Managing Rules
There are essentially two parts for an Analysis with THREATGET. The first part contains the creation of a System Model inside the Enterprise Architect Plugin. The second part deals with the creation and maintenance of the Rule Database. The following section shows how you can manage and create rules. You can only change or delete the rules you have created yourself. The rules provided by the AIT cannot be edited.
Create a New Rule
To create a new Rule, you first have to switch to the correct overview.
All previously created rules are listed in this list. Each rule has the following attributes: Title, Tag, Namespace, Category, Owner, Activated, Action, and Warning. The checkboxes for activation are used to activate rules that are required throughout the threat analysis process. As a result, you can quickly uncheck the checkbox in the Activated column to ignore rule(s) in the analysis.
The Actions column shows which actions you can perform on a selected rule. If you hover over a rule, the possible actions are displayed. AIT Rules can only be viewed. To view a rule, click on the Eye button in the Actions column.
To create a new rule please click on the + button on the right upper corner.
Rule Details
This opens the Rule Editor window, which includes two primary tabs. Title, Description, Tags, Threat Type, Likelihood, and Impact are all provided in the first tap Definition.
The ThreatType follows the STRIDE standard. STRIDE is a model of threats developed for identifying computer security threats.
STRIDE:
* Spoofing
* Tampering
* Repudiation
* Information disclosure
* Denial of Service
* Elevation of Privilege
Please click on the Threat Type button and select, in this case, Elevation of Privilege in the appearing Dropdown menu cause we want to check if we provide some Authorization as we described inside the description. ThreatGet estimates the risk severity of this threat; by utilizing the parameter values of the impact and likelihood.
The Likelihood in TheatGet has four levels:
* VERY LOW
* LOW
* MEDIUM
* HIGH
The Impact in ThreatGet has four levels:
* NEGLIGIBLE
* MODERATE
* MAJOR
* SEVERE
In our example, we suggest selecting a MEDIUM value for the likelihood and MODERATE value for impact. You can also add Tags to your Rule. These tags are different from the Tagged Values. The purpose of the THREATGET Tags is to group Rules into categories. To add a Tag to a Rule please click on the selectable Tags. To learn how to create new THREATGET Tags please see the documentation for tag creation.
Then press Next to proceeds into the following step, which is writing the rule text.
Rule Text
The second tap Anti-Pattern is used to write the main rule text. In our example, we will check the Authorization tagged value of the Top New Element.
ELEMENT : "Top New Element" {
"Authorization" != "Yes"
}
To learn how the Syntax of rules works please see the documentation for rule creation. If you have filled out everything you can click on the Check button at the buttom of the screen.
The application now checks in the background whether your entered rule is syntactically correct. As you can see, the Check button got replaced with a Save button. This means that the rule was syntactically correct and can now be saved. The saved rule is saved in the rule database and is listed with the other previously saved rules.
If you hover over the rule, you can see Actions a Pencil button and a Cross button. By clicking the Pencil button, you can EDIT this rule. By clicking the Cross button, you can DELETE this rule. You can see the added THREATGET Tags next to the name of the Rule. You are also able to search for rules with certain tags inside the Search Bar above.
However, if the rule text has an error, say the user define a name of a non-existing element.
ELEMENT : "New Element" {
"Authorization" != "Yes"
}
The Type "New Element" does not exist is displayed, indicating that the New Element does not exist. Also, if you press the Eye button next to the error message, the error will be highlighted in red to focus on the existing error.