Threat modeling is a structured activity for identifying and mitigating threats. It matters because it lets you look at security risk as a whole, supports decision making and prioritization, and forces you to consider how best to use your limited resources. There are many approaches to threat modeling, but they all share the same goal: understanding what could damage your security posture and deciding what to do about it.
Threat modeling is a form of risk assessment that models aspects of the attack and defense of a particular logical entity, such as a piece of data, an application, a host, a system or environment. The underlying principle of threat modeling is that there are always limited resources for security and it is necessary to determine how to use those limited resources effectively.
(NIST SP 800-154, Guide to Data-Centric System Threat Modeling, draft)
How is threat modeling performed?
In general, threat modeling makes you think like a potential attacker. It makes you ask questions such as: What is worth attacking here? How could it be attacked? Where would an attacker start? It also uses visual aids, such as diagrams, that let you see threats more clearly and spot attack vectors more easily.
If you wanted to threat-model your home, you would start by drawing a plan of each floor and marking where the windows and doors are. You would then work out what a burglar would want to steal, how they would try to get in to steal it, and what you could install to stop them (locks, an alarm system, a safe, and so on). Threat modeling for software, including web applications, follows the same pattern.
Web application threat modeling is part of threat modeling as a whole and should not be treated as a separate practice. Web applications are always interconnected with other system components: web servers, application servers, data stores, operating systems and other resources. If you model only the web layer, you will miss many threats and the model will be of little use.
Who should perform threat modeling?
Threat modeling is most effective if it involves as many stakeholders as possible, not just security experts. People in different positions in the business bring a unique perspective and can help you notice the details that you would otherwise miss. In some cases, threat modeling even enlists the help of subcontractors, business partners or customers.
Ask your coworkers to pretend they want to attack the business. Do they think theft or compromise would be worth it? How would they go about it? Development teams can remind you that your application source code is valuable because it contains not only open source but also unique proprietary algorithms. A marketing manager can remind you that if someone defaces your website, it damages your brand. An office administrator can point out how easy it is for a stranger to walk into the office and take the server room key. IT system administrators may remind you to cover not only desktops and servers, but also IoT devices.
When and where to perform threat modeling?
Threat modeling should begin as soon as you start designing an application and should never end; security is an integral part of risk management. As soon as you begin thinking about an application, the security team needs to think about potential threats and how they could be exploited. The earlier you catch a potential threat, the easier and cheaper it is to address it, for example by redesigning part of the system. Therefore, you should include threat modeling in your Software Development Lifecycle (SDLC) from the earliest design stage and throughout your DevOps process.
Your system is constantly evolving, so threat modeling can never stop. Every change in your environment should trigger a reassessment of potential threats. Even a small change can introduce a serious new threat that you need to mitigate. At the same time, threat modeling should not be limited to your own resources. You also need to consider your users, business partners and other third parties. If your systems are part of a larger whole, a threat to your system may be indirect.
What are the threat modeling stages?
Threat modeling is usually based on four main questions, each corresponding to a stage:
- What are we working on? (Diagramming)
- What can go wrong? (Threat enumeration)
- What are we going to do about it? (Mitigation)
- Did we do a good job? (Validation)
Threat modeling begins with diagramming because a diagram is the easiest way to communicate how your system is built, and most people can read one without special training. The most popular diagram type for threat modeling is the data flow diagram (DFD). DFDs focus on data, which is one of the main concerns of threat modeling, and they make it easy to identify trust boundaries: the points where data passes between components with different levels of trust.
Once the initial diagrams are ready, everyone involved can look at them from the attacker's perspective and start looking for security issues. Threat enumeration and mitigation draw on multiple tools and strategies that help you cover all threat categories and meet your software security requirements, for example building attack trees and designing security controls. Validation lets you confirm that the mitigations are actually effective.
For example, when enumerating threats for a web application, one of the main threat types that must always be identified and mitigated is web application vulnerabilities. You may notice that any web application is potentially vulnerable to OWASP Top 10 issues such as SQL injection and cross-site scripting, but also that users may choose weak passwords, which exposes the system to credential attacks.
You can then use a web application vulnerability scanner to think like an attacker and look for these vulnerabilities. At the mitigation and validation stages, a web security solution such as Acunetix can help you prioritize findings, manage remediation and verify that issues have actually been fixed. Such an automated tool will not cover every threat, and following up with penetration testing is recommended, but it is an essential element of threat enumeration and mitigation for web applications.
What threat modeling methods to use?
There are several methods you can use for threat modeling. The most popular is STRIDE, created at Microsoft in 1999. The name stands for the six threat categories you should consider when modeling: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. Other methods include PASTA (Process for Attack Simulation and Threat Analysis), Trike, VAST (Visual, Agile and Simple Threat modeling) and many more.
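The following script is an added example (not code from the original article or from Microsoft) that ties the diagramming and threat enumeration stages described above to STRIDE. It encodes a small DFD of a hypothetical web shop (browser, web application, orders database, payment gateway, all constructed for illustration) with each element placed in a named trust zone, then applies the standard STRIDE-per-element mapping (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D) to enumerate candidate threats, flags flows that cross a trust boundary, and maps each threat category to the security property a mitigation must provide. The zone names and element names are assumptions.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example, not from the original article. The web-shop DFD below is
constructed for illustration; the STRIDE-per-element table and the
category-to-property mapping are the standard ones used with STRIDE.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each kind of DFD element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# The security property a mitigation for each category must provide.
MITIGATION_PROPERTY = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation (audit logging)",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external_entity | process | data_store
    zone: str       # trust zone the element sits in (assumed names)


@dataclass(frozen=True)
class Flow:
    source: Element
    target: Element
    data: str       # what travels on the flow

    @property
    def crosses_boundary(self) -> bool:
        # A flow between two different zones crosses a trust boundary.
        return self.source.zone != self.target.zone

    @property
    def label(self) -> str:
        return f"{self.source.name} -> {self.target.name} ({self.data})"


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    note: str


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every node and every flow of the DFD."""
    threats = []
    for e in elements:
        for code in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], f"{e.kind} in zone '{e.zone}'"))
    for f in flows:
        note = "flow"
        if f.crosses_boundary:
            note += f"; crosses trust boundary {f.source.zone} -> {f.target.zone}"
        for code in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f.label, STRIDE[code], note))
    return threats


def boundary_crossings(flows):
    """Flows that cross a trust boundary deserve the first look."""
    return [f for f in flows if f.crosses_boundary]


def mitigation_for(threat: Threat) -> str:
    return MITIGATION_PROPERTY[threat.category]


def sample_web_shop():
    """Constructed DFD: a browser talks to a web app in a DMZ, which talks
    to an internal database and an external payment gateway."""
    browser = Element("Browser", "external_entity", "internet")
    webapp = Element("Web app", "process", "dmz")
    orders = Element("Orders DB", "data_store", "internal")
    gateway = Element("Payment gateway", "external_entity", "internet")
    flows = [
        Flow(browser, webapp, "credentials and orders"),
        Flow(webapp, orders, "order records"),
        Flow(webapp, gateway, "card tokens"),
    ]
    return [browser, webapp, orders, gateway], flows


if __name__ == "__main__":
    elements, flows = sample_web_shop()
    for f in boundary_crossings(flows):
        print(f"boundary crossing: {f.label} [{f.source.zone} -> {f.target.zone}]")
    for t in enumerate_threats(elements, flows):
        print(f"{t.category:<24} {t.element:<45} needs {mitigation_for(t)}; {t.note}")
```

Run it to get a first-pass threat list: every flow in this DFD crosses a boundary, so all three get the tampering, disclosure and denial-of-service entries plus the boundary note, and the process gets all six categories. The output is a checklist to discuss with the stakeholders described above, not a finished model: STRIDE-per-element tells you where to look, and the team still has to decide which entries are real for this system and which mitigations (TLS on the crossing flows, authentication at the web app, audit logging on the order store, and so on) close them.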
Which method to choose depends on many factors: the software development process your company uses (Scrum, Kanban, Waterfall, etc.), the size of your organization, your business processes and the scope of your environment. Choosing the right method therefore requires research that goes beyond the scope of this article. A useful starting point is the article from the Carnegie Mellon University Software Engineering Institute that introduces 12 threat modeling methods.
What tools to use for threat modeling?
Threat modeling methods depend on the architecture of your system, your business objectives, your requirements and more, and automated threat modeling tools in turn depend on the method chosen. Among the many threat modeling tools on the market, one is mentioned often because it is easy to use and free: the Microsoft Threat Modeling Tool. A further advantage is the number of training resources available for it online.