Most security protocols are reactive - threats are isolated and patched after they've been injected into a system. Threat modelling, on the other hand, is a proactive approach to cybersecurity, whereby potential threats are identified and anticipated. This allows targeted prevention methods to be preemptively deployed to maximize the chances of mitigating data breaches.
The threat modelling process typically consists of four steps - identify assets, identify threats, analyse vulnerabilities, and create countermeasures or safeguards to protect against identified risks.
In this post, we'll discuss different threat modeling frameworks to help you establish a confident first line of defense in protecting networks, applications, and data from threats.
What is the Difference Between Threat Modelling and Threat Analysis?
Threat modeling is a process of predicting all potential threats to an organization's ecosystem and the vulnerabilities at risk of being exploited by them. Threat analysis, however, focuses on how an attacker could exploit vulnerabilities in order to gain access to resources or sensitive data.
The two processes have overlapping approaches that work together to achieve the same threat mitigation goal.
Threat modeling is heavily dependent on metrics such as mean time between failure (MTBF) when calculating vulnerability severity, whereas threat analysis will take into account factors such as attack vector complexity when assessing the likelihood of exploitation.
A more concise summary of the difference: Threat Modelling is more theoretical in nature, while Threat Analysis requires a technical understanding.
How Can You Identify Threats Through Threat Modelling?
By modeling cyber threats within different attack scenarios, we're able to clearly understand the behavior of each potential adversary, which leads to an identification of all the different threats linked to them.
This reverse engineering identification process will become clearer as we discuss the different Threat Modelling frameworks further along in this post.
What are the Benefits Of Threat Modelling?
The primary benefit of Threat Modeling is that it helps organizations paint a clear picture of all the cyber threats that could cripple their security. Not only does this help security teams optimize their cyber defenses, but this foresight could make your security posture appealing to potential customers should they request proof of due diligence.
Because Threat Modelling can be conducted at any point of the software development process, it could help identify overlooked security loopholes in the codebase that could be remediated with improved security coding practices.
The Threat Modelling Process
The Threat Modelling process consists of the following objectives:
1. Asset Identification
All assets within the ecosystem that could potentially be targeted should be identified. This process has become increasingly complicated with the recent global acceleration of digital transformation. With the majority of vendor collaborations now occurring in the cloud, the boundaries between assets are blurred.
2. Threat Identification
Before threats can be identified, all vulnerabilities in the ecosystem need to be known. This will then identify the particular threats capable of exploiting them.
For a list of vulnerabilities your organization could be impacted by, reference the Open Web Application Security Project (OWASP) top 10 list. This list outlines the 10 most prevalent web application vulnerabilities each year.
This list is a great starting point when performing threat modeling for web applications. It outlines the most common vulnerabilities in web applications, and due to its popularity, it's usually the first stage of reconnaissance by cybercriminals looking for potential attack vectors.
The most efficient method of identifying all vulnerabilities is through an attack surface monitoring solution such as UpGuard.
UpGuard can instantly identify all vulnerabilities located internally and throughout the third-party network from one clean interface.
Once all vulnerabilities are identified they can be compared to the behaviours of common cyber threats to identify potential risk.
Common types of threats
The spectrum of possible threat actors is vast. Here is a list of questions that will help surface potential threat actors across common categories:
Threat Category: Internal Threats
- Can your infrastructure be accessed by unauthorized internal users?
- If the infrastructure is deployed in a SoftLayer account, can an administrator of one solution bring down another environment?
Threat Category: External Threats
- Is it possible for a customer to pretend to be another customer?
- Can your infrastructure be accessed by unauthorized external users?
- Are end-user credentials being compromised?
- Can users escalate their privileges?
- In the event that a privileged user turns rogue, is there anything in place to discover and disarm them?
Threat Category: Application Hosting
- Can your VPN be penetrated?
- Are there any data leaks linked to your application on the dark web?
- Can your sensitive data be accessed by your hosting provider?
- Are there risks of data or IP loss?
- Is there any risk of unsecured ports or services?
Threat Category: Data Access
- Is there a risk of your UI being exploited to access customer data?
- Is there a risk of a vendor with access to your sensitive data being breached?
- Are there any unencrypted data flows?
- Can a production user modify code?
3. Vulnerability Analysis
This involves a thorough investigation into each specific vulnerability so that the most effective remediation efforts can be designed.
This process becomes complicated when vulnerabilities are detected in the vendor network. In these situations, a third-party risk assessment can be sent to the impacted vendor to request further details about the exposure.
4. Threat Countermeasure Design
With all vulnerabilities identified, along with the threats that could exploit them, highly targeted defenses can be implemented.
An attack surface monitoring solution will provide remediation suggestions, as well as a team of cybersecurity experts that can implement them on your behalf. This is the most efficient method of threat mitigation as it can be readily scaled without exhausting internal resources.
What are Some Popular Threat Modeling Techniques?
Threat modelling techniques map the flow of data within your network and the different stages of a prospective cyber attack. The most popular Threat Modelling techniques are Data Flow Diagrams and Attack Trees.
Data Flow Diagrams (DFD)
A data flow diagram is a schematic that illustrates the flow of data through an organization's network. In the example below, the dashed lines indicate trust boundaries. A trust boundary is the point at which one entity trusts another entity to carry out an action on its behalf, without any verification of what happens after that point.
Data Flow Diagrams may not represent all of the information useful for security teams. For a more comprehensive, and therefore relevant, analysis, a Process Flow Diagram should also be created.
Attack Trees
Attack trees simplify the identification of potential threats. They break down the different stages of an attack starting from the primary malicious objective.
Here's an example of an attack tree.
As an attack tree is constructed, the specific conditions required for a successful cyberattack will become clear.
10 Threat Modelling Methodologies
There are various threat modelling frameworks, each with its own benefits and limitations. Some frameworks are more appropriate for certain use-cases than others. The list below outlines the key differences between each use case to help you make an informed decision about what's best for your security needs.
1. STRIDE
The STRIDE methodology was originally developed by Microsoft, making it the oldest methodology in this list. It outlines all potential threats within a system and the specific properties being violated.
The STRIDE methodology is used as a framework in Microsoft's Threat Modelling Tool.
The term STRIDE is a mnemonic for the different tenets of the methodology:
S - Spoofing: When a threat assumes a false identity. This violates the authentication property.
T - Tampering: The modification of system data to achieve malicious goals. This violates the Integrity property.
R - Repudiation: An intruder's ability to deny malicious activity in the absence of sufficient proof. This violates the non-repudiation property.
I - Information Disclosure: The exposure of information an intruder is not authorized to access. This violates the confidentiality property.
D - Denial of Service: An adversary exhausts system resources through malicious means. This violates the availability property.
E - Elevation of Privilege: The execution of commands beyond the jurisdiction of account privileges. This violates the authorization property.
The STRIDE methodology is limited in certain cases by its generality. For more prescriptive guidance on element and trust boundary exposures, Microsoft developed higher dimension variations of STRIDE, known as STRIDE-per-element and STRIDE-per-interaction respectively.
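A sketch of STRIDE-per-element applied to a small data flow diagram, added here as an illustration (it is not code from Microsoft's Threat Modelling Tool). The element-type chart is the widely published STRIDE-per-element mapping, and the DFD, zone names and function names are constructed for the example.

```python
from dataclasses import dataclass

# Widely published STRIDE-per-element chart (assumed here, not from the page):
# the STRIDE letters that apply to each type of DFD element.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}
# Letter -> (threat, violated property), as listed in the article.
STRIDE = {"S": ("Spoofing", "authentication"),
          "T": ("Tampering", "integrity"),
          "R": ("Repudiation", "non-repudiation"),
          "I": ("Information Disclosure", "confidentiality"),
          "D": ("Denial of Service", "availability"),
          "E": ("Elevation of Privilege", "authorization")}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # a key of APPLICABLE
    zone: str = ""   # trust zone (unused for data flows)
    src: str = ""    # data flows only: source element
    dst: str = ""    # data flows only: destination element

def crosses_boundary(flow, by_name):
    """A flow crosses a trust boundary when its endpoints are in different zones."""
    return by_name[flow.src].zone != by_name[flow.dst].zone

def enumerate_threats(elements):
    """Rows of (element, threat, property, crosses_boundary), boundary flows first."""
    by_name = {e.name: e for e in elements}
    rows = []
    for e in elements:
        boundary = e.kind == "data_flow" and crosses_boundary(e, by_name)
        rows += [(e.name, *STRIDE[c], boundary) for c in APPLICABLE[e.kind]]
    return sorted(rows, key=lambda r: not r[3])  # stable sort keeps DFD order

# Constructed sample DFD: customer -> web app -> orders database, plus a local log.
DFD = [
    Element("customer", "external_entity", "internet"),
    Element("web_app", "process", "dmz"),
    Element("app_log", "data_store", "dmz"),
    Element("orders_db", "data_store", "internal"),
    Element("login_request", "data_flow", src="customer", dst="web_app"),
    Element("audit_write", "data_flow", src="web_app", dst="app_log"),
    Element("order_query", "data_flow", src="web_app", dst="orders_db"),
]

if __name__ == "__main__":
    for row in enumerate_threats(DFD):
        print(row)
```

Flows whose endpoints sit in different zones are listed first, since those are the points where one side acts on input it has not verified.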
2. PASTA
The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric methodology consisting of seven steps. The process offers dynamic threat enumeration and assigns each threat a score.
The PASTA methodology opens threat modelling to the strategic input of stakeholders. It's very effective at identifying commonly overlooked exploitation scenarios because it creates an attacker-centric view that produces asset-centric outputs.
3. Trike
Trike is a security auditing framework that turns a threat model into a risk management tool. A Trike audit begins by creating a matrix summarizing the relationships between actors, actions, and assets.
The columns of this matrix represent system assets and the rows represent actors. Each element of the matrix is divided into four parts representing the actions of CRUD:
Each of these sections is assigned one of the following values:
- Action with rules
Each element of this matrix is then mapped to actors and assets with a Data Flow Diagram (DFD) to identify any threats. An attack tree is then created with all discovered threats becoming root nodes.
The goal is to assign each actor a score based on level of risk (0 = no risk and 5 = maximum risk) for each action, or asset interaction. Each action should be assigned a permission rating (always, sometimes, or never).
4. VAST
The Visual, Agile, and Simple Threat (VAST) model is a security method that assumes the attacker has an unlimited number of ways to attack. It was developed by Bruce Schneier, a well-known American cryptographer.
The VAST model allows security teams to assess risk from two different perspectives - architectural and operational.
Architectural threat models are represented through process-flow diagrams and operational threat models are represented through Data Flow Diagrams.
5. Attack Trees
An attack tree starts with a root node that denotes an attacker's primary objective, with child nodes branching off it. Each child node represents a condition that makes the parent node a possibility. These child nodes can further branch out into "AND" and "OR" conditions.
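The AND/OR structure described above can be evaluated mechanically to list the condition sets that make the root possible and to check which countermeasures actually block it. This is an added example, not part of the original article; the tree, its leaf wording and the function names are constructed for illustration.

```python
from itertools import product

def leaf(condition): return ("LEAF", condition)
def AND(*children): return ("AND", children)
def OR(*children): return ("OR", children)

def scenarios(node):
    """Minimal sets of leaf conditions that together make this node possible."""
    kind, body = node
    if kind == "LEAF":
        return {frozenset([body])}
    child_sets = [scenarios(child) for child in body]
    if kind == "OR":    # any one child is enough
        found = set().union(*child_sets)
    else:               # AND: take one scenario from every child and merge them
        found = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in found if not any(other < s for other in found)}

def achievable(node, mitigated=()):
    """True if at least one scenario contains no mitigated condition."""
    blocked = set(mitigated)
    return any(not (s & blocked) for s in scenarios(node))

def coverage(node):
    """How many scenarios each condition appears in (higher = better first fix)."""
    counts = {}
    for s in scenarios(node):
        for condition in s:
            counts[condition] = counts.get(condition, 0) + 1
    return counts

# Constructed tree; leaf wording borrows from the article's threat questions.
CREDS, NO_MFA, RECOVERY = ("end-user credentials compromised",
                           "MFA not enforced", "account recovery skips MFA")
PLAINTEXT, ON_PATH = "unencrypted data flow", "attacker on network path"
GOAL = OR(  # root: customer data read by an unauthorized party
    AND(leaf(CREDS), OR(leaf(NO_MFA), leaf(RECOVERY))),
    AND(leaf(PLAINTEXT), leaf(ON_PATH)),
)

if __name__ == "__main__":
    for s in sorted(scenarios(GOAL), key=sorted):
        print(" AND ".join(sorted(s)))
    print(coverage(GOAL))
```

Removing a single condition rarely closes the root when OR branches exist, which is why `achievable` is checked against a set of countermeasures rather than one.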
6. CVSS
The Common Vulnerability Scoring System (CVSS) was developed by NIST. It classifies each vulnerability by a severity score out of 10, with 10 being the most critical. The CVSS provides a standardized scoring system for all network vulnerabilities.
NIST publishes a regularly updated list of CVEs that organizations can use to optimize their threat mitigation efforts.
7. OCTAVE
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method is a risk-based assessment. OCTAVE focuses on organizational risks and not technological risks.
The OCTAVE method is comprised of three phases:
- Evaluate an organization by building asset-based threat profiles.
- Identify and evaluate all infrastructure vulnerabilities.
- Identify all risks to critical assets by developing a security strategy.
8. Quantitative Threat Modeling Method (QTMM)
Quantitative Threat Modeling Methodology (QTMM) uses quantitative methods to measure and evaluate the risk posed by identified threats. QTMM uses empirically based statistical models, such as logistic regression or Poisson processes, to identify potential attacks on all exposed assets.
This method combines STRIDE, attack trees, and CVSS methods. This method is ideal for systems with specific interdependencies between components.
First, attack trees are created for each STRIDE category to map a relationship between attack categories and attack tree components. Then, each of these components is assigned a severity score with the CVSS method.
9. DREAD
This method is last in this list since its effectiveness as a threat model has been called into question. Microsoft discontinued using DREAD in 2008 due to inconsistent ratings.
The DREAD model uses 5 categories to rank each security risk:
- Damage Potential: Ranks the damage quotient caused by an exploited weakness.
- Reproducibility: Ranks how easily a cyberattack can be reproduced.
- Exploitability: Rates the difficulty of launching a specific cyber attack.
- Affected Users: Assigns a value representing the number of users impacted if an exploitation is proliferated.
- Discoverability: Assigns a value denoting how easy it is to discover a given threat.
10. MITRE ATT&CK
MITRE ATT&CK is a framework for cybersecurity that breaks down the lifecycle of an attack into 14 stages (called "Tactics" by MITRE).
Each stage has its own set of requirements while still following six overarching themes:
- Pre-attack planning
- Post-attack features
- Adversary interaction/behavioral analysis
- Tools and techniques used (i.e., what malware was deployed)
- Intelligence gathering after an incident has been detected
- Application log review
MITRE ATT&CK does not cover a comprehensive list of all cyberattack methods, but it offers a simple checklist for a quick assessment of potential vulnerabilities in your system.