September 27, 2022

How to effectively implement the threat modeling process?

What threat modelling is, and how to design a process that can be applied to a wide range of infrastructures and business models.

Jacek Grymuza

Senior Security Architect

What is Threat modeling?

Threat Modelling is a view of the application and its environment through the prism of security. This process is designed to improve security by identifying threats and then defining countermeasures to prevent or mitigate the effects of the threats on the system or application. A threat is a potential or actual unwanted event that can be malicious (such as a DoS attack) or accidental (a failure of a storage device).

Threat Modelling is a scheduled activity that identifies and assesses threats and vulnerabilities in an application. It is also part of the Software Development Life Cycle process.

Figure 1. Software Development Life Cycle (SDLC)

Threat modelling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes.

The threat model includes:

• Description of the item to be modelled

• Assumptions that can be tested or questioned as the threat landscape changes

• Potential threats to the system or applications

• Actions that can be taken to mitigate any threat

• Method of model validation and verification of the effectiveness of the actions taken.

Updating threat models is recommended after such events as:

• A new feature has been released

• A security incident has been handled

• There were architectural or infrastructural changes.

There are three key elements in the TM process:

• Data Flows (define how data flows through the system to determine where the system may be attacked)

• Potential Threats (define as many potential threats to the system as possible)

• Security Controls (define security controls that can be introduced to reduce the likelihood or impact of a potential threat).

Threat modeling process

An important concept in threat modelling design is the trust boundary. A trust boundary is a point in the data flow diagram where the data changes its trust level. Typically, this is wherever data is transferred between two processes.

In order to identify threats, it is necessary to identify the threat actors specific to the sector in which we work. To recognise these groups, you can use the MITRE ATT&CK knowledge base.

Figure 3. ATT&CK MITRE - Threat Actors

In addition, the following are useful in risk assessment and threat identification:

• OWASP TOP 10

• OWASP ASVS

• ENISA Threats Taxonomy

• CIS Controls

• CWE/SANS TOP 25 Most Dangerous Software Errors

Figure 4 shows the data flow for the banking web application.

Figure 4. Data flow diagram - Online Banking Application

Tools supporting the threat modelling process

There are many free and paid tools to support the threat modeling process. Figure 5 shows one of these tools in action. In this tool, after modelling the objects and identifying trust boundaries, we click the analysis button, and the application displays a list of detected threats for the created model.

The only thing left to do is to review these threats, set their priorities and describe the ways of mitigating them. Of course, if the tool does not automatically detect some threats that we know about, we should add them manually.

Figure 5. The Microsoft Threat Modelling Tool in action

Many of the risk modeling tools available on the market identify the threats to each node using the STRIDE methodology, which means that each node is examined for threats such as spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.

Figure 6. STRIDE
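
As an added illustration (not from the original article or from any tool it mentions), the sketch below enumerates STRIDE categories for each element of a small constructed data flow model and lists first the items that touch a trust boundary. The element-to-category mapping follows the commonly used STRIDE-per-element chart, and all element names and trust zones are assumptions.

```python
from dataclasses import dataclass

# Commonly used STRIDE-per-element chart (assumption; the article only names the six categories).
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element lives in (hypothetical labels)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str

    @property
    def crosses_boundary(self) -> bool:
        # A trust boundary is where data changes trust level between two elements.
        return self.src.zone != self.dst.zone

def enumerate_threats(elements, flows):
    """Return (target, category, at_boundary) tuples, boundary items first."""
    touched = {e for f in flows if f.crosses_boundary for e in (f.src, f.dst)}
    threats = [(e.name, STRIDE[c], e in touched)
               for e in elements for c in APPLIES[e.kind]]
    threats += [(f"{f.src.name} -> {f.dst.name} ({f.label})", STRIDE[c], f.crosses_boundary)
                for f in flows for c in APPLIES["flow"]]
    return sorted(threats, key=lambda t: not t[2])  # stable sort keeps model order

# Constructed model, loosely following the article's online banking example.
customer = Element("Customer browser", "external", "internet")
web = Element("Banking web app", "process", "dmz")
core = Element("Core banking API", "process", "internal")
db = Element("Accounts database", "store", "internal")
ELEMENTS = [customer, web, core, db]
FLOWS = [Flow(customer, web, "login and transfer requests"),
         Flow(web, core, "transfer order"),
         Flow(core, db, "account update")]

if __name__ == "__main__":
    for target, category, at_boundary in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{'[boundary] ' if at_boundary else '           '}{target}: {category}")
```

The generated list is only a starting point: each entry still has to be reviewed, prioritised and given a mitigation, and known threats the enumeration misses are added by hand.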

Summary

Properly performed threat modelling provides a clear line of sight throughout the project that justifies security efforts. The process allows you to make rational security decisions by showing you all the necessary information. In addition, assessing potential security threats in the design phase saves resources.

Therefore, if you have looked at the process indulgently so far, I hope that after reading this article you understand the essence and importance of this process.
