
PASTA Threat Modeling: Tutorial + Best Practices
Learn about the seven-stage PASTA threat modeling methodology, which integrates business context and an attacker mindset to uncover viable threats and prioritize risks.
The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage risk-centric threat modeling methodology for application security. It integrates business context and an attacker mindset to uncover only viable threats and then prioritize and mitigate them, considering the level of risk associated with each. It is highly collaborative and customizable and provides a sound roadmap for building an accurate threat model for risk management.
This article presents a brief overview of the PASTA threat model before introducing some key best practices for its implementation.
| Best practice | Takeaway |
| --- | --- |
| Align business goals to security needs | Identify business drivers to formulate the security requirements needed to meet business objectives. |
| Footprint the application tech stack | Perform a comprehensive evaluation of your application scope to prevent exploitable blind spots. |
| Use visualization to see the flow of data | Use data flow diagrams to uncover erroneous trust assumptions. |
| Build a customized threat library | Construct relevant threat analytics in a customized threat library using multiple trackable threat intelligence sources. |
| Identify viable vulnerabilities in the environment | Ensure that your vulnerability inventory includes only the exploitable vulnerabilities in your environment. |
| Prioritize risks and deploy proper countermeasures | Reduce costs by implementing adequate security measures to mitigate the highest risks identified. |
| Leverage existing security initiatives and automate to facilitate reviews | Identify existing processes contributing inputs to the threat modeling stages and automate for an accurate view of the exposure, considering dynamic inputs. |
PASTA threat modeling is organized into seven related stages that describe the construction of a full risk mitigation strategy.
The seven stages are the following:
1. Defining objectives: Understand the purpose of the target application and its different requirements. This necessitates considering business objectives, security and compliance requirements, and supporting assets whose loss could have a critical impact on the business.
2. Defining the technical scope: Understand what needs to be protected by establishing a technical map of the application under study. This includes determining the application’s boundaries and dependencies with networks, software, servers, and other infrastructure elements.
3. Application decomposition and analysis: Identify the application’s users and permissions, assets, data, services, hardware and software supporting the application, and the data entry points and trust levels.
4. Threat analysis: Leverage your previous understanding of the application environment to craft a list of credible threats to the attack surface. Probabilistic attack scenarios, incident management, application logs, and security events can be analyzed and correlated to threat intelligence reports.
5. Weakness and vulnerability analysis: Identify the correlations among vulnerabilities, threats, and application assets, for example, using attack trees. The vulnerabilities should be analyzed and prioritized depending on the affected assets and the impact of their compromise on the business.
6. Attack modeling and simulation: Identify the effective application attack surface, namely, exploitable attack paths that would compromise an asset. The viability of attack paths can be determined by mapping known vulnerabilities to attack tree nodes.
7. Residual risk analysis and management: Qualify and quantify business impacts and identify gaps in security controls to make objective decisions regarding countermeasures.
The first stage of PASTA focuses on identifying the business goals critical for your organization’s long-term success. Once identified, these goals should be contextualized to the specific application under study because each application will typically support only a subset of the overall business objectives. This contextualization results in a refined list of objectives effectively backed by the application.
From this refined list, each identified objective should be mapped to the corresponding security requirements it imposes on the application. For example, if protecting intellectual property is a supported business objective, a related security requirement might be to leverage robust encryption to secure data at rest. Alternatively, if adhering to particular industry regulations is a business objective, the security requirements could include mechanisms for identifying and addressing regulatory gaps. Compliance automation platforms such as Drata can be particularly beneficial in that context by providing insights into an organization’s compliance status and helping identify additional security requirements that must be implemented to meet regulatory standards.
Performing this mapping process builds an initial view of which security requirements should be implemented in the application to meet the business objectives.
The PASTA model's second stage defines the application's technical scope. This represents a critical step in threat modeling, as protecting assets requires a comprehensive understanding of all components involved.
For this stage, it is essential to be as thorough as possible to identify the components contributing to the application’s functionality without assuming that your dependencies’ providers have performed a similar threat modeling process on their components. Failure to identify a technical component can create blind spots in your defense, potentially serving as entry points for attackers. It is crucial to consider not only the application itself but also elements such as API endpoints, network infrastructure, operating systems (virtual or not), data storage, DNS and certificate servers, mobile clients, and third-party software and libraries.
When exhaustive documentation of the application and its dependencies is unavailable, various tools and techniques can be employed to uncover these components. Tools such as Nmap for network mapping, reverse engineering tools, packet capture analysis, and log examination can provide valuable insights into the application's technical scope.
A data flow diagram (DFD) is typically used to perform the third stage of PASTA—which is application decomposition and analysis.
DFDs allow for the simplification of complex systems and a better understanding of interactions between system components and application data. As such, DFDs can facilitate communication between technical and non-technical stakeholders. They clearly represent data movements, detailing how data enters, is processed, is stored, and exits the system. This visualization is crucial because it enables the identification of implicit trust boundaries within the application, thereby highlighting potential vulnerabilities that may require additional security measures. DFDs can also help with the audit and compliance checks for meeting regulatory requirements related to how data is handled in the system.
The data you should consider in your DFDs are the inputs and outputs handled by your processes. A non-exhaustive list could include authentication requests and responses, web requests and responses, reading/writing of configuration information, interactions with databases or audit stores, etc.
The OWASP project provides a catalog of data flow diagram templates that can serve as a basis and inspiration for crafting your diagrams.
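As an added example (not code from the original article or from Drata), the check below turns the trust-boundary idea into something reviewable: each element of a small constructed DFD carries a trust level, each flow records the protections applied to it, and flows that cross a boundary without the expected protection are flagged. The element names, trust levels and flows are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Constructed PASTA stage-3 decomposition: each DFD element carries a trust
# level (0 = untrusted internet, higher = more trusted) and each flow records
# the protections applied to it, so trust assumptions become explicit.
@dataclass(frozen=True)
class Element:
    name: str
    trust: int

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    authenticated: bool = False
    encrypted: bool = False
    validated: bool = False     # input validation on the receiving side
    anonymous_ok: bool = False  # receiver deliberately accepts unauthenticated input

def crosses_boundary(flow):
    """A flow crosses a trust boundary when its endpoints differ in trust."""
    return flow.src.trust != flow.dst.trust

def review_flows(flows):
    """Flag boundary-crossing flows missing the protection the crossing calls
    for: input entering a more trusted zone must be validated and, unless
    explicitly anonymous, authenticated; any crossing flow must be encrypted."""
    findings = []
    for f in flows:
        if not crosses_boundary(f):
            continue
        if f.dst.trust > f.src.trust:
            if not f.authenticated and not f.anonymous_ok:
                findings.append((f.data, "unauthenticated input across trust boundary"))
            if not f.validated:
                findings.append((f.data, "unvalidated input across trust boundary"))
        if not f.encrypted:
            findings.append((f.data, "cleartext data across trust boundary"))
    return findings

# Constructed sample diagram with one implicit-trust mistake: the web tier
# writes audit records to the store without authenticating or validating.
browser, web = Element("Browser", 0), Element("Web app", 1)
idp, audit = Element("Identity provider", 2), Element("Audit store", 2)
SAMPLE_FLOWS = [
    Flow(browser, web, "login request", encrypted=True, validated=True, anonymous_ok=True),
    Flow(web, idp, "token exchange", authenticated=True, encrypted=True, validated=True),
    Flow(web, audit, "audit write", encrypted=True),
    Flow(audit, web, "audit read", authenticated=True, encrypted=True, validated=True),
]
```

Running `review_flows(SAMPLE_FLOWS)` reports only the audit write, which is exactly the implicit trust between two internal tiers that a diagram makes visible.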
Customization is key in the fourth stage of the PASTA model. Instead of relying on a static list, your security team should build a customized threat library for an accurate view of imminent threats.
To achieve this, rely on a diverse range of threat intelligence sources, both internal and external, while ensuring that the information can be cross-validated and traced back to credible sources. These sources might include third-party assessments, internal log facilities, threat feeds, security operations, and incident reports.
The threat library should comprise known threat actors, malware, threat campaigns, tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs) relevant to your environment. The figure below shows an example of intelligence data you can receive from open-source threat intelligence platforms or feeds. Since they cater to different industries and environments, you should filter the data to select the information relevant to your business and applications.
Focusing on viable vulnerabilities allows organizations to address relevant weaknesses that could potentially impact the business if exploited by attackers. Beyond merely enumerating vulnerabilities using various scanners, organizations should confirm the viability of identified vulnerabilities through penetration testing. This is a critical validation step, providing empirical evidence of the vulnerabilities' exploitability and helping organizations make informed decisions about remediation priorities.
Automated tools like Drata can reduce time spent on manual pentesting while providing valuable insights into the effectiveness of security controls. Since a vulnerability typically requires specific conditions to be exploitable, those already mitigated by an existing control can be removed from the pool that needs manual evaluation. This approach enhances efficiency and ensures that security efforts are focused on addressing the most actionable vulnerabilities.
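The attack-tree mapping described in stages 5 and 6 and the exploitability confirmation described here fit together in one evaluation, shown below as an added example (not code from the original article or from Drata). Leaves of a constructed attack tree are mapped to placeholder vulnerability ids (not real CVEs), and the tree is evaluated against the subset a penetration test confirmed, so only paths built entirely from confirmed vulnerabilities count toward the effective attack surface.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example for PASTA stages 5 and 6: attack-tree leaves are mapped
# to vulnerability ids (placeholders, not real CVEs) and the tree is evaluated
# against only the vulnerabilities a penetration test confirmed exploitable.
@dataclass
class Node:
    name: str
    gate: str = "OR"                 # "OR": any child suffices; "AND": all required
    children: List["Node"] = field(default_factory=list)
    vuln: Optional[str] = None       # leaf: vulnerability this step depends on

def viable_paths(node, exploitable):
    """Return every viable attack path under `node` as a list of leaf names.
    A leaf is viable only if its vulnerability is confirmed exploitable; an OR
    node yields the union of its children's paths; an AND node yields the
    cross product, and is dead if any child has no viable path."""
    if node.vuln is not None:
        return [[node.name]] if node.vuln in exploitable else []
    child_paths = [viable_paths(c, exploitable) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    combos = [[]]
    for paths in child_paths:
        if not paths:
            return []
        combos = [c + p for c in combos for p in paths]
    return combos

def effective_attack_surface(root, exploitable):
    """Leaves on at least one viable path: the steps worth fixing first."""
    return sorted({leaf for path in viable_paths(root, exploitable) for leaf in path})

# Constructed tree: the attacker goal is exfiltrating the customer database.
ROOT = Node("Exfiltrate customer DB", "OR", [
    Node("Via web tier", "AND", [
        Node("Inject SQL through search", vuln="VULN-001"),
        Node("Read beyond own tenant", vuln="VULN-002"),
    ]),
    Node("Via stolen backup", "AND", [
        Node("Access backup bucket", vuln="VULN-003"),
        Node("Decrypt backup", vuln="VULN-004"),
    ]),
    Node("Via leaked admin credential", vuln="VULN-005"),
])
SCANNED = {"VULN-001", "VULN-002", "VULN-003", "VULN-004", "VULN-005"}
CONFIRMED = {"VULN-001", "VULN-002", "VULN-003"}  # pentest could not exploit 004 or 005
```

Against the raw scanner output all three branches look viable; against the confirmed set only the web-tier path survives, and the backup-bucket finding drops out of the effective attack surface because its AND sibling was not exploitable.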
Since the end goal of PASTA is risk reduction, it takes advantage of the work performed in the first six stages to assess, score, and categorize risks comprehensively. This process begins by establishing risk scores based on a thorough analysis of threats, identified vulnerabilities, and potential business impacts. Once these risk scores are established, they can be prioritized to identify the ones that should be mitigated first.
This prioritization lets your organization focus its resources on addressing the most significant risks first. By having an ordered list of contextualized risks, you can strategically allocate a budget for remediation efforts, ensuring that security investments yield the highest possible impact.
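To make the scoring and budget allocation concrete, the following added example (not code from the original article or from Drata) scores each risk from threat likelihood, confirmed exploitability and business impact, orders them, and spends a fixed remediation budget greedily on the countermeasures that remove the most risk per unit of cost. All risks, countermeasures, costs and reduction factors are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed example for PASTA stage 7: risk = threat likelihood (stage 4) x
# business impact (stage 1), counted only if exploitability was confirmed
# (stages 5-6); a budget buys the countermeasures removing most risk per cost.
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float      # 0..1 from threat analysis
    exploitable: bool      # confirmed by testing; unconfirmed risks score 0
    impact: int            # 1..5 business impact of compromising the asset
@dataclass(frozen=True)
class Countermeasure:
    risk: str              # name of the risk it addresses
    name: str
    cost: int              # arbitrary effort units
    reduction: float       # fraction of the remaining risk it removes

def score(r):
    return round(r.likelihood * r.impact, 2) if r.exploitable else 0.0

def prioritize(risks):
    """Risk names ordered by score, highest first: the remediation order."""
    return [r.name for r in sorted(risks, key=score, reverse=True)]

def allocate(risks, measures, budget):
    """Greedy: pick the affordable measure with the best reduction per cost,
    re-evaluated on residual scores. Returns (chosen names, residual total)."""
    residual = {r.name: score(r) for r in risks}
    remaining, chosen = list(measures), []
    while True:
        best, best_ratio = None, 0.0
        for m in remaining:
            ratio = residual[m.risk] * m.reduction / m.cost
            if m.cost <= budget and ratio > best_ratio:
                best, best_ratio = m, ratio
        if best is None:
            return chosen, round(sum(residual.values()), 2)
        remaining.remove(best)
        budget -= best.cost
        chosen.append(best.name)
        residual[best.risk] = round(residual[best.risk] * (1 - best.reduction), 2)
RISKS = [Risk("SQL injection in search", 0.8, True, 5),
         Risk("Leaked admin credential", 0.3, False, 5),
         Risk("Backup bucket exposure", 0.5, True, 4),
         Risk("Verbose error pages", 0.9, True, 1)]
MEASURES = [Countermeasure("SQL injection in search", "Parameterized queries", 20, 0.9),
            Countermeasure("SQL injection in search", "WAF rule", 5, 0.4),
            Countermeasure("Backup bucket exposure", "Bucket policy lockdown", 10, 1.0),
            Countermeasure("Verbose error pages", "Disable debug output", 2, 1.0),
            Countermeasure("Leaked admin credential", "Enforce MFA", 15, 0.8)]
```

The unconfirmed credential risk scores zero, so budget never flows to it; the per-cost greedy rule is a heuristic and can leave a more expensive but more effective measure unfunded, which is why the residual total is returned for review.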
To effectively implement threat modeling using the PASTA framework, it is imperative to analyze various data sources to gather the necessary inputs for each stage. However, different tools and platforms may already have the required information available. For instance, vulnerability assessment reports can be obtained from vulnerability scanners, while information security policies are typically provided by the governance, risk, and compliance (GRC) team.
Centralizing this information provides a comprehensive view of the data. Automation tools like Drata can play a crucial role in this process by integrating with various security software and platforms to provide centralized security data repositories, aggregate data from disparate sources, and provide a unified view that facilitates threat modeling efforts.
In addition, threat modeling is a dynamic process that should be seamlessly integrated into a company's life and evolution. It is not a one-time task but a continuous activity that evolves in response to the organization's changes. This iterative approach ensures that the threat model remains relevant and effective in identifying and mitigating risks as your organization grows and its environment changes. Automation that enables continuous monitoring provides the most up-to-date information. In rapidly changing configurations and environments, real-time data collection and analysis allow for the prompt identification of new vulnerabilities and emerging threats. This ongoing vigilance ensures that the threat modeling process can adapt to changes in the organizational landscape, thereby maintaining a robust security posture.
Threat modeling using the PASTA framework enables organizations to build a risk mitigation strategy closely aligned with their business objectives. By identifying threats relevant to the environment and prioritizing the associated vulnerabilities, companies can reduce costs and implement adequate security measures to mitigate the highest identified risks. This strategic alignment ensures that security efforts protect critical assets and support the organization's overall goals and operational efficiency.
Since modern companies now have highly dynamic environments where configuration and deployments can change frequently, threat modeling inputs and outputs must be updated regularly to integrate these changes and provide an accurate view of the security exposure. With continuous monitoring, seamless integration, and automated workflows, automation tools like Drata can provide a centralized, updated data source to power PASTA modeling and help in risk reduction efforts.