What is Threat Modeling and how does it work?

What is Threat Modeling?

In simplistic terms, threat modeling is a repeatable way of assessing the security of your architecture, quantifying your level/ likelihood of risk, and concluding with actionable countermeasures to mitigate those risks. It is a structured process which allows us to identify security requirements, recognize security threats and potential design weaknesses. Ultimately allowing us to quantify threats, determine the criticality of them, and prioritize remediation methods. It is best carried out before any code has been written, to save the most time, resources, and costs in terms of mitigating vulnerabilities from the start.

Four Reasons to Do Threat Modeling

1. It allows you to identify potential flaws at the start of the SLDC, long before deploying an application and having to carry out costly post-deployment fixes
2. It gives benefits across the whole SDLC, not just at the build/ coding phase. For example speeding up security decisions based upon threat model findings, and providing greater more targeted focus on penetration testing activities 
3. Create software which is secure by design, which is better for DevSecOps teams and the end users of your products 
4. It is a recommended technique by trusted organizations such as OWASP (Open Web Application Security Project) and NIST (National Institute of Standards and Technology). As well as the Threat Modeling Manifesto.

OWASP identified 'Insecure Design' as number 4 in its 2021 Top Ten: A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures^.1

^‍NIST released 'Recommended Minimum Standard for Vendor or Developer Verification of Code', during 2021. One of the recommended techniques highlighted is threat modeling: 'Section 2.1. Threat modeling methods create an abstraction of the system, profiles of potential attackers and their goals and methods, and a catalog of potential threats. Threat modeling can identify design-level security issues and help focus verification.²

^‍The Threat Modeling Manifesto is a place to go to for guidance and information, it shares that companies should threat model for the following reasons:³

^‍When you perform threat modeling, you begin to recognize what can go wrong in a system. It also allows you to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system. The output of the threat model, which are known as threats, informs decisions that you might make in subsequent design, development, testing, and post-deployment phases.

What are the 4 stages of threat modeling?

The best place to start is the Four Question Framework from Adam Shostack⁴. It poses as a foundation for carrying out threat modeling activities and ensures crucial steps are carried out:

1. What are we working on? Or What are we building - essentially this is building your diagram of your architecture/ application 
2. What can go wrong? - Identify the possible threats that need prioritization and mitigation 
3. What are we going to do about it? - How you are going to mitigate the risks to keep your application secure
4. Did we do a good enough job? - Validate the process, the design, and the end result to measure if it was successful 

In addition to this commonly referenced framework, you may want to consider a threat modeling methodology. Although many organizations are aware of threat modeling and the benefits of doing so, it can be daunting to know where to begin. Among these methodologies, the most common are STRIDE, OCTAVE, TRIKE AND PASTA. If you would like to learn more, take a look at our Methodologies Page.

At What Stage Should You Threat Model?

It is best to threat model your applications before they are built, to get the most secure designs, however you can still implement threat modeling if your applications and security architecture is already in place. Nataliya Shevchenko from the Software Engineering Institute (SEI) states⁵:

Threat modeling should be performed early in the development cycle when potential issues can be caught early and remedied, preventing a much costlier fix down the line. Using threat modeling to think about security requirements can lead to proactive architectural decisions that help reduce threats from the start.

We have worked with organizations that have introduced threat modeling at a time where new applications are being built, but they also have existing software that they need to include in their threat modeling efforts.

How do you create a threat model?

If you are very new to threat modeling and are unsure if a threat modeling methodology is appropriate for your business, you may find a 3-step approach useful as a starting point, to begin the threat modeling processes. In Particular, OWASP states 3 steps to your threat modeling as shown below:⁶

• Step 1: Decompose the Application - The first step in the threat modeling process is concerned with gaining an understanding of the application and how it interacts with external entities.
• Step 2: Determine and Rank Threats - Critical to the identification of threats is using a threat categorization methodology.
• Step 3: Determine Countermeasures and Mitigation - A vulnerability may be mitigated with the implementation of a countermeasure. Such countermeasures can be identified using threat-countermeasure mapping lists.

Top Tips for your Threat Modeling Journey

1. Find methodologies, approaches or frameworks that suit your business: Take a look at some available Threat Modeling Methodologies, and other methods that compliment your threat modeling efforts, such as using risk analysis frameworks that you may not have considered yet.
2. Try a free threat modeling tool: There are several to choose from such as Microsoft Threat Modeling Tool, although bear in mind Microsoft uses its STRIDE/ STRIDE-per-Element methodology in its tool, so you need to be sure this would suit your company. Alternatively, OWASP Threat Dragon is open source and doesn't follow any particular framework. Both have documentation available to get you started. We have a free threat modeling tool as well, check out IriusRisk Community Edition.‍
3. Join a Community of like minded individuals: in a place like Threat Modeling Connect. This will allow you to share ideas and concerns within forums, attend free webinars and workshops to extend your learning, and hear expertise from many others in the industry.

Things That Look Like Threat Modeling (but aren’t)

Is cyber risk modeling the same as threat modeling? Is an attack tree a different way of saying threat model?

In short, no. Threat modeling methodologies and frameworks help to identify possible flaws in your software or applications, while also assisting you with prioritizing what risks to take actions on first based on the level of risk to the organization. Find out more about what approaches and tools can get confused with threat modeling, read our blog:Things that may look like threat modeling, but aren't.

The IriusRisk Approach

Want to learn how we do things? Take a look at our Threat Modeling Platform where we automate your real-time threat model, associated risks and actionable countermeasures in five steps:

1. Define your architecture (diagramming)
2. Generate your threat model (in minutes)
3. Assess your threats and countermeasures (in real-time and based on security standards)
4. Sync with your Issue Trackers (raise tickets)
5. Use your living, real-time threat model (with two-way sync and real-time risk ratings)

Join the IriusRisk Threat Modeling Community

Sign up for Community, the free version of IriusRisk to get started and create your first threat model! Or Subscribe to our newsletter to get latest information about events, product developments and the threat modeling industry.

References

1. OWASP, Top Ten 2021 https://owasp.org/www-project-top-ten/
2. NIST, Executive Order 14028, https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/recommended-minimum-standard-vendor-or-developer
3. The Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/
4. Four Question Framework https://shostack.org/resources/threat-modeling#4steps 
5. Software Engineering Institute, Threat Modeling: 12 Available Methods, by Natalyia Shevchenko (2018) insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/#‍
6. OWASP, Threat Modeling Processowasp.org/www-community/Threat_Modeling_Process#