Threat Modeling – Information Gathering
In this post, I’ll explain the concept of Information Gathering, the first step for creating a threat model, and some tips to ensure the right data has been collected before creating the actual threat model.
Information Gathering
As said before, information gathering is the first step in creating a threat model. During this process the following items should be identified:
- Entry points to the solution.
- Assets to be protected from possible attackers.
For this process, you need to be certain that the whole solution is being considered (and not just a part of it, e.g. the database). A good way of doing this is:
- Reviewing the solution diagrams.
- Meeting with the architects of the solution.
- Analyzing the solution with debugger tools.
TIP: Documents may be out of date, so you shouldn’t rely on them.
Output
The output of information gathering, as you may have already realized, should be a complete set of architecture diagrams in which the different components and data flows are identified, especially those that come from the outside (which should be the least trusted).
Sketching the architecture diagram
The architecture diagrams should be based on the documentation that already exists for the solution (remember not to rely on the documentation alone), and updated with all the information that comes up after reviewing it and meeting with the architects of the solution.
Once the architecture diagrams are created, it’s wise to check the gathered information against what actually happens in the solution by doing some runtime inspection, also called application footprinting. This is where debuggers and external tools come in: the goal is to identify how the application receives input from the environment.
TIP: It’s important to identify what processing occurs on the data after it enters the system, to analyze validations, authentications, or any other security measures that should or must be taken.
At this point, you should have enumerated all of the application’s entry points, noting for each one whether it’s remote, whether it’s encrypted, which protocol it uses, which interface type it has, whether the interface has authentication and session management, etc.
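As an added illustration (not part of the original post), the following Python example cross-checks a documented entry-point inventory against the TCP listeners observed at runtime, which is the footprinting check described above applied to network entry points only. The `netstat -ano` output, the inventory, and all names in the code are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample of `netstat -ano` output from a host running the solution.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2200
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       4312
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     4312
  TCP    [::]:443               [::]:0                 LISTENING       4312
"""
# Attributes the post says to note for each entry point.
EntryPoint = namedtuple("EntryPoint", "name port protocol remote encrypted authenticated")
# Constructed inventory, as taken from the diagrams and the architect meetings.
DOCUMENTED = [
    EntryPoint("Public web API", 443, "HTTPS", True, True, True),
    EntryPoint("Database", 1433, "TDS", False, False, True),
]
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}

def observed_listeners(netstat_text):
    """Return {port: {"remote": bool, "pid": int}} for every TCP listener."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            entry = found.setdefault(port, {"remote": False, "pid": pid})
            entry["remote"] |= addr not in LOOPBACK
    return found

def review(documented, netstat_text):
    """List mismatches between the inventory and what the host exposes."""
    seen = observed_listeners(netstat_text)
    by_port, findings = {e.port: e for e in documented}, []
    for port, info in sorted(seen.items()):
        doc = by_port.get(port)
        if doc is None:
            findings.append((port, "undocumented listener (PID %d)" % info["pid"]))
        elif info["remote"] and not doc.remote:
            findings.append((port, "documented as local but bound to a non-loopback address"))
    for e in documented:
        if e.port not in seen:
            findings.append((e.port, "documented but not listening"))
        elif e.remote and not (e.encrypted and e.authenticated):
            findings.append((e.port, "remote without encryption and authentication"))
    return findings
```

Each finding is a prompt to update the architecture diagram or to ask the architects why the running system differs from the documentation.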
Next Steps
In my next posts I’ll be describing the process of threat modeling per se, and the usage of the Microsoft SDL Threat Modeling Tool.
Hope you find this information useful; feedback and comments are always welcome!
You can find some useful resources below.
External Data Flows
- Network I/O
- File I/O
- Registry
- Named pipes, shared memory, any OS object.
- Windows messages
- Others…
Useful Tools for Application Footprinting