Why we love Threat Profiles

By Paladion

May 18, 2005

We create threat profiles almost every day. The more penetration tests we do, the more convinced we are that the completeness of a test hinges on the quality of the Threat Profile. Let's look at Threat Profiles more closely.

A threat is the goal of an adversary. eg. "steal credit cards", "siphon funds to a fake account", "shut down the e-commerce site" etc.

A threat profile is the set of all threats the system should protect against. Note that a threat profile does not talk about issues the system is vulnerable to – all that comes later, after the test. The threat profile is simply a list of all the threats.

So, why is this important?

It starts from a predicament most security testers are familiar with. When you face an application, where do you begin testing? Do you just bang a scanner at it? Do you just pull out your checklist and start running through the tests? How do you begin?

You begin by building a Threat Profile.

Before you start "attacking", you figure out what the goals of the attacker are. What would an adversary want to achieve in this app? Because, that is what you will also be looking for, and only that. You do not try every attack technique just because it's there on your checklist; instead you will design test cases that achieve the adversary's goals.

And there is another reason you want Threat Profiles handy. They help you zoom in to the interesting variables quickly. Here's how: one of the banking applications we are currently testing has 250+ variables. Do we try every attack, on every variable? No, we just figure out what variables are relevant in the Threat Profile, and focus our efforts on manipulating them to break in. We don't want to manipulate that "&lang=en" phrase. And we don't want to waste cycles attempting a Cross Site Scripting attack on that "&pos=2" input. A brute force approach "every attack, on every variable" is expensive and unnecessary.

And that's why we love Threats Profiles. They helps us focus on outcomes that are meaningful. And the test plan is much more valuable that way.

[We explained Threat modeling and Threat Profiles in the first issue of Palisade and reviewed Snyder and Swiderski’s book on the subject next month.]

Tags: Uncategorized