Find out how different threat modeling methods can help your business catalog potential threats and find solutions for threat mitigation.
The most important element of the risk management process is the ability to identify and prioritize threats to your organization’s cybersecurity before any damage occurs. How rapidly you can identify these threats will determine how quickly you’re able to find solutions for mitigation.
One way to execute this process of identifying and prioritizing cybersecurity threats is through threat modeling. Threat modeling is an umbrella term that encompasses numerous approaches to identifying and prioritizing threats for mitigation.
Although the specifics for each method are different, threat modeling methodologies all generally aim to assure that your assets are protected and that your organization’s resources are used as fully as possible to improve your overall security posture.
In this article we will further explore some of the top threat modeling methodologies so that you can determine which method (or combination of methods) is right for your business. But first it’s important to gain a more thorough understanding of threat modeling as a practice.
The average person probably incorporates some form of threat modeling into his or her daily life without even realizing it.
For instance, if you make a daily commute to work, you probably use threat modeling to consider what might go wrong on your route so you can take preemptive action to avoid an accident or incident.
More formally, threat modeling has been used by militaries to prioritize defensive preparations since the dawn of human conflict.
At its core, threat modeling is simply the act of identifying and ranking the threats that are most likely to affect your environment. In the context of cybersecurity, threat modeling exists as a tool to help you answer the question, “how do I decide which vulnerabilities to fix first?”
Threat Modeling and Cybersecurity
Threat modeling methodologies in technology first emerged in 1977 and were based on the concept of architectural patterns presented by Christopher Alexander in his book “A Pattern Language.”
In 1988, Robert Barnard was the first person to successfully develop and apply a profile for an IT-system attacker using threat modeling methodologies. Then Edward Amoroso introduced the concept of a “threat tree” in his book “Fundamentals of Computer Security Technology,” published in 1994. Threat trees are similar to attack trees, a method of threat modeling we’ll further explore later in the article.
In 1999, Microsoft cybersecurity professionals Loren Kohnfelder and Praerit Garg developed a model for considering attacks that were specific to the Microsoft Windows development environment: STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege). This is another threat modeling method that we will explore more thoroughly later on.
Today, threat modeling can use several methodologies that are particularly helpful for cyber-physical systems, including the Internet of Things (IoT). Cyber-physical systems integrate software technology into physical infrastructures (smart cars, for example). These systems are often more vulnerable to threats than traditional physical infrastructure, and threat modeling can help to identify these threats earlier in the development process.
Threat modeling is most useful for organizations that are focused on software development and application security. In these industries, security often receives less priority or is even ignored for the sake of hitting production deadlines.
Implementing security by design in the earlier stages of the software development life cycle (SDLC), however, will eliminate the possibility for more critical vulnerabilities later down the line that could result in an increased risk to your business — and exponentially greater remediation costs.
For this reason, threat modeling should be a design-time activity, meaning it occurs before code review, code analysis (static or dynamic), and penetration testing. Performing threat modeling early in the development cycle will allow you to catch any potential issues and remedy them before it’s too late.
Why Is Threat Modeling Important?
The most obvious benefit of threat modeling is an overall improved cybersecurity posture. Ultimately, the goal of threat modeling is to identify threat actors and postulate about the ways they might successfully exploit your vulnerabilities.
Threat modeling is also a great way to reinforce a more collaborative DevOps culture throughout your organization. After all, it’s best if your operations team and your development team work together as a single unit, sharing skill sets and a common goal.
Although education is one of the most overlooked benefits of threat modeling, it’s an important component of a thriving security culture. Threat modeling requires healthy discourse, and it’s an effective way to bring awareness about current threats to your team.
Unlike reactive security cycles, where security leaders and personnel only respond after a security incident has already occurred, threat modeling is a proactive security cycle. It works to defend against security incidents before they occur.
A more proactive approach to cybersecurity means saving time and costs for your business. Threat modeling in particular tends to deliver more value if it is executed consistently and repeatedly.
Using threat modeling to develop standard design patterns and requirements for your organization can go a long way towards reducing your risk. In addition, it will also reduce the variety and complexity in your security architecture, which can often lead to breaches.
While it might be a bit of an investment up-front, threat modeling has the potential to reduce costs of mitigation for your organization. That said, the threat modeling method you choose will ultimately determine how effectively you can identify and then mitigate those threats.
To help your organization determine which threat modeling methodology is best for you, we’ve included a list of common threat modeling methods with more information about each. They can be used on their own, or combined to create a more holistic view of potential threats to your cybersecurity.
Common Threat Modeling Methods
The threat modeling method you choose will depend on the specific needs of your organization. Fundamentally, however, the process is the same for each. Threat modeling typically involves the following steps:
- Identify all assets and any vulnerabilities or weaknesses to your networks, devices, or IT infrastructure. Typically this step involves a vulnerability scan and a vulnerability assessment.
- Based on the vulnerabilities and weaknesses you find, create a list of threats to your assets. Consider your existing countermeasures and safeguards. Use both generic and specific knowledge about threats and threat actors to inform your decisions.
- For each threat, outline all mitigation steps. This could also include security control implementations.
- Prioritize risks based on the harm they might bring to your organization and the level of criticality for your assets or applications that would be affected by a cyberattack.
When determining threats, there is no definitive list you can take as gospel. It’s up to your team to determine which threats are the highest risk within the context of your organization. You should also take into account any threats that are unique to your industry, geographical area, and so forth.
Developing a threat catalog that is specific to your organization will help accelerate your ability to identify threats in the future and develop consistency in your threat modeling methodology.
Still, coming up with threats is an exercise that requires a lot of brainstorming. To help get the ideas flowing, you can always reference threat lists like the OWASP Top 10 or HiTrust Threat Catalog.
You can also use a threat modeling methodology. Here are some of the most common threat modeling methods and how you can apply them to help identify threats to your organization’s security:
STRIDE is a mnemonic device developed by Microsoft that stands for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
It’s currently the most mature threat modeling method, and it’s generally successful when applied to both cyber-only and cyber-physical systems.
STRIDE evaluates the system detail design, and models the in-place system. It’s used to identify system entities, events, and the boundaries of the system by building data-flow diagrams (DFDs), and it applies a general set of known threats based on its name.
|Threat||Property Violated||Threat Definition|
|Spoofing identity||Authentication||Pretending to be something or someone other than yourself.|
|Tampering with data||Integrity||Modifying something on disk, network, memory, or elsewhere.|
|Repudiation||Non-repudiation||Claiming that you didn’t do something or were not responsible; can be honest or false.|
|Information disclosure||Confidentiality||Providing information to someone not authorized to access it.|
|Denial of service||Availability||Exhausting resources needed to provide service.|
|Elevation of privilege||Authorization||Allowing someone to do something they are not allowed to do.|
Although Microsoft no longer maintains STRIDE, it’s still implemented as part of the Microsoft Security Development Lifecycle (SDL) with the Threat Modeling Tool, which is still available. More recently, Microsoft also developed a similar threat modeling method called DREAD (Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability) with a different approach for assessing threats.
The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling framework developed in 2012. It aims to bring business objectives and technical requirements together, and uses a variety of design and elicitation tools in different stages.
1. Define Objectives
2. Define Technical Scope
3. Application Decomposition
4. Threat Analysis
5. Vulnerability & Weakness Analysis
6. Attack Modeling
7. Risk & Impact Analysis
This method elevates the threat modeling process to a more strategic level by involving key decision-makers and requiring security input from operations, governance, architecture, and development. It employs an attacker-centric perspective that produces an asset-centric output built around threat enumeration and scoring.
The Common Vulnerability Scoring System (CVSS) is a method that captures the principal characteristics of a vulnerability and produces a numerical severity score. CVSS was created by the National Institute of Standards and Technology (NIST) and is maintained by the Forum of Incident Response and Security Teams (FIRST) with support and contributions from the CVSS Special Interest Group.
This method is often used in combination with other threat modeling methods, including attack trees. It provides users with a common and standardized scoring system that can be applied to various cyber and cyber-physical platforms. To calculate a CVSS score, you can use a calculator that is available online.
The CVSS consists of three metric groups: Base, Temporal, and Environmental. Each group includes a set of metrics for each. A CVSS score is derived from the values that are assigned by an analyst for each metric, and the metrics should be explained in detail within the documentation.
Attack trees are one of the oldest and most widely applied methods to model threats for cyber-only systems, cyber-physical systems, and purely physical systems. Initially, attack trees were applied as a stand-alone method, but have since been combined with other methods and frameworks such as STRIDE, PASTA, and CVSS.
An attack tree is a diagram that depicts attacks on a system in tree form; the root is the goal for the attack, and the leaves are ways to achieve that goal. You should create a different tree for each goal, ending up with a set of attack trees that represents your system threat analysis.
Trike was developed as a security audit framework using threat modeling from a risk-management and defensive perspective.
The method begins with an analyst defining a system — building a requirement model based on an understanding and enumeration of the system’s actors, assets, intended actions, and rules. This step should create an actor-asset-action matrix with columns representing assets and rows representing actors.
Each cell of the matrix should be divided into four parts, one for each action of CRUD (Creating, Reading, Updating, and Deleting), and an analyst will then assign one of three values: allowed action, disallowed action, or action with rules. You should then attack a rule tree to each cell.
After requirements are defined, you should build a data flow diagram (DFD) where each element is mapped to a selection of actors and assets. The analyst should then identify threats, which will fall into one of two categories: elevations of privilege or denials of service. Each threat then becomes a root in an attack tree.
Trike uses a five-point scale for each action to assess the risk of attacks that might affect assets through CRUD and is based on probability. Using the scale, actors are rated based on the risks they are assumed to present. In this case, a lower number equals higher risk, and actors are evaluated on a three-dimensional scale for each action they may perform on each asset (always, sometimes, never).
How to Choose a Threat Model Method
First, you need to consider which specific areas you want to target, whether they be risk, security, or privacy. You also need to think about how long you have to perform threat modeling, as well as how much experience you have.
Choosing which threat modeling method to use will depend on what you are trying to accomplish. Whichever method you choose, it’s important to maintain a risk-based perspective to create a balanced approach. You need to appropriately consider both the likelihood and impact of risks to reach this balance.
While too much emphasis on the “let’s build it and ship it” mindset has the potential to lead to significant costs and delays later on in the process, the other extreme of “let’s mitigate every conceivable threat” can lead to shipping late (or never) and your customers moving on.
Rather than revisit threat models for product features that are already live, you should ultimately aim to threat-model any new features that you are working on now and improve the security properties of the code you ship next, and for each feature you ship after that. Make adjustments, iterate, and improve.
To embrace the healthy tension between shipping a feature and mitigating threats, you should consider using governance, risk, and compliance (GRC) software.
Mitigate Cyber Risks and Threats with ZenGRC
Covering all the steps of risk management on your own is a big challenge. Being proactive about your risk management strategies starts with finding the right tools to help.
ZenGRC from Reciprocity is a software-as-a-service (SaaS) solution that can help you create a thorough risk management plan, whether you’re working with a reactive or proactive approach.
With Zen, a team of cybersecurity professionals is always looking out for your organization and its assets to make sure you get the best protection against security breaches and cyberattacks.
Its intuitive, easy-to understand platform not only keeps track of your workflow, but lets you find areas of high risk before that risk has manifested as a real threat.
User-friendly dashboards show you at a glance which risks need mitigating and how to do it; allow you to track workflows; and allow you to collect and store the documents you’ll need come audit time.
For more information on how ZenGRC can help your organization mitigate cyber risks and threats using threat modeling methodologies, contact us for a demo today.
That’s worry-free risk management — the Zen way!