We covered the PASTA (Process for Attack Simulation and Threat Analysis) framework for risk assessment and threat modeling. We explained the seven components of the framework and how to apply it to a practical threat modeling scenario. This was part of the TryHackMe Threat Modeling room.
The Seven Stages of the PASTA Framework
I outline the seven stages of the PASTA framework:
- Define Objectives: This involves understanding the goals of using the PASTA framework and what needs to be prioritized.
- Define Technical Scope: This stage focuses on creating an inventory of assets, including hardware, software, and data, and understanding the system architecture and data flow.
- Decompose the Application: Here, I break down the system or application into its components to research weaknesses, entry points, and attack surfaces.
- Analyze Threats: This involves identifying potential threats, such as insider threats, accidental data exposure, or external attackers.
- Analyze Vulnerabilities and Weaknesses: I use methods like vulnerability scanning or penetration testing to find weaknesses.
- Analyze Attacks: In this stage, I simulate potential attack scenarios based on the identified vulnerabilities and threats, possibly referencing frameworks like MITRE ATT&CK.
- Risk and Impact Analysis: Finally, I prioritize the identified threats and risks based on their potential impact and likelihood, ensuring countermeasures align with the organization’s risk tolerance and security objectives.
Practical Scenario
I then walk through a practical scenario involving an online banking platform. In this scenario, I interact with different teams (stakeholders) to apply the PASTA framework:
- Business Analyst (Strategic Planning): To define objectives and identify critical assets like customer data and transaction systems.
- System Architecture Team: To understand the infrastructure, which includes Amazon EC2, RDS, and S3.
- Development Team: To decompose the application by understanding its main features like user registration, account management, and fund transfers.
- Information Security Department: To identify potential threats (e.g., brute force, SQL injection, XSS, DDoS) and vulnerabilities (e.g., insecure AWS configurations like exposed S3 buckets). They also discuss mitigation strategies like account lockouts, secure coding, input filtering, load balancers, and hardening AWS services.
- Business Analyst (Strategic Planning again): To understand the potential impact of a successful attack, such as financial loss, regulatory penalties, and reputational damage.
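To show how the seven stages above feed into the final Risk and Impact Analysis, here is an added Python example (not from the TryHackMe room or the video) that records the banking scenario as a small risk register: assets from the technical scope, entry points from the decomposition, the threats and mitigations the security team named, and a likelihood-times-impact score used to prioritize and to spot threats above tolerance that still lack a countermeasure. The 1 to 5 ratings, the risk tolerance of 9, the "data storage" entry point for the S3 bucket, and the residual-risk rule are all assumptions chosen for illustration; the room gives no numbers.

```python
from dataclasses import dataclass, field

# Constructed risk register for the online-banking scenario.
# Likelihood and impact are assumed 1..5 ordinal ratings; risk = likelihood * impact.
# Threat names, assets and mitigations follow the walkthrough; the numbers do not.


@dataclass
class Threat:
    name: str
    asset: str            # from the stage-2 asset inventory
    entry_point: str      # feature found during stage-3 decomposition
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed
    impact: int           # 1 (negligible) .. 5 (severe), assumed
    mitigations: list = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


RISK_TOLERANCE = 9  # assumed: a score above this requires a countermeasure

THREATS = [
    Threat("Brute force on login", "Customer accounts", "User registration / login", 5, 3,
           ["Account lockout"]),
    Threat("SQL injection", "Amazon RDS", "Account management", 3, 5,
           ["Secure coding", "Input filtering"]),
    Threat("Cross-site scripting", "Customer session", "Account management", 4, 3,
           ["Input filtering"]),
    Threat("DDoS", "Amazon EC2 front end", "Fund transfers", 3, 4,
           ["Load balancer"]),
    # Entry point is an assumption; the room only names the exposed bucket itself.
    Threat("Exposed S3 bucket", "Amazon S3", "Data storage", 2, 5, []),
]


def prioritize(threats):
    """Stage 7: rank threats by risk score, highest first; ties broken by impact."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)


def above_tolerance(threats, tolerance=RISK_TOLERANCE):
    """Threats whose score exceeds the organisation's assumed risk tolerance."""
    return [t for t in threats if t.risk > tolerance]


def unmitigated(threats, tolerance=RISK_TOLERANCE):
    """Threats above tolerance with no countermeasure recorded: the action list."""
    return [t for t in above_tolerance(threats, tolerance) if not t.mitigations]


def residual_risk(threat, reduction_per_control=1):
    """Crude residual estimate (assumption): each control lowers likelihood one step."""
    likelihood = max(1, threat.likelihood - reduction_per_control * len(threat.mitigations))
    return likelihood * threat.impact


if __name__ == "__main__":
    for t in prioritize(THREATS):
        note = "" if t.mitigations else "  <-- no countermeasure"
        print(f"{t.risk:2d}  {t.name:<22} {t.asset:<22} residual={residual_risk(t):2d}{note}")
    print("Needs a countermeasure:", [t.name for t in unmitigated(THREATS)])
```

Running the script lists SQL injection and the brute-force threat at the top with equal scores, and flags the exposed S3 bucket as the only item above tolerance with nothing assigned against it, which is exactly the kind of gap the final stage is meant to surface before the findings go back to the business analyst.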
Finally, I answer a series of questions based on this scenario to reinforce the concepts discussed, culminating in revealing a flag to complete a TryHackMe task. I conclude by mentioning that this video is part of a larger series on threat modeling and that future topics will include risk management and vulnerability management.
Room Answers
During which step of the PASTA framework do you simulate potential attack scenarios?
In which step of the PASTA framework do you create an inventory of assets?
Provide the flag for the simulated threat modelling exercise.