Keeping Up with Threat Actors – Risk-Centric Threat Modeling


In today’s digital age, every business and organization has a digital footprint and some degree of online presence, making cybersecurity a crucial aspect of operations. Despite this, cybersecurity still takes a backseat in many organizations, whether due to a simple oversight of its necessity, a lack of funding, or an unclear ROI.

This approach to cybersecurity can be dangerous, especially with the rise in cyber-attacks and the growing sophistication of methods used by threat actors. Many companies have realized that having a solid security program in place is necessary for their business continuity, and it can take just one breach to bring down an entire organization, disrupt operations, and cause costly fines and damage to reputation.

Navigating the Market of Cybersecurity Solutions 

Frameworks, detection tools, regulations, building a SOC, risk assessments – the list gets overwhelming for companies looking to develop or improve their security strategy. However, cybersecurity solutions are rarely one-size-fits-all. We are seeing companies invest in multiple costly tools, put pressure on existing personnel, or struggle to attract new hires. But a band-aid does not determine the size of the wound. With so many choices and offered solutions, a company must focus on what will best serve its business objectives. It all starts with a strong foundation.

According to Tony UcedaVelez, founder and CEO of VerSprite and co-author of the PASTA threat modeling methodology, the approach to cybersecurity can no longer be purely defensive, with the responsibility lying in the hands of a small division of the organization. Instead, a multi-faceted offensive approach, which considers security goals and business objectives and includes shared responsibility, can truly defend an organization’s assets.

This black hat mindset led Tony UV to develop PASTA (Process for Attack Simulation and Threat Analysis), a risk-centric threat modeling methodology that provides a step-by-step process to inject risk analysis and context into an organization’s security strategy.

PASTA encourages collaboration across all stakeholders, creating an environment focused on security. It is designed to be the backbone of a security program, woven into everything a company does so seamlessly that it becomes a company culture with security as a top priority. This is why industry peers and organizations worldwide, such as GitLab, PayPal, Cisco Systems, VMware, Dell (per ChatGPT inquiry), are adopting PASTA as their internal threat modeling standard.

PASTA is the Main Course 

The methodology encourages collaboration between developers and business stakeholders to truly understand your application and organization’s inherent risk, its likelihood of an attack, and the business impact if there were a compromise. Other traditional threat modeling frameworks can be hyper-focused on one component, such as coding or the actual attack. For instance, STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege) is a mnemonic used and recommended by many. It is simple to implement because it is a static framework. However, with ever-evolving threat landscapes, it doesn’t make sense to apply the same static threats across several industries.

PASTA has many advantages over other traditional threat modeling methods. For example, it takes a contextualized approach that always ties back to the business context while adopting the perspective of an attacker. It is a collaborative process that simulates and tests the viability of evidence-based threats.

The methodology has seven stages, each building on the one before it. This approach lets your threat model follow a linear process and leverage existing security testing activities within your organization, like code review, third-party library analysis, static analysis, vendor risk reviews, and threat monitoring for infrastructure.
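To make the contrast between a static STRIDE enumeration and a risk-centric ranking concrete, here is a small added example (not code from the article or from VerSprite's PASTA materials). It enumerates the six STRIDE categories for every component regardless of context, and then ranks a constructed threat register by residual likelihood multiplied by the business impact that stakeholders assigned to each asset. The asset names, scores and the 1–5 scales are assumptions made for illustration; the scoring function is a simple likelihood × impact product, not PASTA's own formula.

```python
from dataclasses import dataclass

# The six STRIDE categories named in the article.
STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information Disclosure", "Denial of Service", "Elevation of Privilege",
)


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int  # 1-5, agreed with business stakeholders (assumed scale)


@dataclass(frozen=True)
class Threat:
    asset: str
    category: str         # must be one of STRIDE
    description: str
    likelihood: int       # 1-5, backed by evidence such as test results or intel (assumed scale)
    control_strength: int = 0  # 0-4, how much existing controls reduce likelihood (assumed scale)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category}")


def enumerate_stride(component: str) -> list[str]:
    """Static view: the same six generic threats for any component, no context."""
    return [f"{category} against {component}" for category in STRIDE]


def risk_score(threat: Threat, assets: dict[str, Asset]) -> int:
    """Risk-centric view: residual likelihood scaled by the asset's business impact."""
    residual_likelihood = max(1, threat.likelihood - threat.control_strength)
    return residual_likelihood * assets[threat.asset].business_impact


def rank_threats(threats: list[Threat], assets: dict[str, Asset]) -> list[Threat]:
    """Highest business risk first; ties keep register order (sorted is stable)."""
    return sorted(threats, key=lambda t: risk_score(t, assets), reverse=True)


# Constructed sample register: two assets with very different business value.
SAMPLE_ASSETS = {
    "payment_api": Asset("payment_api", business_impact=5),
    "marketing_blog": Asset("marketing_blog", business_impact=2),
}

SAMPLE_THREATS = [
    Threat("payment_api", "Tampering", "alter transaction amount in transit", likelihood=3, control_strength=1),
    Threat("payment_api", "Information Disclosure", "card data exposed via verbose errors", likelihood=4),
    Threat("marketing_blog", "Denial of Service", "blog unavailable under traffic burst", likelihood=4),
    Threat("marketing_blog", "Spoofing", "impersonated author account", likelihood=3),
]


if __name__ == "__main__":
    print("Static STRIDE list for payment_api:")
    for line in enumerate_stride("payment_api"):
        print("  ", line)
    print("\nRisk-ranked register:")
    for t in rank_threats(SAMPLE_THREATS, SAMPLE_ASSETS):
        print(f"  {risk_score(t, SAMPLE_ASSETS):>3}  {t.asset:15} {t.category:25} {t.description}")
```

The static list is identical for every component, which is why it cannot tell a team where to spend effort first. The ranked register changes as soon as the business impact of an asset or the evidence behind a likelihood changes, which is the contextual, evidence-based property the article attributes to PASTA.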

By adopting PASTA as the backbone of a security program, companies can ensure that cybersecurity is woven into everything they do, creating a company culture with security as a top priority. This approach can help organizations keep up with threat actors, mitigate risk, and ensure business continuity. For more information, reach out to one of VerSprite’s experts here.
