threat-modeling

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Threat Modeling

威胁建模

Threat Modeling Methodologies

威胁建模方法论

STRIDE

STRIDE is a threat modeling framework developed by Microsoft that categorizes threats into six categories:

Spoofing: Impersonating something or someone else
- Examples: Fake authentication tokens, DNS spoofing, email spoofing
- Controls: Strong authentication, certificate validation, anti-spoofing measures
Tampering: Modifying data or code without authorization
- Examples: Man-in-the-middle attacks, code injection, data tampering
- Controls: Digital signatures, integrity checks, secure communication channels
Repudiation: Denying having performed an action
- Examples: Denying a transaction, denying access to resources
- Controls: Audit logging, non-repudiation services, digital signatures
Information Disclosure: Exposing information to unauthorized parties
- Examples: Data leakage, sensitive information in logs, insecure storage
- Controls: Encryption, access controls, data masking, secure logging
Denial of Service: Making a service unavailable
- Examples: DDoS attacks, resource exhaustion, application crashes
- Controls: Rate limiting, throttling, redundancy, monitoring
Elevation of Privilege: Gaining unauthorized higher-level access
- Examples: Privilege escalation, bypassing authorization checks
- Controls: Principle of least privilege, secure authorization, input validation

STRIDE是微软开发的威胁建模框架，将威胁分为六大类别：

Spoofing: 伪装成其他事物或他人
- 示例：伪造身份验证令牌、DNS spoofing、邮件冒充
- 控制措施：强身份验证、证书验证、反冒充措施
Tampering: 未经授权修改数据或代码
- 示例：中间人攻击、代码注入、数据篡改
- 控制措施：数字签名、完整性校验、安全通信通道
Repudiation: 否认已执行的操作
- 示例：否认交易行为、否认资源访问记录
- 控制措施：审计日志、不可否认服务、数字签名
Information Disclosure: 向未授权方泄露信息
- 示例：数据泄露、日志中的敏感信息、不安全存储
- 控制措施：加密、访问控制、数据掩码、安全日志
Denial of Service: 使服务不可用
- 示例：DDoS攻击、资源耗尽、应用崩溃
- 控制措施：速率限制、流量整形、冗余机制、监控
Elevation of Privilege: 获取未授权的高级别访问权限
- 示例：权限提升、绕过授权校验
- 控制措施：最小权限原则、安全授权、输入验证

PASTA Framework

PASTA框架

Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step risk-centric methodology:

Define Objectives: Establish business objectives and compliance requirements
Define Technical Scope: Identify assets, data flows, and technical architecture
Application Decomposition: Analyze application architecture and data flows
Threat Analysis: Identify threats using threat intelligence and attack patterns
Vulnerability Analysis: Identify and assess vulnerabilities in the system
Attack Modeling: Model potential attacks and their impact
Risk Analysis: Assess and prioritize risks based on business impact

攻击模拟与威胁分析流程（PASTA）是一种以风险为中心的七步方法论：

定义目标：确立业务目标与合规要求
定义技术范围：识别资产、数据流与技术架构
应用分解：分析应用架构与数据流
威胁分析：利用威胁情报与攻击模式识别威胁
漏洞分析：识别并评估系统中的漏洞
攻击建模：模拟潜在攻击及其影响
风险分析：基于业务影响评估并优先处理风险

LINDDUN Framework

LINDDUN框架

LINDDUN is a privacy-focused threat modeling framework:

Linkability: Ability to link data to individuals
Identifiability: Ability to identify individuals from data
Non-repudiation: Inability to deny actions
Detectability: Ability to detect data processing
Disclosure of Information: Unauthorized information disclosure
Unawareness: Individuals unaware of data processing
Non-compliance: Failure to comply with regulations

LINDDUN是一个以隐私为核心的威胁建模框架：

Linkability: 能够将数据与个人关联起来
Identifiability: 能够从数据中识别出个人
Non-repudiation: 无法否认已执行的操作
Detectability: 能够检测到数据处理行为
Disclosure of Information: 未经授权的信息泄露
Unawareness: 个人未察觉数据处理行为
Non-compliance: 未遵守法规要求

Attack Tree Analysis

攻击树分析

Attack Tree Structure

攻击树结构

Attack trees are hierarchical diagrams that represent different ways an attacker might achieve a goal:

Root Node: The attacker's ultimate goal
Intermediate Nodes: Sub-goals or attack vectors
Leaf Nodes: Specific attack techniques or exploits

攻击树是层级化图表，展示攻击者达成目标的不同途径：

根节点：攻击者的最终目标
中间节点：子目标或攻击向量
叶子节点：具体攻击技术或漏洞利用

Attack Tree Analysis Process

攻击树分析流程

Define Attack Goal: Identify what the attacker wants to achieve
Identify Attack Vectors: Brainstorm different ways to achieve the goal
Break Down Vectors: Decompose each vector into smaller steps
Assign Values: Assign difficulty, cost, and risk values to each node
Analyze Paths: Identify the most likely attack paths
Identify Mitigations: Determine controls to block each path

定义攻击目标：明确攻击者想要达成的目的
识别攻击向量： brainstorm达成目标的不同方式
分解攻击向量：将每个向量拆解为更小的步骤
赋值评估：为每个节点分配难度、成本与风险值
分析路径：识别最可能的攻击路径
确定缓解措施：制定阻断各路径的控制措施

Common Attack Patterns

常见攻击模式

Authentication Attacks: Credential stuffing, brute force, password spraying
Authorization Attacks: Privilege escalation, IDOR, broken access controls
Injection Attacks: SQL injection, command injection, XSS, LDAP injection
Cryptographic Attacks: Weak algorithms, key management issues, padding oracle
Network Attacks: MITM, DNS poisoning, ARP spoofing, BGP hijacking
Social Engineering: Phishing, pretexting, baiting, tailgating

身份验证攻击：凭证填充、暴力破解、密码喷洒
授权攻击：权限提升、IDOR、访问控制失效
注入攻击：SQL injection、命令注入、XSS、LDAP注入
密码学攻击：弱算法、密钥管理问题、填充预言机攻击
网络攻击：MITM、DNS投毒、ARP欺骗、BGP劫持
社会工程学攻击：钓鱼、 pretexting、 baiting、尾随

Common Attack Patterns

常见攻击模式

OWASP Top 10

Broken Access Control: Restrictions on authenticated users are not properly enforced
Cryptographic Failures: Failures related to cryptography and protection of sensitive data
Injection: Injection flaws allow attackers to execute malicious commands
Insecure Design: Flaws in design and architecture that enable security issues
Security Misconfiguration: Improperly configured security settings
Vulnerable and Outdated Components: Using components with known vulnerabilities
Identification and Authentication Failures: Weaknesses in identity and authentication
Software and Data Integrity Failures: Code and infrastructure without integrity protection
Security Logging and Monitoring Failures: Insufficient logging and monitoring
Server-Side Request Forgery (SSRF): Server makes requests to unintended locations

Broken Access Control：对已认证用户的限制未得到有效执行
Cryptographic Failures：与密码学及敏感数据保护相关的失效
Injection：注入漏洞允许攻击者执行恶意命令
Insecure Design：设计与架构中的缺陷导致安全问题
Security Misconfiguration：安全配置不当
Vulnerable and Outdated Components：使用存在已知漏洞的组件
Identification and Authentication Failures：身份与验证机制存在弱点
Software and Data Integrity Failures：代码与基础设施缺乏完整性保护
Security Logging and Monitoring Failures：日志与监控不足
Server-Side Request Forgery (SSRF)：服务器向非预期位置发起请求

Common Weakness Enumeration (CWE)

CWE-79: Cross-site Scripting (XSS)
CWE-89: SQL Injection
CWE-200: Information Exposure
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-400: Uncontrolled Resource Consumption
CWE-502: Deserialization of Untrusted Data
CWE-732: Incorrect Permission Assignment
CWE-798: Use of Hard-coded Credentials
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization

CWE-79：Cross-site Scripting (XSS)
CWE-89：SQL Injection
CWE-200：信息暴露
CWE-352：Cross-Site Request Forgery (CSRF)
CWE-400：不受控的资源消耗
CWE-502：反序列化不可信数据
CWE-732：权限分配错误
CWE-798：使用硬编码凭证
CWE-862：缺失授权
CWE-863：授权错误

Risk Assessment Frameworks

风险评估框架

CVSS (Common Vulnerability Scoring System)

CVSS（Common Vulnerability Scoring System）

CVSS provides a standardized way to assess vulnerability severity:

Base Score: Intrinsic qualities of the vulnerability (Exploitability, Impact)
Temporal Score: Characteristics that change over time (Exploit Code Maturity, Remediation Level)
Environmental Score: Characteristics specific to the user's environment

CVSS提供标准化的漏洞严重程度评估方式：

基础评分：漏洞的固有属性（可利用性、影响）
时间评分：随时间变化的特征（漏洞利用代码成熟度、修复级别）
环境评分：特定于用户环境的特征

DREAD

DREAD is a risk assessment model:

Damage: How much damage could be caused?
Reproducibility: How easily can the vulnerability be reproduced?
Exploitability: How easy is it to exploit?
Affected Users: How many users are affected?
Discoverability: How easy is it to discover?

DREAD是一种风险评估模型：

Damage（损害程度）：可能造成多大损害？
Reproducibility（可复现性）：漏洞被复现的难度如何？
Exploitability（可利用性）：漏洞被利用的难度如何？
Affected Users（受影响用户数）：有多少用户会受到影响？
Discoverability（可发现性）：漏洞被发现的难度如何？

OWASP Risk Rating

OWASP风险评级

OWASP provides a risk rating methodology:

Likelihood: Ease of discovery, ease of exploit, awareness, intrusion detection
Impact: Technical impact, business impact
Risk Score: Likelihood × Impact

OWASP提供风险评级方法论：

可能性：发现难度、利用难度、认知度、入侵检测能力
影响：技术影响、业务影响
风险评分：可能性 × 影响

Security Architecture Patterns

安全架构模式

Defense in Depth

Defense in Depth（纵深防御）

Layered security controls provide multiple levels of protection:

Perimeter Security: Firewalls, WAFs, DDoS protection
Network Security: Network segmentation, IDS/IPS, VPN
Host Security: Endpoint protection, HIDS, application whitelisting
Application Security: Input validation, authentication, authorization
Data Security: Encryption, access controls, data loss prevention

分层安全控制提供多层保护：

边界安全：防火墙、WAF、DDoS防护
网络安全：网络分段、IDS/IPS、VPN
主机安全：终端防护、HIDS、应用白名单
应用安全：输入验证、身份验证、授权
数据安全：加密、访问控制、数据丢失防护

Zero Trust Architecture

Zero Trust Architecture（零信任架构）

Never trust, always verify:

Identity Verification: Strong authentication for all access requests
Device Trust: Verify device health and compliance
Least Privilege: Grant minimum necessary access
Micro-segmentation: Segment networks to limit lateral movement
Continuous Monitoring: Monitor and log all access and activity

永不信任，始终验证：

身份验证：对所有访问请求执行强身份验证
设备信任：验证设备健康状态与合规性
最小权限：授予必要的最小访问权限
微分段：对网络进行分段以限制横向移动
持续监控：监控并记录所有访问与活动

Secure by Design

Secure by Design（设计安全）

Incorporate security from the beginning:

Threat Modeling: Identify threats early in design
Secure Defaults: Default to secure configurations
Principle of Least Privilege: Minimize permissions
Defense in Depth: Multiple layers of security
Fail Secure: Fail to a secure state
Security by Design: Design security into the system

从一开始就融入安全理念：

威胁建模：在设计早期识别威胁
安全默认配置：默认采用安全配置
最小权限原则：最小化权限
纵深防御：多层安全防护
安全失效：故障时进入安全状态
设计安全：将安全融入系统设计