When we talk about pasta, we usually mean a wheat based food, which the Italians successfully converted into a staple dish the world over. However, there’s another pasta in town – PASTA threat modelling. This pasta is a risk-centric, offensive minded threat modelling methodology that considers your entire business and technological landscape in order to identify the priorities for risk mitigation.
In honour of World Pasta Day on 25th October, we take a quick look at how PASTA threat modelling works, and how it can benefit your organisation.
What is PASTA threat modelling?
Threat modelling is a process which identifies, evaluates, and mitigates the potential threats to your business. Threat modelling is a proactive approach to evaluating the threats your business faces, providing insights and evaluations of risks and mitigation priorities.
PASTA is the Process for Attack Simulation and Threat Analysis. PASTA threat modelling combines an attacker perspective of a business with risk and impact analysis to create a complete picture of the threats to products and applications, their vulnerability to attack, and informing decisions about risk and priorities for fixes.
PASTA threat modelling is a seven stage framework for assessing your entire cybersecurity posture. Each stage builds on the work carried out in the stage before until stage seven presents the list of priorities to fix your cybersecurity vulnerabilities. The seven stages are described below.
The seven stages of PASTA threat modelling
Stage 1: Define your business objectives
Focus on what is important to your business. Understand the objectives of each application or product. Objectives may be driven internally or they may be influenced by external partners, clients, or regulatory frameworks. They may include the need for a resilient product that works efficiently and reliably, or protecting assets and customers, or avoiding reputation risks.
Stage 2: Define the technical scope of assets and components
Understand the attack surface, and create a picture of what it is that you are protecting. For each business component identify how they are configured, what dependencies they have on other internal applications, or where third party applications are used. Be as comprehensive as possible to define which of these could undermine the application and allow a threat to be realised.
Stage 3: Application factoring and identify application controls
Map the relationships between components. Identify users and their roles and permissions, assets, data, services, hardware, and software. Understand where implicit trust models are in place which could be ripe for exploitation, and the application controls that protect high risk web transactions that could become targets for attack.
Stage 4: Threat analysis based on threat intelligence
Research and find the credible threats that affect your industry and products, and build a threat library. Utilise intelligence to understand the latest threats affecting your industry or products, and analyse application logs to understand the behaviours the system is recording, including attacks that existing protections have mitigated.
Stage 5: Vulnerability detection
Map which weaknesses will break under threats. This stage builds on stage 2 which identified the attack surface, and looks for vulnerabilities, design flaws, and weaknesses in the codebase, system configuration, or architecture.
Stage 6: Analyse and model attacks
This stage is the attacker stage. The aim is to emulate the attacks that could exploit any identified weaknesses or vulnerabilities, and prove that the suspected risks to applications actually are risks. The PASTA threat modelling methodology recommends building attack trees, which map threats, attacks and vulnerabilities, to create a blueprint for how applications can be exploited. By the end of this stage you will have a list of possible attack paths to exploits, including attack vectors.
Stage 7: Risk/ impact analysis and development of countermeasures
This stage uses the answers from earlier stages, such as what’s important to the organisation (stage 1), what are we working with (stage 2), how do they all work together (stage 3), and what does my threat intelligence tell me about our risks (stage 4) in order to create countermeasures
that are truly relevant to your business, product, and the actual threats you face.
The benefits of PASTA threat modelling
There are many benefits to taking an all-encompassing perspective of an organisation’s cybersecurity posture. Just some of the benefits of PASTA threat modelling include:
Put security at the centre of the entire business. PASTA threat modelling is an opportunity to involve stakeholders from across the organisation to understand how their goals are impacted by cybersecurity threats, and how in turn their goals influence the cybersecurity decisions the organisation makes.
Get a full picture of the threats an organisation may face. This includes the risks of those threats becoming attacks, and the goals those threats impact. Your security team can then prioritise threats to mitigate, ensuring that resources and attention are distributed effectively.
Understanding of the evolving cyber threat landscape. PASTA threat modelling is not a static, one-time assessment. Built into the process (at stage 4) is understanding of the current threats that your organisation may face. Cybersecurity threats are constantly evolving, and PASTA threat modelling encourages you to put time into understanding those threats rather than relying on old data or intelligence.
Informed decision making. PASTA threat modelling on new products allows your company to see whether existing protections are appropriate for the new product. It also helps make the decision whether to utilise a new tool or product from a supplier.
Integrating PASTA threat modelling with your cybersecurity workplan
The entire purpose of PASTA threat modelling is to give your organisation some answers about the priorities for fixing vulnerabilities in a way that will best support your business and security needs.
PASTA threat modelling does not operate in a vacuum. Much of your current cybersecurity efforts, from application security assessments which enable you to understand the vulnerabilities of your applications (which in turn fits into stages 5 and 6 of PASTA) to the work you do to ensure compliance with regulatory requirements will inform your threat modelling.
What PASTA threat modelling does is pull all your cybersecurity together with an attacking perspective to achieve the best cybersecurity planning for your organisation. Which is pretty similar to what a pasta dish with a strong sauce will do for your dinner.