat modeling are:
- Speed - Your Threat Models are able to keep pace with the Engineering Team's SDLC rather than a long-drawn system-wide threat model being performed on a periodic basis
- Focus - The focus of your threat model in case of a story-driven threat model is the user-story itself. You waste little/no time on analyzing too many tangents
- Iterative - Story-driven threat modeling evolves with the story. If the story changes, the threat model might change. It lends itself to more scalability and elasticity
User Story/Feature
The User Story is a Description of the Functionality. This concept is very popular in the world of Agile Development, where an Agile Team picks a bunch of user stories to get done in a sprint. It is a Unit of Work to be completed in a sprint. A user story typically looks like this
As a user (salesperson), I should be able to access my customer's profile to be able to log call information with the customer
Abuser Story
An Abuser Story is an "evil user's version" of a user story. An Abuser Story captures (at a high level) WHAT a threat actor can do to abuse the feature enumerated in the User Story. For example
As a rival salesperson, I will access other salespeople's customers in the application to poach customers from my colleagues
Threat Model/Scenario
A Threat Model/Scenario is a description of HOW a threat actor can bring the abuser story to life. This is a scenario detailing the Attack Vector (primary technique for attack) and approach to bringing the Abuser Story to life. One can use STRIDE as an approach to capture various threats and use DREAD/CVSSv3 to capture impact of said attack. For example:
Abuser Story: As a rival salesperson, I will access other salespeople's customers in the application to poach customers from my colleagues
Threat Models:
- Attacker performs SQL Injection, to gain access to the Database of other customers in the System
- Attacker attempts to perform Insecure Direct Object Reference attacks, by incrementing the customer's ID value, gaining access to another customer's account
- Attacker steals a rival's session tokens by performing a Man-in-the-Middle Attack ....
Story-Driven Threat Modeling with ThreatPlaybook
Start by making sure that you have your Server and CLI setup
Follow Steps 1 and 2 in the Quick Start Guide here
Let's configure the CLI first
Currently, the CLI or the REST API are the only ways that data can be loaded into ThreatPlaybook. WebUI is view-only
Create a Project Directory
cd into your project directory
Configure
Please ensure that you substitute the following:
your-emailenter any email address, eample: admin@admin.comhost-infofor your addressable IP Address, example: 192.168.1.17portfor the nginx port, example: 80
After this, the CLI prompts you for a password, which is the super-admin password that you've setup in Step 1
Let's create a Project
A Project is typically an application that you want to Threat Model. In the case of a micro-service, you may want to use either a single project or multiple projects if they are modeled and managed separately
test-projectis the name of the project, in this case
Let's create our User-Story/Feature YAML file
In ThreatPlaybook, each user-story/feature is captured "as-code" in a single YAML file.
The YAML file typically has a structure of:
- Feature/User-Story
- Abuser-Stories under the Feature/User-Story
- Threat Scenarios under the Abuser Story
- Test Cases for the Threat Scenario
- Threat Scenarios under the Abuser Story
- Abuser-Stories under the Feature/User-Story
Let's look at a sample user-story/feature yaml
Let's examine this YAML file in more detail and some tips
- ThreatPlaybook is name-based, so its important that you name your features/abuser-stories/threat-scenarios uniquely
- Threat Scenarios can either be
repotype orinlinetype:- Repo Type: ThreatPlaybook has a list of canned Vulnerability Definitions already pre-loaded in the system. Of course, you can create your own definitions as well. These form a repository or
repo. So, when you want to declare a threat scenario is arepotype threat scenario, all you have to do is refer to the name of your canned vulnerability, and ThreatPlaybook automatically enumerates the following from the repo:- CWE
- Mitigations
- Test cases
- other metadata fields
- Inline type: When you declare and use inline threat scenarios, you are defining and declaring the threat scenario
inlinewith the YAML. In this case, there's no canned vulnerability and you are declaring that vulnerability definition on the fly. Here, you need to declare all these attributes yourself:- name
- cwe
- vul_name
- test-cases
- severity
- description
- test cases
- Repo Type: ThreatPlaybook has a list of canned Vulnerability Definitions already pre-loaded in the system. Of course, you can create your own definitions as well. These form a repository or
Push YAML to ThreatPlaybook server
When you're done defining your YAML, all you have to do is to push the Story-driven threat model to the ThreatPlaybook Server. This can be done with:
You'll need to provide the absolute (full) path to the yaml file. Relative paths wont work
If everything has worked, you should see a string of success messages of having created objects in ThreatPlaybook