Last Updated: 10th July, 2020
Threat Modeling Methodologies: Threat modeling enables you to perform a proactive threat assessment. Security teams use threat modeling insights to evaluate risks and prioritize mitigation. You can design your own threat modeling process or you can use ready-made threat modeling software.
A typical threat modeling process includes five components: threat intelligence, asset identification, mitigation capabilities, risk assessment, and threat mapping. Each of these components provides unique insight and visibility into your security perimeter.
There are six main methodologies you can use for threat modeling: STRIDE, PASTA, CVSS, Attack Trees, Security Cards, and hTMM. Each of these methodologies provides a different way to assess the threats facing your IT assets.
Table Of Contents
- What Is Threat Modeling?
- What Is The Importance Of Threat Modeling?
- Five Threat Modeling Process Components
- Six Threat Modeling Methodologies
What Is Threat Modeling?
Threat modeling is a proactive strategy for evaluating risks. It involves identifying potential threats and developing tests or procedures to detect and respond to them. This requires understanding how threats may impact systems, classifying those threats, and applying the appropriate countermeasures.
What Is The Importance Of Threat Modeling?
Threat modeling can help security teams prioritize threats, ensuring that resources and attention are distributed effectively. This prioritization can be applied during planning, design, and implementation of security to ensure that solutions are as effective as possible.
When done routinely, threat modeling can also help security teams ensure that protections are in line with the evolving threats. If not, unknown threats may remain undefended leaving systems and data vulnerable.
Threat modeling is equally important when adopting or building software. It helps teams understand how tools and applications may be vulnerable and how that compares with the protections they offer.
When adopting the tools, threat modeling helps teams understand where security is lacking. This allows you to make an informed decision about whether a component is worth adopting.
Threat modeling can also help development teams prioritize fixes to existing software, according to the severity and impact of anticipated threats.
Five Threat Modeling Process Components
When performing threat modeling, the following five process components should all be included. Omitting any of them can lead to incomplete models and can prevent threats from being properly addressed.
Threat Modeling: Threat Intelligence
This area includes information about types of threats, affected systems, detection mechanisms, tools and processes used to exploit vulnerabilities and motivations of attackers.
Threat intelligence information is often collected by security researchers and made accessible through public databases, proprietary solutions, or secure communications outlets. It is used to enrich the understanding of possible threats and to inform responses.
Threat Modeling: Asset Identification
Teams need a real-time inventory of the components and data in use, where those assets are located, and what security measures are in place. This inventory helps security teams track assets with known vulnerabilities.
A real-time inventory also gives security teams visibility into asset changes. For example, an alert when an asset is added with or without authorization can signal a potential threat.
Threat Modeling: Mitigation Capabilities
Mitigation capabilities broadly refer to the technology used to protect against, detect, and respond to a certain type of threat, but can also refer to an organization’s security expertise, abilities, and processes. Assessing your existing capabilities will help you determine whether you need to bring in additional resources to mitigate a threat.
For example, if you have enterprise-grade antivirus, you enjoy an initial level of protection against traditional malware threats. You can subsequently determine if you should invest more significantly, for example, to correlate your existing AV signals with other detection capabilities.
Threat Modeling: Risk Assessment
Risk assessments correlate threat intelligence with asset inventories. They are necessary for teams to understand the current status of their systems and to develop a plan for addressing vulnerabilities.
Risk assessments can also involve active testing of systems and solutions, for example penetration testing to verify that security measures are effective.
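The two components above, asset identification and risk assessment, come together in practice as a join between an inventory and a threat-intelligence feed. The script below is an added example, not code from the original article: it compares two inventory snapshots to flag assets that appeared without an approved change record, then correlates the current inventory with a constructed advisory feed and orders the findings by severity. All hosts, software names, versions and advisory identifiers are constructed placeholders.

```python
"""Added example (not from the original article): flag inventory drift and
correlate the current asset inventory with threat-intelligence advisories.
Every asset and advisory below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: str


# Constructed threat-intelligence feed. Advisory IDs are placeholders,
# not real identifiers.
THREAT_FEED = [
    {"id": "ADV-EXAMPLE-001", "software": "webfront", "affected": {"2.1", "2.2"}, "severity": 9.1},
    {"id": "ADV-EXAMPLE-002", "software": "dbcore", "affected": {"5.0"}, "severity": 6.5},
]


def inventory_drift(previous, current, approved_hosts):
    """Compare two inventory snapshots.

    Returns (added, removed, unauthorized): assets that appeared, assets that
    disappeared, and added assets whose host has no approved change record.
    A version change shows up as one removal plus one addition.
    """
    prev, curr = set(previous), set(current)
    added = curr - prev
    removed = prev - curr
    unauthorized = {a for a in added if a.host not in approved_hosts}
    return added, removed, unauthorized


def correlate(inventory, feed):
    """Join the inventory against the feed; highest severity first."""
    findings = []
    for asset in inventory:
        for adv in feed:
            if adv["software"] == asset.software and asset.version in adv["affected"]:
                findings.append({"host": asset.host, "advisory": adv["id"], "severity": adv["severity"]})
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


def sample_report():
    """Run both checks on constructed snapshots and return the results."""
    previous = [Asset("web-01", "webfront", "2.1"), Asset("db-01", "dbcore", "4.9")]
    current = [
        Asset("web-01", "webfront", "2.1"),
        Asset("db-01", "dbcore", "5.0"),       # approved upgrade
        Asset("rogue-07", "webfront", "2.2"),  # appeared without a change record
    ]
    approved_hosts = {"db-01"}
    added, removed, unauthorized = inventory_drift(previous, current, approved_hosts)
    return {
        "added": added, "removed": removed, "unauthorized": unauthorized,
        "findings": correlate(current, THREAT_FEED),
    }


if __name__ == "__main__":
    report = sample_report()
    for a in sorted(report["unauthorized"], key=lambda x: x.host):
        print(f"UNAUTHORIZED asset: {a.host} {a.software} {a.version}")
    for f in report["findings"]:
        print(f"{f['severity']:>4} {f['host']:<10} {f['advisory']}")
```

The unauthorized host in the sample also matches the highest-severity advisory, which is the situation the inventory alert is meant to surface: an asset nobody approved carrying a known-vulnerable version.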
Threat Modeling: Threat Mapping
Threat mapping is a process that follows the potential path of threats through your systems. It is used to model how attackers might move from resource to resource and helps teams anticipate where defenses can be more effectively layered or applied.
Six Threat Modeling Methodologies
When performing threat modeling, there are multiple methodologies you can use. The right model for your needs depends on what types of threats you are trying to model and for what purpose.
STRIDE Threat Modeling
STRIDE is a threat model, created by Microsoft engineers, which is meant to guide the discovery of threats in a system. It is employed along with a model of the target system. This makes it most effective for evaluating individual systems.
STRIDE is an acronym for the types of threats it covers, which are:
- Spoofing — A user or program pretends to be another.
- Tampering — Attackers modify components or code.
- Repudiation — Threat events are not logged or monitored.
- Information disclosure — Data is leaked or exposed.
- Denial of service (DoS) — Services or components are overloaded with traffic to prevent legitimate use.
- Privilege escalation — Attackers grant themselves additional privileges to gain greater control over a system.
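Because STRIDE is applied against a model of the system, the usual working form is a table of model elements against the six categories. The script below is an added example, not code from the original article: it enumerates STRIDE threats for a small constructed data-flow model using the STRIDE-per-element chart Microsoft publishes for data-flow diagrams (external entities get S and R, processes all six, data stores T, R, I and D, data flows T, I and D), then subtracts the controls already recorded for each element to leave a list of unmitigated threats. The element names and the mitigation record are constructed.

```python
"""Added example (not from the original article): enumerate STRIDE threats
against a simple system model and report which are not yet mitigated.
The element model and mitigations are constructed for illustration."""

# Each STRIDE category maps to the security property it violates.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element: which categories apply to each kind of model element,
# following Microsoft's STRIDE-per-element chart for data-flow diagrams.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


def enumerate_threats(elements):
    """Return one threat record per (element, applicable STRIDE category).

    Threats on elements that cross a trust boundary are marked high priority.
    """
    threats = []
    for el in elements:
        for code in APPLICABLE[el["type"]]:
            name, prop = STRIDE[code]
            threats.append({
                "element": el["name"],
                "category": name,
                "property": prop,
                "priority": "high" if el.get("crosses_boundary") else "normal",
            })
    return threats


def unmitigated(threats, mitigations):
    """Keep threats whose violated property has no mitigation on that element."""
    return [t for t in threats
            if t["property"] not in mitigations.get(t["element"], set())]


# Constructed model of a small web application.
ELEMENTS = [
    {"name": "Browser", "type": "external_entity"},
    {"name": "Web app", "type": "process"},
    {"name": "Orders DB", "type": "data_store"},
    {"name": "Browser->Web app", "type": "data_flow", "crosses_boundary": True},
    {"name": "Web app->Orders DB", "type": "data_flow"},
]

# Constructed record of controls already in place: element -> properties covered.
MITIGATIONS = {
    "Browser->Web app": {"confidentiality", "integrity"},  # e.g. TLS on the flow
    "Web app": {"authentication", "authorization"},        # e.g. login + access checks
}


def gap_report(elements=ELEMENTS, mitigations=MITIGATIONS):
    """Return (all enumerated threats, threats still lacking a mitigation)."""
    threats = enumerate_threats(elements)
    return threats, unmitigated(threats, mitigations)


if __name__ == "__main__":
    threats, gaps = gap_report()
    print(f"{len(threats)} threats enumerated, {len(gaps)} unmitigated")
    for g in sorted(gaps, key=lambda g: g["priority"] != "high"):
        print(f"[{g['priority']}] {g['element']}: {g['category']} ({g['property']})")
```

The model yields 18 candidate threats, of which the recorded controls cover four; the remaining gap list is the artifact a review would work through, starting with the boundary-crossing flow where only denial of service is left uncovered.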
Process For Attack Simulation And Threat Analysis (PASTA)
PASTA is an attacker-centric methodology with seven steps. It is designed to correlate business objectives with technical requirements. PASTA’s steps guide teams to dynamically identify, count, and prioritize threats.
The steps of a PASTA threat model are:
- Define business objectives
- Define the technical scope of assets and components
- Application decomposition and identification of application controls
- Threat analysis based on threat intelligence
- Vulnerability detection
- Attack enumeration and modeling
- Risk analysis and development of countermeasures
Common Vulnerability Scoring System (CVSS)
CVSS is a standardized threat scoring system employed for known vulnerabilities. It was developed by the National Institute of Standards and Technology (NIST) and maintained by the Forum of Incident Response and Security Teams (FIRST).
This system is designed to help security teams assess threats, identify impacts, and identify existing countermeasures. It also helps security professionals assess and apply threat intelligence developed by others in a reliable way.
CVSS accounts for the inherent properties of a threat and for how its risk changes over time after the vulnerability is first discovered. It additionally includes measures that let security teams modify risk scores to reflect their individual system configurations.
Threat Modeling: Attack Trees
Attack trees are charts that display the paths that attacks can take in a system. These charts display attack goals as a root with possible paths as branches. When creating trees for threat modeling, multiple trees are created for a single system, one for each attacker goal.
This is one of the oldest and most widely used threat modeling techniques. While once used alone, it is now frequently combined with other methodologies, including PASTA, CVSS and STRIDE.
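An attack tree becomes useful for prioritization once its leaves carry an estimate (here, attacker effort) and the tree is evaluated: OR nodes take the cheapest child, AND nodes sum their children. The script below is an added example, not code from the original article: it evaluates a constructed tree to find the cheapest path to the root goal, then ranks each leaf by how much blocking it would raise the attacker's cheapest cost, which is the defender's view of where a mitigation buys the most. The tree, its node names and its cost values are all constructed.

```python
"""Added example (not from the original article): evaluate an attack tree
to find the cheapest path to the root goal and rank candidate mitigations
by how much they raise that cost. Tree and costs are constructed."""
INF = float("inf")

# Constructed tree. Leaves carry an estimated attacker cost (arbitrary
# effort units); inner nodes combine children with AND (all needed) or
# OR (any one suffices).
TREE = {
    "name": "Read customer records", "op": "OR", "children": [
        {"name": "Compromise admin account", "op": "AND", "children": [
            {"name": "Phish admin credential", "cost": 3},
            {"name": "Defeat MFA", "cost": 6},
        ]},
        {"name": "Exploit unpatched app server", "cost": 4},
        {"name": "Obtain unencrypted offsite backup", "cost": 12},
    ],
}


def cheapest(node, mitigated=frozenset()):
    """Return (cost, leaves) for the cheapest way to achieve `node`.

    A mitigated leaf is treated as infinitely expensive, which is how a
    defender models 'this step is blocked'.
    """
    if "children" not in node:
        if node["name"] in mitigated:
            return INF, []
        return node["cost"], [node["name"]]
    results = [cheapest(child, mitigated) for child in node["children"]]
    if node["op"] == "OR":
        return min(results, key=lambda r: r[0])
    # AND: the attacker must pay for every child.
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]


def leaves(node):
    """All leaf names in the tree, in document order."""
    if "children" not in node:
        return [node["name"]]
    return [name for child in node["children"] for name in leaves(child)]


def rank_mitigations(tree):
    """For each leaf, the cheapest attack cost once that leaf is blocked.

    Sorted so the mitigation that raises attacker cost the most comes first.
    """
    ranked = [(leaf, cheapest(tree, frozenset([leaf]))[0]) for leaf in leaves(tree)]
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    cost, path = cheapest(TREE)
    print(f"cheapest attack: cost {cost} via {path}")
    for leaf, new_cost in rank_mitigations(TREE):
        print(f"block '{leaf}' -> cheapest attack cost becomes {new_cost}")
```

On the constructed tree the cheapest path is the single unpatched-server leaf; blocking it more than doubles the attacker's cheapest cost, while blocking either step of the AND branch alone changes nothing because the OR still has a cheaper sibling. That asymmetry is why trees are typically evaluated rather than just drawn.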
Threat Modeling: Security Cards
Security Cards are a methodology based on brainstorming and creative thinking rather than on structured threat modeling approaches. It is designed to help security teams account for less common or novel attacks. This methodology is also an efficient way for security teams to increase their knowledge of threats and threat modeling practices.
The methodology uses a set of 42 cards, which help analysts answer questions about future attacks, such as who might attack, what their motivation could be, which systems they might attack, and how they would implement an attack. Analysts can deal the cards in a type of tabletop game, to simulate possible attacks and consider how the organization might respond.
Hybrid Threat Modeling Method (hTMM)
hTMM is a methodology developed by Security Equipment Inc. (SEI) that combines two other methodologies:
- Security Quality Requirements Engineering (SQUARE) — A methodology designed to elicit, categorize and prioritize security requirements.
- Persona non Grata (PnG) — A methodology that focuses on uncovering ways a system can be abused to accomplish an attacker’s goal.
hTMM is designed to enable threat modeling that accounts for all possible threats, produces zero false positives, provides consistent results, and is cost effective.
It works by applying Security Cards, eliminating unlikely PnGs, summarizing results, and formally assessing risk using SQUARE.