Threat Modelling: What It Is and Why It Matters
This blog was originally published by Contino here.
Written by Marcus Maxwell, Contino.
Identifying the security threats that your systems face is one step towards mitigating potential vulnerabilities as part of a wider risk management strategy. But on its own, awareness of threats is not enough to protect against attack.
IT teams and security engineers must go further by leveraging threat modelling, which allows them to assess and defend against the various threats they face in a systematic and proactive way.
Keep reading for an explanation of what threat modelling means, how it works, leading threat modelling frameworks and tools and best practices for getting the most out of threat modelling.
What is a ‘Threat’?
A Threat is an actor or group of actors, also known as Threat Actors, who perceive there to be value in compromising a solution. Different Threat Actors will have varying levels of motivation and skill with which to exploit a vulnerability.
The exploitability of a vulnerability will depend upon aspects such as: knowledge of existence, level of access required and any mitigations which have been put in place.
For discussion purposes we will assume the following key Threat Actors:
- Advanced Persistent Threats (APTs) - Highly capable, highly motivated, high capacity. Includes directly state-sponsored groups and indirectly nation-sponsored ones, e.g. some OCGs.
- Organised Crime Groups (OCGs) - Varying capability, varying motivation, limited capacity. Non-state-sponsored groups.
- Motivated External Individuals - Varying capability, varying motivation, limited capacity. Varying sponsorship.
- Internal Threats - People who have direct access to the design, implementation, operation or usage of the solution.
What Is Threat Modelling?
Threat modelling is an engineering and risk-based approach to identifying, evaluating and managing security threats, with the aim of developing and deploying better software and IT systems in line with an organization's security and risk objectives. It can be broken down into several distinct stages:
- Threat identification: Teams start threat modelling by asking themselves which threats their systems are potentially vulnerable to.
- Threat assessment: After identifying threats, teams evaluate each one to determine how likely they are to turn into real attacks, as well as what the impact of such an attack would be.
- Mitigation planning: Once threats are fully evaluated, the organization determines which steps it can take to prevent each threat from turning into a successful attack.
- Mitigation implementation: Mitigation strategies can then be put into place to provide an active defence against the threats.
- Feedback and improvement: The final step is to determine how well the overall threat modelling process worked, then take steps to improve it. If the team failed to anticipate certain types of threats that led to attacks, or didn’t implement the proper threat mitigation measures, these shortcomings can be addressed.
By following these steps, teams can take a systematic, highly structured approach to identifying threats as part of their software development lifecycle. They also gain the ability to respond proactively to threats that may impact their systems, rather than waiting for a live attack to begin planning a response.
Threat modelling can be applied to any type of IT resource. You can perform threat modelling on applications, servers, on-premises environments, public cloud and so on.
Threat modelling can also be used to help manage any type of threat. From DDoS and ransomware attacks to insider threats and accidental data leakage, threat modelling techniques are an effective way to get ahead of risks before they lead to an active security event.
That said, threat modelling techniques may vary depending on which type of resource and threats you are focusing on. For example, threat management strategies that work for on-prem environments differ in certain important ways from those for public cloud, because of the shared responsibility model operated by the cloud service providers, and so require a different mitigation strategy.
Why Threat Modelling?
By enabling a systematic, structured response to security threats, threat modelling provides a range of benefits.
Some threats are more serious than others. For example, a threat against a dev/test environment may not be as critical as one that could impact a production system. Evaluating the potential severity of each threat helps teams determine which ones to prioritize during mitigation.
As noted above, threat modelling allows businesses to take a proactive approach to threat management. Instead of waiting for an attack to occur and only then responding, they can stay one step ahead of attackers.
Identifying New Types of Threats
The threat landscape changes constantly as attackers discover new vulnerabilities and invent new exploit techniques. By allowing teams to take a step back and assess existing threats which could impact them, threat modelling helps businesses stay ahead of emerging threats which they might otherwise not plan for.
Improved Security Posture
Sometimes the best way to mitigate a threat is to make a change to your system design. For example, maybe you have a public-facing resource that could be moved behind a firewall to mitigate a network-based security risk. In these cases, threat modelling helps businesses take steps to harden their fundamental security posture and reduce their attack surface.
More Efficient Use of Resources
Resources available for IT security are always finite. By enabling a systematic approach to threat management, threat modelling helps businesses derive the most protection from the resources they have in place.
Threat modelling makes it easier for teams to communicate about threats in a consistent, centralized way. Rather than focusing only on threats that could impact the particular system they manage, each team of engineers and developers can share threat assessment information and insights across the organization, and work collectively to mitigate them.
Demonstrated Commitment to Security
The simple act of performing threat modelling helps demonstrate that the business takes security seriously. This can be important for auditing and compliance purposes, especially in cases where compliance mandates include rules requiring businesses to take reasonable measures to protect sensitive data and applications.
5 Threat Modelling Best Practices
The most efficient and effective threat modelling strategies are rooted in several core best practices.
Collaborate with Other Teams
In many businesses, IT organizations are divided into disparate teams, each of which manages its own systems and resources.
Instead of leaving each team to create its own threat models and mitigate threats as needed, strive to collaborate across the organization on threat modelling. It’s very likely that at least some of the threats that one team faces also impact other teams. Collaborating on threat modelling enables more efficient use of resources, while also allowing teams to share insights that may lead to more effective threat mitigation.
Assess Threats Collectively
It’s also often the case that a threat against one resource could lead to an indirect threat against a secondary resource. For example, a threat against an application could also jeopardize data accessed by the application in the event that attackers compromise the app.
For this reason, it’s important to assess threats collectively, rather than in isolation. Evaluate the potential severity of each threat based not just on the primary resources it threatens, but on the total damage it could cause to the business.
Likewise, take steps to mitigate threats at multiple levels. If a threat to application security creates an indirect threat to data security, for example, you can take steps within both your application and your data to help mitigate the threat. You could require two-factor authentication on the app to reduce the risk of a breach, while also implementing off-site backups of the data so that you’ll have a clean copy in the event that an application breach allows attackers to access the data and hold it for ransom.
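One way to make "assess collectively" concrete is to model resources as a dependency graph and let a threat against one resource propagate along the edges to the resources it can reach. The following Python is an added example, not code from the original post: it walks from the directly threatened resource, sums the impact of everything reachable, and then compares layered mitigations by the residual blast radius they leave. The topology, impact values and mitigation options are constructed for illustration.

```python
"""Collective threat assessment over a resource dependency graph.

Added example, not the post's own code. The resources, edges, impact values
and mitigation options are constructed for illustration.
"""
from collections import deque

# Directed edges: compromise of the key can reach the listed resources.
# Constructed topology: the web app reads the orders DB and writes reports;
# the orders DB is backed up.
DEPENDS = {
    "web app": ["orders db", "reports bucket"],
    "orders db": ["backups"],
    "reports bucket": [],
    "backups": [],
}

# Impact (1..5) of each resource being compromised on its own.
IMPACT = {"web app": 2, "orders db": 5, "reports bucket": 3, "backups": 4}


def reachable(start: str, graph: dict, blocked=frozenset()) -> list:
    """Breadth-first walk from the directly threatened resource.

    `blocked` holds (source, target) edges a mitigation has cut, e.g.
    ("orders db", "backups") once backups live off-site under separate
    credentials. Returns resources in discovery order, start excluded.
    """
    seen, order, queue = {start}, [], deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if (node, nxt) in blocked or nxt in seen:
                continue
            seen.add(nxt)
            order.append(nxt)
            queue.append(nxt)
    return order


def total_damage(start: str, graph=DEPENDS, impact=IMPACT, blocked=frozenset()) -> dict:
    """Severity of a threat against `start`, counting indirect victims too."""
    indirect = reachable(start, graph, blocked)
    return {
        "direct": impact[start],
        "indirect": {r: impact[r] for r in indirect},
        "total": impact[start] + sum(impact[r] for r in indirect),
    }


def compare_mitigations(start: str, options: dict) -> dict:
    """Score each mitigation option by the residual total damage it leaves.

    `options` maps a label to the set of edges that option severs. A control
    such as MFA on the app lowers likelihood but cuts no edge, so it does
    not change this number; blast-radius controls do.
    """
    return {label: total_damage(start, blocked=edges)["total"]
            for label, edges in options.items()}


if __name__ == "__main__":
    print(total_damage("web app"))
    options = {
        "no blast-radius control": set(),
        "isolated off-site backups": {("orders db", "backups")},
        "isolated backups + bucket write via separate role": {
            ("orders db", "backups"), ("web app", "reports bucket")},
    }
    for label, residual in compare_mitigations("web app", options).items():
        print(f"{residual:>2}  {label}")
```

Scored this way, a low-impact resource such as the web app (2 on its own) carries a total of 14 because of what it can reach, which is exactly the case the post describes: the application threat is really a data threat.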
Think Comprehensively about Threats
It may be tempting to focus threat modelling on threats associated with recent high-profile attacks, or those that your business has faced in the past. But the best threat modelling strategy is one that involves identification of each and every threat that could impact the business, regardless of how newsworthy it is or whether it has ever translated into a live attack in the past.
When identifying threats, look not only at cybersecurity blogs for coverage of recent breaches, but also at threat databases and threat intelligence reports that provide insight into types of threats your team may not otherwise consider.
Perform Threat Modelling Early in the Development Lifecycle
The best time to create threat models is at the start of a project or application development sprint. At that point, it’s relatively easy to build resistance to the threat into your system.
If you wait until you’ve already written your code or (worse) until it has been deployed into production, you’ll likely find that it is much more difficult to implement the best threat mitigations. Doing so may require changes to your code, which means you’ll have to rebuild, retest and redeploy -- a (potentially) time-consuming and inefficient process.
Think Beyond Apps
When performing threat modelling, it can be easy to focus only on applications, rather than the broader environment in which they exist. After all, applications are usually at the center of your user experience; everything else is just a backdrop.
But when it comes to security, a threat at any layer of your environment and any stage of your development lifecycle could turn into a breach. That’s why you should think not just about your applications, but also about threats to the servers or cloud infrastructure that hosts them. If you deploy applications in containers, you’ll have to factor in threats to container registries, container images and container orchestration tools as well. And don’t forget threats that could impact data, such as improperly configured IAM roles that could expose your cloud storage buckets to the public.
Threat Modelling Methodologies
A variety of methodologies are available to help teams structure their threat modelling processes:
- Attack trees: With this approach, you model your threats as sets of paths (or trees) that identify which resources would be impacted by an attack associated with each threat. Attack trees are useful when you have a large, highly interdependent set of resources and you want to know which direct and indirect threats impact each one.
- Security cards: The security cards technique takes an open-ended approach to threat modelling. It’s based on a set of 42 cards that ask questions about the threats an organization faces. By working through the cards, teams think through the threats that they face, as well as strategies for mitigating them.
- PASTA: Short for Process for Attack Simulation and Threat Analysis, the PASTA technique focuses on helping teams assess threats in terms of business priorities. It starts with identification of business objectives and the technical resources required to support them. Then, teams determine which threats could impact those resources -- and, by extension, they find threats that could compromise business priorities.
- STRIDE: STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Privilege Escalation. Each of these terms refers to a different category of threat, broadly defined. The core concept behind the STRIDE methodology is to divide threats up by type, then respond to each threat based on the category it falls under.
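STRIDE is usually applied per element of a data-flow diagram, with each element type attracting only the categories that make sense for it. The following Python is an added example, not code from the original post or from any of the tools it names: it encodes the commonly used STRIDE-per-element table (external entities get S and R; processes get all six; data stores get T, R, I, D; data flows get T, I, D), enumerates the resulting threats for a small constructed diagram, drops Information Disclosure on flows that are already encrypted, and puts flows that cross a trust boundary first. The diagram, boundaries and flow names are constructed for illustration; the category the post calls Privilege Escalation is listed under its usual STRIDE name, Elevation of Privilege.

```python
"""STRIDE-per-element applied to a small data-flow diagram.

Added example, not the post's or any tool's code. The element-to-category
table is the commonly used STRIDE-per-element mapping; the diagram
(elements, flows, trust boundaries) is constructed.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",   # the post calls this Privilege Escalation
}

# Which STRIDE categories apply to each DFD element type.
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # external | process | store
    boundary: str    # trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    encrypted: bool = False


def applicable(kind: str) -> list:
    """Expand the per-element letters into category names."""
    if kind not in PER_ELEMENT:
        raise ValueError(f"unknown element kind {kind!r}")
    return [STRIDE[c] for c in PER_ELEMENT[kind]]


def enumerate_threats(elements: list, flows: list) -> list:
    """Return (target, category, crosses_boundary) for every element and flow.

    A flow crossing a trust boundary is flagged so it can be prioritised;
    an encrypted flow has its Information Disclosure entry dropped as
    already mitigated.
    """
    by_name = {e.name: e for e in elements}
    findings = []
    for e in elements:
        for cat in applicable(e.kind):
            findings.append((e.name, cat, False))
    for f in flows:
        crosses = by_name[f.src].boundary != by_name[f.dst].boundary
        for cat in applicable("flow"):
            if f.encrypted and cat == "Information Disclosure":
                continue
            findings.append((f.name, cat, crosses))
    return findings


def prioritised(findings: list) -> list:
    """Boundary-crossing findings first, then by target and category."""
    return sorted(findings, key=lambda x: (not x[2], x[0], x[1]))


# Constructed diagram: browser (internet) -> API (dmz) -> orders DB (internal).
ELEMENTS = [
    Element("browser", "external", "internet"),
    Element("api", "process", "dmz"),
    Element("orders-db", "store", "internal"),
]
FLOWS = [
    Flow("login request", "browser", "api", encrypted=True),
    Flow("sql query", "api", "orders-db", encrypted=False),
]

if __name__ == "__main__":
    for target, cat, crosses in prioritised(enumerate_threats(ELEMENTS, FLOWS)):
        print(f"{'!' if crosses else ' '} {target:<14} {cat}")
```

The output is a checklist rather than a verdict: each line is a question to answer ("how is tampering with the SQL query prevented?") and a place to record the control or the accepted risk.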
Threat Modelling Tools
Threat modelling tools integrate a set of core features for finding, analyzing and mitigating threats within a single platform. Key features to expect in a threat modelling tool include:
- Threat intelligence data: Threat intelligence is information about known threats. It’s typically collected from major vulnerability databases, such as the NIST National Vulnerability Database and MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC).
- Threat visualizations: Most threat modelling tools offer visualization features, such as diagrams that map threats to different parts of your IT environment, to help teams analyze threats.
- Threat monitoring: Monitoring features, such as a dashboard, allow teams to track threats that they have identified and validate that the threats were effectively mitigated.
- Reporting: By generating reports about threats, organizations can track their threat identification and mitigation effectiveness.
A number of software vendors offer tools with features designed to help teams perform threat modelling. Microsoft Threat Modeling Tool, a downloadable Windows desktop app, is one popular option. ThreatModeler is a similar threat modelling platform that is web-based. OWASP's Threat Dragon and pytm are widely used open source threat modelling tools.
Threat Modelling Use Cases
To understand how to put threat modelling into practice, it’s helpful to walk through a few common use cases or examples of threat modelling in action.
Cloud Threat Modelling
When you move workloads from on-prem into the cloud, the threats you face can change substantially. Issues related to lack of physical security largely disappear, and new threats like insecure IAM configurations arise.
Teams can use threat modelling for the cloud to help identify and manage the risks that impact workloads during and after cloud migration. In this way, cloud threat modelling allows them to anticipate risks that they may not otherwise address if they stick to the same security strategy that they used on-prem.
Network Threat Modelling
Network-borne threats can vary tremendously in scope and form depending on how networks are configured and how much exposure they have to the public internet. The use of cloud services like virtual networks adds another layer of complexity to network threats.
Threat modelling that focuses on the network provides a way of assessing and managing these threats. It can also help teams understand the inherent security strengths and weaknesses of their network architecture, and take steps to improve.
Threat Modelling for Containers
Moving workloads from virtual machines to containers also presents new threats, such as the potential for malware to sneak into container images or insecure container registry access controls. Modelling these threats allows teams to identify, understand and take steps to mitigate the specialized threats that can impact containerized environments.
In short, threat modelling allows businesses to keep ahead of security risks, no matter which form the risks take or which types of resources they address. While threat modelling requires some upfront investment of time, it pays enormous dividends when it allows teams to respond proactively to threats that, if left unchecked, could lead to costly attacks.