Threat Modeling

๐Ÿšง ์ €๋„ ๊ณต๋ถ€์ค‘์ธ ๋ถ€๋ถ„์ด ๋งŽ์•„์„œ ์ž˜๋ชป๋˜๊ฑฐ๋‚˜ ์ด์ƒํ•œ ๋ถ€๋ถ„์ด ์žˆ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด ๊ธ€์„ ์‹ ๋ขฐํ•˜์ง„ ๋งˆ์‹œ๊ณ , ํ˜น์‹œ๋‚˜ ์ž˜๋ชป๋œ ๋ถ€๋ถ„์ด ์žˆ์„ ๊ฒฝ์šฐ ๋Œ“๊ธ€๋กœ ์•Œ๋ ค์ฃผ์‹œ๋ฉด ์ •๋ง ๊ฐ์‚ฌํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค :D

๐Ÿ” Introduction

Threat modeling์€ ๊ฐ€์น˜ ์žˆ๋Š” ๋ฌด์–ธ๊ฐ€๋ฅผ ๋ณดํ˜ธํ•˜๊ธฐ ์œ„ํ•ด ์œ„ํ˜‘๊ณผ ์™„ํ™” ๋ฐฉ์•ˆ์„ ์‹๋ณ„ํ•˜๊ณ , ์‰ฝ๊ฒŒ ์ดํ•ดํ•  ์ˆ˜ ์žˆ๋„๋ก ํ‘œํ˜„ํ•ฉ๋‹ˆ๋‹ค. Application, System, Service ๋“ฑ์—์„œ ๋ณด์•ˆ์— ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์žˆ๋Š” ๋ชจ๋“  ์ •๋ณด๋ฅผ ๊ตฌ์กฐํ™”ํ•˜์—ฌ ํ‘œํ˜„ํ•˜๊ณ  ์ด๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ๋ณด์•ˆ์ ์ธ ๋ฌธ์ œ๋ฅผ ์‹๋ณ„ํ•˜๋Š” ๋ฐฉ๋ฒ•๋ก ์ž…๋‹ˆ๋‹ค. ์ €๋Š” ํฌ๊ฒŒ ์•„๋ž˜์™€ ๊ฐ™์€ ํ”Œ๋กœ์šฐ๋กœ ์ •๋ฆฌํ• ๊นŒ ํ•ฉ๋‹ˆ๋‹ค.

  • Decompose the Application: ์ž์‚ฐ ์‹๋ณ„ ๋ฐ DFD, PFD ์™ธ ์—ฌ๋Ÿฌ๊ฐ€์ง€ Diagram ์ž‘์„ฑ
  • Identify threats (modeling): ์œ„ํ˜‘ ์‹๋ณ„
  • Mitigate: ์™„ํ™” ๋ฐฉ๋ฒ• ๋„์ถœ
  • Validate: ์กฐ์น˜ํ™•์ธ

๐Ÿ– Decompose the Application

OWASP ๋ฌธ์„œ ๊ธฐ์ค€์œผ๋ก  ์•„๋ž˜์™€ ๊ฐ™์€ ํ•ญ๋ชฉ๋“ค์„ ์ •์˜ํ•ด์•ผํ•ฉ๋‹ˆ๋‹ค.

Attribute Description
Threat Model Information ์‚ฌ์šฉํ•  Treat model์„ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค.
External Dependencies ๋””ํŽœ๋˜์‹œ๋ฅผ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค. (๊ด€๋ฆฌํ•  ์ˆ˜ ์—†๋Š” ์˜์—ญ)
Entry Points ์‹œ์ž‘์ง€์ , ์ฆ‰ ์ƒํ˜ธ์ž‘์šฉํ•  ์ˆ˜ ์žˆ๋Š” ์ธํ„ฐํŽ˜์ด์Šค๋ฅผ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค. (+Trust Levels)
Exit Points ์ข…๋ฃŒ์ง€์ , ํด๋ผ์ด์–ธํŠธ ๋“ฑ ๊ตฌ์„ฑ ์™ธ๋ถ€๋กœ ๋‚˜๊ฐ€๋Š” ๊ตฌ๊ฐ„์„ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค.
Assets ์ž์‚ฐ์„ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค. (+Trust Levels)
Trust Levels ์‹ ๋ขฐ ๋ ˆ๋ฒจ์„ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค.
Data Flow Diagrams DFD๋ฅผ ๊ทธ๋ฆฝ๋‹ˆ๋‹ค.

DFD (Data Flow Diagrams)

DFD๋Š” ๋ฐ์ดํ„ฐ์˜ ํ๋ฆ„์„ ๊ทธ๋ฆฌ๋Š” Diagram์ž…๋‹ˆ๋‹ค. ๋ชจ๋ธ๋ง ๋ฐฉ๋ฒ•์— ๋”ฐ๋ผ ์•ฝ๊ฐ„์”ฉ์€ ๋‹ค๋ฅด์ง€๋งŒ ๋ณดํ†ต ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜, ์‹œ์Šคํ…œ, ์„œ๋น„์Šค์—์„œ์˜ ์ „์ฒด์ ์ธ ๋ฐ์ดํ„ฐ ํ๋ฆ„์„ ํ‘œํ˜„ํ•ฉ๋‹ˆ๋‹ค.

OWASP

PFD (Process Flow Diagrams)

PFD๋Š” ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜์˜ ๋™์ž‘ ํ”„๋กœ์„ธ์Šค๋ฅผ ํ‘œํ˜„ํ•˜๋Š” Diagram์ž…๋‹ˆ๋‹ค. DFD์™€ ๋‹ค๋ฅด๊ฒŒ ์„œ๋น„์Šค์˜ ๋™์ž‘ ํ๋ฆ„์— ์ดˆ์ฒจ์„ ๋งž์ถ”์–ด ์•…์šฉํ•˜๋Š” ์‚ฌ๋ก€๋ฅผ ์–ป์–ด๋‚ด๋Š”๋ฐ ์œ ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

PFD

Other

Security model of a system. by Synopsis

๐ŸŒ€ Identify Threats

STRIDE Model

STRIDE๋Š” Microsoft์—์„œ ๋งŒ๋“  Threat modeling framework๋กœ ์—ฌ๊ธฐ์— ํฌํ•จ๋˜๋Š” ์ฃผ์š” ์œ ํ˜•์ธ Spoofing, Tampering, Repudiation, Information disclosure, Denial of service์˜ ์•ž์ž๋ฆฌ๋ฅผ ๋”ฐ์„œ ๋งŒ๋“ค์–ด์กŒ์Šต๋‹ˆ๋‹ค. ์ด STRIDE ์œ ํ˜•์„ ์ค‘์‹ฌ์œผ๋กœ DFD๋‚˜ PFD ๊ฐ™์€ Flow Diagram์„ ๊ทธ๋ฆฌ๊ณ  ์ด๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ Treat๊ณผ ๋Œ€์‘๋ฐฉ์•ˆ์„ ์‹๋ณ„ํ•ฉ๋‹ˆ๋‹ค.

โš”๏ธThreat ๐Ÿ“„Description ๐Ÿ›กDesired property
S Spoofing ๊ณต๊ฒฉ์ž๋Š” ๋‹ค๋ฅธ ์‚ฌ์šฉ์ž๋กœ ์œ„์žฅํ•ฉ๋‹ˆ๋‹ค. Authenticity
T Tampering ๊ณต๊ฒฉ์ž๋Š” ์‹œ์Šคํ…œ๊ณผ ์‚ฌ์šฉ์ž ๊ฐ„์— ๊ตํ™˜๋˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ์ˆ˜์ •ํ•˜๋ ค๊ณ  ์‹œ๋„ํ•ฉ๋‹ˆ๋‹ค. Integrity
R Repudiation ๊ณต๊ฒฉ์ž๋Š” ์ž‘์—…ํ•œ ๋‚ด์šฉ์— ๋Œ€ํ•ด ๋ถ€์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. Non-repudiability
I Information Disclosure ๊ณต๊ฒฉ์ž๋Š” ์‹œ์Šคํ…œ์ด ์ „์†กํ•˜๊ฑฐ๋‚˜ ์ €์žฅํ•˜๋Š” ์ค‘์š” ๋ฐ์ดํ„ฐ๋ฅผ ์ฝ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. Confidentiality
D Denial of Service ๊ณต๊ฒฉ์ž๋Š” ์‹œ์Šคํ…œ์˜ ๊ฐ€์šฉ์„ฑ์„ ์ €ํ•˜ํ•˜๊ฑฐ๋‚˜ ํ•ด์น  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. Availability
E Elevation of Privileg ๊ณต๊ฒฉ์ž๋Š” ๊ถŒํ•œ ์ƒ์Šน์„ ํ†ตํ•ด ์‹œ์Šคํ…œ์—์„œ ๊ถŒํ•œ์„ ๋ฐ›๊ฑฐ๋‚˜ ๊ถŒํ•œ ์™ธ ์ •๋ณด์— ์•ก์„ธ์Šคํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. Authorization

STRIDE-per-interaction

Interaction(์ƒํ˜ธ์ž‘์šฉ)์„ ๊ธฐ๋ฐ˜์œผ๋กœ Threat์„ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค. ์•„๋ž˜ STRIDE-per-element ๋ณด๋‹ค ์‹œ๊ฐ„, ๋ฆฌ์†Œ์Šค์ ์œผ๋กœ ์ด๋“์ด ์žˆ์–ด์„œ ์ด ํ˜•ํƒœ๊ฐ€ ์„ ํ˜ธ๋œ๋‹ค๊ณ  ํ•ฉ๋‹ˆ๋‹ค.

STRIDE-per-element

๊ฐ Element๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ Threat์„ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค.

DREAD Model

DREAD Model์€ Risk management์ ์ธ ๋ชจ๋ธ์ด์ง€๋งŒ ์ผ๋ถ€ Threat modeling ์œผ๋กœ ์“ฐ์ด๊ธฐ๋„ ํ•ฉ๋‹ˆ๋‹ค.

โš”๏ธThreat ๐Ÿ“„Description
D Damage ๊ณต๊ฒฉ์˜ ๋ฐ๋ฏธ์ง€
R Reproducibility ๊ณต๊ฒฉ์„ ์–ผ๋งˆ๋‚˜ ์‰ฝ๊ฒŒ ์žฌํ˜„ํ•  ์ˆ˜ ์žˆ๋Š”์ง€
E Exploitability ๊ณต๊ฒฉํ•˜๋Š”๋ฐ ์–ผ๋งˆ๋‚˜ ๋งŽ์€ ์ž‘์—…์ด ํ•„์š”ํ•œ์ง€
A Affected users ์–ผ๋งˆ๋‚˜ ๋งŽ์€ ์œ ์ €๊ฐ€ ์˜ํ–ฅ์„ ๋ฐ›๋Š”์ง€
D Discoverability ์‰ฝ๊ฒŒ ์ฐพ์„ ์ˆ˜ ์žˆ๋Š”์ง€

P.A.S.T.A

P.A.S.T.A๋Š” 7๋‹จ๊ณ„์˜ ํ”„๋กœ์„ธ์Šค์— ๋”ฐ๋ผ Threat modelingํ•ฉ๋‹ˆ๋‹ค.

Step Description
1 Define the Objectives Object๋ฅผ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค.
2 Define the Technical Scope Scope๋ฅผ ์ •์˜ํ•ฉ๋‹ˆ๋‹ค.
3 Decompose the Application ์„œ๋น„์Šค๋ฅผ ์ƒ์„ธํ•˜๊ฒŒ ๋‚˜๋ˆ•๋‹ˆ๋‹ค.
4 Analyze the Threats ์œ„ํ˜‘์„ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค.
5 Vulnerability Analysis ์ทจ์•ฝ์ ์„ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค.
6 Attack Analysis ๊ณต๊ฒฉ์„ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค.
7 Risk and Impact Analysis ๋ฆฌ์Šคํฌ์™€ ์˜ํ–ฅ๋ ฅ์„ ๋ถ„์„ํ•ฉ๋‹ˆ๋‹ค.

VAST

Agile ํ”„๋กœ์„ธ์Šค์— Threat modeling ํ•ฉ๋‹ˆ๋‹ค. ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์˜ ๋™์ž‘ ํ๋ฆ„์— ๋”ฐ๋ผ PFD๋ฅผ ์ž‘์„ฑํ•˜๊ณ , ์ธํ”„๋ผ ๊ตฌ์„ฑ์—์„œ DFD๋ฅผ ์ž‘์„ฑํ•ฉ๋‹ˆ๋‹ค. ๋‹ค๋งŒ DFD๋Š” ๋‹จ์ˆœํžˆ ๋ฐ์ดํ„ฐ์˜ ํ๋ฆ„์ด ์•„๋‹ˆ๋ผ ๊ณต๊ฒฉ์ž ๊ด€์ ์—์„œ ์ง„ํ–‰ํ•œ๋‹ค๊ณ  ํ•ฉ๋‹ˆ๋‹ค.

๐Ÿ›ก Mitigate

Threat modeling์œผ๋กœ ๋ฐœ๊ฒฌ๋œ ์œ„ํ˜‘ ๋ฐ ๋ณด์•ˆ ์ทจ์•ฝ์ ์€ ๋‹น์—ฐํžˆ ์™„ํ™” ๋˜๋Š” ์กฐ์น˜๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค. ์‹œ์Šคํ…œ ๊ตฌ์„ฑ์— ๋”ฐ๋ผ์„œ ์ ์ ˆํ•œ ์กฐ์น˜ ๋˜๋Š” ์™„ํ™” ๋ฐฉ์•ˆ์„ ์ฐพ์•„ ์œ„ํ˜‘์„ ์ค„์ด๋Š”๊ฒŒ ์ข‹์Šต๋‹ˆ๋‹ค.

โœ… Validate

์‹ค์ œ๋กœ ์ ์šฉ๋˜์—ˆ๋Š”์ง€ ์œ„ํ˜‘์ด ์™„ํ™”๋˜์—ˆ๋Š”์ง€ ์ฒดํฌํ•ด์•ผํ•ฉ๋‹ˆ๋‹ค.

๐Ÿ•น Tools

Draw.io

Diagram์„ ๊ทธ๋ฆฌ๋Š” ๋ชฉ์ ์ด๋ผ๋ฉด draw.io๋Š” ์ •๋ง ์ข‹์€ ์„ ํƒ์ž…๋‹ˆ๋‹ค. threat modeling์ด ์•„๋‹ˆ์—ฌ๋„ flow chart ๊ทธ๋ฆด ๋•Œ ์œ ์šฉํ•˜๊ธฐ๋„ ํ•ด์„œ ์ต์ˆ™ํ•ด์ง€๋ฉด ์ข‹์€ ๋„๊ตฌ์ž…๋‹ˆ๋‹ค.

OWASP Threat Dragon

๐Ÿชด Resources

๐Ÿ“Œ References

Licensed under CC BY-NC-SA 4.0