Top Threat Modeling Methodologies

Find out how different threat modeling methods can help your business catalog potential threats and find solutions for threat mitigation.

One crucial element of the risk management process is the identifying and prioritizing of threats to your organization before any damage occurs. How rapidly you can identify these threats will determine how quickly you can find solutions for mitigation.

One way to execute this process is through threat modeling. Threat modeling is an umbrella term that encompasses numerous approaches to identifying and prioritizing threats so that you can take necessary mitigation steps.

Although the specifics for each method are different, threat modeling methodologies generally aim to assure that your assets are protected and that your organization’s resources are used as fully as possible to improve your overall security posture.

In this article, we will further explore several popular threat modeling methodologies so that you can determine which method (or combination of methods) is suitable for your business. First, it’s essential to gain a more thorough understanding of threat modeling as a practice.

Threat Modeling

The average person probably incorporates some form of threat modeling into his or her daily life without realizing it. For instance, if you commute daily to work, you probably use threat modeling to consider what might go wrong on your route so that you can take preemptive action to avoid an accident or incident.

More formally, threat modeling has been used by militaries to prioritize defensive preparations since the dawn of human conflict.

At its core, threat modeling is simply identifying and ranking the threats that are most likely to affect your environment. In cybersecurity, threat modeling exists as a tool to help you answer the question, “How do I decide which vulnerabilities to fix first?”

Threat Modeling and Cybersecurity

Threat modeling methodologies in technology emerged in 1977 and were based on the architectural patterns presented by Christopher Alexander in his book “A Pattern Language.”

In 1988, Robert Barnard was the first to successfully develop and apply a profile for an IT-system attacker using threat modeling methodologies. Then Edward Amoroso introduced the concept of a “threat tree” in his book “Fundamentals of Computer Security Technology,” published in 1994. Threat trees are similar to attack trees, a method of threat modeling we’ll further explore later in the article.

In 1999, Microsoft cybersecurity professionals Loren Kohnfelder and Praerit Garg developed a model for considering attacks specific to the Microsoft Windows development environment: STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege). This is another threat modeling method that we will explore more thoroughly later on.

Today, threat modeling can use several methodologies particularly helpful for cyber-physical systems, including the Internet of Things (IoT). Cyber-physical systems integrate software technology into physical devices (smart cars, for example). These systems are often more vulnerable to threats than traditional physical infrastructure, and threat modeling can help to identify these threats earlier in the development process.

Threat modeling is most useful for organizations focused on software development and application security. In these industries, security often receives less priority or is even ignored for the sake of hitting production deadlines.

Implementing security-by-design in the earlier stages of the software development life cycle (SDLC), however, will reduce the possibility for more critical vulnerabilities later down the line that could result in an increased risk to your business – and at exponentially higher remediation costs.

For this reason, threat modeling should be a design-time activity, meaning it occurs before code review, code analysis (static or dynamic), and internal penetration tests. Performing threat modeling early in the development cycle will allow you to catch any potential issues and remedy them before it’s too late.

Why Is Threat Modeling Important?

The most apparent benefit of threat modeling is an overall improved cybersecurity posture. Ultimately, the goal of threat modeling is to identify threat actors and posit ways that they might successfully exploit your vulnerabilities.

Threat modeling also reinforces a more collaborative culture for your software development teams. After all, it’s best if your operations team and development team work together as a single unit, sharing skill sets and common goals.

Although education is one of the most overlooked benefits of threat modeling, it’s an essential component of a thriving security culture. Threat modeling requires healthy discourse, and it’s an effective way to strengthen risk awareness and detect supply chain threats.

Unlike reactive security cycles, where security leaders and personnel only respond after a security incident, threat modeling is a preventive security cycle. It works to defend against security incidents before they occur.

A more preventive approach to cybersecurity means saving time and costs for your business. Threat modeling, in particular, tends to deliver more value if executed consistently and repeatedly.

Using threat modeling to develop standard design patterns and requirements for your organization can significantly reduce risk. In addition, it will also reduce the variety and complexity of your security architecture, which can often lead to breaches.

While it is an investment up-front, threat modeling can reduce mitigation costs for your organization. That said, your chosen threat modeling method will ultimately determine how effectively you can identify and mitigate those threats.

To help your organization determine which threat modeling methodology is best for you, we’ve included a list of common threat modeling methods with more information about each. They can be used on their own or combined to create a more holistic view of potential threats to your cybersecurity.

What Are Examples of Threat Modeling Tools?

You can discover and address potential security threats to your software, data, or device with the help of a threat modeling tool. It typically starts during the product’s design phase, with many iterations to maintain security.

Here are five instances of threat modeling tools you may obtain online and conduct an in-depth study on.

1. Cairis

   A threat modeling program called Cairis was made available for free in 2012. It is among the complete open-source utilities on the market.

   • Platform: Web-based
   • Core capabilities: The utility essentially takes over when inputting the appropriate system data. It enables the creation of attacker personas. Personas are information about potential attackers, such as their objectives, available resources, and probable assault strategy. Cairis provides 12 various perspectives on your systems, one from a risk viewpoint and another from an architectural standpoint. The Cairis APIs make it simple to incorporate new workflows. It identifies attack patterns and enables you to explain the rationale behind each mitigation strategy using a data flow diagram.
   • Unique characteristics: You may specify the “environments” or settings in which each item is used. These might be temporal, social, or bodily. For instance, some factory processes could require more time during the day.
   • Usability: Cairis’s existing users say the system is easy to use. The system information entry is reportedly time-consuming, while the remainder of the program is smooth-running.
   • Customer service: Cairis offers extensive online documentation, demos, and video guides.
   • Pricing model: Cairis is a free and open-source utility.
   • Editorial remarks: Businesses with security expertise considering open-source choices may benefit the most from Cairis.

2. Microsoft Threat Modeling Tool (MTMT)

   One of the market’s oldest and most tried-and-true threat modeling products is Microsoft Threat Modeling Tool. The STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) approach is used by this open-source program.

   • Platform: The desktop application MTMT operates on the Windows operating system.
   • Core capabilities: This tool may create a threat model based on Data Flow Diagrams (DFDs) you can construct inside the app. Azure and Windows services are the main topics. You can list potential threats and consider the possible mitigation strategies for each hazard. The models’ reports may also be created and exported.
   • Unique characteristics: MTMT is the most sophisticated methodology. It is supported by thorough documentation and tutorials.
   • Usability: If your company wants to learn the fundamentals of threat modeling or is researching the subject, MTMT can be the best option. Regarding the currently available components, the DFD creation could be more sophisticated. Additionally, the way the mitigation information is presented needs to be clarified.
   • Customer service: This tool is ideal for research due to the abundance of online documentation and support forums.
   • Pricing: The Microsoft Threat Modeling Tool is a free source. Thus there is no cost associated with it.
   • Editorial remarks: MTMT is helpful for a company that wants to develop and comprehend its initial threat model for a simple application. Remember that it is a Windows-based program.

3. SDElements by Security Compass

   SDElements has been available on the market since 2011. It provides an easy transition from policy to practice.

   • Platform: SDElements is a web-based application.
   • Core capabilities: SDElements uses friendly surveys to gather system information, categorizes it based on vulnerabilities, and enables validation using integrated risk management test cases. The system becomes audit-ready and straightforward to monitor with robust reporting.
   • Unique characteristics: Its extensive integration with a range of testing tools is one of its USPs. The technology aids in the threat modeling process before, during, and after development, making it the world’s first Business Development Automation (BDA) platform (so the authors claim).
   • Usability: Users claim that the setup and integration into current systems included a substantial learning curve. But once this obstacle is overcome, they report no problems.
   • Customer service: To assist with configuration and deployment, SDElements provides security specialists.
   • Pricing: SDElements has a usage-based pricing approach considering the volume of apps used. Express, Professional, and Enterprise are the three available versions.
   • Editorial Remarks: SDElements by Security Compass is excellent for businesses searching for scalable, automated solutions.

4. Foreseeti’s SecuriCAD

   A threat modeling tool called SecuriCAD generates attack simulations based on the design of apps. It comes in Community, Professional, and Enterprise versions.

   • Platform: SecuriCAD is one of the few desktop-based options available, although the Enterprise edition may be locally or in the cloud.
   • Core capabilities: SecuriCAD is an entirely automated tool that lets you build application models and simulate repeating attacks on any component. Based on the present design, it also provides reports of the most likely attack vectors, weaknesses, proposed countermeasures, and risk exposure. It also contains a crucial attack path visualization that demonstrates where security measures may be put in place to obstruct the path.
   • Unique characteristics: SecuriCAD has distinctive features, including assault simulations. For instance, SecuriCAD can estimate how long it would take an experienced attacker persona to exploit a weakness in your system. This gives the danger ranking additional procedure significance.
   • Usability: SecuriCAD has an intuitive and fluid user interface.
   • Customer service: SecuriCAD’s Community version offers an online learning environment. Foresee provides maintenance, training, and consulting services for the Enterprise edition.
   • Pricing: Edition, model size, and the number of simulations are factors in the pricing structure. It begins at $1,380. The Community edition is free.
   • Editorial remarks: The best threat modeling tool for businesses with somewhat complicated IT infrastructure is SecuriCAD by Foresee. Some current clients are defense forces, airports, and financial organizations.

5. Tutamantic

   The goal of Tutamantic is to develop a dynamic threat model.

   • Platform: Tutamantic is a SaaS product.
   • Core capabilities: With diagrams made in diagramming.net, Visio, and Lucidcharts, Tutamantic strives to give its threat modeling users a simple experience. Standard taxonomies used by Tutamantic include STRIDE, CWE, and CAPEC. Tutamantic provides several reports for various parties. In addition to information, raw data is offered as downloadable JSON, and CSV reports. Users are now able to experiment with metadata.
   • Unique characteristics: Rapid Threat Model Prototyping, accomplished with a consistent framework, repeatable procedure, and quantifiable data, is one of this tool’s distinctive advantages.
   • Usability: Tutamantic is currently online and has MVP status.
   • Customer service: Tutamantic Team offers the possibility of an ongoing feedback loop.
   • Pricing: Tutamantic’s beta version is available for free to all users.
   • Editorial remarks: Before switching to a more complicated tool, start-ups should experiment and learn about the threat modeling process. Users are now able to test with metadata.

Common Threat Modeling Methods

The threat modeling method you choose will depend on your organization’s specific needs. That said, the process is fundamentally the same for each. Threat modeling typically involves the following steps:

1. Identify all assets and vulnerabilities or weaknesses in your networks, devices, or IT infrastructure. Typically this step involves a vulnerability scan and a vulnerability assessment.
2. Create a list of threats to your assets based on the vulnerabilities and weaknesses you find. Consider your existing countermeasures and safeguards. Use generic and specific knowledge about hazards and actors to inform your decisions.
3. For each threat, outline all mitigation steps. This could also include security control implementations.
4. Prioritize risks based on the harm they might bring to your organization and the criticality level of your assets or applications that would be affected by a cyberattack.

When determining threats, there is no definitive list you can take as gospel. It’s up to your team to decide which threats are the highest risk within the context of your organization. It would help if you considered any hazards unique to your industry, geographical area, and so forth.

Developing a threat catalog specific to your organization will accelerate your ability to identify threats in the future and build consistency in your threat modeling methodology. Still, coming up with threats is an exercise that requires a lot of brainstorming. To help get the ideas flowing, you can always reference threat lists like the OWASP Top 10 or HiTrust Threat Catalog.

You can also use a threat modeling methodology. Here are some of the most common threat modeling methods and how you can apply them to help identify threats to your organization’s security:

STRIDE

STRIDE is a mnemonic device developed by Microsoft that stands for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

It’s currently the most mature threat modeling method, and it’s generally successful when applied to both cyber-only and cyber-physical systems.

STRIDE evaluates the system detail design, and models the in-place system. It’s used to identify system entities, events, and the boundaries of the system by building data-flow diagrams (DFDs), and it applies a general set of known threats based on its name.

Threat	Property Violated	Threat Definition
Spoofing identity	Authentication	Pretending to be something or someone other than yourself.
Tampering with data	Integrity	Modifying something on disk, network, memory, or elsewhere.
Repudiation	Non-repudiation	Claiming that you didn’t do something or were not responsible; can be honest or false.
Information disclosure	Confidentiality	Providing information to someone not authorized to access it.
Denial of service	Availability	Exhausting resources needed to provide service.
Elevation of privilege	Authorization	Allowing someone to do something they are not allowed to do.

Although Microsoft no longer maintains STRIDE, it’s still implemented as part of the Microsoft Security Development Lifecycle (SDL) with the Threat Modeling Tool, which is still available. More recently, Microsoft also developed a similar threat modeling method called DREAD (Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability) with a different approach to assessing threats.

PASTA

The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling framework developed in 2012. It aims to bring business objectives and technical requirements together, and uses a variety of design and elicitation tools in different stages.

1. Define Objectives	Identify business objectives. Identify security and compliance requirements. Business Impact Analysis (BIA).
2. Define Technical Scope	Capture the boundaries of the technical environment. Capture infrastructure, application, and software dependencies.
3. Application Decomposition	Identify use cases, define application entry points and trust levels. Identify actors, assets, services, roles, and data sources. Data-flow diagrams (DFDs) and trust boundaries.
4. Threat Analysis	Probabilistic attack scenarios analysis. Regression analysis on security events. Threat intelligence correlation and analytics.
5. Vulnerability & Weakness Analysis	Queries of existing vulnerability reports and issues tracking. Threats to existing vulnerabilities mapping using threat trees. Design flaw analysis using use and abuse cases. Scoring (CVSS/CWSS) and enumeration (CWE/CVE).
6. Attack Modeling	Attack surface analysis. Attack tree development and attack library management. Attack to vulnerability and exploit analysis using attack trees.
7. Risk & Impact Analysis	Qualify and quantify business impact. Countermeasure identification and residual risk analysis. ID risk mitigation strategies.

This method elevates the threat modeling process to a more strategic level by involving key decision-makers and requiring security input from operations, governance, architecture, and development. It employs an attacker-centric perspective that produces an asset-centric output built around threat enumeration and scoring.

CVSS

The Common Vulnerability Scoring System (CVSS) captures a vulnerability’s principal characteristics and produces a numerical severity score. CVSS was created by the National Institute of Standards and Technology (NIST) and is maintained by the Forum of Incident Response and Security Teams (FIRST) with support and contributions from the CVSS Special Interest Group.

This method is often combined with other threat modeling methods, including attack trees. It provides users with a standardized scoring system that can be applied to various cyber and cyber-physical platforms. To calculate a CVSS score, you can use an online calculator.

The CVSS consists of three metric groups: base, temporal, and environmental. Each group includes a set of metrics for each. A CVSS score is derived from the values assigned by an analyst for each metric, and it should explain the metrics in detail within the documentation.

Attack Trees

Attack trees are one of the oldest and most widely applied methods to model threats for cyber-only systems, cyber-physical systems, and purely physical systems. Initially, attack trees were used as a stand-alone method but have since been combined with other methods and frameworks such as STRIDE, PASTA, and CVSS.

An attack tree is a diagram that depicts attacks on a system in tree form; the root is the goal for the attack, and the leaves are ways to achieve that goal. It would be best if you created a different tree for each purpose, ending up with a set of attack trees representing your system threat analysis.

Trike

The trike was developed as a security audit framework using threat modeling from a risk-management and defensive perspective.

The method begins with an analyst defining a system — building a requirement model based on an understanding and enumeration of the system’s actors, assets, intended actions, and rules. This step should create an actor-asset-action matrix with columns representing assets and rows representing actors.

Each cell of the matrix should be divided into four parts, one for each CRUD action (Creating, Reading, Updating, and Deleting). An analyst will then assign one of three values: allowed action, disallowed action, or action with rules. You should then attack a rule tree for each cell.

After requirements are defined, you should build a Data Flow Diagram (DFD) where each element is mapped to a selection of actors and assets. The analyst should then identify threats, which will fall into two categories: elevations of privilege or denials of service. Each threat then becomes a root in an attack tree.

Trike uses a five-point scale for each action to assess the risk of attacks that might affect assets through CRUD and is based on probability. Using the scale, actors are rated based on the risks they are assumed to present. In this case, a lower number equals higher risk, and actors are evaluated on a three-dimensional scale for each action they may perform on each asset (always, sometimes, never).

How to Choose a Threat Model Method

First, consider which areas you want to target: risk, security, or privacy. It would help if you also consider how long you have to perform threat modeling and how much experience you have.

Choosing which threat modeling method to use will depend on what you are trying to accomplish. Whichever way you choose, it’s essential to maintain a risk-based perspective to create a balanced approach. To reach this balance, you need to consider both the likelihood and impact of risks appropriately.

While too much emphasis on the “let’s build it and ship it” mindset has the potential to lead to high costs and delays later on in the process, the other extreme of “let’s mitigate every conceivable threat” can lead to shipping late (or never) and your customers moving on without you.

Rather than revisit threat models for product features already live, it would help if you aimed to threat-model any new features you are working on now and improve the security properties of the code you ship next. Then, for each component, you send it after that. Make adjustments, iterate, and improve.

To embrace the healthy tension between shipping a feature and mitigating threats, you should consider using governance, risk, and compliance (GRC) software.

Manage Risk With ZenGRC

Covering all the risk management steps on your own is a big challenge. Taking the initiative with your risk management strategies, however, starts with finding the right tools to help.

ZenGRC is a software-as-a-service (SaaS) solution that can help you create a thorough risk management plan, whether working with a reactive or proactive approach.

With ZenGRC, a team of cybersecurity professionals always looks out for your organization and its assets to ensure you get the best protection against security breaches and cyberattacks. Its intuitive, easy-to-understand platform keeps track of your workflow and lets you find areas of high risk before it has become a real threat.

User-friendly dashboards show you at a glance which risks need mitigating and how to do it; they allow you to track workflows and will enable you to collect and store the documents you’ll need come audit time.

For more information on how ZenGRC can help your organization mitigate cyber risks and threats using threat modeling methodologies, schedule a demo!

That’s worry-free risk management — the ZenGRC way!