Hungry for Security? How about 7 courses of PASTA?
The PASTA threat modeling method, which stands for Process for Attack Simulation and Threat Analysis, is organized into seven distinct stages, with the output of each stage feeding information into the next.
Here are the specific inputs, activities, and outputs required for each of the seven PASTA stages:
Stage One: Define the Objectives
This stage involves defining objectives broadly, including business objectives, security objectives, security governance, and compliance objectives related to the object in scope.
| Category | Specific Details | Source |
|---|---|---|
| Input | Business requirements; Functional requirements; Information security policies (baselines, requirements, etc.); Regulatory compliance; Data classification / requirements. | |
| Activities | Define business objectives; Define security requirements; Define compliance requirements; Perform Business Impact Analysis. | |
| Output | Application functionality description; Business objectives; Security, compliance and regulatory requirements; Business Impact Analysis. | |
Stage Two: Define the Technical Scope
This stage focuses on determining the technical scope and attack surface, which includes technology aspects, relationships with other systems, dependencies, and imports.
| Category | Specific Details | Source |
|---|---|---|
| Input | Design requirements; Rough technical sketches and notes; Network (security) diagrams; Connectors to other applications, APIs, etc.; Asset library; Architectural documents and diagrams; Technical issue/risk register. | |
| Activities | Determine application and threat modeling scope and boundaries; Determine dependencies at network, servers/services, and software level. | |
| Output | End-to-end view of the architecture; Overview of all protocols, services and types of data identified, servers and services; Overview of hosts and servers, network devices. | |
Stage Three: Decompose the Application
Decomposing the application means performing a deep dive into the application's internal workings and how key security concepts are implemented. This stage typically involves creating Data Flow Diagrams (DFDs).
| Category | Specific Details | Source |
|---|---|---|
| Input | Architectural and sequence diagrams; Use cases; User roles and permissions (e.g., RBAC implementation); Network diagrams. | |
| Activities | Create a Data Flow Diagram (or multiple DFDs); Identify users, roles and permissions (and make this clear if it is not already available in existing documentation); Identify assets, data, hardware & software; Identify data entry points and trust levels. | |
| Output | Data Flow Diagrams; Access Control Matrix (readable); List of assets, interfaces and their trust levels; Mapping of use cases x actors x assets. | |
Stage Four: Analyze the Threats
This stage involves identifying and analyzing potential threats based on the application environment and details identified in previous steps. It includes incorporating threat intelligence and evidence that threats are truly exploited in the real world.
| Category | Specific Details | Source |
|---|---|---|
| Input | Threat agents and their motives; Security Incidents; Security logging / Secure Incident Event Monitoring (SIEM) reports; Application / server logs; Threat intelligence reports. | |
| Activities | Analyze scenarios (using probability); Analyze security incidents; Analyze application logs, system logs; Analyze the various sources for correlations and lessons learned. | |
| Output | Attack scenario landscape; List of threat agents and attack vectors; Incident events related to threats and attack scenarios; Threat intelligence related to attack scenarios. | |
Stage Five: Vulnerability Analysis
The main goal of this stage is to correlate vulnerabilities with assets to gain a strong understanding of potential threats related to risks. Vulnerability sources can include static analysis, design reviews, penetration testing, and vulnerability management reports.
| Category | Specific Details | Source |
|---|---|---|
| Input | Library of threat trees; Attack scenarios; Vulnerability Management reports; Vulnerability information (i.e., MITRE CWE, CVE, CVSS, CWSS). | |
| Activities | Cross reference vulnerabilities and assets; Map threats to vulnerabilities; Map security flaws to use and abuse cases; Include vulnerability scoring. | |
| Output | Mapping of vulnerabilities to threat tree; Overview of vulnerabilities using CVE-CWE; Scoring of vulnerabilities. | |
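
The cross-referencing activity above, as an added example that is not part of the original article: threats are matched to findings that share both an asset and a weakness class, and findings that no threat explains are flagged as gaps. Asset names, threat and finding IDs and scores are constructed; scoring a threat by its worst finding is an assumption of this sketch.

```python
# Constructed sample data: threats as produced in Stage Four, each tied to the
# assets it targets and the weakness classes (CWE) that would enable it.
THREATS = [
    {"id": "T1", "name": "Order data theft",
     "assets": {"orders-api", "orders-db"}, "cwes": {"CWE-89", "CWE-798"}},
    {"id": "T2", "name": "Session hijacking",
     "assets": {"web-frontend"}, "cwes": {"CWE-79"}},
    {"id": "T3", "name": "Privilege escalation",
     "assets": {"orders-api"}, "cwes": {"CWE-862"}},
]

# Constructed findings, as they might arrive from scanners, design reviews
# or penetration test reports (IDs and CVSS scores are illustrative).
FINDINGS = [
    {"id": "F-001", "asset": "orders-api", "cwe": "CWE-89", "cvss": 9.1},
    {"id": "F-002", "asset": "web-frontend", "cwe": "CWE-79", "cvss": 6.1},
    {"id": "F-003", "asset": "orders-db", "cwe": "CWE-798", "cvss": 7.5},
    {"id": "F-004", "asset": "web-frontend", "cwe": "CWE-89", "cvss": 8.2},
]

def correlate(threats, findings):
    """Map each threat to the findings sharing an asset AND a CWE with it."""
    mapping = {}
    for t in threats:
        hits = [f for f in findings
                if f["asset"] in t["assets"] and f["cwe"] in t["cwes"]]
        mapping[t["id"]] = sorted(hits, key=lambda f: f["cvss"], reverse=True)
    return mapping

def unmapped_findings(threats, findings):
    """Findings that no threat explains: a sign the threat list is incomplete."""
    mapped = {f["id"] for hits in correlate(threats, findings).values() for f in hits}
    return [f["id"] for f in findings if f["id"] not in mapped]

def threat_scores(threats, findings):
    """Score a threat by its worst correlated finding (0.0 = no evidence yet)."""
    return {tid: (hits[0]["cvss"] if hits else 0.0)
            for tid, hits in correlate(threats, findings).items()}

if __name__ == "__main__":
    for tid, hits in correlate(THREATS, FINDINGS).items():
        print(tid, [(f["id"], f["asset"], f["cwe"], f["cvss"]) for f in hits])
    print("unmapped findings:", unmapped_findings(THREATS, FINDINGS))
    print("threat scores:", threat_scores(THREATS, FINDINGS))
```

A threat with no correlated finding (T3 here) is not dismissed; it simply has no supporting vulnerability evidence yet, while an unmapped finding (F-004) points back to Stage Four.
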
Stage Six: Attack Analysis
Attack analysis links the identified threats and vulnerabilities and includes proof of viability, often using Attack Trees. This enhances the knowledge of likelihood, which is a key component of identifying and quantifying risk.
| Category | Specific Details | Source |
|---|---|---|
| Input | Application technical scope and decomposition; Attack libraries/patterns; List of threats, attacks and vulnerabilities. | |
| Activities | Identify application attack surface; Develop Attack Trees (for assets in scope); Map attacks and attack vectors; Identify exploits and attack paths. | |
| Output | Application attack surface; Attack Trees with scenarios, and mapping with vulnerabilities; Overview of attack paths. | |
Stage Seven: Risk and Impact Analysis
As PASTA is an end-to-end threat modelling method, the final stage includes defining countermeasures that mitigate threats, as risk reduction is a part of the process.
| Category | Specific Details | Source |
|---|---|---|
| Input | All the output from previous steps, including: business scope, technical scope, application decomposition, threat/vulnerability/attack analysis; Mapping of attacks to controls; Technical standards for controls; Business impact. | |
| Activities | Identify gaps in security controls and security countermeasures; Identify residual risks and impact; Identify risk mitigation. | |
| Output | Application risk profile; Risk overview; Threats, attacks, vulnerabilities, business impact; Residual risk; Risk mitigation strategy. | |
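
The Attack Tree reasoning of Stage Six and the residual-risk step of Stage Seven, as an added example that is not part of the original article: leaf likelihoods are propagated through AND/OR gates, attack paths are enumerated, and the root is re-evaluated with countermeasures applied. The tree, the likelihood values, the control effectiveness figures and the independence of steps are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "AND", "OR" or "LEAF"
    likelihood: float = 0.0     # leaf only: estimated probability of success
    children: list = field(default_factory=list)

def likelihood(node, controls=None):
    """Propagate leaf likelihoods to the root; controls scale matching leaves."""
    controls = controls or {}
    if node.gate == "LEAF":
        return node.likelihood * (1.0 - controls.get(node.name, 0.0))
    probs = [likelihood(c, controls) for c in node.children]
    if node.gate == "AND":                      # every step must succeed
        return prod(probs)
    return 1.0 - prod(1.0 - p for p in probs)   # OR: at least one succeeds

def attack_paths(node):
    """Enumerate the sets of leaf steps that reach the goal."""
    if node.gate == "LEAF":
        return [[node.name]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    combined = [[]]
    for paths in child_paths:                   # AND: combine one path per child
        combined = [a + b for a in combined for b in paths]
    return combined

# Constructed tree for a hypothetical order system.
TREE = Node("Read customer orders", "OR", children=[
    Node("Via API", "AND", children=[
        Node("Obtain valid session", "OR", children=[
            Node("Phish support user", likelihood=0.3),
            Node("Reuse leaked password", likelihood=0.2)]),
        Node("Exploit missing authorization check", likelihood=0.5)]),
    Node("Read exposed database backup", likelihood=0.1)])

# Constructed countermeasures: leaf name -> assumed effectiveness (0..1).
CONTROLS = {"Reuse leaked password": 0.9,
            "Exploit missing authorization check": 0.8}

if __name__ == "__main__":
    print("inherent likelihood:", round(likelihood(TREE), 4))
    print("residual likelihood:", round(likelihood(TREE, CONTROLS), 4))
    for path in attack_paths(TREE):
        print("path:", " + ".join(path))
```

The backup path is untouched by either control, so it dominates the residual figure; that is the kind of gap in countermeasures Stage Seven is meant to surface.
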
Bon Appétit!