Threat modeling: Exploring the process and methodologies

What is threat modeling?

Threat modeling in cybersecurity means using hypothetical scenarios, system diagrams, and testing to help secure systems and data. By identifying security vulnerabilities, helping with risk assessment, and suggesting corrective action, threat modeling helps improve cybersecurity and build trust in key business systems.

However, threat modeling has applications beyond cybersecurity. In the most basic sense, it can mean listing threats that can disrupt business processes, such as earthquakes, floods, or theft, and finding ways to counter these threats.

How does the threat modeling work?

To build a threat model, you’d need to follow seven steps, which include listing your assets, identifying threats, and coming up with solutions.

1. Identify scope. Security is incredibly complex, so determine how deep into the organization’s security architecture you want to go. If you’re just starting with threat modeling, it may be best not to overcomplicate things.
2. Identify assets. List the assets inside the defined scope you want to protect. This can include software, hardware, and intellectual property.
3. Identify potential threats. Gather various stakeholders who can help run brainstorming sessions and identify potential threats such as hackers, malicious insiders, natural disasters, or technical failures.
4. Identify vulnerabilities. Identifying threats will likely give you many answers about which areas within the system and its design you should strengthen to protect your assets.
5. Assess risks. Although thinking about risks may not be pleasant, reviewing worst-case scenarios is a valuable exercise in evaluating the likelihood and potential impact of each identified threat targeting your business. Answering these tough questions will help you prioritize the vulnerabilities you should address.
6. Mitigate risks. Develop mitigation strategies and controls to address the identified risks. This can involve implementing security controls, improving system design, adding authentication mechanisms, applying encryption, or establishing incident response plans.
7. Validate and refine. Continuously validate the threat model by testing and verifying the effectiveness of the implemented mitigations. Update the threat model regularly as the system evolves or new threats and vulnerabilities emerge.

Why is threat modeling important?

Knowing the soft spots of your security system means knowing which threats are the most critical and must be prioritized. Threat modeling methods can help identify those risks and enable you to build an effective plan of action in case the system you use is ever at risk. Being prepared typically results in shorter downtime, minimal financial losses, and less damage overall.

The best part is that threat modeling tools are highly adaptable, which means they can be used in virtually any industry or business.

Benefits of threat modeling

Threat modeling is a simple and effective approach to improving security. However, its benefits depend on individual circumstances, so building a threat model may not always be the best solution for your business. On the other hand, some of the threat modeling benefits are universal and can apply to companies of all industries and sizes.

Efficiency

The threat modeling process requires input from many stakeholders, but when done correctly, it invites collaboration. As a result, evaluating and prioritizing risk can be performed much faster compared to other methods. Due to threat modeling’s simplicity, you can review and fix various issues before they have the chance to cause harm.

A big-picture view of your business risks

Threat modeling includes assessing possible risks and asset prioritization, providing a bird’s-eye view of the entire organization and its partners. Knowing the risks associated with your business helps you implement effective cyber threat monitoring solutions.

Easier compliance

Many industries have specific regulatory requirements related to security and privacy, such as the GDPR and HIPAA. By applying threat modeling methodologies, organizations can identify and address specific risks such as data breaches.

Better security

Threat modeling aids in constructing more secure applications. It allows you to design a tailored security strategy uniquely suited for your product rather than relying on broad security measures. By identifying potential vulnerabilities and averting coding errors, you can protect your application from potential hacks, ultimately leading to a more robust product.

Saved costs

Early identification of security issues during the development stage can result in substantial cost savings. By being proactive in risk management, you can dodge the costly aftermath of security breaches, legal implications, and reputational harm that can stem from ignored security weak points.

Threat modeling methodologies

Threat modeling methodologies vary widely, so make sure to take your time and find the one that’s right for you.

Security cards

In 2013, Tamara Denning, Batya Friedman, and Tadayoshi Kohno from the University of Washington developed a unique deck of cards aimed at exploring the four dimensions of security: the adversary’s motives, resources, methods, and human impact. While not exhaustive, this approach offers a practical way to prompt meaningful discussions about the system under development and specific examples of potential threats.

STRIDE

STRIDE, created by Praerit Garg and Loren Kohnfelder, is a mnemonic to help you remember the most common threats you should be prepared for:

1. Spoofing, or pretending to be someone else.
2. Tampering, or changing the data without other people’s knowledge or permission.
3. Repudiation, or making sure we know the actions taken in our system.
4. Information disclosure, or allowing unauthorized access to confidential information.
5. Denial of service, or preventing third parties from using our resources.
6. Elevation of privilege, or gaining unauthorized access to systems and resources.

DREAD

Just like STRIDE, DREAD is a mnemonic designed to help prioritize threats based on specific criteria and assign them scores to determine their relative risk levels:

1. Damage. How bad would an attack be?
2. Reproducibility. How easy is it to reproduce the attack?
3. Exploitability. How much work is it to launch the attack?
4. Affected users. How many people will be impacted?
5. Discoverability. How easy is it to discover the threat?

Using DREAD, you can assess threats by rating each of the five categories, while the sum of all ratings would give you a natural priority list for all threats. Keep in mind that Microsoft stopped using the DREAD model in 2008 because rating can be subjective and inconsistent.

PASTA

PASTA, or process for attack simulation and threat analysis, is a seven-step, risk-centric approach. Here are its steps:

1. Define objectives. What is your business trying to achieve?
2. Define technical scope. What does the story map for your goals look like?
3. Application decomposition. Breaking the application architecture into its deployable artifacts.
4. Threat analysis. Consider the threats to your application security.
5. Vulnerability and weaknesses analysis. Define areas to strengthen.
6. Attack modeling. Run attack scenarios and evaluate the results.
7. Risk and impact analysis. Prioritize solutions based on the results.

Kill chain

The cyber kill chain methodology focuses on preventing cyberattacks by breaking them down into seven common stages, which are:

1. Reconnaissance.
2. Weaponization.
3. Delivery.
4. Exploitation.
5. Installation.
6. Command and control.
7. Actions on objectives.

This method provides a roadmap that highlights the various stages an attacker must go through to complete a successful attack, helping you understand and prepare for the attacker’s tactics. For example, if you know that an attack against your system could use phishing, you can prepare by training your employees.

Threat modeling tools

With plenty of commercial and free products to choose from, picking the right one may seem like an impossible task. Just keep in mind that most threat modeling methodologies can be done with a sheet of paper or a whiteboard.

• Microsoft’s Threat Modeling tool. This tool a free app developers can use to create threat models. While it’s only available on Windows devices, its capabilities include automation, threat identification, integration with STRIDE, and data flow diagramming.
• ThreatModeler. Known as the first automated threat modeling tool for businesses, it can help you build software safely from code to deployment, offering features such as asset management, threat libraries, automated report generation, and integration with development tools.
• OWASP Threat Dragon. Threat Dragon is another open-source threat modeling tool that helps you mitigate potential risks, but it also draws diagrams allowing you to see vulnerable areas more clearly. Threat Dragon supports CIA, STRIDE, and LINDDUN and is available both as a desktop version (Windows, macOS, Linux) and a web app.
• Security Compass. SDElements by Security Compass is a web-based threat modeling tool created in 2011. Its Balanced Development Automation (BDA) helps companies develop secure applications by automating some critical but labor intensive manual processes.
• IriusRisk. IriusRisk is a strong, web-based threat modeling and SDL risk management platform that helps ensure security is built into the design process and carried through to production. With its free version, IriusRisk Community Edition, you can use templates to quickly model threats and manage steps to respond.

The best practices of threat modeling

If you’re planning to implement threat modeling in your organization, you should:

• Consider different methodologies and ways to implement them in your organization. Start as early in the development stage as possible so you can address all your security concerns during the system’s creation phase.
• Define threat modeling scope and objectives. It’s important to involve all stakeholders in this step because each can bring a unique insight and perspective that would contribute to a more comprehensive threat assessment.
• Document every step, including identifying threats, vulnerabilities, and mitigation strategies. This will help improve communication between stakeholders and, later, create a thorough threat model.
• Perform threat modeling regularly, especially if significant changes have been made within the system.