What Is a Threat Model?
Every day seems to bring news of a new threat to the security of your information technology: hackers, denial-of-service attacks, ransomware, unauthorized information disclosure. It’s hard to know where to start to address them all. It’s just as hard to know when to stop. Threat modeling can help.
A threat model identifies risks and prioritizes them. Although often associated with information technology, a threat model may be used to identify many types of risk. For instance, a threat model may identify hurricanes as a risk for property owners in the southeastern United States. Once risks have been identified, the threat model helps to prioritize identified risks and weigh the costs and benefits of addressing them. For example, a threat model weighing better windows versus storm shutters may prioritize storm shutters as the better response.
When it comes to information technology, a threat model is used to profile probable attackers and hackers and to identify both the most likely avenues of attack and the hardware and software most likely to be targeted. Defenders can then determine the security controls needed to protect the system from those threats and decide which to implement based on the costs and benefits of each.
Goals of Threat Modeling
Threat modeling evaluates threats and risks to information systems, identifies the likelihood that each threat will succeed and assesses the organization’s ability to respond to each identified threat.
1. Identifying Security Requirements and Vulnerabilities
The threat modeling process requires identifying security requirements and security vulnerabilities. Security vulnerabilities are often best identified by an outside expert. Using an outside expert may actually be the most cost-effective way to assess security controls.
Start by diagramming how data moves through the system, where it enters the system, how it is accessed and who can access it. List all software and other applications in the system and identify the system architecture.
Then use threat modeling to identify potential threats to the system. For example, are there terminals in public spaces that are not password protected? Is the server in an unlocked room? Has sensitive data been encrypted?
2. Quantifying the Criticality of Threats and Vulnerabilities
The average IT system may be vulnerable to thousands, even millions, of potential threats. No organization can afford to treat every potential threat as critical to its survival, nor to ignore them all. Because budgets and time are both limited, more severe threats must be given priority over lesser threats.
The Common Vulnerability Scoring System (CVSS) ranks potential threats from one to 10 according to their inherent severity and whether the vulnerability has been exploited since it was first discovered. A CVSS score of 10 indicates the most severe threat. A CVSS score of one indicates the least severe threat. The CVSS threat scoring system allows security professionals to access a reliable source of threat intelligence developed by others.
A raw CVSS score does not consider the context of a vulnerability or its place within the information technology system. Some vulnerabilities will be more critical to some organizations than to others.
3. Prioritizing Remediation Methods
Once you know how critical each vulnerability is to your organization, you can decide which are the most important to correct, a process called threat analysis. Threat analysis identifies the weak spots in the system and the potential threat posed by attacks using each one. The most critical vulnerabilities may need immediate attention to add security controls. The least critical vulnerabilities may need no attention at all because there is little chance they will be exploited or they pose little danger if they are.
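The following is an added example, not code from the original article: it shows how a raw CVSS base score can be combined with the organization-specific context the article says a raw score lacks (asset criticality, exposure, observed exploitation) to rank findings for remediation. The weighting and the tier thresholds are assumptions chosen for illustration, not the official CVSS environmental formula, and the findings are constructed sample data with placeholder identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder identifier, not a real CVE number
    asset: str
    cvss_base: float          # published base score, 0.0 to 10.0
    asset_criticality: float  # 0.0 (disposable) to 1.0 (business-critical); set by the organization
    internet_exposed: bool    # reachable from outside the network
    exploit_observed: bool    # exploitation already seen in the wild


def contextual_priority(f: Finding) -> float:
    """Assumed weighting, not the official CVSS environmental formula:
    scale the published base score by how much the organization depends on
    the asset, then raise it if the flaw is reachable and being exploited."""
    score = f.cvss_base * (0.5 + 0.5 * f.asset_criticality)
    if f.internet_exposed:
        score *= 1.2
    if f.exploit_observed:
        score *= 1.3
    return round(min(score, 10.0), 2)


def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Bucket findings into remediation tiers, most urgent first within each tier.
    The thresholds are assumptions an organization would tune to its risk tolerance."""
    tiers: dict[str, list[str]] = {"immediate": [], "scheduled": [], "accept": []}
    for f in sorted(findings, key=contextual_priority, reverse=True):
        p = contextual_priority(f)
        if p >= 7.0:
            tiers["immediate"].append(f.vuln_id)
        elif p >= 4.0:
            tiers["scheduled"].append(f.vuln_id)
        else:
            tiers["accept"].append(f.vuln_id)
    return tiers


# Constructed sample findings (illustrative values, not real vulnerabilities).
SAMPLE_FINDINGS = [
    # critical base score, but a low-value asset that is also tracked on paper
    Finding("VULN-A", "fixed-asset tracker", 9.8, 0.2, False, False),
    # medium base score, but exposed, business-critical and already exploited
    Finding("VULN-B", "online order system", 6.5, 1.0, True, True),
    Finding("VULN-C", "internal wiki", 4.0, 0.3, False, False),
    Finding("VULN-D", "customer web portal", 7.5, 0.8, True, False),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=contextual_priority, reverse=True):
        print(f"{f.vuln_id}: base {f.cvss_base} -> contextual {contextual_priority(f)}")
    print(triage(SAMPLE_FINDINGS))
```

Note how VULN-A, the highest raw score, drops to the scheduled tier once its low business impact is taken into account, while VULN-B moves to the top because of its exposure and observed exploitation; that reordering is the point of adding context to a raw score.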
How Should You Approach Threat Modeling?
There are several approaches to threat modeling. Choosing the right methodology begins with a deeper understanding of the process of threat modeling.
Understanding the Process of Threat Modeling
Threat modeling identifies the types of threats to a software application or computer system. It’s best to do threat modeling during the design of the software or system, so that vulnerabilities can be addressed before the system goes live. Changes in software, infrastructure and the threat environment are also important opportunities to revisit threat models.
Threat modeling generally follows five steps:
- Set objectives for the analysis.
- Create a visual model of the system to be analyzed.
- Use the visual model to identify the threats to the system.
- Take steps to mitigate the threats.
- Validate that the threats have been mitigated.
Identifying the Differences in Threat Modeling Methodologies
Threat modeling identifies threats by focusing on potential attacks, system assets or the software itself. Asset-centric threat modeling focuses on system assets and the business impact of the loss of each targeted asset. For example, asset-centric threat modeling might ask what the impact on the business would be if a hacker denied access to the online order management system. The answer may be that there is a grave impact. On the other hand, a virus that infects a software program that is used only to track fixed assets may have little business impact because the fixed assets are also tracked on paper.
Attack-centric threat modeling identifies the threats against the system with the greatest chance of success. For example, attack-centric threat modeling asks how likely it is that a hacker could successfully tie up the online order management system in a denial-of-service attack. The answer may be that it is very likely because the system has an inherent and well-known vulnerability.
Finally, system-centric threat modeling focuses on understanding the system being modeled before evaluating the threats against it. For example, system-centric threat modeling begins by asking where the data in the online ordering system reside and how and where the system is accessed.
Choosing the Best Threat Modeling Methodologies
Which threat modeling methodology is best for your system? The right methodology for your system depends on the types of threats you are trying to model. You’ll want to consider the following:
- The types of threats and risks commonly faced by other companies in the industry
- The size and competence of your staff
- The available resources, financial and otherwise
- Your tolerance for risk
Examples of Threat Modeling Frameworks
Here are some examples of the most popular threat modeling methodologies:
Attack trees are based on decision tree diagrams. The “root” or base of the tree represents the attacker’s goal. The branches and “leaves” of the attack tree represent the ways of reaching that goal. Attack trees demonstrate that attackers often have multiple ways to reach their target.
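As an added example (not part of the original article), the code below represents an attack tree as OR and AND nodes, finds the cheapest path from the leaves to the attacker's goal, and then asks the defender's question: which single control raises the cheapest remaining path the most? The tree, its leaf names and the effort costs are constructed assumptions built around the article's online order system.

```python
import copy
import math
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "or" (any child suffices) or "and" (all children required)
    cost: float = 0.0             # leaf only: assumed attacker effort, constructed units
    mitigated: bool = False       # leaf only: a control makes this step infeasible
    children: list["Node"] = field(default_factory=list)


def cheapest(node: Node) -> tuple[float, list[str]]:
    """Return the lowest-cost way to reach this node and the leaves that path uses."""
    if node.kind == "leaf":
        return (math.inf, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        total = sum(r[0] for r in results)
        return (total, [] if math.isinf(total) else [n for r in results for n in r[1]])
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node: Node) -> list[Node]:
    if node.kind == "leaf":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def with_mitigated(tree: Node, names: set[str]) -> Node:
    """Copy of the tree with the named leaves marked as mitigated."""
    tree = copy.deepcopy(tree)
    for leaf in leaves(tree):
        if leaf.name in names:
            leaf.mitigated = True
    return tree


def rank_mitigations(tree: Node) -> list[tuple[str, float]]:
    """For each leaf, the cheapest remaining attack if only that leaf were mitigated;
    the control that raises the attacker's minimum cost the most comes first."""
    ranked = [(leaf.name, cheapest(with_mitigated(tree, {leaf.name}))[0]) for leaf in leaves(tree)]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def build_sample_tree() -> Node:
    """Constructed tree for the article's online order system; all costs are assumptions."""
    credentials = Node("Obtain employee credentials", "or", children=[
        Node("Guess a weak password", cost=2),
        Node("Phish an employee", cost=4),
    ])
    login = Node("Log in as an employee", "and", children=[
        credentials,
        Node("Defeat the second factor", cost=6),
    ])
    return Node("Read customer order records", "or", children=[
        login,
        Node("Exploit an unpatched server flaw", cost=5),
        Node("Steal an unencrypted backup", cost=9),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print("baseline:", cheapest(tree))
    for name, cost in rank_mitigations(tree):
        print(f"mitigate {name!r:40} -> cheapest remaining path costs {cost}")
```

In the sample tree the unpatched server is the cheapest route, so patching it is the only single control that changes the attacker's minimum cost; hardening passwords alone does nothing until the server is patched, which is the kind of dependency an attack tree makes visible.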
STRIDE was developed by Microsoft to systematically identify a broad range of potential threats to its products. STRIDE is an acronym for six potential threats:
- Spoofing identity: an attacker may gain access to the system by pretending to be an authorized system user.
- Tampering with data: an attacker may modify data in the system without authorization.
- Repudiation: the attacker claims no responsibility for an action, which may be either true or false.
- Information disclosure: the attacker exposes information to someone not authorized to access it.
- Denial of service: the attacker exhausts the resources needed to provide services to legitimate users.
- Elevation of privilege: the attacker does something (such as access confidential data) they are not authorized to do.
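The following added example (not from the article) applies STRIDE to the data flow diagram the article recommends drawing first. It uses the commonly taught "STRIDE-per-element" chart, which maps each kind of diagram element to the threat categories that apply to it; that chart is an assumption brought in here, not something the article states. The diagram of a customer, a web order application, an order database and an audit log is constructed sample input.

```python
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed mapping (the usual STRIDE-per-element chart): which of the six
# categories apply to each kind of data flow diagram element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",   # plus R when the store holds audit logs
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    crosses_trust_boundary: bool = False  # meaningful for data flows
    holds_audit_log: bool = False         # meaningful for data stores


def threats_for(element: Element) -> list[str]:
    """STRIDE letters that apply to one diagram element."""
    letters = APPLICABLE[element.kind]
    if element.kind == "data_store" and element.holds_audit_log:
        letters += "R"   # tampering with or losing the log defeats non-repudiation
    return list(letters)


def enumerate_threats(model: list[Element]) -> list[tuple[str, str, bool]]:
    """Return (element, threat category, crosses boundary) rows for the whole diagram.
    Flows that cross a trust boundary come first: that is where untrusted input enters."""
    rows = [(e.name, STRIDE[t], e.crosses_trust_boundary) for e in model for t in threats_for(e)]
    return sorted(rows, key=lambda r: not r[2])


# Constructed sample diagram for the article's online ordering system.
SAMPLE_MODEL = [
    Element("Customer", "external_entity"),
    Element("Web order app", "process"),
    Element("Order database", "data_store"),
    Element("Audit log", "data_store", holds_audit_log=True),
    Element("Customer -> Web order app", "data_flow", crosses_trust_boundary=True),
    Element("Web order app -> Order database", "data_flow"),
]

if __name__ == "__main__":
    for element, threat, crosses in enumerate_threats(SAMPLE_MODEL):
        flag = "  [crosses trust boundary]" if crosses else ""
        print(f"{element:35} {threat}{flag}")
```

Each row is a question the team has to answer with a control or an explicit risk acceptance; the list is the raw material for the prioritization step described earlier in the article.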
Process for Attack Simulation and Threat Analysis (PASTA) views the application as an attacker would. PASTA follows seven steps:
- Define the business objectives, system security requirements and the impact on the business of various threats
- Define the technical scope of the environment and the dependencies between the infrastructure and the software
- Diagram the flow of data within the application
- Run attack simulations against the system
- Map threats to existing vulnerabilities
- Develop attack trees
- Analyze the resulting risks and develop cost-effective measures to counter them
Trike uses threat models to manage, rather than eliminate, risk by defining acceptable levels of risk for various types of assets. For each system asset and each system user, Trike indicates the user’s level of access to each asset (create, read, update and delete) and whether the user has permission to take each action always, sometimes or never.
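As an added example that is not part of the article, the code below encodes a Trike-style actor/asset matrix (create, read, update, delete, each marked always, sometimes or never) for the online order system and uses it in two defensive ways: checking that every "sometimes" cell has a documented condition, and auditing observed access events against the intended levels. The roles, assets, conditions and events are all constructed assumptions.

```python
from dataclasses import dataclass

ACTIONS = ("create", "read", "update", "delete")

# Constructed actor/asset matrix (assumption). Each cell records whether the
# actor may take the action always, sometimes (under a stated condition) or
# never. Any combination not listed is treated as never: deny by default.
MATRIX = {
    ("customer", "order"): {"create": "always", "read": "sometimes", "update": "never", "delete": "never"},
    ("warehouse_clerk", "order"): {"create": "never", "read": "always", "update": "sometimes", "delete": "never"},
    ("warehouse_clerk", "inventory"): {"create": "always", "read": "always", "update": "always", "delete": "sometimes"},
    ("admin", "order"): {action: "always" for action in ACTIONS},
}

# The condition attached to each "sometimes" cell. One cell is deliberately
# left undocumented so the completeness check below has something to find.
CONDITIONS = {
    ("customer", "order", "read"): "only the customer's own orders",
    ("warehouse_clerk", "order", "update"): "only the shipping status field",
}


@dataclass(frozen=True)
class AccessEvent:
    actor_role: str
    asset: str
    action: str


def intended(actor_role: str, asset: str, action: str) -> str:
    return MATRIX.get((actor_role, asset), {}).get(action, "never")


def undocumented_conditions() -> list[tuple[str, str, str]]:
    """Cells marked 'sometimes' whose condition nobody wrote down."""
    return [
        (actor, asset, action)
        for (actor, asset), cells in MATRIX.items()
        for action, level in cells.items()
        if level == "sometimes" and (actor, asset, action) not in CONDITIONS
    ]


def audit(events: list[AccessEvent]) -> dict[str, list]:
    """Sort observed events into accepted, needs review (a condition applies) and violations."""
    report: dict[str, list] = {"accepted": [], "review": [], "violation": []}
    for e in events:
        level = intended(e.actor_role, e.asset, e.action)
        if level == "always":
            report["accepted"].append(e)
        elif level == "sometimes":
            condition = CONDITIONS.get((e.actor_role, e.asset, e.action), "condition not documented")
            report["review"].append((e, condition))
        else:
            report["violation"].append(e)
    return report


# Constructed sample events, as a log reviewer might see them.
SAMPLE_EVENTS = [
    AccessEvent("customer", "order", "read"),
    AccessEvent("customer", "order", "delete"),
    AccessEvent("warehouse_clerk", "inventory", "update"),
    AccessEvent("warehouse_clerk", "order", "delete"),
    AccessEvent("service_account", "order", "read"),   # role absent from the matrix
    AccessEvent("admin", "order", "delete"),
]

if __name__ == "__main__":
    print("undocumented conditions:", undocumented_conditions())
    for bucket, items in audit(SAMPLE_EVENTS).items():
        print(bucket, items)
```

The "review" bucket is where Trike's "sometimes" earns its keep: those events are not violations, but each one has to be checked against its stated condition, and a cell whose condition was never written down is itself a gap in the model.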
Visual, Agile and Simple Threat (VAST) is an automated threat modeling process applied to either application threats or operational threats. To model application threats, VAST diagrams the threat to the architecture of the system. To model operational threats, VAST diagrams the threat from the attacker’s perspective.
The Common Vulnerability Scoring System (CVSS) assigns a severity score to each vulnerability. The score combines the intrinsic characteristics of the vulnerability, how the vulnerability evolves over time and the security posture of the organization in which it is found.