OCTAVE Threat Modeling method
OCTAVE (Operational Critical Threat, Asset and Vulnerability Evaluation) is a risk-based strategic assessment and planning method. It was developed in the beginning of the century by CERT (Computer Emergency Response Team). It focuses on evaluating organizational risks without addressing technological ones and its main aspects are: operational risk, security practices and technology. Its specifics concern the fact that all the analysis is usually performed by the employees, not a third party. A combined team is formed, which includes both technical specialists and managers. It allows to assess extensively all the consequences of the ‘security incidents’ and create countermeasures.
OCTAVE analysis phases
OCTAVE analysis consists of three phases, which are:
- Building asset-based threat profiles (organizational evaluation). It includes assets references, access type, an actor (jeopardy source), a motive (or violation type), an outcome and links to jeopardy descriptions in public catalogs. According to the actor type, types of risk can be divided into three categories:
1) Risks coming from an attacker who acts through the data transportation network
2) Risks coming from an attacker who has physical access
3) Risks connected with system failures
It can lead to disclosure, modification, loss or destruction of the data source or disconnection or interruption. Trees of variations are often used at this stage.
- Infrastructure vulnerability identification (information infrastructure evaluation). During this phase the infrastructure, supporting entities highlighted before (for example, a server, where the database is kept, or a workstation), and the environment, which can give access to them (for example, a corresponding local network segment) are defined. Servers, networking equipment, Information Security Systems, office PCs and home PCs for remote workers, who have access to the company network, mobile stations, IP storages and the like (and their components) are taken into account. High-severity, Middle-severity and Low-severity vulnerabilities are defined for each of the components.
- Security strategy and plans development (identification of risks to the organization’s critical assets and decision making). At the third phase a report is made, where all vulnerabilities, their possible impact on the appointed assets and solutions for measures and countermeasures are listed. Then the plan for mitigating risks (long-range, mid-term and for the nearest future) is developed. Special catalogs of tools are often used to select countermeasures.
OCTAVE Risk Analysis stages
Risk analysis usually includes several successive stages.
1) Setting up priorities. The most critical goals are defined at this stage, using the criteria, which reflect possible informational risks. They can be divided into ‘low’, ‘middle’ and ‘high’ severity types.
2) Enlisting and profiling of informational assets. It helps to define the ‘asset limits’ and its security requirements. Each profile includes program inputs for the following stages, forms the basis for risk detecting and, thus, is made for each asset separately.
3) Asset mapping. At this stage all the ‘containers’, where and how the asset can be stored, transmitted or processed and which can contain vulnerabilities or, vice versa, become ‘controlled secure points’ (it might be a device, a piece of software, etc.).
4) Problematic areas detecting. Its aim is the quick detection of risks, which are visible from the first glance.
5) Risk scenarios creation. They are usually drawn in the shape of trees, where each of the branches refers to a separate asset. To make it simpler, questionnaires are used. All possible risks and their realization are taken into account, which helps to develop countermeasures later. A quality scale is used here and three possibilities of realization of risks (low, middle and high) are brought in.
6) Risk assessment. At this stage it is defined, how the risk may affect the assets (risks for each asset is assessed separately to define its criticality)
7) Damage assessment. At this stage the level of damage is assessed. This relative assessment helps to prioritize the risks.
8) Decision making. At the final stage measures to handle certain risks are chosen according to the risks’ priority.