# Defense Modeling
[[Defense Modeling]] is a [[Control Development]] capability. A defensive model can be developed using a variety of techniques and establishes the plan for how to reduce adversary opportunities overall. It is best developed when aligned to adversary intelligence, taking compliance requirements into consideration, and becomes operationalized when it can be used to establish resilience thresholds. As a plan, it also provides the basis for testing and verifying cybersecurity defenses and compliance controls. A defensive model also provides the basis for root cause analysis when an incident occurs, allowing incidents and control failures to be traced back to the defenses that were expected to stop them.
## Map
``` mermaid <!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- B[[Control Development]]
B --- B.1[[Defense Modeling]]
B --- B.2[[Standards Management]]
B --- B.3[[Policy Management]]
B --- B.4[[Test Plan Management]]
B --- B.5[[Threshold Management]]
B.1 --- B.1.1[[Target Definition]]
B.1.1 --- B.1.2[[Threat Modeling]]
B.1.2 --- B.1.3[[Control Modeling]]
B.1.3 --- B.1.4[[Mitigation Plan]]
%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
class B.1 cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```
## Definition
> [!success] Definition
> **Defense Modeling** provides a method for assessing resource threats and developing a documented model for protecting these assets with planned mitigations and monitoring, if necessary.
## Goals
> [!cm-goal] Goal 1
> **Identify Known Risks** - Develop a documented understanding of critical and targeted resources for the purpose of defending them against attack.
> [!cm-goal] Goal 2
> **Develop Resilience Strategies** - Develop a plan for increasing resilience of critical and targeted resources to surface mitigation and monitoring needs.
> [!cm-goal] Goal 3
> **Improve Incident Containment Capabilities** - Identify the core work for responders to enable better detection and containment for known risks.
> [!cm-goal] Goal 4
> **Reduce Potential Impact** - Identify assets and their defenses to achieve adversary resilience and prioritize any additional mitigating controls narrowly to achieve best defenses.
## Scope
Defense modeling is applied to all assets and resources either defined as crown jewels or that have an adversary interest profile.
## Process
```mermaid
flowchart LR
A1[Compliance <br /> Requirements as Input] --> A3[Capability Architecture]
A2[Adversary <br /> Intelligence as Input] --> A3
A3 --> D[1. Identify <br /> Threats]
A2 -.->|Informs| A1
A1 ~~~~ A2 ~~~~ A3
D --> E[2. Analyze <br /> Attack Surface]
E --> F[3. Assess <br /> Vulnerabilities]
F --> G[4. Evaluate <br /> Risks]
G --> H[5. Develop <br /> Mitigation Strategies]
H --> Stakeholders
H -.->|Informs| A3
```
## Metrics
> [!cm-metric] Metric: [[% of In-scope assets with a defined defensive plan]]
> [!cm-metric] Metric: [[% of In-scope assets that require mitigations]]
> [!cm-metric] Metric: [[% of Identified Threats Mitigated]]
> [!cm-metric] Metric: [[% of Assets with Updated Defensive Models]]
> [!cm-metric] Metric: [[% of Vulnerabilities Addressed]]
> [!cm-metric] Metric: [[% of Successful Mitigation Strategies]]
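The scope rule, the process output and the first three metrics above can all be expressed over one small data model. The following is an added example, not code from Cyber City Map or ThirdScore: it represents a defensive model as assets, threats and planned mitigations, applies the page's scope rule (crown jewels or assets with an adversary interest profile), computes the metrics, and traces an incident back to the controls that were supposed to stop it. The assets, threats, control names and the `DefenseModel` class are constructed for illustration.

```python
"""Added example: a minimal defense model as data, with the page's scope rule
and three of its metrics computed over it. All assets, threats and mitigations
here are constructed sample data, not from any real environment."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    crown_jewel: bool = False           # asset defined as a crown jewel
    adversary_interest: bool = False    # asset has an adversary interest profile
    defensive_plan: bool = False        # a documented defensive model exists


@dataclass
class Threat:
    threat_id: str
    asset: str                          # name of the asset the threat targets
    description: str


@dataclass
class Mitigation:
    control: str
    threats: list                       # threat_ids this control addresses
    implemented: bool = False


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


@dataclass
class DefenseModel:
    assets: list = field(default_factory=list)
    threats: list = field(default_factory=list)
    mitigations: list = field(default_factory=list)

    def in_scope(self):
        # Scope rule from the page: crown jewels or adversary interest profile.
        return [a for a in self.assets if a.crown_jewel or a.adversary_interest]

    def mitigated_threat_ids(self):
        # A threat counts as mitigated only once a covering control is implemented.
        return {t for m in self.mitigations if m.implemented for t in m.threats}

    def assets_requiring_mitigation(self):
        # An in-scope asset still requires mitigation if any threat against it
        # is not covered by an implemented control.
        covered = self.mitigated_threat_ids()
        open_assets = {t.asset for t in self.threats if t.threat_id not in covered}
        return [a for a in self.in_scope() if a.name in open_assets]

    def metric_assets_with_plan(self):
        scoped = self.in_scope()
        return pct(sum(a.defensive_plan for a in scoped), len(scoped))

    def metric_assets_requiring_mitigation(self):
        return pct(len(self.assets_requiring_mitigation()), len(self.in_scope()))

    def metric_threats_mitigated(self):
        known = {t.threat_id for t in self.threats}
        return pct(len(self.mitigated_threat_ids() & known), len(known))

    def trace_incident(self, threat_id):
        # Root-cause trace: incident -> threat -> controls meant to stop it,
        # with whether each control had actually been implemented.
        return [(m.control, m.implemented) for m in self.mitigations
                if threat_id in m.threats]


def sample_model():
    """Constructed sample data standing in for a real inventory and threat model."""
    return DefenseModel(
        assets=[
            Asset("payroll-db", crown_jewel=True, defensive_plan=True),
            Asset("vpn-gateway", adversary_interest=True, defensive_plan=True),
            Asset("build-server", adversary_interest=True),
            Asset("wiki"),  # out of scope: neither crown jewel nor targeted
        ],
        threats=[
            Threat("T1", "payroll-db", "Stolen admin credentials reused against the database"),
            Threat("T2", "vpn-gateway", "Password spraying against remote-access logins"),
            Threat("T3", "build-server", "Unpatched CI agent reachable from the internal network"),
            Threat("T4", "payroll-db", "Bulk data export over unmonitored egress"),
        ],
        mitigations=[
            Mitigation("MFA on privileged and remote accounts", ["T1", "T2"], implemented=True),
            Mitigation("Monthly patch cadence for CI agents", ["T3"]),
            Mitigation("Egress monitoring and export alerting", ["T4"]),
        ],
    )


if __name__ == "__main__":
    model = sample_model()
    print("in-scope assets with a plan:", model.metric_assets_with_plan(), "%")
    print("in-scope assets requiring mitigation:", model.metric_assets_requiring_mitigation(), "%")
    print("identified threats mitigated:", model.metric_threats_mitigated(), "%")
    print("controls expected to stop T4:", model.trace_incident("T4"))
```

The scoring is deliberately strict: a planned but unimplemented control does not count toward "% of Identified Threats Mitigated", which is what makes the metric useful as a resilience threshold rather than a statement of intent. The `trace_incident` lookup is the root-cause link described at the top of the page: given the threat an incident realized, it returns the controls that were supposed to cover it and whether they were in place.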
## Inspiration & Resources
+ https://www.mitre.org/sites/default/files/publications/characterizing-effects-cyber-adversary-13-4173.pdf
+ [Microsoft Security Development Lifecycle Threat Modeling](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling)
+ [Threat Modeling | OWASP Foundation](https://owasp.org/www-community/Threat_Modeling)
+ [Threat Modeling: 12 Available Methods (cmu.edu)](https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/)
+ [Introduction to the OCTAVE Approach (cmu.edu)](https://insights.sei.cmu.edu/library/introduction-to-the-octave-approach/)
+ [OWASP Threat Dragon | OWASP Foundation](https://owasp.org/www-project-threat-dragon/)
+ [Trike | octotrike.org](https://www.octotrike.org/)
+ [Writing Secure Software: PASTA Process for Attack Simulation and threat analysis (PASTA) Risk-centric Threat Modeling](https://securesoftware.blogspot.com/2012/09/rebooting-software-security.html)
+ [D3FEND Matrix | MITRE D3FEND™](https://d3fend.mitre.org/)
[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.