Skip to main content

What is Threat Modeling?

Threat modeling is the process of examining a system's numerous business and technical needs, identifying potential threats, and documenting the system's vulnerability to those threats. Any incident in which an unauthorized party gains access to sensitive information, applications, or the network of an organization is referred to as a threat.

The objectives of threat modeling are to establish security needs, locate security threats and probable vulnerabilities, quantify threat and vulnerability criticality, and prioritize remedial strategies.

IT systems are becoming more risky and vulnerable as businesses become increasingly digital and cloud-based. The danger landscape is also expanding as more mobile and Internet of Things (IoT) devices are used. While hacking and distributed denial-of-service (DDoS) attacks are frequently in the news, dangers can also emerge from within an organization, such as workers attempting to steal or modify data.

As a result, threat modeling is gaining traction in the cybersecurity field. We're going to take a closer look at the threat modeling process in cybersecurity, including what it is, why it's important, and the approaches that are available.

How does Threat Modeling Work?

Threat modeling identifies the many forms of threat agents that can affect a computer application or system. It puts itself in the shoes of a malevolent hacker to see how much harm they may cause. Threat Modelling can be defined as a simulation for learning what could go wrong and what we'll do about It.

Organizations make a detailed investigation of the software architecture, business environment, and other artifacts while undertaking threat modeling (e.g., functional specifications, user documentation). This method allows for better knowledge and discovery of key components of the system. Threat modeling is typically done at the design stage (although it may happen at any point) of a new application to assist developers to identify vulnerabilities and understanding the security implications of their design, coding, and configuration decisions. Threat modeling is often done in four phases by developers:

  • Diagram: What exactly are we attempting to build?
  • Threats should be identified: What could possibly go wrong?
  • Mitigate: What are we doing to protect ourselves against threats?
  • Validate: Have we accomplished each of the preceding steps?

What is the Threat Modeling Process?

You may make your threat modeling process as basic or as complex as you like. Begin with simple threat models and utilize them to teach additional team members and familiarize other corporate stakeholders with the notion. It's simple to leverage internal brain trust and ensure involvement by brainstorming your main shortcomings and picking a target area. Another alternative is to create a few distinct situations and try them out in real-time. Finally, incorporating this into a corporate governance program is the optimal threat modeling outcome.

Six steps to successful threat modeling are as follows:

  1. Identify the criminal masterminds within your company: Contact the different technical teams with which you collaborate, such as engineers, developers, analysts, architects, help desk, and support. Choose those that aren't scared to express their thoughts and think outside the box. Start with a few business analysts when threat modeling a process, and ask them how they would bypass their processes.
  1. What would you do if you had to break in?: Send an email to this "criminal" group, urging them to come up with ways to breach your system or goods, as well as any third-party solutions your company employs. Bring them together a week later for an open conversation. Inquire of each of them how they would destroy your system, and then how they would harm it. Remember, this is an open and honest dialogue, so don't take it personally if you're told there are gaps. The majority of my past threat modeling sessions revealed weaknesses in our infrastructure, security plan, and security incident response plan. The goal is to think about how an attacker may get in rather than come up with remedies.
  1. Prioritize, again: It's easy to become overwhelmed with the situations produced by your criminal gang. Consider this: "Which of these situations is most likely to happen?" Which will be the most destructive? What are the royal jewels of our company?" Your website being pulled offline may be irritating, but intellectual property theft would be disastrous.
  1. You may begin to grasp your situation after you have a list of probable threat actors and models: To do so, start mapping in both active and passive countermeasures at each level of the model to assist minimize the danger. If someone phishes your company through its workers, for example, you may require education (people), incident handling (passive process), and anti-phishing technologies
  1. Implement the solution and test it: Now that you've laid the groundwork, it's time to fill up the gaps in your security and put it to the test. If you have the funds, hire an independent company to conduct the testing. If not, make use of the "criminal gang" . They are, after all, insiders. In any case, this will offer some signs of successful models and indicate where your security team should focus its efforts. You must also challenge your vendor partners to fill the gaps. Inform them that you've found threat models against some of your most valuable assets and would like to learn how they can assist you in solving your business challenge.
  1. Innovate: At least once a quarter, CSOs should revisit the threat modeling process. Cybercriminals are always coming up with new and inventive ways to sneak in, get around your protections, and steal data. Working with your creative-thinking rock stars can help you remain ahead of them. They will gladly assist you if you ask.

What are Threat Modeling Methods and Tools?

The following is a list of the top threat modeling tools that you should keep on hand for threat modeling:

  • IriusRisk
  • Threagile
  • Tutamen
  • Cairis
  • Kenna.VM
  • OWAPS Threat Dragon
  • SecuriCAD by Foreseeti
  • ThreatModeler
  • Microsoft Threat Modeling Tool
  • SD Elements by Security Compass

Also, some of the threat modeling methods can be listed as follows:

  • VAST
  • CVSS
  • OWAPS Top Ten
  • MITRE ATT&CK framework

What are the Goals of Threat Modeling?

Threat modeling's goal is to offer defenders a systematic examination of what controls or protections are required, given the system's structure, the likely attacker's profile, the most likely attack paths, and the assets most wanted by an attacker.

Threat modeling is a set of actions that aims to improve security by detecting risks and then developing countermeasures to minimize or reduce the consequences of such threats on the system. A threat is a possible or current undesirable event that might be malevolent (such as a DoS assault) or unintentional (such as a data breach) (failure of a Storage Device). Planned activity for discovering and analyzing application risks and vulnerabilities is threat modeling.

After all, the fundamental purpose of threat modeling is to identify threat actors and their potential to affect an application. Once discovered, security controls and mitigations are used to address the threats, necessitating security to be integrated throughout the design phase of the SDLC. This incorporates security by design concepts into the application architecture, reducing risks and vulnerabilities even before code is developed and lowering defect and repair costs.

What are the Benefits of Threat Modeling?

Threat Modeling your application or another system during the design process gives the following advantages:

  • Design Agreement: All parties concerned are gathered around a table to discuss the system's design. Any differences on how things (should) operate may readily arise and be resolved.
  • Completeness of Vision: A Threat Model illustrates the system at a high level. As needed, the analysis might be further in-depth. This top-down strategy ensures that individuals comprehend the whole system, including all of its relations.
  • Threat Modeling enables consensus on how to address security rather than merely pointing out flaws as a traditional penetration test does. It connects your system's security with the organization's security policy.
  • Early on in the process, Threat Modeling will reveal problems that might evolve into vulnerabilities. It is less expensive to prevent issues than it is to solve them after they have occurred.
  • Threat modeling not only identifies weaknesses but also assists in risk estimation. As a result, you may prioritize mitigations and manage risk in the system in accordance with the company's standards.
  • Prioritize development based on risk: Once risk is identified and evaluated, it becomes easy to prioritize development such that the biggest risk is addressed first. When it comes to planning the development of your system, the risk becomes an issue.
  • Planning a penetration test: A Threat Model data flow diagram quickly identifies any design flaws or areas where pressure might undermine the system. Those are excellent targets for penetration testing. Penetration testing becomes more focused, efficient, and hence more cost-effective in large systems (you may save money!).
  • Proof of 'Security-by-Design': Threat modeling is the most effective technique to demonstrate that you considered security and privacy throughout the design of your system. This is really Design-for-Security (and Privacy-by-Design).
  • Proof of compliance: If you're being audited for compliance or need to show a third party that you're on top of security and privacy, just bring out your most recent Threat Model. For more sophisticated systems, Threat Models are an excellent supplement to GDPR-related Data Protection Impact Assessments (DPIAs).

What is the Importance of Threat Modeling in Cyber Security?

Any program or system must be built to be resistant to attacks. However, determining the security standards required to do this might be difficult. Developers and users think and act differently than attackers.

As the number of information security risks grows, your ability to construct models becomes more critical, since better models mean stronger defenses for your organization - defenses that typically boost an application's resistance against both external and internal threats.

Threat modeling is a proactive approach to identifying dangers that aren't formally evaluated or discovered through code reviews or other sorts of audits. It helps a project team to decide the security controls an application needs, as well as how to implement effective countermeasures against possible attacks and handle issues quickly. This strategy results in considerably more secure applications, and resources are properly utilized by prioritizing expected risks.

Threat models are an important aspect of the creation of an effective security system. Developers may embed security into a project during the development and maintenance stages when threat modeling is part of the DevOps process. This eliminates errors including failing to validate input, poor authentication, insufficient error handling, and failing to encrypt data.

What Are Threat Modeling Frameworks?

It can be difficult and error-prone to spot threats in a cyber environment. Using a threat modeling framework gives the threat modeling process structure and may contain additional advantages like proposed detection tactics and countermeasures.

What Are Threat Modeling Frameworks

Figure 1. What Are Threat Modeling Frameworks?

Take a look at some of the most well-known threat modeling frameworks.

  • OWASP Top Ten: The Open Web Application Security Project's OWASP Top Ten list is one of its most well-known projects (OWASP). The group's -and the Top Ten list's- emphasis is on web application vulnerabilities, as the name indicates. Every few years, this well-known list is updated with the most prevalent and dangerous web application vulnerabilities found. The list is usually a combination of exploitable vulnerabilities (such as Injection or Cross-Site Scripting) and bad development practices, such as failing to log properly and monitoring those logs and other data sources for indicators of an attack.
  • MITRE ATT&CK Framework: MITRE is a United States government-funded research and development center (FFRDC). One of its study areas is cybersecurity, and one of the results of this research is the MITRE ATT&CK framework - as well as the associated Shield framework. MITRE ATT&CK is a cybersecurity framework that allows for threat modeling, penetration testing, defense creation, and other cybersecurity activities. MITRE ATT&CK divides the lifetime of a cyberattack into fourteen stages (which MITRE refers to as "Tactics"). Each of these Tactics explains a particular aim that an attacker may need to accomplish on their approach to attaining their broader goal, such as acquiring access to account credentials or escalation privileges.
  • STRIDE: STRIDE is a threat modeling framework created and released by Microsoft employees in 1999. The STRIDE threat model examines the probable consequences of several threats to a system:
    • Spoofing
    • Tampering
    • Repudiation
    • Information disclosure
    • Denial of service
    • Escalation of privileges
  • DREAD: DREAD was designed as a supplement to the STRIDE model, allowing modelers to rate risks after they've been found. DREAD is an acronym that stands for six questions you should ask about each possible threat:
    • Damage potential: How great is the damage if the vulnerability is exploited?
    • Reproducibility: How easy is it to reproduce the attack?
    • Exploitability: It refers to how simple it is to initiate an attack.
    • Affected users: How many users are affected, on a percentage basis?
    • Discoverability: How simple is it to locate the flaw?

Each of these questions is graded on a scale of one to three stars.

  • PASTA: The Process for Attack Simulation and Threat Analysis (PASTA) offers organizations a strategic approach to reducing cybercrime risks by treating cyber threat mitigation as a business problem first and foremost. By analyzing the attacks that can exploit these vulnerabilities and mapping these attacks to threat scenarios that specifically target the application as a business-asset target, the process provides tactical steps that can be followed to provide effective countermeasures for mitigating existing vulnerabilities.

The 7 Stages of PASTA are as follows:

  1. Define the Application's Business Context: This takes into account the application's inherent risk profile and other business impact factors early in the SDLC or for a specific Sprint in Scrum activities.
  2. Technology Enumeration: The theory underlying this stage is that you can't safeguard what you don't understand. Its goal is to break down the technical stack that enables the application components that achieve the Stage 1 business goals.
  3. Decomposition of the Application: In the application threat model, it focuses on understanding data flows between application components and services.
  4. Threat Assessment: Threat claims from data inside the environment are reviewed, as well as threat intelligence from the industry that is relevant to the service, data, and deployment model.
  5. Identifying Weaknesses and Vulnerabilities: Identifies vulnerabilities and flaws in the application's design and code, and compares them to the threat claims made in the previous step.
  6. Simulation of an Attack: This step focuses on simulating attacks that potentially exploit the previously found weaknesses/vulnerabilities. It also aids in determining the threat's survivability based on assault patterns.
  7. Analysis of Residual Risk: This stage focuses on fixing vulnerabilities or flaws in code or design that might make threats and underlying attack patterns easier to come by. It may be necessary for larger application owners or development managers to assume some risk.
  • VAST Threat modeling: Visual, Agile Threat Modeling (VAST) is an acronym for Visual, Agile Threat Modeling. ThreatModeler, an automated threat modeling platform that separates between application and operational threat models, is based on this concept. VAST was created with the goal of integrating into processes based on the DevOps concept.

  • TRIKE Threat Modeling: The trike is an open-source framework and tool for threat modeling and risk assessment that takes a defensive approach rather than attempting to mimic an attacker's thought process. Trike lets you model the system you're trying to defend, evaluating each component from the perspective of CRUD who has the capacity to create, read, update, or delete that thing. Threats are recognized by iterating through a data flow diagram, with just two types of threats: denial of service and elevation of privilege.

  • OCTAVE: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a threat modeling technique established at Carnegie Mellon University that focuses on organizational risks rather than technology threats. It is divided into three stages:

    • Create threat profiles based on assets.
    • Determine the vulnerability of your infrastructure.
    • Make security preparations and a strategy.
  • CVSS: The Common Vulnerability Scoring System (CVSS) assigns a numerical severity score to vulnerabilities based on their main features. The Forum of Incident Response and Security Teams (FIRST) maintains CVSS with assistance and contributions from the CVSS Special Interest Group. CVSS was established by NIST and is maintained by the Forum of Incident Response and Security Teams (FIRST). Within multiple cyber and cyber-physical systems, the CVSS offers users with an uniform and standardized scoring methodology. A CVSS score may be calculated with the help of an online calculator.

The History of Threat Modeling

Early IT-based threat modeling approaches were based on Christopher Alexander's 1977 notion of architectural patterns. In 1988, Robert Barnard created the first profile for an IT-system attacker, which he successfully implemented. Separately, the NSA and DARPA worked on a structured graphical description of how certain attacks against IT systems may be carried out.

The idea of attack trees was used to launch the first attempts at threat modeling in the 1990s. As a result, Microsoft's Loren Kohnfelder and Prerit Garg distributed a document titled "The Threats to Our Products," largely regarded as the first formal definition of a threat modeling approach.

Loren Kohnfelder and Praerit Garg, two Microsoft cybersecurity experts, devised a methodology for assessing threats relevant to the Microsoft Windows development environment in 1999. (STRIDE stands for spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and privilege elevation.) The resulting mnemonic helps security experts in carefully determining how a possible attacker would use each STRIDE danger.

The OCTAVE approach (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was created in 2003 as an operations-centric threat modeling technique with an emphasis on organizational risk management.

"Threat Modeling", by Frank Swiderski and Window Snyder, was published by Microsoft Press in 2004. They created the idea of employing threat models to construct secure apps in it.

Ryan Stillions presented the DML (Detection Maturity Level) paradigm in 2014, arguing that cyber threats should be communicated at distinct semantic levels.