While it may sound impossible, you can prepare for virtually anything. Threat modeling, one of various risk-assessment methodologies, can help you identify threats and find ways to deal with them efficiently. Here’s everything you need to know about how threat modeling works and how you can use it in your business.
What is threat modeling?
Threat modeling is the process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data. By identifying vulnerabilities, helping with risk assessment, and suggesting corrective action, threat modeling helps improve cybersecurity and trust in key business systems.
But threat modeling has applications beyond cybersecurity. In the most basic sense, it can mean listing threats that can disrupt business processes, such as earthquakes, floods, or theft, and finding ways to counter them.
Benefits of threat modeling
Threat modeling is a simple and effective approach to improving security, but because its benefits can depend on individual circumstances, it may not be the best risk assessment method for your business. However, some of its benefits are universal and apply to businesses of all industries and sizes.
The threat modeling process requires input from many stakeholders, but when done correctly, it invites collaboration. As a result, risk evaluation and prioritization can be performed much faster compared to other methods. Moreover, due to its simplicity, you can review and fix various issues before they have the chance to cause harm.
A big-picture view of your business risks
Threat modeling includes assessing possible risks and prioritizing assets, so it provides a bird’s eye view of the entire organization and its partners. It helps you assess the risks associated with your business and create solutions specific to your situation.
Many industries have specific regulatory requirements related to security and privacy, such as the GDPR and HIPAA. By applying threat modeling methodologies, organizations can identify and address specific risks such as data breaches.
Threat modeling aids in constructing a more secure application. It allows you to design a tailored security strategy uniquely suited for your product rather than relying on broad security measures. By identifying potential vulnerabilities and averting coding errors, you can protect your application from potential hacks, ultimately leading to a more robust product.
Early identification of security issues during the development stage can result in substantial cost savings. By being proactive in risk management, you can dodge the costly aftermath of security breaches, legal implications, and reputational harm that can stem from ignored security weak points.
How does threat modeling work?
As you’ll see, threat modeling is adaptable because it consists of many methodologies. But in the simplest terms, you list your assets, identify threats, and come up with solutions.
How threat modeling works:
- Identify scope. Security is incredibly complex, so determine how deep into the organization’s security architecture you want to go. If you’re just starting with threat modeling, it may be best not to overcomplicate things.
- Identify assets. List the assets inside the defined scope you want to protect. This can include software, hardware, and intellectual property.
- Identify potential threats. Gather various stakeholders who can help run brainstorming sessions and identify potential threats such as hackers, malicious insiders, natural disasters, or technical failures.
- Identify vulnerabilities. Identifying threats will likely give you many answers about which areas within the system and its design you should strengthen to protect your assets.
- Assess risks. Thinking about risks may not be pleasant, but going over worst-case scenarios is a valuable exercise for evaluating the likelihood and potential impact of each identified threat. Answering these tough questions honestly will help you prioritize the vulnerabilities you should address.
- Mitigate risks. Develop mitigation strategies and controls to address the identified risks. This can involve implementing security controls, improving system design, adding authentication mechanisms, applying encryption, or establishing incident response plans.
- Validate and refine. Continuously validate the threat model by testing and verifying the effectiveness of the implemented mitigations. Update the threat model regularly as the system evolves or new threats and vulnerabilities emerge.
Threat modeling examples
Since threat modeling is such an adaptable method, you can apply it to virtually any industry or business. But that also means that mobile application threat modeling differs from cloud security, blockchain, or supply-chain threat modeling.
Let’s take online commerce as an example. Online shop customers trust the shop with private information such as passwords and payment details, so the business owner needs to know how to protect it. Using threat modeling, they’ll first list out all the ways a hacker might break in, such as a man-in-the-middle attack. Then, they’ll need to come up with a game plan to stop these attacks — using a strong firewall, for example.
Threat modeling can also apply to your home. The fast-emerging smart home technologies and Internet of Things (IoT) gadgets, as cool as they are, can open up your home network to hacking. So the developers of these technologies must identify ways someone could exploit these gadgets and find ways to ensure your new sound system or smart light bulb doesn’t weaken wireless network security overall. For example, they can push regular updates to fix bugs quickly.
The most common threats identified through threat modeling
Threat modeling requires a lot of work. Is it worth all that effort? For sure. It can help you identify a wide range of potential threats to your system and its architecture. Here are some examples of common threats you can identify with threat modeling:
- Unauthorized access. You can identify areas that an attacker can exploit to gain unauthorized access to your system and sensitive data. For example, you can find that passwords can be cracked through brute force or identify a weak authentication mechanism.
- Privilege escalation. Similarly, threat modeling can help you identify ways your system’s authentication methods can be manipulated to gain higher privileges.
- Social engineering. Social engineering involves a variety of strategies, such as creating a convincing backstory, to deceive the target. It is used to gain sensitive information, access restricted areas, or manipulate the victim into compromising system security.
- Information disclosure. Information can be disclosed to unauthorized parties accidentally through error messages or insecure transmission of data.
- Denial-of-service attacks (DoS). These threats aim to disrupt the availability of a system by overwhelming it with excessive traffic or resource consumption. Using threat modeling, you may find that IP blocking is a suitable solution.
- Insider threats. Every company must consider that one of its employees or contractors could harm the organization, either intentionally or unintentionally.
Threat modeling methodologies
Threat modeling methodologies vary widely, so make sure to take your time and find the one that’s right for you.
In 2013, Tamara Denning, Batya Friedman, and Tadayoshi Kohno from the University of Washington developed a unique deck of cards aimed at exploring four dimensions of security: the adversary’s motives, resources, methods, and human impact. This approach, while not exhaustive, offers a practical way to prompt meaningful discussions about the system under development and specific examples of potential threats.
STRIDE, created by Praerit Garg and Loren Kohnfelder, is a mnemonic to help you remember the most common threats you should be prepared for:
- Spoofing, or pretending to be someone else.
- Tampering, or changing the data without other people’s knowledge or permission.
- Repudiation, or denying having performed an action, which is why we need to make sure we know the actions taken in our system.
- Information disclosure, or allowing unauthorized access to confidential information.
- Denial of service, or preventing third parties from using our resources.
- Elevation of privilege, or gaining unauthorized access to systems and resources.
Just like STRIDE, DREAD is a mnemonic designed to help prioritize threats based on certain criteria and assign them scores to determine their relative risk levels:
- Damage. How bad would an attack be?
- Reproducibility. How easy is it to reproduce the attack?
- Exploitability. How much work is it to launch the attack?
- Affected users. How many people will be impacted?
- Discoverability. How easy is it to discover the threat?
Using DREAD, you can assess threats by rating each of the five categories; the sum of all ratings then gives you a natural priority list for all threats. Keep in mind that Microsoft stopped using the DREAD model in 2008 because ratings can be subjective and inconsistent.
PASTA, or Process for Attack Simulation and Threat Analysis, is a seven-step, risk-centric approach. Here are its steps:
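As an added worked example (not code from the article), the following Python script scores a small threat register for the online-shop scenario described earlier. Each threat is labelled with its STRIDE category, rated on the five DREAD factors, and ranked by the sum of its ratings. Because the article notes that DREAD ratings can be subjective and inconsistent, the script takes ratings from more than one reviewer and flags threats where the reviewers disagree by more than a chosen amount on any single factor. The 1 to 10 rating scale, the reviewer names, the threat names, and every rating value are assumptions constructed for the example; the article fixes none of them.

```python
"""Constructed DREAD scoring example for the online-shop scenario (not the article's code)."""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    """STRIDE categories, used here only to label each threat."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privilege"


# The five DREAD factors; their ratings are summed to rank threats.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
# Assumed rating scale; the article does not fix one.
MIN_RATING, MAX_RATING = 1, 10


@dataclass
class Threat:
    name: str
    category: Stride
    # reviewer name -> {factor: rating}; several reviewers expose subjectivity
    ratings: dict


def validate_ratings(ratings: dict) -> None:
    """Reject missing factors or ratings outside the agreed scale."""
    for factor in DREAD_FACTORS:
        if factor not in ratings:
            raise ValueError(f"missing DREAD factor: {factor}")
        if not MIN_RATING <= ratings[factor] <= MAX_RATING:
            raise ValueError(f"{factor} rating {ratings[factor]} outside "
                             f"{MIN_RATING}-{MAX_RATING}")


def dread_score(ratings: dict) -> int:
    """Sum of the five factor ratings from one reviewer."""
    validate_ratings(ratings)
    return sum(ratings[f] for f in DREAD_FACTORS)


def consensus_score(threat: Threat) -> float:
    """Average of the per-reviewer DREAD sums."""
    sums = [dread_score(r) for r in threat.ratings.values()]
    return sum(sums) / len(sums)


def max_disagreement(threat: Threat) -> int:
    """Largest gap between reviewers on any single factor."""
    return max(
        max(r[f] for r in threat.ratings.values())
        - min(r[f] for r in threat.ratings.values())
        for f in DREAD_FACTORS
    )


def prioritize(threats: list, max_spread: int = 3) -> list:
    """Rank threats by consensus score; flag ones reviewers disagree on."""
    ranked = sorted(threats, key=lambda t: (-consensus_score(t), t.name))
    return [
        {
            "name": t.name,
            "category": t.category.value,
            "score": consensus_score(t),
            "needs_review": max_disagreement(t) > max_spread,
        }
        for t in ranked
    ]


# Constructed sample register for the online-shop scenario; all values are illustrative.
SAMPLE_THREATS = [
    Threat("Brute-force of customer passwords", Stride.SPOOFING, {
        "alice": dict(damage=7, reproducibility=9, exploitability=8, affected_users=6, discoverability=9),
        "bob":   dict(damage=6, reproducibility=9, exploitability=7, affected_users=6, discoverability=8),
    }),
    Threat("Man-in-the-middle on checkout traffic", Stride.INFORMATION_DISCLOSURE, {
        "alice": dict(damage=9, reproducibility=5, exploitability=4, affected_users=8, discoverability=6),
        "bob":   dict(damage=9, reproducibility=2, exploitability=2, affected_users=8, discoverability=2),
    }),
    Threat("Flooding the checkout API", Stride.DENIAL_OF_SERVICE, {
        "alice": dict(damage=5, reproducibility=8, exploitability=6, affected_users=9, discoverability=7),
        "bob":   dict(damage=5, reproducibility=8, exploitability=6, affected_users=9, discoverability=7),
    }),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_THREATS):
        flag = "  <- reviewers disagree, discuss before acting" if row["needs_review"] else ""
        print(f'{row["score"]:5.1f}  {row["category"]:<22} {row["name"]}{flag}')
```

Run as a script, it prints the register sorted from highest to lowest consensus score. The man-in-the-middle entry lands last but is flagged, because the two reviewers differ by four points on discoverability; that is exactly the kind of inconsistency the article warns about, and the flag turns it into a prompt for discussion rather than a silent averaging-away.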
- Define objectives. What is your business trying to achieve?
- Define technical scope. What does the story map for your goals look like?
- Application decomposition. Breaking the application architecture into its deployable artifacts.
- Threat analysis. Consider the threats to your application security.
- Vulnerability and weaknesses analysis. Define areas to strengthen.
- Attack modeling. Run attack scenarios and evaluate the results.
- Risk and impact analysis. Prioritize solutions based on the results.
The Kill Chain methodology focuses on preventing cyberattacks by breaking them down into seven common stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
This method provides a roadmap that highlights the various stages an attacker must go through to complete a successful attack, helping you understand and prepare for the attacker’s tactics. For example, if you know that an attack against your system could use phishing, you can prepare by training your employees.
Tools used in threat modeling
With plenty of commercial and free products to choose from, picking the right one may seem like an impossible task. Just keep in mind that most threat modeling methodologies can be done with a sheet of paper or a whiteboard.
- Microsoft’s Threat Modeling Tool. This tool is a free app that developers can use to create threat models. While it’s only available on Windows devices, its capabilities include automation, threat identification, integration with STRIDE, and data flow diagramming.
- ThreatModeler. Known as the first automated threat modeling tool for businesses, it can help you build software safely from code to deployment, offering features such as asset management, threat libraries, automated report generation, and integration with development tools.
- OWASP Threat Dragon. Threat Dragon is an open-source threat modeling tool that helps you mitigate potential risks and also draws diagrams, allowing you to see vulnerable areas more clearly. Threat Dragon supports CIA, STRIDE, and LINDDUN and is available both as a desktop version (Windows, macOS, Linux) and a web app.
- Security Compass. SDElements by Security Compass is a web-based threat modeling tool created in 2011. Its Balanced Development Automation (BDA) helps companies develop secure applications by automating some critical but labor-intensive manual processes.
- IriusRisk. IriusRisk is a strong, web-based threat modeling and SDL risk management platform that helps ensure security is built into the design process and carried through to production. With its free version, IriusRisk Community Edition, you can use templates to quickly model threats and manage steps to respond.
Threat modeling best practices
If you’re planning to implement threat modeling in your organization, you should first consider the different methodologies and how best to implement them. Whatever you decide, start as early in the development stage as possible. Using threat modeling from the very beginning will prevent hardships in the future because you’ll be able to address all your security concerns during the creation phase.
Also, make sure that you start a threat modeling session by defining its scope and objectives. While sometimes looking outside the box can help you find answers you weren’t looking for, without limits, things can get out of hand pretty fast. Moreover, it’s incredibly important to involve all the stakeholders because each brings unique insights and perspectives that contribute to a more comprehensive threat assessment.
Last, documenting every step, such as identified threats, vulnerabilities, and mitigation strategies, will help improve communication and support further improvement. Threat modeling should be handled as an iterative process that you need to perform regularly, especially if significant changes have occurred in the system.