Claire Allen-Addy | Product Marketing Manager
October 20, 2023

Things that may look like threat modeling, but aren't

Okay, so what isn't threat modeling?

Attack Trees

An Attack Tree helps to describe the potential security breaches that could happen on IT and security systems, allowing organizations to develop countermeasures to such attacks to prevent a Threat Actor from achieving their goals against a certain asset or target.

Attack Trees are conceptual diagrams showing an attack in ‘tree-form’. The tree root is the goal for the attack, and the leaves are ways to achieve that goal. Each goal is represented as a separate tree. Thus, the system threat analysis produces a set of attack trees.1 Attack Trees are really easy to use if you have a substantial understanding of your business systems, but they are not threat modeling methodologies.

DREAD Analysis

DREAD is a threat modeling program developed by Microsoft and first published in Writing Secure Code, 2nd edition, in 2002 by David LeBlanc and Michael Howard. It is not a threat modeling methodology, but a risk analysis method. It is broken down into five main categories that can be used to rate each threat:

  • Damage potential (How much are the assets affected?)
  • Reproducibility (How easily can the attack be reproduced?)
  • Exploitability (How easily can the attack be launched?)
  • Affected users (What’s the number of affected users?)
  • Discoverability (How easily can the vulnerability be found?)

DREAD focuses on qualitative risk analysis. After you ask the above questions, rate each category from 1 to 3 and add up the values for a given threat. The result can fall in the range of 5–15. Then you can treat threats with overall ratings of 12–15 as High risk, 8–11 as Medium risk, and 5–7 as Low risk.2

Here is an example DREAD rating (Microsoft, Improving Web Application Security: Threats and Countermeasures - June 2003, Chapter 3 - Threat Modeling):

| Threat | D | R | E | A | D | Total | Rating |
|---|---|---|---|---|---|---|---|
| Attacker obtains authentication credentials by monitoring the network | 3 | 3 | 2 | 2 | 2 | 12 | High |
| SQL commands injected into application | 3 | 3 | 3 | 3 | 2 | 14 | High |
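The two techniques described so far can be combined: the sketch below, an added example that is not from the original article or from Microsoft, walks an attack tree, rates every leaf with DREAD, and ranks the leaves by total. The root goal, the sub-goal split, and the names `Node`, `dread_total`, `dread_rating` and `rank_leaves` are assumptions made for illustration; the leaf threats and their ratings are the two rows of the DREAD table above.

```python
from dataclasses import dataclass, field
from typing import Optional

CATEGORIES = "damage reproducibility exploitability affected_users discoverability".split()

@dataclass
class Node:
    """Attack-tree node: the root is the goal, leaves are ways to achieve it."""
    label: str
    children: list = field(default_factory=list)
    dread: Optional[tuple] = None  # five ratings in D, R, E, A, D order; leaves only

def dread_total(scores):
    """Sum the five ratings, rejecting a wrong count or out-of-range values."""
    if len(scores) != len(CATEGORIES):
        raise ValueError(f"need {len(CATEGORIES)} ratings, got {len(scores)}")
    for name, value in zip(CATEGORIES, scores):
        if type(value) is not int or not 1 <= value <= 3:
            raise ValueError(f"{name} must be an integer 1-3, got {value!r}")
    return sum(scores)

def dread_rating(total):
    """Bands as given on the page: 12-15 High, 8-11 Medium, 5-7 Low."""
    return "High" if total >= 12 else "Medium" if total >= 8 else "Low"

def rank_leaves(root):
    """Return (path, total, rating) for every leaf, highest total first."""
    rows, stack = [], [(root, [])]
    while stack:
        node, path = stack.pop()
        path = path + [node.label]
        if node.children:
            stack.extend((child, path) for child in node.children)
        elif node.dread is None:
            raise ValueError(f"leaf {node.label!r} has no DREAD rating")
        else:
            total = dread_total(node.dread)
            rows.append((" > ".join(path), total, dread_rating(total)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed tree: the root goal and the split into a sub-goal are assumptions;
# the leaf threats and their ratings are the two rows of the page's DREAD table.
TREE = Node("Attacker reads application data", [
    Node("Attacker obtains authentication credentials",
         [Node("by monitoring the network", dread=(3, 3, 2, 2, 2))]),
    Node("SQL commands injected into application", dread=(3, 3, 3, 3, 2))])

if __name__ == "__main__":
    for path, total, rating in rank_leaves(TREE):
        print(f"{total:>2} {rating:<6} {path}")
```

A leaf without a rating, or a rating outside 1–3, raises `ValueError` rather than silently lowering a threat's rank.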

Threat Intelligence

A cyber threat intelligence tool helps you collect and analyze threat information from multiple external sources to protect your enterprise from existing vulnerabilities and prepare for future ones. Next-gen cyber threat intelligence tools are essential to improve enterprise resilience and protect against external (in addition to internal) attacks.3

Threat intelligence enables organizations to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors. It transforms raw data into useful interpretable intelligence for analysis.

Common Vulnerability Scoring System (CVSS)

CVSS stands for Common Vulnerability Scoring System. It is a risk calculator that was developed by NIST (National Institute of Standards and Technology), and it is most commonly used alongside threat modeling methods. It is an open framework owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization.4 It is not a threat modeling methodology but can complement threat modeling activities.

The CVSS provides a common and standardized scoring system within different cyber and cyber-physical platforms. A CVSS score can be computed by a calculator that is available online. CVSS assigns a severity (low/medium/high) to each vulnerability discovered in the threat assessment stage, based on predefined metrics which are divided into these three groups:

  1. Base metric group: Privileges required, scope, user interaction
  2. Temporal metric group: Code maturity
  3. Environmental metric group: Modified base metrics

What about Architecture Risk Analysis (ARA)?

Okay, that one is essentially a synonym for threat modeling! ARA highlights the flaws in design security, prioritizes risks and mitigates controls. Architectural risk analysis examines the preconditions that must be present for vulnerabilities to be exploited and assesses the states that the system may enter upon exploitation. As with any quality assurance process, risk analysis testing can only prove the presence, not the absence, of flaws.5

Conclusion

Threat modeling methodologies can be incredibly useful to guide organizations through their threat modeling journey; however, there are additional frameworks and approaches that can complement other efforts. For example, an attack tree could be used to examine any given type of threat that is being generated or categorized by other threat modeling frameworks, or CVSS can be used to support risk calculation and assist in prioritizing activities.

Information Sources:

1. Software Engineering Institute, Threat Modeling: 12 Available Methods (2018) https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/

2. Microsoft, Chapter 3 - Threat Modeling (2010) https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648644(v=pandp.10)

3. Spiceworks, Top 10 Cyber Threat Intelligence Tools (2022) https://www.spiceworks.com/it-security/vulnerability-management/articles/best-cyber-threat-intelligence-tools/ and Crowdstrike, What is Cyber Threat Intelligence? (2022) https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/

4. FIRST, Common Vulnerability Scoring System version 3.1: Specification Document https://www.first.org/cvss/specification-document and Software Engineering Institute, Threat Modeling: 12 Available Methods (2018) https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/ and NIST, Vulnerability Metrics nvd.nist.gov/vuln-metrics/cvss