What Is Threat Modeling?

Everything you need to know about threat modeling

Threat modeling is the process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data. By identifying vulnerabilities, helping with risk assessment, and suggesting corrective action, threat modeling helps improve cybersecurity and trust in key business systems.

Why is threat modeling necessary?

As organizations become more digital and cloud-based, IT systems face increased risk and vulnerability. The growing use of mobile and Internet of Things (IoT) devices also expands the threat landscape. And while hacking and distributed denial-of-service (DDoS) attacks repeatedly make headlines, threats can also come from within--from employees trying to steal or manipulate data, for example.

Smaller enterprises are not immune to attacks either. In fact, they may be more at risk because they don't have adequate cybersecurity measures in place. Malicious hackers and other bad actors make risk assessments of their own and look for easy targets.

What are the benefits of threat modeling?

The process of threat modeling can:

  • Provide an enhanced view of systems. The steps involved in threat modeling--creating data flow diagrams (DFDs) and graphical representations of attack paths, as well as prioritizing assets and risks--help IT teams gain a deeper understanding of network security and architecture.

  • Help enable better collaboration on security. Proper threat modeling requires input from many stakeholders. Participating in the process can help instill cybersecurity consciousness as a core competency for all participants.

  • Facilitate risk prioritization. Businesses can use the threat data provided by modeling to make decisions about which security risks to prioritize--a helpful process for understanding where to allocate people and budget resources.

Does threat modeling require special software?

While basic threat modeling can be performed in a brainstorming session, larger enterprises with more potential vulnerabilities can use software and hardware tools to improve the security of complex systems with multiple points of entry. Software helps provide a framework for managing the process of threat modeling and the data it produces. It can also help with risk and vulnerability assessment and suggest remediation.

What is involved in the threat modeling process?

Steps involved in threat modeling include:

  • Identify assets. An asset could be account data, intellectual property, or simply the reliable functioning of a system.

  • Diagram the system. DFDs provide a high-level, asset-centric view of systems and the data flows of attacks. An attack tree, or graphic representation of an attack path, illustrates the possible origins and paths of attacks.

  • Analyze threats. Use threat modeling methods such as STRIDE, ASF, and DREAD to further analyze specific threat types, identify potential threats, map data flows, and quantify risk.

  • Perform risk management and prioritization. Many threat modeling tools produce threat scores and data for calculating risk. Stakeholder input is essential to this step.

  • Identify fixes. Once you identify the areas, assets, or threats that matter most to the organization, the next steps may be apparent. Changing firewall, encryption, or multi-factor authentication settings are examples of steps to address a threat.

Threat modeling methods and tools

CIA method

As a starting point, use the CIA (confidentiality, integrity, availability) method to define what needs protection in the organization. For example, there may be sensitive customer information (confidentiality), company operational or proprietary data (integrity), or reliability of a service such as a web portal (availability).


Attack trees

Attack trees are charts that display the paths that attacks can take in a system. These charts display attack goals as a root with possible paths as branches. When creating trees for threat modeling, multiple trees are created for a single system, one for each attacker goal.

This is one of the oldest and most widely used threat modeling techniques. This kind of approach is often included as part of internal reviews of data flow when examining vendor risk and the interoperability of systems like web, CRM, back-end data, etc. While once used alone, it is now frequently combined with other methodologies, including PASTA, CVSS, and STRIDE.
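
The structure described above can be evaluated mechanically. The following is an added example, not part of the original page: one tree for one attacker goal, with OR and AND branches, used to find the cheapest path that is still open and to show how a single control changes it. The node names, effort numbers, and the backup-encryption control are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "OR": any child suffices, "AND": all children needed
    cost: int = 0             # relative attacker effort (leaves only, constructed)
    mitigated: bool = False   # True when a control blocks this leaf
    children: list = field(default_factory=list)

def cheapest_path(node):
    """Return (cost, leaf names) of the cheapest open path, or None if blocked."""
    if node.kind == "LEAF":
        return None if node.mitigated else (node.cost, [node.name])
    results = [cheapest_path(child) for child in node.children]
    if node.kind == "AND":
        if any(r is None for r in results):
            return None       # one blocked step closes the whole branch
        return (sum(r[0] for r in results), [n for r in results for n in r[1]])
    open_paths = [r for r in results if r is not None]
    return min(open_paths, key=lambda r: r[0]) if open_paths else None

def build_tree(backup_encrypted=False):
    """Constructed tree for one attacker goal: read customer records."""
    return Node("Read customer records", "OR", children=[
        Node("Log in as staff", "AND", children=[
            Node("Staff password obtained", cost=3),
            Node("MFA bypassed", cost=8)]),
        Node("Query database directly", "AND", children=[
            Node("Database network reached", cost=5),
            Node("Database login obtained", cost=7)]),
        Node("Unencrypted backup read", cost=4, mitigated=backup_encrypted),
    ])

if __name__ == "__main__":
    # Compare the weakest remaining path before and after encrypting backups
    for encrypted in (False, True):
        print("backup encrypted:", encrypted, cheapest_path(build_tree(encrypted)))
```

Encrypting the backup closes the cheapest branch, and the next control to review becomes the staff login path.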


STRIDE

STRIDE is a threat model, created by Microsoft engineers, which is meant to guide the discovery of threats in a system. It is used along with a model of the target system. This makes it most effective for evaluating individual systems.

STRIDE is an acronym for the types of threats it covers, which are:

  • Spoofing — a user or program pretends to be another

  • Tampering — attackers modify components or code

  • Repudiation — threat events are not logged or monitored, so actions cannot later be traced to whoever performed them

  • Information disclosure — data is leaked or exposed

  • Denial of service (DoS) — services or components are overloaded with traffic to prevent legitimate use

  • Elevation of Privilege — attackers grant themselves additional privileges to gain greater control over a system
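
Applying STRIDE to a model of the target system, as an added example that is not part of the original page: each element of a small data flow diagram is paired with the categories that apply to its type, producing a review worklist. The element-type mapping is the commonly used STRIDE-per-element chart (an assumption, since the page lists only the categories), and the diagram elements are constructed.

```python
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of Privilege"}

# STRIDE-per-element chart (assumption: not given on the page)
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_store": "TID", "data_flow": "TID"}

# Constructed model of a small web portal: (element name, type, holds_logs)
DFD = [
    ("Customer", "external_entity", False),
    ("Web portal", "process", False),
    ("Order database", "data_store", False),
    ("Audit log", "data_store", True),
    ("Customer -> Web portal", "data_flow", False),
    ("Web portal -> Order database", "data_flow", False),
]

def enumerate_threats(dfd):
    """Return (element, category) pairs the team must review for this model."""
    threats = []
    for name, kind, holds_logs in dfd:
        if kind not in APPLIES:
            raise ValueError(f"unknown element type {kind!r} for {name!r}")
        letters = APPLIES[kind]
        # Repudiation applies to a data store only when it keeps audit records
        if kind == "data_store" and holds_logs:
            letters += "R"
        threats += [(name, STRIDE[letter]) for letter in letters]
    return threats

def elements_exposed_to(category, threats):
    """List the elements that need a review for one STRIDE category."""
    return [name for name, cat in threats if cat == category]

if __name__ == "__main__":
    worklist = enumerate_threats(DFD)
    print(len(worklist), "element/category pairs to review")
    for category in STRIDE.values():
        print(f"{category}: {elements_exposed_to(category, worklist)}")
```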


PASTA

PASTA is an attacker-centric methodology with seven steps. It is designed to correlate business objectives with technical requirements. PASTA’s steps guide teams to dynamically identify, count, and prioritize threats.

The steps of a PASTA threat model are:

  1. Define business objectives

  2. Define the technical scope of assets and components

  3. Application decomposition and identify application controls

  4. Threat analysis based on threat intelligence

  5. Vulnerability detection

  6. Attack enumeration and modeling

  7. Risk analysis and development of countermeasures


Trike

Trike is a security audit framework for managing risk and defense through threat modeling techniques. Trike defines a system, and an analyst enumerates the system’s assets, actors, rules, and actions to build a requirement model. Trike generates a step matrix with columns representing the assets and rows representing the actors. Every matrix cell has four parts to match possible actions (create, read, update, and delete) and a rule tree — the analyst specifies whether an action is allowed, disallowed, or allowed with rules.

Trike builds a data-flow diagram mapping each element to the appropriate assets and actors with the requirements defined. The analyst uses the diagram to identify denial of service (DoS) and privilege escalation threats.

Trike assesses attack risks using a five-point probability scale for each CRUD action and actor. It also evaluates actors based on their permission level for each action (always, sometimes, or never).
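
A requirement model in the shape described above, as an added example that is not part of the original page or of the Trike tooling: actors as rows, assets as columns, and a four-part CRUD cell per pair. The actors, assets, and policies are constructed, and the derivation rule is an assumption: an allowed action yields a denial of service threat (the actor is prevented from doing it), while a disallowed or rule-bound action yields a privilege escalation threat (the actor does it anyway).

```python
ACTIONS = ("create", "read", "update", "delete")
ALLOW, DENY, RULES = "allowed", "disallowed", "allowed with rules"

# Constructed matrix: rows are actors, columns are assets,
# each cell holds the policy for create, read, update, delete in that order
MATRIX = {
    "customer": {"order": (RULES, RULES, RULES, DENY),
                 "price_list": (DENY, ALLOW, DENY, DENY)},
    "clerk":    {"order": (DENY, ALLOW, RULES, DENY),
                 "price_list": (DENY, ALLOW, DENY, DENY)},
    "admin":    {"order": (DENY, ALLOW, ALLOW, ALLOW),
                 "price_list": (ALLOW, ALLOW, ALLOW, ALLOW)},
}

def derive_threats(matrix):
    """Turn every matrix cell into the threats an analyst has to assess."""
    threats = []
    for actor, row in matrix.items():
        for asset, cell in row.items():
            # Reject incomplete cells so no action is silently left unreviewed
            if len(cell) != 4 or any(p not in (ALLOW, DENY, RULES) for p in cell):
                raise ValueError(f"bad cell for {actor}/{asset}: {cell!r}")
            for action, policy in zip(ACTIONS, cell):
                if policy in (ALLOW, RULES):   # intended action could be blocked
                    threats.append(("denial of service", actor, action, asset))
                if policy in (DENY, RULES):    # action done outside the policy
                    threats.append(("privilege escalation", actor, action, asset))
    return threats

def count_by_type(threats):
    """Summarise the worklist per threat type."""
    counts = {}
    for kind, *_ in threats:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    found = derive_threats(MATRIX)
    print(count_by_type(found))
    for threat in found[:5]:
        print(threat)
```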


Visual, Agile, and Simple Threat (VAST)

Visual, Agile, and Simple Threat (VAST) is an automated threat modeling method built on the ThreatModeler platform. Large enterprises implement VAST across their entire infrastructure to generate reliable, actionable results and maintain scalability.

VAST can integrate into the DevOps lifecycle and help teams identify various infrastructural and operational concerns. Implementing VAST requires the creation of two types of threat models:

  • Application threat model — uses a process-flow diagram to represent the architectural aspect of the threat

  • Operational threat model — uses a data-flow diagram to represent the threat from the attacker’s perspective


Persona non grata

This method is similar to criminal profiling in law enforcement. To anticipate attacks in more detail, brainstorming exercises are performed to create a detailed picture of a hypothetical attacker, including their psychology, motivations, goals, and capabilities.


LINDDUN

The LINDDUN framework focuses on the analysis of privacy threats, based on the categories that form its acronym: linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness, and non-compliance. It uses threat trees to help users choose the relevant privacy controls to apply.

How do I measure the effectiveness of threat modeling?

Two ways to measure effectiveness are:

  • Common Vulnerability Scoring System (CVSS). CVSS produces standardized scores for application vulnerabilities, IT systems and elements, and IoT devices; the scores can be calculated with a free online tool. For additional perspective, scores can be compared against a database of existing scores crowdsourced from similar enterprises.

  • Penetration testing. Sometimes referred to as "ethical hacking," penetration testing is the process of staging dummy attacks on a system to measure its strengths and weaknesses. Pen tests may require a good deal of time-consuming data analysis, so organizations should be wary of running too many tests, or tests on assets that are not sufficiently high-risk to justify the cost.

Is threat modeling available as a service?

Yes. Threat modeling as a service (TMaaS) can allow an organization to focus on remediation and high-level network architecture decisions while leaving necessary data-crunching to TMaaS providers. TMaaS also can perform continuous threat modeling, automatically running testing anytime a system is updated, expanded, or changed. TMaaS solutions incorporate threat intelligence--such as data about threats and attacks crowdsourced from organizations worldwide--that can inform threat hypotheses for networks and improve network security.