PioneerVisible
ExpertVisible
SimplifiedHidden
ManagementHidden
BusinessHidden
Execution Mode visibility.

The Automatic Threat Generation Extension Library provides a set of functionalities to automatically identify potential Threats and proper Mitigations.

This library can be used by both experts who want to create Templates supporting generation rules and by those who simply need to consume the rules to generate Threat Events and associate Mitigations on their own Threat Models. The current page describes the first use. For more information on how to use the rules generated by others, please refer to Auto Threat Generation.

The Automatic Threats Generation Extensions Library adds the following tools to Threats Manager Studio (TMS), dedicated to the creation of new generation rules or to editing the existing ones:

  • Auto Gen Rules button in the Analyze ribbon.
  • Edit Automatic Threat Generation Rule command in the context menu.
  • Edit Automatic Mitigation Association Rule command in the context menu.

Note that this list is partial: in fact, the tools dedicated to the consumption of existing generation rules are not included.

The Analyze ribbon.

Auto Gen Rules

The Auto Gen Rules button is shown in the Analyze ribbon. When you click it, the Auto Gen Rules tool will be shown.

The Auto Gen Rules tool

The Auto Gen Rules tool shows the list of all Threat Types defined in the Threat Model. For each Threat Type, there is a button with text “Edit Rule” or “Create Rule”, depending on the fact that a generation rule is already assigned or not. In any case, if you click the said button, the Auto Threat Gen Extension opens the Edit Threat Type Generation Rule dialog.

The Edit Threat Type Generation Rule dialog

The Edit Threat Type Generation Rule dialog.

This dialog allows to define a decision tree which will decide if the Threat Type will be generated or not.

The decision tree must be completed using operators and properties taken from 5 categories:

  • Boolean operators: the usual AND, OR and NOT. It also includes the TRUE constant.
  • Object Properties, which identifies properties of the current object.
  • Source Properties, which includes properties of the source object. Those properties may be evaluated to TRUE only if the current object is a Flow.
  • Target Properties, which includes properties of the target object. Those properties may be evaluated to TRUE only if the current object is a Flow.
  • And finally, Any Trust Boundary Properties, which are evaluated to TRUE only if the current object is a Flow crossing at least a Trust Boundary with the selected characteristics.

To understand how the decision tree works, it is important to know that the Auto Threat Gen Extension evaluates the decision tree on the Threat Model by trying it with each and every Entity defined, with each and every Flow and also with the Threat Model itself. This means that if the decision tree evaluates to true for any Entity, Flow, or for the Threat Model, then a Threat Event associated with the Threat Type is created and associated with that object.

Properties taken from the Object Properties category will therefore apply to the current object for the enumeration. Those properties are highlighted in the decision tree because they have an icon showing a tag.

Properties from the Source Properties and from the Target Properties will evaluate to false if the current object is an Entity. On the contrary, if it is a Flow, then they are evaluated respectively on the Source and the Target of the Flow. The properties belonging to those categories are respectively identified with an icon showing an outgoing arrow and with an icon showing an incoming arrow.

Properties from the Any Trust Boundary Properties category will evaluate to false if the current object is an Entity or if it is a Flow which does not cross any Trust Boundary. If instead the object is a Flow crossing one or more Trust Boundaries, the Auto Threat Gen Extension will evaluate them all and will return TRUE if at least one of them has the required property.

The Edit Threat Type Generation Rule dialog has a Test button which allows to check the current rule on the Threat Model without actually creating the Threat Event. This button is useful to validate the rule, because it identifies the objects which would receive the Threat Event.

The Edit Mitigation Association Rule dialog

If you go one level down in the Auto Gen Rules dialog, you would see a list of the Standard Mitigations for the selected Threat Type. Again, you will see a button with the text Edit Rule or Create Rule. If you click any of them, you will open the Edit Mitigation Association Rule dialog.

The Edit Mitigation Association Rule dialog.

This dialog is very similar to the previous Edit Threat Type Generation Rule dialog, therefore we will focus here only on the differences.

First of all, it is important to understand that the Mitigation association rules are evaluated after the Threat Type generation rules: this means that if a Threat Type generation rule evaluates to TRUE, then the Threat Event is generated, and only then each Mitigation association rule associated to the Standard Mitigations for the Threat Type will be evaluated. Therefore, those Mitigation association rules act as they were in AND with the corresponding Threat Type generation rule.

The Mitigation association rules allow also to define three different overrides:

  • The Strength Override allow to change the Strength of the Mitigation from the default value.
  • The Status Override allow to change the Status of the Mitigation.
  • If the Status Override is Existing or Implemented, then it is possible to change the Maximum Severity.

Those overrides allow for example to cover scenarios like Cloud environments, where Channel Encryption is enforced by the Cloud Provider itself.
To cover this scenario, it would be possible to design the decision tree to be TRUE if the solution is managed by the Cloud Provider. We may change the Strength to Strong instead of Average, to signify that we expect the Cloud Provider to implement Channel Encryption right. We may also impose a Status Override to Existing, and finally, we may lower the Maximum Severity from High to Low.

Edit Automatic Threat Generation Rule

Edit Automatic Threat Generation Rule is an action available from the context menu for Threat Types, which can be opened using the right mouse button over any Threat Type.

The Edit Automatic Threat Generation Rule action.

This action opens the Edit Threat Type Generation Rule dialog.

Edit Automatic Mitigation Association Rule

Edit Automatic Mitigation Association Rule is an action available from the context menu for Known Mitigations, which can be opened using the right mouse button over any Threat Type Mitigation.

The Edit Automatic Mitigation Association Rule dialog.

This action opens the Edit Mitigation Association Rule dialog.