sachindra@work
Threat Modeling in Cybersecurity

Threat Modeling is a structured approach to identifying, assessing and mitigating potential security threats to a system, application or network. It is a method of optimizing network security by locating vulnerabilities, identifying objectives and developing counter-measures that either prevent cyber-attacks against the system or mitigate their effects.

The Threat Modelling process involves creating a security profile for the application that takes into account the resources or components involved in the application and their role across the application lifecycle, identifying potential threats, and documenting their detrimental effects along with the mitigating actions required to resolve them.

Threat Modelling plays a crucial role in the overall security landscape of any organization. It allows organizations to proactively identify potential threats and vulnerabilities within their systems, applications or networks, so that they can take preventive measures and mitigate risks before a security incident or breach occurs, improving their overall security posture and reducing the likelihood of a successful attack. Security Threat Modelling enables an IT team to understand the nature of the threats it faces, as well as how they may impact the network.

How does Threat Modelling support the Software Development Lifecycle?
In software development, Threat Modelling helps identify potential vulnerabilities in the early stages of application design, allowing developers to build security measures into the application from the initial design phase. It directs focus and resources towards the areas that need immediate attention, promoting a cost-effective and efficient application security strategy. It plays an integral role right from the initial stages of the software development process, where developers and solution architects begin designing the application. This phase entails scrutinizing all the potential interaction points within the system to identify potential vulnerabilities. By applying Threat Modelling early in the SDLC, developers can minimize risks and save valuable time and resources that would otherwise be spent on damage control at a later stage.

Identifying potential threats and vulnerabilities early in the process allows developers to protect higher-risk areas, implement stronger authentication mechanisms and improve validation methods. Essentially, Threat Modelling helps developers design and build resilient software.

It is noteworthy that Threat Modelling is not a one-time task; it remains relevant throughout the SDLC. As the software or product evolves with new features and modifications, the threat landscape may change, so it is critical to continually re-evaluate the system. Threat Modelling is considered a proactive measure when carried out during the design or development stage, and a reactive measure when carried out during the deployment stage. The biggest value that Threat Modelling as a process brings is not the final report at the end; it is going through the entire process.

Key Reasons to use Threat Modelling:

  • Early Risk Identification
  • Prioritization of Security Controls
  • Improved Communication between Security & Development Teams
  • Risk Mitigation
  • Compliance & Regulations

Types of Threat Modelling Frameworks:
Threat Modelling Frameworks are structured methodologies that guide the process of identifying, assessing and mitigating security threats within a system. Organizations can enhance their security posture and protect their systems efficiently by choosing the right framework.

Some commonly used frameworks are:

STRIDE:
Developed by Praerit Garg and Loren Kohnfelder at Microsoft in 1999, this is a mnemonic-based threat modelling framework used to identify potential security threats in software systems. It is straightforward and easy to apply, making it suitable for identifying specific threat types in software systems; however, it may not cover all possible threats comprehensively. It is more suitable for smaller projects or initial threat assessments.

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service (DoS)
  • Escalation of Privilege

(Image: STRIDE threat modelling framework)

DREAD:

  • Damage Potential: How severe would the attack be?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How easy is it to launch the attack?
  • Affected Users: How many users would be affected?
  • Discoverability: How easy is it to discover the vulnerability?

PASTA (Process for Attack Simulation and Threat Analysis):
PASTA is a detailed, risk-centric threat modelling framework, developed by VerSprite CEO Tony UcedaVélez and security leader Marco M. Morana in 2015, that focuses on simulating potential attacks and analyzing their impact on business objectives, providing a thorough analysis. However, it can be complex and resource-intensive. PASTA is usually ideal for comprehensive, in-depth threat modelling in large, critical systems. It provides the ability to prioritize based on what is likely to happen in the application model, and to substantiate that prioritization with information about the system's posture, creating a level of credibility.

Stages:

  • Definition of Objectives: Identify business objectives and security requirements.
  • Definition of technical scope: Outline the technical environment.
  • Application Decomposition: Break down application into components.
  • Threat Analysis: Identify potential threats.
  • Vulnerability Analysis: Discover vulnerabilities.
  • Attack Modelling: Simulate potential attacks.
  • Risk and Impact Analysis: Assess the impact and likelihood of risks.

(Image: PASTA threat modelling stages)

Trike:

  • Risk Modelling: Assess risks based on security requirements and stakeholder needs.
  • Threat Modelling: Identify threats and vulnerabilities.
  • Mitigation and Planning: Plan and implement mitigations.

VAST (Visual, Agile and Simple Threat):

  • Application Threat Modelling: Focuses on individual applications.
  • Operational Threat Modelling: Focuses on infrastructure.

Attack Trees:

  • Tree Structure: Diagram representing potential attacks on a system.
  • Nodes: Different steps or actions an attacker can take.
  • Root Node: The ultimate goal of the attack.
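The attack tree described above, worked through as an added example (not code from the original post): the root node is the attacker's goal, OR nodes mean any one child suffices, AND nodes mean every child is needed, and each leaf carries a constructed, relative "effort" estimate. The defender's question the tree answers is which single control raises the cheapest path to the root the most; all node labels and effort values are assumptions made for this example.

```python
class Node:
    # kind is "leaf", "OR" or "AND"; only leaves carry an effort estimate.
    def __init__(self, label, kind="leaf", effort=0, children=()):
        self.label, self.kind = label, kind
        self.effort, self.children = effort, list(children)

def cheapest_path(node):
    # Return (effort, [leaf labels]) for the easiest way to reach this node:
    # OR picks the cheapest child, AND must pay for all children.
    if node.kind == "leaf":
        return node.effort, [node.label]
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "AND":
        return sum(r[0] for r in results), [lbl for r in results for lbl in r[1]]
    return min(results, key=lambda r: r[0])

def leaves(node):
    return [node] if node.kind == "leaf" else [lf for c in node.children for lf in leaves(c)]

def best_mitigation(root, uplift):
    # Try raising each leaf's effort by `uplift` (i.e. adding a control there)
    # and report the leaf whose mitigation most increases the root's cheapest path.
    best = None
    for leaf in leaves(root):
        leaf.effort += uplift
        cost, _ = cheapest_path(root)
        leaf.effort -= uplift
        if best is None or cost > best[1]:
            best = (leaf.label, cost)
    return best

# Constructed sample tree (not from the post): goal = read customer records.
TREE = Node("Read customer records", "OR", children=[
    Node("Reach the database directly", "AND", children=[
        Node("Obtain database credentials", effort=6),
        Node("Reach database from untrusted network", effort=4),
    ]),
    Node("Go through the application", "OR", children=[
        Node("Abuse unvalidated input", effort=5),
        Node("Replay a stolen admin session", effort=8),
    ]),
])
```

Here the cheapest path is the single "Abuse unvalidated input" leaf at effort 5, and input validation is the one control that lifts the root's cost (to 8, the stolen-session branch), whereas hardening the database branch alone changes nothing.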

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation):

Phases:

  • Build asset-based threat profiles: Identify critical assets and threats
  • Identify infrastructure Vulnerabilities: Assess vulnerabilities.
  • Develop Security Strategy and Plans: Formulate mitigation strategies.

How Threat Modelling works:
The Threat Modelling process can be decomposed into four high-level steps, with each step being duly documented as it is carried out.

  • Scope the work: This first step involves drawing data flow diagrams (DFDs) that show what we are working on. It might include several levels of DFDs, depending on the complexity of the application flow. The diagrams show the different paths through the system, highlighting the privilege or trust boundaries. This step also involves identifying entry points, to visualize where an attacker can interact with the application, which helps identify the assets involved and the trust levels that represent the access rights granted to external entities. Next, identify the trust boundaries in the threat modelling diagrams. These are the places in the diagrams where the trust level changes: where unauthenticated users become authenticated users, or regular users become privileged users.
  • Determine Threats: This step involves leveraging a framework to identify threats. The goal is to identify the threats posed by each actor, analysing how an attacker might exploit the system. This involves considering each of the trust boundaries and noting down the strengths and weaknesses in each category. Strengths are normally the mitigation steps already undertaken.
  • Address the Threats: This step involves defining counter-measures and mitigation techniques, and prioritizing them. Prioritization takes into account several factors, such as the likelihood of the attack, the damage it would cause, and the complexity or cost of the fix. The mitigation strategies involve analysing the threats from a business impact perspective. Options for addressing the identified risks include:
  1. Accept
  2. Eliminate
  3. Mitigate
  4. Transfer
  • Validate the Model: After the above steps are completed, we have a diagram, a list of threats and a list of controls.
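An added example (not code from the original post or from any of the tools listed below) that runs the "Determine Threats" and "Address the Threats" steps over a small DFD: elements sit in trust zones, flows whose ends differ in trust level cross a trust boundary, STRIDE is applied to the destination of each such flow, and the resulting threats are ranked by their DREAD score. The DFD, the STRIDE-per-element-kind mapping and the DREAD ratings are constructed assumptions for this example.

```python
from dataclasses import dataclass

@dataclass
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    trust: int  # trust level of the zone the element sits in (0 = anonymous)

@dataclass
class Flow:
    src: Element
    dst: Element
    data: str
    def crosses_boundary(self) -> bool:
        # A trust boundary is a point where the trust level changes.
        return self.src.trust != self.dst.trust

# STRIDE categories considered per element kind (an assumption made for this
# example, not a mapping given in the post).
STRIDE_BY_KIND = {
    "external": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
                "Denial of Service", "Escalation of Privilege"),
    "store": ("Tampering", "Repudiation", "Information Disclosure", "Denial of Service"),
}

def enumerate_threats(flows):
    # Determine Threats: STRIDE on the destination of every boundary-crossing flow.
    return [(t, f) for f in flows if f.crosses_boundary()
            for t in STRIDE_BY_KIND[f.dst.kind]]

def dread_score(damage, reproducibility, exploitability, affected, discoverability):
    # Mean of the five DREAD factors, each rated 1 (low) to 10 (high).
    return (damage + reproducibility + exploitability + affected + discoverability) / 5

def prioritize(threats, ratings):
    # Address the Threats: rank by DREAD score, highest first. Threats that nobody
    # has rated yet get a neutral 5.0 so they are not silently dropped.
    scored = [(ratings.get((t, f.dst.name), 5.0), t, f.dst.name, f.data) for t, f in threats]
    return sorted(scored, key=lambda s: s[0], reverse=True)

# Constructed sample DFD: browser -> web app -> database, plus an admin console.
browser = Element("Browser", "external", 0)
webapp = Element("Web App", "process", 1)
db = Element("Orders DB", "store", 1)
admin = Element("Admin Console", "process", 2)
FLOWS = [Flow(browser, webapp, "login form"), Flow(webapp, db, "order query"),
         Flow(webapp, admin, "config change")]
RATINGS = {  # constructed DREAD ratings for two of the threats
    ("Spoofing", "Web App"): dread_score(8, 7, 6, 9, 8),
    ("Escalation of Privilege", "Admin Console"): dread_score(10, 4, 3, 10, 5),
}
```

The web-app-to-database flow stays inside one trust zone and so produces no entries, while the two boundary-crossing flows yield twelve STRIDE threats, of which the rated spoofing of the login flow ranks first.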

Threat Modeling Tools:

  • OWASP Threat Dragon
  • Microsoft Threat Modeling Tool
  • PyTM
  • SeaSponge
  • IriusRisk
  • Threat Composer
  • SD Elements
  • ThreatModeler
  • Arxan Threat Analytics
  • Axure RP
