By 2025, the global cost of cybercrime is projected to reach an estimated $10.5 trillion (INTRUSION, Inc., 2020). With 30,000 websites hacked every day (Bulao, 2022), companies of all sizes need to prioritize cybersecurity. As the prevalence and costs of cybercrime skyrocket, organizations have developed a variety of methods to model cyberthreats and assess cybersecurity risks and vulnerabilities. One of these risk analysis methodologies is DREAD, a threat modeling framework created by Microsoft (Meier et al., 2003). Although Microsoft has since abandoned the model, citing concerns about its subjectivity (Shostack, 2008), it’s still in use today by small businesses, Fortune 500 companies, and the military.
What Is the DREAD Model?
The DREAD model quantitatively assesses the severity of a cyberthreat using a scaled rating system that assigns numerical values to risk categories. The DREAD model has five categories (Meier et al., 2003):
◉ Damage: Understand the potential damage a particular threat is capable of causing.
◉ Reproducibility: Identify how easy it is to replicate an attack.
◉ Exploitability: Analyze the system’s vulnerabilities to ascertain susceptibility to cyberattacks.
◉ Affected Users: Calculate how many users would be affected by a cyberattack.
◉ Discoverability: Determine how easy it is to discover vulnerable points in the system infrastructure.
The DREAD model enables analysts to rate, compare, and prioritize the severity of threats by assigning a given issue a rating between 0 and 10 in each of the above categories. The final rating, calculated as the average of these category ratings, indicates the overall severity of the risk. (The severity bands given later in this article are expressed on the summed 0–50 scale; because the average is simply that sum divided by five, both forms order threats identically.)
Damage Potential: How Much Damage Could the Attack Cause?
◉ 0: No damage
◉ 5: Information disclosure
◉ 8: Non-sensitive user data related to individuals or employer compromised
◉ 9: Non-sensitive administrative data compromised
◉ 10: Destruction of an information system; data or application unavailability
Reproducibility: How Easily Can the Attack Be Reproduced?
◉ 0: Difficult or impossible
◉ 5: Complex
◉ 7.5: Easy
◉ 10: Very easy
Exploitability: What’s Required to Launch the Attack?
◉ 2.5: Advanced programming and networking skills
◉ 5: Available attack tools
◉ 9: Web application proxies
◉ 10: Web browser
Affected Users: How Many People Would the Attack Affect?
◉ 0: No users
◉ 2.5: Individual user
◉ 6: Few users
◉ 8: Administrative users
◉ 10: All users
Discoverability: How Easy Is the Vulnerability to Discover?
◉ 0: Hard to discover the vulnerability
◉ 5: HTTP requests can uncover the vulnerability
◉ 8: Vulnerability found in the public domain
◉ 10: Vulnerability found in web address bar or form
Overall Threat Rating
The overall threat rating is calculated by summing the scores obtained across these five key areas. The risk severity categories for a threat are as follows:
◉ Critical (40–50): Critical vulnerability; address immediately.
◉ High (25–39): Severe vulnerability; consider for review and resolution soon.
◉ Medium (11–24): Moderate risk; review after addressing severe and critical risks.
◉ Low (1–10): Low risk to infrastructure and data.
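The rubric and bands above are easy to get subtly wrong in practice (fractional scores such as 7.5 produce totals like 24.5 that fall between the integer ranges, and a total of 0 is outside every band), so here is a worked scorer. This is an added example, not code from the original article or from EC-Council: the lookup values and band limits are transcribed from the scales above, while the descriptor keys, the sample threats, and the threshold rule for fractional totals are my own assumptions.

```python
"""DREAD scoring walkthrough (added example; not from the original article).

Rubric values and severity bands are taken from the article's scales.
Assumptions made here: the short descriptor keys, the constructed sample
threats, and treating each band's lower bound as a threshold so that
fractional totals (e.g. 24.5) and a total of 0 still get a band.
"""
from dataclasses import dataclass

# Rubric from the article: category -> {descriptor: score}
RUBRIC = {
    "damage": {
        "no damage": 0,
        "information disclosure": 5,
        "non-sensitive user data compromised": 8,
        "non-sensitive administrative data compromised": 9,
        "system destroyed or unavailable": 10,
    },
    "reproducibility": {
        "difficult or impossible": 0, "complex": 5, "easy": 7.5, "very easy": 10,
    },
    "exploitability": {
        "advanced programming and networking skills": 2.5,
        "available attack tools": 5,
        "web application proxies": 9,
        "web browser": 10,
    },
    "affected_users": {
        "no users": 0, "individual user": 2.5, "few users": 6,
        "administrative users": 8, "all users": 10,
    },
    "discoverability": {
        "hard to discover": 0,
        "http requests can uncover it": 5,
        "found in the public domain": 8,
        "found in web address bar or form": 10,
    },
}

# Severity bands from the article, as (lower bound of the summed range, label).
BANDS = [(40, "Critical"), (25, "High"), (11, "Medium"), (0, "Low")]


@dataclass(frozen=True)
class Threat:
    name: str
    damage: str
    reproducibility: str
    exploitability: str
    affected_users: str
    discoverability: str


def category_scores(threat: Threat) -> dict[str, float]:
    """Look up each rubric descriptor; an unknown descriptor raises KeyError."""
    return {cat: RUBRIC[cat][getattr(threat, cat)] for cat in RUBRIC}


def dread_sum(threat: Threat) -> float:
    """Summed rating on the 0-50 scale used by the severity bands."""
    return sum(category_scores(threat).values())


def dread_average(threat: Threat) -> float:
    """The article also describes the rating as an average; it is sum/5,
    so it ranks threats in exactly the same order as the sum."""
    return dread_sum(threat) / len(RUBRIC)


def severity(total: float) -> str:
    """Map a summed rating to a band. Assumption: a total at or above a
    band's lower bound belongs to that band, which also covers 0 and
    fractional totals that the article's integer ranges leave out."""
    for lower, label in BANDS:
        if total >= lower:
            return label
    raise ValueError("total must be >= 0")


def rank(threats: list[Threat]) -> list[tuple[str, float, str]]:
    """Highest DREAD sum first; sorted() is stable, so ties keep input order."""
    scored = [(t.name, dread_sum(t), severity(dread_sum(t))) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threats for illustration only.
SAMPLE_THREATS = [
    Threat("Reflected XSS in search page", "non-sensitive user data compromised",
           "very easy", "web browser", "few users", "found in web address bar or form"),
    Threat("Race condition in payment job", "system destroyed or unavailable",
           "complex", "advanced programming and networking skills", "all users",
           "hard to discover"),
    Threat("Verbose error page", "information disclosure", "easy",
           "web browser", "individual user", "http requests can uncover it"),
]

if __name__ == "__main__":
    for name, total, band in rank(SAMPLE_THREATS):
        print(f"{band:8} {total:5.1f}  {name}")
```

Running it ranks the reflected XSS (44, Critical) above the verbose error page (30, High) and the payment race condition (27.5, High). That last ordering is worth noticing: because every category is weighted equally, a threat rated 10 for damage and 10 for affected users ends up below an information leak that merely scores well on ease of discovery, which is the kind of outcome behind the subjectivity concern mentioned at the start of the article. Teams that keep using DREAD usually review the band boundaries and per-category weights with a domain expert rather than taking the defaults as given.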
Cyberthreat modeling using the DREAD framework is customizable based on your needs. However, to successfully apply a subjective risk analysis framework like the DREAD model, you need extensive cybersecurity expertise to ensure that your analysis of cyberthreats is accurate. Without up-to-date domain knowledge, you risk missing crucial information about system vulnerabilities and potential attack vectors.
EC-Council’s Certified Threat Intelligence Analyst (C|TIA) certification program can provide you with the knowledge base and practical skills you need to progress in your cybersecurity career. The program leverages insights from industry professionals to create one of the most robust and informative threat intelligence training courses in the cybersecurity industry.
Source: eccouncil.org