PASTA Threat Methodology
What Is PASTA?
The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step methodology for simulating attacks that combines an attacker-centric technical analysis with assessing and minimizing business risks and impacts. Developed in 2015 to address shortcomings found in other threat modeling frameworks, PASTA is designed to be scalable and adaptable to the needs of growing businesses. PASTA has become increasingly popular among organizations for its more intensive and strategic approach to threat modeling.
What Are the Elements of PASTA?
PASTA consists of seven distinct phases:
- Define objectives: identify the business objectives of what is being modeled, including compliance, regulatory and standards requirements
- Define technical scope: outline system components, their relationships and interdependencies with one another, and the attack surface
- Decomposition and analysis: explore the internal system structure, including computational and data components, to understand how they interact in the context of use cases, user roles, and permissions
- Threat analysis: uncover real-world threats and how they relate to the attack surface, based on lists of known attacks, threat intelligence, and analyst insights
- Vulnerabilities and weaknesses analysis: detail system and data flows for weak points in implementation, including faulty code, with penetration testing and lists of known vulnerabilities
- Modeling and simulation: create visual models (such as an attack tree) to show the required process steps for successful attacks
- Risk impact analysis: summarize the findings from the previous six steps and contextualize business risks to mitigate security gaps and manage other issues
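An added example (not from the page or from any PASTA tooling) showing how phases 6 and 7 fit together: an attack tree whose OR nodes take the most likely branch and whose AND nodes require every step, a root risk score that multiplies the propagated likelihood by a business-impact score, and a ranking of which single mitigation lowers that risk the most. The leaf likelihoods, the 1-10 impact scale and the sample tree are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    """Attack-tree node: a leaf step, or an OR/AND combination of child steps."""
    name: str
    kind: str = "leaf"                    # "leaf", "or" or "and"
    likelihood: float = 0.0               # analyst estimate in [0, 1]; leaves only
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False               # True once a control blocks this step

def likelihood(node: Node) -> float:
    """Phase 6: propagate leaf likelihoods to the root. OR = easiest branch wins (max);
    AND = every step must succeed (product). A mitigated step contributes 0."""
    if node.mitigated:
        return 0.0
    if node.kind == "leaf":
        return node.likelihood
    vals = [likelihood(c) for c in node.children]
    if node.kind == "or":
        return max(vals, default=0.0)
    if node.kind == "and":
        p = 1.0
        for v in vals:
            p *= v
        return p
    raise ValueError(f"unknown node kind {node.kind!r}")

def risk(root: Node, impact: float) -> float:
    """Phase 7: risk = root likelihood x business impact (constructed 1-10 scale)."""
    return likelihood(root) * impact

def leaves(node: Node) -> List[Node]:
    return [node] if node.kind == "leaf" else [l for c in node.children for l in leaves(c)]

def rank_mitigations(root: Node, impact: float) -> List[Tuple[str, float]]:
    """Rank each leaf by how much mitigating it alone lowers the root risk."""
    base, ranked = risk(root, impact), []
    for leaf in leaves(root):
        leaf.mitigated = True
        ranked.append((leaf.name, round(base - risk(root, impact), 4)))
        leaf.mitigated = False
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed sample tree (not from the page): goal is unauthorized access to customer records.
SAMPLE = Node("Access customer records", "or", children=[
    Node("Use stolen credentials", "and", children=[
        Node("Obtain valid credentials", likelihood=0.4), Node("Defeat second factor", likelihood=0.2)]),
    Node("Exploit known vulnerability in public app", likelihood=0.3)])
IMPACT = 8.0  # constructed business-impact score for the customer-records asset
```

Because the AND branch already needs two steps, mitigating either of its leaves changes nothing while the single-step OR branch dominates, which is the kind of prioritization phase 7 is meant to surface.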
How Is PASTA Implemented?
PASTA is designed to be compatible with agile and DevOps workflows, which enables ongoing risk assessment throughout the software development lifecycle. Like other threat modeling frameworks, it requires a collaborative, cross-functional approach involving stakeholders from across the business. Workshops are used to define objectives and scope, with security teams taking the lead on subsequent analyses and modeling. Finally, risk impact analysis is conducted with a cross-organizational lens, resulting in asset-centric outputs.
What Are the Benefits of the PASTA Model?
PASTA is primarily noted for its comprehensive, business-centric application, which requires both broad stakeholder buy-in and deep dives into risk and impact analysis. PASTA’s focus on attack vectors and emphasis on evidence-based threat modeling creates a rich, realistic assessment of potential threats. As such, its methodology elevates threat modeling from a software-only process to a strategic business exercise.
What Are the Shortcomings of the PASTA Model?
PASTA is complex to execute and resource-intensive, which can inhibit scaling and development agility. It is also data-reliant, requiring quality information about systems, their components, and the threats they face. However, PASTA’s biggest shortcoming may be that it provides only limited guidance for mitigation strategies. Organizations embracing PASTA may need to enlist external help if in-house expertise is not sufficient.
Other Threat Modeling Frameworks
PASTA is one of a variety of threat modeling frameworks that are commonly used to identify and address potential vulnerabilities:
- OCTAVE: The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology focuses on quantitative risk weighting and organizational risks to protect assets. OCTAVE is a self-directed, customizable approach, but it leaves security strategy largely to internal IT teams and thus does not scale well.
- STRIDE: One of the first threat modeling frameworks, STRIDE was designed to help developers remember common security threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. STRIDE has many variants but remains restricted by its static framework and manual processes.
- Trike Threat Modeling: This open-source framework emphasizes stakeholder-defined risk, meaning that the assigned level of risk for each asset is acceptable to stakeholders. This approach requires a high level of expertise for its quantitative evaluations.
- VAST: Visual, Agile, and Simple Threat modeling provides an enterprise-centric view of risks using a dual-track system that provides visual models for application and operational analysis.
Factors to Consider with Threat Modeling Frameworks
In selecting a threat modeling framework (or frameworks), an organization should consider these questions, among others:
- Organizational goals: How intensive an assessment is required? What are the key must-haves and considerations for implementation?
- System complexity: How complex is the system in question—does it include multiple connected components or third-party integrations?
- Resource availability: How much staff time is currently available? Do you have enough participation for a proper cross-functional exercise? Is the right technical expertise available in-house?
- Technology requirements: How well does this framework integrate with existing tools and workflows? Are you able to support modern development methodologies with it?
In some cases, employing multiple frameworks can lead to more thorough assessments. However, to produce the best results, the chosen framework should offer a practical way to integrate, scale, and improve security postures with the least friction possible.
VAST: A Scalable Enterprise Threat Modeling Framework
The VAST framework, which serves as the foundation for the ThreatModeler platform, was created to address the shortcomings of manual and labor-intensive threat modeling processes. It offers the ability to handle both application and operational threat modeling to ensure comprehensive coverage and scalability. Like PASTA, VAST is business-centric, but unlike PASTA, VAST has lighter data and resource requirements while providing actionable guidance on mitigation strategies.