What is the PASTA threat modeling method
PASTA (Process for Attack Simulation and Threat Analysis) is a ‘risk-centric’ threat modeling method that aims to bring business objectives and technical requirements together, using a wide range of tools. It takes an attacker-centric perspective and produces an asset-centric output in the form of threat enumeration and scoring. It makes the threat modeling process more effective by requiring security input from operations, architecture and development.
PASTA has a number of advantages that set it apart from other methods. It adapts easily from code-based to infrastructure scenarios, covers non-traditional threats and can be used to map incident response scenarios. It is risk-centric and evidence-based (it harvests threat intel sources for threat motives and leverages threat data to support prior threat patterns), and it focuses on the probability of attacks and inherent risks.
PASTA stages
The method consists of seven stages, each of which includes a number of activities. These stages are the following:
- Defining objectives. This stage covers Business Objectives (which can include the purpose of the code, changes made to the infrastructure, marketing campaign goals, etc.), Security, Compliance and Legal Requirements, Business Impact Analysis (which may include business and recovery processes, budget impact and system source requirements) and Operational Impact (the impact on existing processes).
- Defining technical scope. This stage sets the project boundaries. It covers data types and infrastructure, application and software dependencies, all of which must be documented according to their level of impact.
- Application decomposition. This stage maps what is important. It includes identifying use cases, actors, assets, roles and data sources; defining application entry points and trust levels (even if they are not going to change); documenting data movement (through Data Flow Diagramming); showing trust boundaries (including existing and proposed changes); and documenting and classifying all data.
- Threat analysis. A very important step, which involves documenting the threats and threat patterns relevant to the data. It includes probabilistic attack scenario analysis (all possible risk scenarios are listed), regression analysis on security events (listing the events that refer to the same or similar components) and threat intel correlation (using data from logs, HackerOne reports, incidents and other sources to help predict attack scenarios).
- Vulnerability and weaknesses analysis. A key stage, in which the threats are thoroughly examined (e.g. against existing vulnerability reports and issue tracking), threat trees and use and abuse cases are used (to analyze design flaws), and the Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) are applied. Impacted systems, sub-systems and data are also examined.
- Attack modeling. After the threats have been collected, assessed, examined and ranked, they are turned into attack simulations. The attack surface is tested before and after the proposed changes. The stage includes attack surface analysis (for the impacted components), development of attack trees, Attack-Vulnerability-Exploit analysis (with the help of those attack trees) and, finally, a summary of the impact and an explanation of each type of risk.
- Risk and impact analysis. At the closing stage the rationale for mitigation is developed. All the data and information are summarized, and risk mitigation strategies are identified, along with the efficiency vs cost of implementing mitigations and countermeasures.
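To make the last two stages concrete, the following added example (not part of the original article, and not a scoring formula that PASTA prescribes) evaluates a small attack tree and ranks mitigations by risk reduction per unit of cost. The tree, likelihoods, impact figure, costs and the function names `likelihood` and `rank_mitigations` are all assumptions made for illustration; leaves are treated as independent and a mitigated leaf is assumed to drop to zero likelihood.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"        # "LEAF", "AND" or "OR"
    p: float = 0.0            # leaf only: estimated likelihood, 0..1
    children: list = field(default_factory=list)

def likelihood(node, mitigated=frozenset()):
    """Likelihood that `node` is reached. Assumes independent leaves and that
    a mitigated leaf drops to 0 (both simplifications of this example)."""
    if node.gate == "LEAF":
        return 0.0 if node.name in mitigated else node.p
    ps = [likelihood(c, mitigated) for c in node.children]
    if node.gate == "AND":                  # every child condition must hold
        return prod(ps)
    return 1 - prod(1 - x for x in ps)      # OR: at least one child holds

def rank_mitigations(root, impact, mitigations):
    """Return (name, risk_reduction, reduction_per_cost_unit), best value first."""
    base = likelihood(root) * impact
    rows = []
    for name, (leaves, cost) in mitigations.items():
        residual = likelihood(root, frozenset(leaves)) * impact
        rows.append((name, base - residual, (base - residual) / cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample model: every name and number below is made up.
TREE = Node("customer records disclosed", "OR", children=[
    Node("account takeover", "AND", children=[
        Node("password reused from a breach", p=0.5),
        Node("MFA not enforced", p=0.4),
    ]),
    Node("injection flaw in search endpoint", p=0.1),
])
IMPACT = 100_000   # estimated loss if the root event happens
MITIGATIONS = {    # name: (leaves it removes, implementation cost)
    "enforce MFA": (["MFA not enforced"], 5_000),
    "parameterise search queries": (["injection flaw in search endpoint"], 2_000),
    "breached-password screening": (["password reused from a breach"], 8_000),
}

if __name__ == "__main__":
    print(f"baseline risk: {likelihood(TREE) * IMPACT:,.0f}")
    for name, cut, value in rank_mitigations(TREE, IMPACT, MITIGATIONS):
        print(f"{name:30} reduces risk by {cut:>8,.0f} ({value:.2f} per cost unit)")
```

In this constructed model the cheapest fix ranks first even though enforcing MFA removes more risk in absolute terms, which is the efficiency vs cost comparison the closing stage calls for.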