
Threat Analysis

Once the model is complete, the next step is to assess its security. ThreatGet thoroughly investigates potential cyber threats that could exploit any existing vulnerabilities. The analysis process in ThreatGet examines all security information provided in the system design, identifying possible weaknesses that attackers might exploit. Additionally, ThreatGet can generate an attack path propagation, illustrating potential attack paths that an attacker could follow, step-by-step, to achieve a malicious goal.

Both threat analysis techniques are rule-based approaches. Users can manage the built-in rules and expand the rules database as needed, adding new cyber threats to keep the database up-to-date with a custom set of rules that cover specific system domains. More details about managing rule-set can be found in the ThreatGet Rules section.

The first analysis approach, threat analysis, is initiated through the Analysis path, where the ThreatGet rule engine plays a crucial role in examining potential weaknesses within the system model in depth.

Analysis

To begin the analysis, select the "Analysis" phase as shown in the diagram below. By default, the AN option (representing Analysis) on the left side is selected, and the analysis should start automatically once the page opens. However, you can click on the Magnifier icon to ensure that all threats are listed, reflecting accurate security analysis results for your model.

Threat Analysis

A new window opens, listing all identified threats detected by the ThreatGet rule engine.

List of all Threats

The list provides a brief overview of the identified threats, including:

  • ID: A unique identifier for each identified threat.
  • Title: The name of the identified threat.
  • Source: The affected source element.
  • Target: The affected target element.
  • Likelihood: The likelihood level assigned to the threat.
  • Threat Type: Each threat is classified according to its malicious impact. ThreatGet categorizes all identified threats based on the STRIDE model:
    • S – Spoofing: Violates authentication
    • T – Tampering: Violates integrity
    • R – Repudiation: Violates non-repudiation
    • I – Information Disclosure: Violates confidentiality
    • D – Denial of Service: Violates availability
    • E – Elevation of Privilege: Violates authorization

For more details on a threat, click the threat; the window is extended with more details.

Details on threats

More details about the selected threats are displayed, providing additional information. The Description field offers further insights into the threat, elaborating on the specific elements and connections impacted by it. The Likelihood Level indicates the probability of the threat occurring. Additionally, the Category field displays the STRIDE classification of the threat, which the user can modify by selecting the desired option from the menu. The Attack Feasibility describes multiple attributes indicating the feasibility of a successful attack. According to ISO 21434, this includes the following:

  • Elapsed Time: Represents the time to identify and exploit vulnerabilities for an attack, which can range from days to months.

  • Expertise: Capabilities of attackers, which can vary as follows:

    • Layman: Unknowledgeable with no expertise.
    • Proficient: Knowledgeable with familiarity with security behavior.
    • Expert: Familiar with algorithms, protocols, hardware, structures, and security techniques.
    • Multiple Experts: Multiple highly experienced engineers with expertise in different fields.
  • Knowledge: Represents the knowledge of the target available to the attacker, depending on which information is accessible.

    • Public: Public or shared information, such as data shared on the internet.
    • Restricted: Internal documents shared between restricted parties.
    • Confidential: Confidential information about the item itself.
    • Strictly confidential: Strictly confidential information about the item itself.
  • Window of opportunity: This represents access type (physical or virtual) and time spent accessing the target (limited or unlimited), including various levels:

    • Unlimited: Highly available through untrusted or public networks without a time limit.
    • Easy: Highly available with limited-time access.
    • Moderate: Restricted access that requires special tools or methods.
    • Difficult: Very low availability, with limited windows of opportunity for performing an attack.
  • Equipment: Describes attack tool classifications:

    • Standard: This type of equipment is available to attackers, and it could also be part of the target item itself, such as debuggers in Operating Systems.
    • Specialized: Equipment that is not easily available to attackers but can be acquired with effort.
    • Bespoke: This type of equipment is not available to the public, such as specific manufacturer-restricted tools.
    • Multi Bespoke: Several items of bespoke equipment required for different attack stages.
  • Risk Treatment: Defines the proper action that should be taken for handling the cyber risk. The user can define their decision for controlling the risk, which can be classified into four different actions:

    • Accept: No particular action is required.
    • Mitigate: Specific actions should be taken to keep the risk low or at an acceptable level.
    • Transfer: This action involves transferring the risk to someone or an organization capable of managing and controlling it.
    • Avoid: Refers to avoiding cyber risks by applying security measures to prevent any negative consequences.

Once the user selects the appropriate risk treatment plan based on their knowledge of mitigating cyber risks, a text field labeled "Rationale" becomes active. This field allows the user to provide a brief description explaining their reasoning for addressing the risk based on the chosen treatment plan.
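As an added example (not ThreatGet's own code), the following Python script shows how the attack feasibility attributes listed above combine into a single feasibility rating, and how a risk treatment decision with its rationale can be checked before it is saved. The point values per level, the elapsed-time levels and the rating thresholds follow the attack-potential approach of ISO/SAE 21434 Annex G as I recall it; this page does not state them, so treat them as an assumption to verify against the standard. The sample assessment is constructed.

```python
from dataclasses import dataclass

# Attack-potential points per attribute level. ASSUMPTION: these follow the
# attack-potential approach of ISO/SAE 21434 Annex G as recalled by the author
# of this example; ThreatGet's documentation does not state them.
ELAPSED_TIME = {"<= 1 day": 0, "<= 1 week": 1, "<= 1 month": 4,
                "<= 6 months": 17, "> 6 months": 19}
EXPERTISE = {"Layman": 0, "Proficient": 3, "Expert": 6, "Multiple Experts": 8}
KNOWLEDGE = {"Public": 0, "Restricted": 3, "Confidential": 7,
             "Strictly confidential": 11}
WINDOW_OF_OPPORTUNITY = {"Unlimited": 0, "Easy": 1, "Moderate": 4, "Difficult": 10}
EQUIPMENT = {"Standard": 0, "Specialized": 4, "Bespoke": 7, "Multi Bespoke": 9}

# Attack potential -> attack feasibility rating (ASSUMPTION: ISO/SAE 21434 banding).
# (upper bound of the band, rating); anything above the last band is "Very low".
RATING_BANDS = [(13, "High"), (19, "Medium"), (24, "Low")]

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
RISK_TREATMENTS = {"Accept", "Mitigate", "Transfer", "Avoid"}


def attack_potential(elapsed_time, expertise, knowledge, window, equipment):
    """Sum the points of the five feasibility attributes. A KeyError on an
    unknown level is deliberate: a misspelled level must not silently score 0."""
    return (ELAPSED_TIME[elapsed_time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
            + WINDOW_OF_OPPORTUNITY[window] + EQUIPMENT[equipment])


def feasibility_rating(points):
    """Map an attack-potential score to a rating: the more effort an attack
    needs (higher points), the lower its feasibility."""
    for upper, rating in RATING_BANDS:
        if points <= upper:
            return rating
    return "Very low"


@dataclass
class ThreatAssessment:
    threat_id: int
    title: str
    category: str                 # STRIDE letter
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str
    risk_treatment: str = ""
    rationale: str = ""

    def feasibility(self):
        return feasibility_rating(attack_potential(
            self.elapsed_time, self.expertise, self.knowledge,
            self.window, self.equipment))

    def validate(self):
        """Return the problems that should block saving the assessment."""
        problems = []
        if self.category not in STRIDE:
            problems.append(f"unknown STRIDE category {self.category!r}")
        if self.risk_treatment and self.risk_treatment not in RISK_TREATMENTS:
            problems.append(f"unknown risk treatment {self.risk_treatment!r}")
        # The Rationale field only becomes active once a treatment is chosen,
        # and a chosen treatment without reasoning is not a reviewable decision.
        if self.risk_treatment and not self.rationale.strip():
            problems.append("rationale required once a risk treatment is selected")
        return problems


# Constructed sample assessment (not taken from any real ThreatGet analysis).
SAMPLE = ThreatAssessment(
    threat_id=1, title="Eavesdropping on unencrypted diagnostic link", category="I",
    elapsed_time="<= 1 month", expertise="Expert", knowledge="Restricted",
    window="Moderate", equipment="Specialized",
    risk_treatment="Mitigate", rationale="Enable TLS on the diagnostic channel.")

if __name__ == "__main__":
    print(SAMPLE.feasibility())   # Low (4 + 6 + 3 + 4 + 4 = 21 points)
    print(SAMPLE.validate())      # []
```

The validation mirrors the workflow described above: a treatment can only be chosen from the four listed actions, and once one is chosen the rationale must be filled in, so an assessment with a treatment but no rationale is flagged rather than saved silently.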

!!! Warning "⚠️ Important Note"
    Any changes or updates to threat factors, such as updating the STRIDE categories, attack feasibilities, or risk treatment, must be saved; otherwise, the user will lose all modifications. Therefore, after making changes, the black 💾 icon button should be pressed.

Filtering ThreatGet Analysis Results

A threat may be identified multiple times based on its propagation within the system model, which can make locating a particular threat challenging. To address this, ThreatGet lists each identified threat once on the left side, along with its occurrences in the results. ThreatGet also provides advanced filtering options to help users refine analysis results according to specific needs.

Filtering Results

When the Filter by option is set to Rule Name, the filter activates, allowing users to locate specific threats quickly. In the Search bar, users can enter keywords to find threats by title. Additionally, users can filter results by Source or Target components, offering more precise threat identification within the system model. By selecting Filter by for source or target, ThreatGet will search for threats based on the selected filter option, matching the keywords entered for source or target component names.

Attack Tree

As mentioned earlier, ThreatGet can generate a set of paths illustrating how an attacker might follow specific steps toward a malicious goal. To switch the analysis approach to the attack tree, the user can click on AT on the left side.

Attack Tree

A new window will appear, displaying a list of all threats on the left side of the window. Once the user selects a particular threat, the attack tree propagation will be displayed, outlining the sequence of steps an attacker might follow to reach a malicious goal. This malicious goal refers to the system asset(s) that represent the primary target the attacker aims to compromise. These assets indicate the main objectives that motivate the attacker’s actions.

Attack Tree Display

Each node in the tree represents a step or threat that an attacker can exploit to progress further toward the malicious goal. To view each step more clearly, click on any node in the tree. A sublist will appear in the lower half of the window, showing a list of threats associated with that specific tree node.
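To make the two analysis approaches concrete, here is an added Python example (not ThreatGet's code, and not its rule format) covering both the rule-based threat analysis described at the top of the page and the attack tree propagation described in this section. It runs a few hand-written rules over a constructed three-element model, records each finding with ID, title, source, target and STRIDE category as in the threat list, then chains the hops on which threats were found into paths from an exposed entry point to the asset, with the per-node sublist of threats. All element names, attributes and rules are constructed for the example.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Constructed toy system model (not a ThreatGet model file): elements carry
# security attributes, connections are directed data flows between them.
ELEMENTS = {
    "Telematics Unit": {"exposed": True, "secure_boot": False, "asset": False},
    "Gateway": {"exposed": False, "secure_boot": True, "asset": False},
    "Brake ECU": {"exposed": False, "secure_boot": False, "asset": True},
}
CONNECTIONS = [
    {"source": "Telematics Unit", "target": "Gateway", "encrypted": False, "authenticated": False},
    {"source": "Gateway", "target": "Brake ECU", "encrypted": True, "authenticated": False},
]


@dataclass(frozen=True)
class Threat:
    id: int
    title: str
    source: str
    target: str
    category: str   # STRIDE letter


# Each rule is (title, STRIDE letter, predicate over one connection and the element table).
def unauthenticated(conn, elements):
    return not conn["authenticated"]

def plaintext(conn, elements):
    return not conn["encrypted"]

def exposed_without_secure_boot(conn, elements):
    src = elements[conn["source"]]
    return src["exposed"] and not src["secure_boot"]

RULES = [
    ("Spoofed messages on unauthenticated connection", "S", unauthenticated),
    ("Message tampering on unauthenticated connection", "T", unauthenticated),
    ("Eavesdropping on plaintext connection", "I", plaintext),
    ("Compromise of exposed element lacking secure boot", "E", exposed_without_secure_boot),
]


def analyze(elements, connections, rules=RULES):
    """Rule-based threat identification: every rule is evaluated against every
    connection, so one rule may fire several times as a threat propagates
    across the model (which is why the filter pane shows occurrences per threat)."""
    threats = []
    for conn in connections:
        for title, category, predicate in rules:
            if predicate(conn, elements):
                threats.append(Threat(len(threats) + 1, title,
                                      conn["source"], conn["target"], category))
    return threats


def attack_paths(elements, threats, goal):
    """Attack-tree propagation: element sequences from each exposed entry point
    to the goal asset, following only hops on which a threat was identified."""
    hops = {}
    for t in threats:
        hops.setdefault(t.source, set()).add(t.target)
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(path)
            return
        for nxt in sorted(hops.get(node, ())):
            if nxt not in path:             # never revisit an element (no cycles)
                walk(nxt, path + [nxt])

    for name, attrs in elements.items():
        if attrs["exposed"]:
            walk(name, [name])
    return paths


def threats_for_hop(threats, source, target):
    """The sublist shown for a tree node: the threats on that specific step."""
    return [t for t in threats if t.source == source and t.target == target]


def occurrences(threats):
    """Distinct threat titles with their occurrence counts, as in the filter pane."""
    counts = {}
    for t in threats:
        counts[t.title] = counts.get(t.title, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(ELEMENTS, CONNECTIONS)
    for t in found:
        print(t.id, STRIDE[t.category], t.title, t.source, "->", t.target)
    goal = next(n for n, a in ELEMENTS.items() if a["asset"])
    for path in attack_paths(ELEMENTS, found, goal):
        print(" -> ".join(path))
```

The propagation only follows hops that carry at least one identified threat, so making the Gateway to Brake ECU flow both authenticated and encrypted removes every finding on that hop and the path to the asset disappears; that is the check a practitioner wants when deciding whether a proposed control actually cuts the tree.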

List of Threats for each Tree's Node

Each of these threats has more details. Click on any threat to display additional information within the same window.

Details for Node