Microsoft Threat Assessment & Modeling

By Bozidar Spirovski | Nov 11, 2009 | Print this Page

Every organization has some form of Information Security Risk Assessment - some perform a formal risk assessment, others simply use their practical experience.

Whatever method is chosen, it always helps to use a tool which will assist the organization in performing the risk assessment in a controlled and reproducible manner.

The Tool

There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice.

Microsoft has also created MS Threat Assessment and Modeling - a tool that although designed for a slightly different purpose, can easily be used for Risk Assessment.

The Process

Performing risk assessment with MS TAM is easy once you understand the components and the process.
Components of the MS TAM Analysis:

  • Roles – Functional Identities involved in the assessed process/system; these can include both service identities and human identities
  • Components – System elements used in the involved in the assessed process/system – most commonly servers or subsystems
  • Data – Data stored and processed in the involved in the assessed process/system – in effect ANYTHING THAT TRAVERSES THE components
  • External Dependencies – Any external elements including data, components or roles from other processes or systems
  • Use Cases – the steps involved in operating the system/performing the process
  • Relevancies – characteristics attributed to any component that relevant to the components method of operation and open a possible vector of attack
  • Attacks – methods of compromising or destroying a component via misuse of characteristics of one or several relevancy attributed to the component
  • Threats - the assessed threats to the system. This component will be used to generate and assess the risks

The Process Consists of Six Steps/Phases

  • Step 0 – Before starting anything, know your system/process/company. You will need to simulate and configure all relevant elements of the assessed system/process/company.
  • Step 1 – Define Roles - Define the logical groups of users involved in the system/process/company that is assessed
  • Step 2 – Define Components and Data - These are the building blocks of the system/process. Data traverses components and is accessed by users and components
  • Step 3 – Update and Define Relevancies - Create or update relevant attributes that define behavior of a component. For instance, a relevancy is that a component uses power supply, therefore it is susceptible to the risk of power failure. Add new relevancies for your specific components
  • Step 4 – Update attacks - Attacks are methods of misusing relevancies. Update the current attacks with specific ones - if you have them. If you have created new relevancies, create the attacks that compromise them. For each attack, include countermeasures that mitigate this attack. For instance, if the attack is power supply brownout, one possible countermeasure is an in-line UPS that acts as a voltage stabilizer.
  • Step 5Define Use Cases and Calls- The Use cases are the steps in the process, or the way a system is operated/used. Without the use cases, the risk assessment cannot be performed. For instance, one use case for a mail server system is the reception of an e-mail from an external mail server (from the Internet).
  • Step 6 – Model Risks - After you have modeled your system, generate the Threats, and analyze them one by one to assess frequency and impact, and define countermeasures from the offered possibilities. At the end of the process, the finalized threats are the risks to your system.

NOTE: It's very important to be very meticulous about the relevancies – the attributes of the components. Choosing well in this step allows good modeling of attacks and the more automated risk model is created

The Results

After completing the process, the end result is the report set. The MS TAM has a predefined set of reports.

Since MS TAM is primarily targeted at software development, the generic reports may be found to be lacking.

The most useful report is the comprehensive report, which includes nearly all information. But it is still lacking a report which summarizes the risk assessment parameters:

  1. Impact
  2. Probability
  3. Risk Rating
  4. Risk Response
  5. Countermeasures

To address this, Shortinfosec has created a custom report for MS TAM 2.1 which can be downloaded here.

Just place the file in the MS_TAM_INSTALL_FOLDER\Graphics\Reports\Custom and choose Custom Reports, risk_report.xslt


MS Threat Assessment and Modeling 2.1.2 may not be the best tool for Risk Assessment. It may not match your Risk assessment methodology to the letter, nor does it deliver the final result out of the box.

But unless you have a better tool, it is very usable, since it controls the process, and with MS TAM you will always follow the mindset of risks, threats and impact.

And of course, until you have a better product, use the one that is readily available!