Cybersecurity Threat Modeling with OCTAVE

Let's say your job is to lead a task team to ensure the cybersecurity of an enterprise of over 300 employees. Your enterprise is a multi-layered hierarchy that maintains its own computing infrastructure and is able to run and assess vulnerability evaluations. Where should you start? What to do next? And how do you ensure you haven’t left any risk unexamined?

For a formidable task as this, it is imperative to have a systematic and tried-and-true approach. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) offers just that—it is a thorough and well-documented formal risk assessment framework that allows you to comprehensively and systematically assess and then address the IT risks of your organization.

OCTAVE is a flexible methodology that allows a small team consisting of personnel from operations and IT to work together to address the security needs of an organization. At its core, it helps the team elicit knowledge from employees in an organized and systematic manner to identify the current state of security, risks to critical assets, and set a security strategy. OCTAVE was developed in 2001 at Carnegie Mellon University (CMU) for the US Department of Defense, and therefore has been proven tried and true for two decades.

There are a couple variations on OCTAVE that are good to know in case the standard OCTAVE doesn’t fit your situation. There is OCTAVE-S, which is aimed at a situation where the analysis is performed by a team that has extensive knowledge of the organization, hence assumes there is no need for knowledge elicitation workshops. And there is OCTAVE Allegro, which is meant to be more streamlined and is even suitable for being managed by individuals without extensive organizational involvement. Note that even though chronologically Allegro came after S, which came after the original OCTAVE, none of these supplant the others. Each has its own merits and situations of applicability. In fact, there are some situations when a hybrid approach is most appropriate.

Note: Recently, OCTAVE Forte was announced, which is meant to be more adaptable and robust. You can learn more about it here.

In this guide, you will find a high-level overview of how to use OCTAVE. Really drilling down into the details of how to implement OCTAVE is involved enough to require several volumes and hundreds of pages. You can find these guides under OCTAVE-Related Assets on the CMU webpage:

For an intermediate level of detail, see the Pluralsight course Performing Threat Modeling with the OCTAVE Methodology.

Implementing the OCTAVE methodology consists of three phases.

Phase 1: Build Asset-Based Threat Profile. In this phase, the analysis team determines what information-related assets are important to the organization and how they are currently being protected. There are four processes in this phase. These are:

Process 1: Identify enterprise knowledge (e.g., create and distribute an asset questionnaire, gather knowledge from senior management)

Process 2: Identify operational area knowledge (e.g., create and distribute an asset questionnaire, gather knowledge from operational area management)

Process 3: Identify staff knowledge (e.g., create and distribute an asset questionnaire, gather knowledge from staff)

Process 4: Establish security requirements (e.g., combine the different perspectives from processes 1-3 to create a composite picture of assets and threats)

With Phase 1 complete, your team will have a well-researched list of security requirements.

Phase 2: Identify Infrastructure Vulnerabilities. The goal of this phase is to identify important infrastructure vulnerabilities as well as develop policies and practices that will address these vulnerabilities.

Process 5: Map high-priority information assets to information infrastructure (e.g., identify the configuration of the organization’s information infrastructure, examine data flows and all access paths)

Process 6: Perform infrastructure vulnerability evaluation (e.g., select intrusion scenarios and examine infrastructure)

Phase 3: Develop Security Strategy and Plans. In this phase, you will create a prioritized list of risks which will then be translated to an overarching security risk management strategy, to be used on a continual basis.

Process 7: Conduct multi-dimensional risk analysis (e.g., determine points of vulnerability in potential intrusion scenarios, examine assets exposed by the validated intrusion scenarios)

Process 8: Develop protection strategy (e.g., identify candidate mitigation approaches, develop a comprehensive plan to manage security risks)

Following the above phases, you will have a comprehensive security risk management plan to be used on a regular and ongoing basis. To learn more about OCTAVE, enroll in the Pluralsight course Performing Threat Modeling with the OCTAVE Methodology.