@syncom
Last active July 10, 2019 23:56
The GTM method for risk documentation

The Goal-Threat-Mitigation (GTM) Method for Documenting Security Risks

The Goal-Threat-Mitigation (GTM) method is a framework for documenting security risk analysis (SRA). It is meant to be simple, scientific, and yet scalable with respect to the size of the scenario to analyze. The artifact of GTM is a document/write-up that consists of the following sections.

  1. System overview (or scenario description)

    This is where we define the problem space, describe the use case scenarios, and discuss and highlight system components that are the most relevant to the risk analysis.

  2. Security goals

    Security goals are the properties we would like to have or preserve for the assets we have identified. A good way of thinking about these security-relevant properties is the CIA triad: confidentiality, integrity, and availability. Example:

    • [G1] The confidentiality (property) of kernel address space layout (asset)
    • [G2] The integrity of audit logs
    • [G3] The availability of a cryptographically strong random number generator

  3. Threats (or attacks) with assessment of risk

    A threat or an attack is an operation or a series of operations, performed by an entity (or entities), that compromises one or multiple security goals. Example:

    • [T1] An unprivileged user-space program can learn the kernel stack layout by reading leaked kernel pointer values from the /proc file system.
      • This threat compromises Security Goal G1
      • The risk rating of the threat is medium

    The author of the GTM document may also add a more detailed description of the threat/attack.

  4. Mitigations with assessment of residual risk

    The four ways to address a threat can be abbreviated as ACTS:

    • Accept the risk associated with a threat, and take no further action
    • Control the threat by providing a (usually technology-based) mechanism that makes the compromise harder to achieve.
    • Transfer the risk associated with a threat to another entity
    • Suppress the threat by removing the feature that introduces it

    Usually, and in a narrow sense, by "mitigation" we mean a mechanism that controls a threat. In a broad sense, a mitigation can refer to any of the four ways above. A mitigation may counter one or multiple threats. Multiple mitigations may be used to counter one (or multiple) threats. Example:

    • [M1] Enable kptr_restrict and use %pK to print out kernel pointer values
      • This mitigates Threat T1
      • The residual risk rating after this mitigation is applied is medium (because kptr_restrict requires developer opt-in and is easy to bypass)

Note that the decision to address threats needs to be made and documented separately from the security risk assessment. The GTM is a tool to help guide the decision making.
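The four sections above are a data structure with cross-references (a threat cites the goals it compromises, a mitigation cites the threats it counters and its residual risk), so the consistency of a GTM write-up can be checked mechanically. The following is an added example, not code from the gist or its author: a small Python model that indexes goals, threats and mitigations by id, reports dangling references, out-of-scale ratings and threats no ACTS decision has been recorded for, and renders the four sections. The three-level rating scale, the class and function names, and the overview sentence are assumptions; the G1-G3, T1 and M1 entries are the gist's own example entered as data.

```python
# Added example (not from the gist): a small data model for a GTM write-up that
# checks the cross-references the method relies on and renders the four sections.
from dataclasses import dataclass, field
from typing import Dict, List

RISK_LEVELS = {"low": 0, "medium": 1, "high": 2}     # ordered rating scale (assumed)
ACTS = {"accept", "control", "transfer", "suppress"}  # the four ways to address a threat

@dataclass
class Goal:
    id: str
    prop: str   # security property, e.g. "confidentiality"
    asset: str  # asset the property applies to

@dataclass
class Threat:
    id: str
    description: str
    compromises: List[str]  # goal ids
    risk: str               # rating before any mitigation

@dataclass
class Mitigation:
    id: str
    description: str
    mitigates: List[str]     # threat ids
    residual_risk: str       # rating after this mitigation is applied
    action: str = "control"  # one of ACTS; "mitigation" in the narrow sense is "control"

def by_id(*items):
    table = {item.id: item for item in items}
    if len(table) != len(items):  # ids must be unique to be citable (G1, T1, M1 ...)
        raise ValueError("duplicate id")
    return table

@dataclass
class GTMDocument:
    overview: str
    goals: Dict[str, Goal] = field(default_factory=dict)
    threats: Dict[str, Threat] = field(default_factory=dict)
    mitigations: Dict[str, Mitigation] = field(default_factory=dict)

def validate(doc: GTMDocument) -> List[str]:
    """Return a list of consistency problems; an empty list means the write-up is well-formed."""
    problems = []
    for t in doc.threats.values():
        if not t.compromises:
            problems.append(f"{t.id}: compromises no security goal")
        problems += [f"{t.id}: references undefined goal {g}" for g in t.compromises if g not in doc.goals]
        if t.risk not in RISK_LEVELS:
            problems.append(f"{t.id}: unknown risk rating {t.risk!r}")
    for m in doc.mitigations.values():
        if m.action not in ACTS:
            problems.append(f"{m.id}: action {m.action!r} is not one of ACTS")
        if m.residual_risk not in RISK_LEVELS:
            problems.append(f"{m.id}: unknown residual risk rating {m.residual_risk!r}")
        for tid in m.mitigates:
            t = doc.threats.get(tid)
            if t is None:
                problems.append(f"{m.id}: references undefined threat {tid}")
            elif (t.risk in RISK_LEVELS and m.residual_risk in RISK_LEVELS
                  and RISK_LEVELS[m.residual_risk] > RISK_LEVELS[t.risk]):
                problems.append(f"{m.id}: residual risk {m.residual_risk} exceeds {tid}'s risk {t.risk}")
    return problems

def unaddressed_threats(doc: GTMDocument) -> List[str]:
    """Threats no section-4 entry refers to: the decisions still to be made and documented."""
    covered = {tid for m in doc.mitigations.values() for tid in m.mitigates}
    return sorted(tid for tid in doc.threats if tid not in covered)

def render(doc: GTMDocument) -> str:
    """Render the four GTM sections as plain text."""
    out = ["1. System overview", "", doc.overview, "", "2. Security goals", ""]
    out += [f"- [{g.id}] The {g.prop} of {g.asset}" for g in doc.goals.values()]
    out += ["", "3. Threats with assessment of risk", ""]
    for t in doc.threats.values():
        out += [f"- [{t.id}] {t.description}",
                f"  - Compromises: {', '.join(t.compromises)}", f"  - Risk rating: {t.risk}"]
    out += ["", "4. Mitigations with assessment of residual risk", ""]
    for m in doc.mitigations.values():
        out += [f"- [{m.id}] ({m.action}) {m.description}",
                f"  - Mitigates: {', '.join(m.mitigates)}", f"  - Residual risk rating: {m.residual_risk}"]
    return "\n".join(out)

# The gist's own G1-G3 / T1 / M1 example entered as data; the overview sentence is constructed.
EXAMPLE = GTMDocument(
    overview="Kernel pointer values that the Linux kernel exposes to unprivileged user space.",
    goals=by_id(Goal("G1", "confidentiality", "kernel address space layout"),
                Goal("G2", "integrity", "audit logs"),
                Goal("G3", "availability", "a cryptographically strong random number generator")),
    threats=by_id(Threat("T1", "An unprivileged user-space program can learn the kernel stack layout "
                         "by reading leaked kernel pointer values from the /proc file system.",
                         compromises=["G1"], risk="medium")),
    mitigations=by_id(Mitigation("M1", "Enable kptr_restrict and use %pK to print out kernel pointer "
                                 "values (residual risk stays medium: opt-in and easy to bypass)",
                                 mitigates=["T1"], residual_risk="medium")),
)
```

Calling `validate(EXAMPLE)` returns an empty list and `render(EXAMPLE)` prints the write-up in the section order used above; `unaddressed_threats` lists the threats for which no accept/control/transfer/suppress entry exists yet, which is the separate decision the closing note asks to be recorded. The residual-risk check only flags a rating that is higher than the threat's original rating, since M1 shows that a mitigation may legitimately leave the rating unchanged.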
