Determining Impact and Probability in Risk-Centric Threat Modeling (With PASTA)
Determining the impact and probability values of threats and vulnerabilities is critical to managing risks associated with the threat model and having a strong cybersecurity program. PASTA, the risk-centric methodology, recognizes the significance of probability (likelihood) and introduces the concept of probability as a coefficient. This coefficient is quantifiable, allowing organizations to prioritize their security efforts effectively.
Beyond Compliance, FUD, and into Impact & Probability-led Risk Conversations
It is important to differentiate between impact and likelihood when assessing threats. While PASTA uses the formula Rr = Tp x Vp x I / C x E (explained below), which is inspired by military and financial models, impact and likelihood are calculated separately.
Impact refers to the potential consequences or harm from a cybersecurity threat. It assesses the severity of the damage that could result if the threat materializes, including financial loss, reputational damage, data breaches, operational disruptions, and legal consequences.
Probability, by contrast, focuses on the likelihood or chance of a cybersecurity threat occurring. It assesses the probability of the threat being successful or of the vulnerability being exploited.
While impact and probability are distinct concepts, they are interrelated in assessing threats in cybersecurity. A high-impact threat with a low probability may still require attention and mitigation because the potential consequences are severe. Conversely, a low-impact threat with a high probability may also demand action due to its frequent occurrence or possible cumulative effect.
As a security professional, the focus must be on substantiating threat claims and providing executives with a quantifiable information chain. Fear-mongering is ineffective; executives expect security personnel to present well-supported threat claims.
Probability as a Coefficient to Threat
One of the critical aspects of threat modeling is assessing the probability of a threat being manifested. The PASTA methodology introduces the concept of probability as a coefficient expressing the likelihood that the threat objective can be realized through a successful exploit. This threat likelihood can be substantiated through offensive/adversarial tests that demonstrate the feasibility of a given attack supporting a threat in an attack tree. Probabilities can be depicted on the branches that lead from the vulnerability node and the associated attack pattern nodes on the tree.
The key to success begins with substantiating threat claims. Firstly, analyzing threat data in your SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) systems can provide insights into specific events or incidents that align with the threat motive in your threat library: the more instances supporting a particular threat, the higher the coefficient value assigned to it.
Secondly, incorporating threat intelligence into the analysis allows you to operationalize the intel by correlating it with patterns that support the threat motive in your threat library. You can further enhance the coefficient value by examining exploits in the wild, observables, campaigns, and Indicators of Compromise (IoCs).
Probability as a Coefficient to Vulnerability
Assessing the probability of a vulnerability being discovered is equally crucial in threat modeling. Not every vulnerability is discoverable by a given threat actor; it depends on the affected node, the attack path, and other conditions. The PASTA methodology suggests considering several factors in this evaluation:
Analyzing the accessible attack vector to a threat actor while considering threat attribution can help gauge the likelihood of exploitation.
It is essential to determine whether the observed vulnerability, Common Vulnerabilities and Exposures (CVE), or Common Weakness Enumeration (CWE) has a known exploit associated with it. Contrary to popular belief, most CVEs do not have exploit code available.
Evaluating whether the vulnerability or weakness is exploitable via adversarial testing in Stage 6 of PASTA can provide valuable insights.
Why is assessing probability important?
By integrating probability as a coefficient into threat modeling and vulnerability assessment, organizations can make informed decisions, prioritize their security efforts, and effectively manage risk. The PASTA methodology offers a structured and comprehensive approach that aligns with executive expectations and enables security professionals to present well-supported threat claims.
The PASTA methodology provides a practical approach to threat modeling, emphasizing the substantiation of threat claims and considering the unique characteristics of each application.
Dissecting the Risk Formula Referenced by PASTA
The formula Rr = Tp x Vp x I / C x E best illustrates how probability (of the vulnerability and of the attack) is used as a coefficient in threat modeling.
Rr – residual risk;
Tp – threat/attack probability;
Vp – vulnerability probability;
I – impact;
C – countermeasures;
E – exposure factor;
Let’s break down the formula:
· Tp represents the threat probability, which refers to the likelihood of a specific threat or attack occurring. It is usually measured on a scale from 0 to 1, where 0 indicates no probability and 1 indicates a certainty of occurrence.
· Vp represents the vulnerability probability, which denotes the likelihood of an attacker exploiting a vulnerability. Similarly, it is measured on a scale from 0 to 1, where 0 indicates no vulnerability and 1 indicates a high probability of successful exploitation.
· I stands for the impact, which measures the potential consequences or damage caused by a successful attack. It can be subjective but often quantified based on factors such as financial loss, data compromise, system downtime, reputation damage, etc.
· C represents the countermeasure effectiveness, which signifies the degree to which existing security measures and controls mitigate the risks. It is measured on a scale from 0 to 1, where 0 indicates no effectiveness and 1 indicates complete risk mitigation.
· E represents the exposure factor, which considers the extent to which potential attacks can affect the system or network. It considers factors such as the system’s visibility, accessibility, and potential entry points for attackers.
By multiplying the threat probability (Tp), vulnerability probability (Vp), and impact (I) together and then dividing the product by the countermeasure effectiveness (C) and exposure factor (E), we obtain the risk rating (Rr). The higher the risk rating, the greater the overall risk associated with the analyzed system or network.
This helps to provide a simple yet effective quantitative angle to assessing cybersecurity risks by incorporating multiple factors and assigning them numerical values. It allows organizations to prioritize security efforts and allocate resources effectively to mitigate the most significant risks. In the end, this is the mission of PASTA as the only risk-centric approach to threat modeling – to contextualize and substantiate risks by qualifying the variables in the risk equation.
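The following Python example is added here to show the two coefficient sections and the formula breakdown working end to end; it is illustrative code, not part of the PASTA methodology or this article. It derives Tp from constructed SIEM/SOAR detections and threat-intel correlations, derives Vp from the three vulnerability factors listed above, evaluates Rr = (Tp x Vp x I) / (C x E) as the breakdown reads it, and ranks the scenarios. The sample events, the normalization count, the factor weights and the 0-to-1 impact scale are all assumptions chosen for the example; the formula divides by C and E, so the example refuses a zero value for either rather than silently producing an undefined rating.

```python
from dataclasses import dataclass

# Constructed sample inputs (not real telemetry and not a real threat library).
# SIEM/SOAR detections tagged with the threat motive they support.
SIEM_EVENTS = [
    {"id": "evt-001", "motive": "credential_theft", "confirmed": True},
    {"id": "evt-002", "motive": "credential_theft", "confirmed": True},
    {"id": "evt-003", "motive": "credential_theft", "confirmed": True},
    {"id": "evt-004", "motive": "credential_theft", "confirmed": False},  # triaged as a false positive
    {"id": "evt-005", "motive": "data_exfiltration", "confirmed": True},
]
# Threat-intel observations (campaigns, IoCs) correlated to a motive in the library.
INTEL_HITS = [
    {"source": "feed-x", "motive": "credential_theft", "kind": "campaign"},
    {"source": "feed-y", "motive": "credential_theft", "kind": "ioc"},
]


def threat_probability(motive, events, intel, normalizer=10, intel_weight=1.0):
    """Tp coefficient: each confirmed SIEM instance and each intel correlation
    supporting the motive raises the value, capped at 1.0. 'normalizer' (the
    evidence count treated as certainty) and 'intel_weight' are assumed tuning
    knobs for this example, not PASTA constants."""
    confirmed = sum(1 for e in events if e["motive"] == motive and e["confirmed"])
    correlated = sum(1 for h in intel if h["motive"] == motive)
    return min(1.0, (confirmed + intel_weight * correlated) / normalizer)


@dataclass
class VulnFactors:
    attack_vector_accessible: float   # 0..1: reachability of the affected node for the attributed actor
    known_exploit: bool               # the CVE/CWE has exploit code associated with it
    adversarial_test_confirmed: bool  # Stage 6 adversarial testing reproduced exploitation


def vulnerability_probability(f):
    """Vp coefficient from the three factors the article lists. The weights
    (1.0 if testing confirmed it, 0.6 if only a known exploit exists, 0.2
    otherwise) are assumptions chosen for this example."""
    if not 0.0 <= f.attack_vector_accessible <= 1.0:
        raise ValueError("attack_vector_accessible must be in [0, 1]")
    if f.adversarial_test_confirmed:
        exploitability = 1.0
    elif f.known_exploit:
        exploitability = 0.6
    else:
        exploitability = 0.2
    return f.attack_vector_accessible * exploitability


def residual_risk(tp, vp, impact, countermeasure, exposure):
    """Rr = (Tp * Vp * I) / (C * E), reading the formula as the breakdown does.
    Impact is taken on a 0..1 scale here (an assumption). C or E equal to 0
    makes the quotient undefined, so the caller must assign a non-zero floor."""
    for name, v in (("Tp", tp), ("Vp", vp), ("I", impact), ("C", countermeasure), ("E", exposure)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be in [0, 1]")
    if countermeasure == 0 or exposure == 0:
        raise ValueError("C and E must be non-zero; assign a floor value before rating")
    return (tp * vp * impact) / (countermeasure * exposure)


# Constructed scenarios: a threat motive paired with a vulnerability on an asset.
SCENARIOS = [
    {"name": "cred-theft via SSO portal", "motive": "credential_theft",
     "vuln": VulnFactors(0.8, True, True), "impact": 0.9, "countermeasure": 0.5, "exposure": 0.7},
    {"name": "exfil via internal report job", "motive": "data_exfiltration",
     "vuln": VulnFactors(0.5, False, False), "impact": 0.4, "countermeasure": 0.8, "exposure": 0.9},
]


def rank_risks(scenarios, events=SIEM_EVENTS, intel=INTEL_HITS):
    """Score every scenario and return them ordered by descending Rr."""
    scored = []
    for s in scenarios:
        tp = threat_probability(s["motive"], events, intel)
        vp = vulnerability_probability(s["vuln"])
        rr = residual_risk(tp, vp, s["impact"], s["countermeasure"], s["exposure"])
        scored.append({"name": s["name"], "Tp": round(tp, 3), "Vp": round(vp, 3), "Rr": round(rr, 3)})
    return sorted(scored, key=lambda r: r["Rr"], reverse=True)


if __name__ == "__main__":
    for row in rank_risks(SCENARIOS):
        print(f'{row["name"]:<35} Tp={row["Tp"]:.2f} Vp={row["Vp"]:.2f} Rr={row["Rr"]:.3f}')
```

Because the formula is a quotient, Rr is not bounded to 0..1: the first scenario rates slightly above 1.0 with these inputs. What matters for prioritization is the ordering and the evidence chain behind each coefficient, which is exactly what the `Tp` and `Vp` columns preserve for the executive conversation.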
For more information on how threat modeling can benefit your organization, contact us.
To learn more about risk-centric threat modeling, download our free PASTA methodology eBook.