Threat scenario identification

Goal: Identification of threat scenarios as a starting point for the attack path analysis

On our way to the first risk level, which is based on potential impact on the one hand and attack feasibility on the other, we need to cover threat scenarios next. A threat scenario is a potential, rather high-level attack. It realizes one or more damage scenarios and is itself realized by a set of attack steps (often also called an attack tree). As with damage scenarios, it is possible to create the threat scenario elements manually in the respective chunks. The following image depicts the editor, followed by a description of the properties. It is recommended to use the threat scenario identification assistant to get to an initial set of threat scenarios in a structured manner.

Threat scenarios can be edited using the editor depicted below:

A threat scenario consists of the following properties:

  • Name: Short identifier of the threat scenario, e.g. TS.1
  • Title: Descriptive title of the threat scenario, e.g. Spoofing on CAN Bus
  • Description: Description of the threat scenario
  • Cause of Compromise: STRIDE category that is the cause of compromise. The selection is based on the active threat catalog, which can be organized to the user’s needs.
  • Acts on: Affected system element of the threat scenario
  • Compromises: Read-only list of the compromised cybersecurity properties. The information is derived from the cause of compromise (e.g. spoofing might lead to breaking confidentiality and integrity).
  • Threatens: Optional list of other threat scenarios that are threatened by this one
  • Attack Tree: Related attack tree which realizes this threat scenario. Could be a single attack step or a complex tree including logical expressions.
  • Realizes: List of damage scenarios that are realized by this threat scenario
  • Damped by: List of assumptions that dampen the risk
  • Risk Level: Calculated risk level. If expanded, you can see the risk level per stakeholder and impact category.

Threat scenario identification assistant

Instead of creating the threat scenarios in the corresponding chunk, you may also use the threat assistant. Using the assistant supports creating attack steps from the catalog-provided STRIDE categories. It will take care of linking the corresponding system element and threat class for you. The threat scenario identification assistant can be found in the assistants folder.

The following image shows one particular example, which covers threat scenarios for the CAN bus:

  • Spoofing: This entry shows an accepted suggestion. The name of the created threat scenario is shown in brackets (e.g. TS.7). You can reset this suggestion, which removes the corresponding damage scenario from your model.
  • Tampering: A rejected suggestion looks as depicted here. The decision will be part of your model and a rationale can be given in the inspector window. This way it is clear that you did not forget about this case but ignored it intentionally for now.
  • Repudiation: This entry has not been processed yet. You may either accept this suggestion or reject it. Accepting it will create a threat scenario and link it with the system element and STRIDE category for you.
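
The three suggestion states above lend themselves to a completeness review of the model. The following is an added example, not the tool's own code or export format: the names `Suggestion`, `State`, `CATALOG` and `review` are hypothetical, the catalog rows other than Spoofing are constructed, and treating a rejection without rationale as a finding is an assumed review policy.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed threat catalog: cause of compromise -> compromised properties.
# Only the Spoofing row follows the page's example; the rest are assumptions.
CATALOG = {
    "Spoofing": ("Confidentiality", "Integrity"),
    "Tampering": ("Integrity",),
    "Repudiation": ("Non-repudiation",),
    "Information Disclosure": ("Confidentiality",),
    "Denial of Service": ("Availability",),
    "Elevation of Privilege": ("Confidentiality", "Integrity", "Availability"),
}

class State(Enum):
    OPEN = "open"          # suggestion not processed yet
    ACCEPTED = "accepted"  # a threat scenario was created
    REJECTED = "rejected"  # intentionally ignored for now

@dataclass
class Suggestion:
    element: str                 # system element the threat acts on
    category: str                # cause of compromise from the catalog
    state: State = State.OPEN
    threat_scenario: str = ""    # e.g. "TS.7", set when accepted
    rationale: str = ""          # why a suggestion was rejected

def review(elements, suggestions):
    """Check every element x category pair; return (scenarios, findings)."""
    by_key = {(s.element, s.category): s for s in suggestions}
    scenarios, findings = [], []
    for element in elements:
        for category, properties in CATALOG.items():
            s = by_key.get((element, category))
            if s is None or s.state is State.OPEN:
                findings.append(f"{element}/{category}: not processed")
            elif s.state is State.REJECTED:
                if not s.rationale.strip():
                    findings.append(f"{element}/{category}: rejected without rationale")
            elif not s.threat_scenario:
                findings.append(f"{element}/{category}: accepted, no threat scenario")
            else:  # accepted: "Compromises" is derived from the cause, not typed in
                scenarios.append({"name": s.threat_scenario, "acts_on": element,
                                  "cause": category, "compromises": properties})
    return scenarios, findings

# Constructed sample mirroring the three CAN bus entries described above.
SAMPLE = [Suggestion("CAN Bus", "Spoofing", State.ACCEPTED, "TS.7"),
          Suggestion("CAN Bus", "Tampering", State.REJECTED),
          Suggestion("CAN Bus", "Repudiation")]
```

Running `review(["CAN Bus"], SAMPLE)` yields TS.7 with its derived properties plus one finding for each category that still lacks a documented decision.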