Why PASTA as a Threat Modeling Framework has been Adopted Worldwide
The Process for Attack Simulation and Threat Analysis (PASTA) provides businesses a strategic process for mitigating cybercrime risks by looking first and foremost at cyber threat mitigation as a business problem. The purpose of PASTA is to provide an in-depth process for simulating attacks to your applications. By analyzing cyber threats that originate from the simulated attacks, organizations can address posed threats and mitigate potential cyber risk.
The process provides the tactical steps that can be followed to provide effective countermeasures for mitigating existing vulnerabilities by analyzing the attacks that can exploit these vulnerabilities and mapping these attacks to threat scenarios that specifically focus on the application as a business-asset target.
The foundation of VerSprite’s penetration testing methodology is based on emulating realistic attacks by a malicious actor through the use of Process for Attack Simulation and Threat Analysis (PASTA).
PASTA consists of a seven-stage process for simulating attacks and analyzing threats to the organization and application in scope with the objective of minimizing risk and associated impact to the business. This risk-based threat modeling approach goes beyond traditional threat modeling by enabling a company to make security decisions driven by business objectives.
This posture to both application and network security that VerSprite takes by assessing the operational impact and the threats to the business before evaluating the security of the applications, services, and infrastructure in scope helps not only to understand the vulnerabilities, but remediate them in a business rationalized manner.
Thus, each penetration test exercise begins by modeling the threat to understand attacker motivation and possible targets. Then we identify likely attacks that can cross technologies, people, and processes, and assess the strength of the countermeasures to resist attacks. This allows for decisions on mitigation of vulnerabilities to be made based on the operational risk to the business.
As a result of this very first phase for every engagement, VerSprite will have acquired at least the following information to then walk through the corresponding methodology, selected based on the type of engagement:
- – Business objectives for the application/service/infrastructure in scope
- – Business use cases that are the most critical/sensitive
- – Abuse cases that are the most critical/sensitive for the business
- – Possible Threat Actors targeting the application/service/infrastructure in scope
- – Principal Threat Motives
- – Type of targeted information and assets in scope
This approach allows VerSprite to understand security from both a business and attacker perspective in order to model and simulate realistic attacks during the engagement, pressure test the security posture being targeted, and provide key insights and recommendations that align security with business.
VerSprite’s methodology during client engagements is commensurate to the type of security effort that is provided and the objectives for the exercise. As seasoned security professionals, the team recognizes the effectiveness of industry frameworks and standards that exist across an array of security disciplines but at the same time understands that there are no one-size-fits all solutions.
As a result, VerSprite successfully employs the use of both in-house developed, as well as renowned and well-regarded methodologies as part of the consulting engagements in order to align the client deliverables and security services to an industry acceptable level of security management.