For modern organizations, cyber threats are an ever-present danger. In 2020, cybercrime was estimated to have cost them over $1 trillion, and it is projected to cost $10.5 trillion annually by 2025. To keep their networks, systems and data safe from bad actors, organizations are increasingly employing proactive cyber defence measures like threat modeling.
Threat modeling is a systematic, structured process that enables companies to identify and assess potential security threats, and to prioritize the techniques that mitigate them and minimize their damage. OWASP describes a threat model as “a view of the application and its environment through the lens of security”. Using a threat modeling process, enterprises can capture, organize and analyze the information that affects application security, and thus improve their decision-making.
A 1999 Microsoft document called “The Threats to Our Products” is widely considered the first definitive description of threat modeling; it is also where STRIDE was introduced. Many methodologies have been developed since, including DREAD. Although each methodology takes its own approach to identifying, quantifying and prioritizing security threats, they all follow a threat modeling process that answers four critical questions. This brief article highlights these general questions and the threat modeling process steps.
Threat Modeling: A 4-Question Framework
For cybersecurity teams, trying to evaluate every possible combination of threat agent, attack, vulnerability and potential impact is time-consuming and frequently a wasted effort. By concentrating on threats of high likelihood and high potential impact, they spend their effort where it prevents the most damage, and thus strengthen their cybersecurity defence. To do this, they must ask and answer four critical questions:
What are we working on?
What can possibly go wrong?
What can we do (and are going to do) about it?
Did we do a good job?
The threat modeling process helps find the answers to these questions in a systematic manner.
The Threat Modeling Process
i. Decompose the application
In this first step, the goal is to decompose the application into its constituent parts and see how they interact with external entities. To do this, it’s critical to map its:
Entry points, such as login pages, HTTP request handlers and any other interface that accepts external input
Elements or assets that have value and are at risk of being attacked, such as data (e.g. customer information), and even the firm’s reputation
Interconnections and dependencies outside the application’s own code (third-party libraries, external services, shared infrastructure) that may pose a threat if not properly identified and managed
Trust levels representing the access rights granted to external entities
Further, by writing use cases, threat modelers can understand how the application is actually used. With data flow diagrams (DFDs), they can trace how data moves between components, where it is transformed or stored, and where it crosses a trust boundary; those boundary crossings are where most threats are found. A process flow diagram is an alternative to a data flow diagram that models the application as the sequence of actions a user takes, which some practitioners find more closely mirrors how attackers think.
ii. Determine threats and threat agents
A threat model is incomplete without identifying and characterizing the threat agents who might attack the application. These may be insiders or outsiders, and the threats could be inadvertent mistakes or deliberate, malicious attacks.
The STRIDE methodology is one of the most widely used ways to determine threats. It names six categories of threat from the attacker’s perspective: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Applied per element of the data flow diagram, it gives a checklist of which categories to consider for each external entity, process, data store and data flow.
Building attack trees is another threat modeling technique: the root of the tree is the attacker’s goal, and the branches show which conditions must come together for that goal to be reached.
iii. Understand existing counter-measures
A model that records existing countermeasures enables the security team to analyze their effectiveness, and to identify which threats are left unmitigated or only partly mitigated so that the right measures can be chosen to close those gaps.
iv. Prioritize risks
Although the security landscape is constantly expanding, many of the risks it contains do not deserve the attention or effort of security teams. To prevent wasting time and effort, it’s important to prioritize risks, which then determines the required action. The usual way to do this is to estimate likelihood and impact factors for each threat and combine them into an overall risk or severity level. The DREAD model scores each threat on Damage, Reproducibility, Exploitability, Affected users and Discoverability and averages them into a single rating that can be used to rank threats and take action. One caveat: DREAD ratings are subjective, and Microsoft, which created it, later dropped it for that reason, so teams should agree on written definitions for each score before relying on the ranking.
v. Find ways to minimize the danger
In this final step, the security team identifies relevant countermeasures to eliminate each prioritized risk, or reduce it to an acceptable level. For instance, in the STRIDE model, a “Spoofing” threat against user identities can be mitigated by implementing multi-factor authentication (MFA). Similarly, a “Tampering” threat can be minimized with integrity controls: message authentication codes or digital signatures on data in transit, strict write permissions on data at rest, and validation of all input.
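The five steps described above, carried out end to end on a small constructed model, as an added example that is not part of the original article. The three-element web application (a customer, a web app and a customer database), its trust levels, the controls assumed to exist already, and the DREAD ratings are all illustrative assumptions; the STRIDE-per-element chart and the DREAD averaging formula are the standard Microsoft definitions.

```python
"""Added example: a miniature threat-modeling run following the five steps
(decompose, enumerate STRIDE threats, record existing countermeasures, score
with DREAD, pick mitigations) on a constructed three-element web application.
Not from the original article; element names, trust levels, existing controls
and DREAD ratings are illustrative assumptions."""
from dataclasses import dataclass, field

# Step ii: Microsoft's STRIDE-per-element chart -- which of the six categories
# apply to each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

# Step v: the generic countermeasure family for each STRIDE category.
MITIGATIONS = {
    "S": "strong authentication (e.g. MFA, mutual TLS)",
    "T": "integrity controls (MACs/signatures, input validation, write ACLs)",
    "R": "tamper-evident audit logging",
    "I": "encryption in transit and at rest, least-privilege access",
    "D": "rate limiting, quotas and redundancy",
    "E": "authorization checks at every boundary, least privilege",
}

@dataclass
class Element:
    name: str
    kind: str                 # key of STRIDE_PER_ELEMENT
    trust_level: int          # 0 = untrusted network, higher = more trusted
    controls: set = field(default_factory=set)   # STRIDE letters already mitigated

@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    controls: set = field(default_factory=set)

def build_sample_model():
    """Step i: decompose the application (constructed sample, not a real system)."""
    customer = Element("customer", "external_entity", 0, controls={"S"})   # MFA at login
    web_app = Element("web_app", "process", 1)
    customer_db = Element("customer_db", "data_store", 2)
    flows = [
        Flow("login", customer, web_app, controls={"T", "I"}),  # TLS: integrity + confidentiality
        Flow("query", web_app, customer_db),                    # plain DB connection, no controls
    ]
    return [customer, web_app, customer_db], flows

def enumerate_threats(elements, flows):
    """Steps ii and iii: list every applicable STRIDE threat and record whether
    an existing countermeasure already covers it. Only flows that cross a
    trust boundary are enumerated; same-zone flows are left for a later pass."""
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append({"target": e.name, "category": letter,
                            "mitigated": letter in e.controls})
    for f in flows:
        if f.src.trust_level == f.dst.trust_level:
            continue
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append({"target": f.name, "category": letter,
                            "mitigated": letter in f.controls})
    return threats

def dread_score(factors):
    """Step iv: DREAD rating = mean of (Damage, Reproducibility, Exploitability,
    Affected users, Discoverability), each scored 1..10 by the modeler."""
    assert len(factors) == 5 and all(1 <= x <= 10 for x in factors)
    return sum(factors) / 5

# Constructed ratings for the threats the modeler has assessed so far.
DREAD_RATINGS = {
    ("customer_db", "I"): (9, 8, 6, 9, 5),   # bulk exposure of customer PII
    ("web_app", "E"):     (9, 5, 4, 9, 4),   # attacker gains an admin role
    ("query", "T"):       (8, 6, 5, 8, 3),   # e.g. injection altering the DB query
}
UNASSESSED = (3, 3, 3, 3, 3)   # placeholder until the team rates the threat

def prioritize(threats, ratings):
    """Steps iv and v: drop already-mitigated threats, score the rest, rank
    by DREAD and attach the countermeasure family to pursue."""
    ranked = []
    for t in threats:
        if t["mitigated"]:
            continue
        score = dread_score(ratings.get((t["target"], t["category"]), UNASSESSED))
        ranked.append({**t, "score": score,
                       "threat": STRIDE_NAMES[t["category"]],
                       "mitigation": MITIGATIONS[t["category"]]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    elements, flows = build_sample_model()
    for r in prioritize(enumerate_threats(elements, flows), DREAD_RATINGS):
        print(f"{r['score']:4.1f}  {r['target']:<12} {r['threat']:<24} -> {r['mitigation']}")
```

Running it lists the 15 unmitigated threats with the three assessed ones (database disclosure, privilege escalation in the web app, tampering on the unprotected query flow) at the top; the unassessed placeholder score is deliberately low so that rating the remaining threats is itself the next work item.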
Regardless of the methodology chosen, it’s important to make threat modeling a priority during development. Incorporating it early in the development lifecycle bakes security in from the outset, which lowers the cost and effort of fixing design flaws later. The 5-step threat modeling process discussed here provides better visibility into the threat landscape and enables organizations to make better, more rational security decisions.