Threat Modeling is a security design process used to identify the threats that may affect web and mobile digital applications and to select the controls that counter them effectively. This guide, created with insights from Accenture, covers the essential steps, concepts, and best practices.
An introduction to Threat Modeling
In recent years the need for Threat Modeling has grown as the number and variety of attacks have increased. With the rise of web and mobile applications, attackers have more opportunities to exploit vulnerabilities. Threat Modeling is used to assess the risk to a digital application and to determine the security controls that best mitigate that risk. The process consists of identifying potential threats, determining their impact, and selecting appropriate countermeasures.

Performing Threat Modeling brings several benefits. First, it helps organizations prioritize their security effort by identifying the most critical risks. Second, it provides a structured way of thinking about security. Third, it uncovers risks that are hard to find with other methods such as testing, because it examines the design before, or independently of, the code.

Threat Modeling is therefore a valuable step in the security design process of any digital application. By taking the time to identify potential threats and choose the controls that mitigate them, organizations improve the security of their applications and reduce the likelihood of a successful attack. Threat modeling can be applied to software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes.
What are the objectives of Threat Modeling?
- Identify Potential Threats that may impact the digital application
- Identify the Security Controls to apply as countermeasures
- Identify critical areas of design that need to be protected
1) When conducting a threat modeling exercise, the first objective is to identify potential security threats that may impact the digital application. This can be done by focusing on the assets, drawing and analyzing architectural diagrams, and then brainstorming with the development team and other stakeholders to identify what could go wrong. Once potential threats have been identified, they can be prioritized based on their likelihood and potential impact. This will help the team focus on the most serious threats first.
2) The second objective of threat modeling is to identify the security controls that can be implemented to mitigate the identified threats. The controls should be selected based on their efficacy in mitigating the threat and their feasibility to implement. Some controls may not be feasible to implement, so the team needs to weigh the benefits and costs of each control before deciding which to implement.
3) The third objective of threat modeling is to identify critical areas of design that need to be protected. This can be done by identifying which parts of the application are most critical to its functioning and security. Once these critical areas have been identified, additional security controls can be put in place to protect them.
The 4-question framework of Threat Modeling
The threat modeling process can be summarized by a framework of four questions, popularized by Adam Shostack. Each question corresponds to a threat modeling phase, with sub-steps that lead to the answer.
1) Model System – What are you building?
2) Find Threats – What can go wrong with it once it’s built?
3) Address Threats – What should you do about those things that can go wrong?
4) Validate – Did you do a decent job of analysis?
1) The first step, modeling the system, is about understanding what you are building. This means having a clear picture of the system’s components, how they interact, and the environment it runs in. What are its component parts? What purpose does it serve? What data does it process? What are its interfaces, and where do the trust boundaries lie (for example between the Internet and your servers, or between a web tier and a database)? Answering these questions is necessary before threats can be identified. In practice this step produces data flow diagrams and architectural diagrams of the system under analysis, focused on the assets that need to be protected. The assets themselves (data, credentials, services) should be listed explicitly, because they are what the next step looks for threats against.
2) In the second step you look for threats against the assets identified in the previous step. This is done by brainstorming, using threat catalogues, reviewing similar systems, looking at common attack patterns, or by using a tool such as the Microsoft Threat Modeling Tool. Strategies like STRIDE, described in the following section, help both to find threats and to categorize them. The goal is a list of threats that could exploit weaknesses of the system. Once you have that list you can prioritize it: some threats are more severe than others, and some are more likely to occur, so consider both severity and likelihood. To judge which threats are actually relevant, you need to understand the attacker’s goals and capabilities.
3) The third step is about addressing the threats identified in the previous step. For each threat there are four options: mitigate it (redesign components, change assumptions, or add security controls), eliminate it (remove the feature or data that exposes it), transfer it (for example to a vendor or through insurance), or accept it. Mitigation is the usual choice; acceptance should be an explicit, documented decision, never a threat that was simply forgotten.
4) The fourth and final step is to validate the results of the previous three. This means checking that every threat has been addressed, that the chosen security controls actually work (through testing or code review), and that the model still matches what was built: a diagram that has drifted from the real architecture invalidates the analysis built on it.
Popular Threat Modeling Strategies
There are a variety of different threat modeling strategies out there, each with its own strengths and weaknesses. In this section, we’ll take a look at some of the most popular threat modeling techniques and tools.
STRIDE
STRIDE is a mnemonic for six categories of threat: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. It was developed at Microsoft in 1999. By asking, for each part of a system, which of these six categories apply, you can build a list of threats and then a plan to mitigate them. Teams typically use STRIDE while designing software architectures, when changes are still cheap.
Each STRIDE category is the violation of a security property: spoofing defeats authentication, tampering defeats integrity, repudiation defeats non-repudiation, information disclosure defeats confidentiality, denial of service defeats availability, and elevation of privilege defeats authorization. The classic CIA triad (confidentiality, integrity and availability) is therefore covered, together with three properties it leaves out.
STRIDE is applied to a model or diagram of the system to protect, typically a data flow diagram that breaks the system down into external entities, processes, data stores, data flows and trust boundaries. Not every category applies to every element type (for example, an external entity can be spoofed, but a data flow cannot), which is what lets tools generate a first list of candidate threats mechanically.
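To make the two ideas above concrete (modeling the system as elements and flows, then finding threats per element), here is an added example written for this article, not code from any of the tools or methodologies discussed. It applies the STRIDE-per-element table to a small constructed data flow diagram and flags flows that cross a trust boundary, which is where most real findings cluster. The element kinds, the table, the list of cleartext protocols and the sample diagram are assumptions made for the example.

```python
"""STRIDE-per-element over a small data flow diagram (DFD).

Illustrative code written for this article. The STRIDE-per-element table,
the element kinds, the cleartext-protocol list and the sample diagram are
assumptions made for the example, not taken from any tool's rule set.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each kind of DFD element. An external
# entity can be spoofed or repudiate an action but cannot itself be tampered
# with; a data flow can be tampered with, read or cut, but not spoofed.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Protocols that carry data without encryption (assumption for the example).
CLEARTEXT_PROTOCOLS = {"http", "tcp", "ftp", "telnet", "smtp"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # key of APPLICABLE other than "data_flow"
    boundary: str   # trust boundary the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    source: str     # Element.name
    dest: str       # Element.name
    data: str       # what travels on the flow
    protocol: str


@dataclass
class Threat:
    target: str
    category: str
    crosses_boundary: bool = False
    note: str = ""


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Generate the candidate STRIDE threats for every element and flow."""
    by_name: Dict[str, Element] = {e.name: e for e in elements}
    threats: List[Threat] = []

    for e in elements:
        if e.kind not in APPLICABLE or e.kind == "data_flow":
            raise ValueError(f"{e.name}: unknown element kind {e.kind!r}")
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter]))

    for f in flows:
        if f.source not in by_name or f.dest not in by_name:
            raise ValueError(f"{f.name}: endpoint not in diagram")
        src, dst = by_name[f.source], by_name[f.dest]
        crossing = src.boundary != dst.boundary
        cleartext = f.protocol.lower() in CLEARTEXT_PROTOCOLS
        for letter in APPLICABLE["data_flow"]:
            note = ""
            if crossing:
                note = f"crosses trust boundary {src.boundary} -> {dst.boundary}"
                # Tampering and information disclosure are the categories that
                # an unencrypted, boundary-crossing flow makes immediately real.
                if cleartext and letter in "TI":
                    note += f"; {f.data} sent over cleartext {f.protocol}"
            threats.append(Threat(f.name, STRIDE[letter], crossing, note))
    return threats


def boundary_crossing_threats(threats: List[Threat]) -> List[Threat]:
    """Threats on flows that cross a trust boundary; triage these first."""
    return [t for t in threats if t.crosses_boundary]


# Constructed sample DFD: a browser on the Internet talks to a web API in a
# DMZ, which queries a user database on the internal network.
ELEMENTS = [
    Element("Browser", "external_entity", "internet"),
    Element("Web API", "process", "dmz"),
    Element("Users DB", "data_store", "internal"),
]
FLOWS = [
    Flow("login request", "Browser", "Web API", "credentials", "https"),
    Flow("user lookup", "Web API", "Users DB", "user records", "tcp"),
]

if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        flag = " [boundary]" if t.crosses_boundary else ""
        print(f"{t.category:<24} {t.target}{flag}  {t.note}")
```

Running it prints 18 candidate threats; the six on the two flows are marked [boundary], and the tampering and information-disclosure entries for the database lookup note that user records travel in cleartext. This is the kind of first-pass list the Microsoft Threat Modeling Tool or Threat Dragon produces: mechanical and complete by construction, meant to be pruned and prioritized by the team rather than treated as findings.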
The DREAD model
The DREAD model is a semi-quantitative model that rates the severity of each threat by scoring five factors, typically on a scale of 1 to 10, and averaging them:
- D – Damage potential: how bad would it be if the attack succeeded?
- R – Reproducibility: how reliably can the attack be reproduced?
- E – Exploitability: how little effort and skill does the attack require?
- A – Affected users: how many users would be impacted?
- D – Discoverability: how easy is it for an attacker to find the weakness?
By scoring threats across these factors, an organization gets a ranked list of the most important threats to its assets and architecture and can plan their treatment in priority order. The scores are judgement calls, so two teams will rarely rate the same threat identically; to keep results comparable, agree on a written rubric for each factor and have the same group score all threats of a model. Microsoft, which introduced DREAD, later moved away from it for this reason, but it remains a simple and widely used prioritization aid.
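As an added example (not code from the article or its sources), the following scores a handful of threats with DREAD, validates the scores against the scale, and returns them ranked for the prioritization step described earlier. The 1 to 10 scale, the equal-weight average, the rubric text and the High/Medium/Low bands are assumptions of the example, and the threats themselves are constructed.

```python
"""Scoring and ranking threats with DREAD.

Illustrative code written for this article. The 1-10 scale, the equal-weight
average, the rubric, the rating bands and the sample threats are assumptions
made for the example.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

# Short rubric so that different reviewers score the same way (assumption).
RUBRIC = {
    "damage": "1 = nuisance, 5 = one user's data, 10 = full compromise",
    "reproducibility": "1 = rarely works, 5 = needs timing, 10 = works every time",
    "exploitability": "1 = expert with custom tooling, 5 = skilled, 10 = point and click",
    "affected_users": "1 = a single user, 5 = some users, 10 = all users",
    "discoverability": "1 = obscure, 5 = needs some analysis, 10 = obvious",
}


@dataclass(frozen=True)
class DreadScore:
    threat: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject anything outside the agreed scale so averages stay comparable.
        for f in FACTORS:
            v = getattr(self, f)
            if not isinstance(v, int) or not 1 <= v <= 10:
                raise ValueError(
                    f"{self.threat}: {f}={v!r} is not in 1..10 ({RUBRIC[f]})")

    def rating(self) -> float:
        """Equal-weight average of the five factors."""
        return mean(getattr(self, f) for f in FACTORS)


def band(rating: float) -> str:
    """Map a rating to a triage band (thresholds are an assumption)."""
    if rating >= 7:
        return "High"
    if rating >= 4:
        return "Medium"
    return "Low"


def rank(scores: List[DreadScore]) -> List[DreadScore]:
    """Highest rating first; ties broken by name so the order is stable."""
    return sorted(scores, key=lambda s: (-s.rating(), s.threat))


# Constructed scores for four threats of the kind a STRIDE pass produces.
SAMPLE = [
    DreadScore("Tampering: user lookup over cleartext tcp", 8, 9, 7, 9, 6),
    DreadScore("Spoofing: Browser session via stolen cookie", 7, 6, 6, 5, 8),
    DreadScore("Denial of service: Web API request flood", 5, 8, 7, 9, 9),
    DreadScore("Repudiation: Users DB has no audit log", 4, 3, 3, 4, 2),
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        print(f"{s.rating():4.1f} {band(s.rating()):<6} {s.threat}")
```

One practical caveat: Discoverability rewards security through obscurity, so many teams fix it at 10 (assume the attacker will find the weakness) and effectively score four factors. Whatever the convention, record it next to the rubric so that scores stay comparable from one model to the next.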
PASTA
The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling framework built around seven stages, from defining business objectives and technical scope, through application decomposition and threat and vulnerability analysis, to attack modeling and risk and impact analysis. It lets companies follow a series of steps to perform risk analysis and improve their overall security strategy. PASTA has a broad range, scales up or down as needed, and many other threat modeling techniques (STRIDE among them) can be mapped into its stages.
VAST
The Visual, Agile, and Simple Threat (VAST) methodology is based on ThreatModeler, a commercial threat-modeling tool. Its strengths are usability and scalability, which help large organizations apply it across their infrastructure; it distinguishes application-level threat models, aimed at development teams, from operational threat models of the deployed infrastructure.
Trike
Trike is an open-source methodology and tool for conducting security threat assessments. As its website says, the project began in 2006 as an attempt to improve the efficiency and effectiveness of existing threat modeling methodologies and is still actively used and developed. It is requirements-driven: it starts from a model of which actors may perform which actions on which assets, and derives threats from violations of that model.
OCTAVE
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk management methodology developed at Carnegie Mellon University’s Software Engineering Institute. It is organization- and asset-centric rather than system-centric: it identifies critical assets, the threats to them and the vulnerabilities that expose them, and uses that information to assess the risk to each asset and decide how best to protect it. At its core, it helps teams share knowledge in a systematic way, so as to establish the current state of security, possible vulnerabilities, risks to critical assets, and a security strategy.
NIST
NIST, the US National Institute of Standards and Technology, publishes guidance rather than a single framework or tool: the Risk Management Framework (SP 800-37) and the Guide for Conducting Risk Assessments (SP 800-30) describe how to identify, assess and mitigate security risks, and the draft SP 800-154, Guide to Data-Centric System Threat Modeling, describes a threat modeling methodology centred on the data a system handles that can be used to identify potential risks and develop mitigation plans.
These are just a few of the many threat modeling strategies and tools that are available. Which one you choose to use will depend on your specific needs and preferences. However, all of these techniques can be useful in helping you proactively identify and address potential security risks.
Some, like OCTAVE, focus on the organization and its assets. Others, like STRIDE, take the point of view of the developer or architect looking at a design, while PASTA takes the attacker’s point of view and ties the resulting threats back to business risk.
Tools for threat modeling
There are a number of different tools available for threat modeling. The following are some of the most popular:
1. Microsoft Threat Modeling Tool – a free tool (Windows only) that lets you draw a data flow diagram of the system and automatically generates a list of STRIDE threats for each element and flow from a built-in template, which the team then triages, recording a mitigation or a justification for each. It fits naturally with teams already following the Microsoft SDL.
2. OWASP Threat Dragon – OWASP Threat Dragon is a free, open-source modeling tool used to create threat model diagrams as part of a secure development lifecycle. As discussed before, creating these diagrams for the assets that need to be protected is a fundamental step in threat modeling, and it should always be incorporated into the development cycle of components that may be at risk of attack. Threat Dragon also supports STRIDE: it provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.
3. IriusRisk – a product that lets you draw your architecture with drag-and-drop, much like draw.io, and then generates a threat model in minutes: it highlights the risks of that architecture, proposes countermeasures for the corresponding attacks, shows threat scores that update as the model changes, and generates reports.
4. draw.io (https://www.diagrams.net/) – a general-purpose online diagramming tool with shape libraries for the major cloud providers. It is not a threat modeling tool in itself, but it is useful for producing the architecture and data flow diagrams from which the analysis of your assets and their vulnerabilities starts.
Main Takeaways
Cybersecurity is among the most fundamental areas any company should invest in. Malicious actors are always looking for vulnerabilities to steal valuable information or plant malware in a company’s private network (ransomware, for example).
Every company should adopt threat modeling practices to reduce the exposure of its infrastructure; no process makes a system safe from all attacks, but threat modeling ensures the likely ones are considered before they happen. In this article we described the main steps to follow. Accenture provides companies with extensive expertise in cybersecurity, computer networks and threat modeling, and can guide each step when critical infrastructure and pipelines are built so that they are better protected from external attacks. A threat modeling report analyzes the assets involved, produces an overall architecture and data flow diagram, identifies and highlights potential threats with their relative priorities, and suggests security controls that mitigate their impact.