In simple terms, threat modeling is a repeatable way of assessing the security of your architecture, quantifying your level and likelihood of risk, and concluding with actionable countermeasures.
How Does Threat Modeling Work?
For those of us not intimately familiar with the subject, threat modeling is a structured process that allows us to identify security requirements and recognize security threats and potential design weaknesses. Ultimately, it allows us to quantify threats, determine how critical they are, and prioritize remediation methods.
Why Threat Model in the First Place?
OWASP (Open Web Application Security Project) identified 'Insecure Design' as number 4 in its 2021 Top Ten.
- A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures. [1]
NIST (National Institute of Standards and Technology) released 'Recommended Minimum Standard for Vendor or Developer Verification of Code' during 2021. One of the recommended techniques highlighted is threat modeling: 'Section 2.1. Threat modeling methods create an abstraction of the system, profiles of potential attackers and their goals and methods, and a catalog of potential threats. Threat modeling can identify design-level security issues and help focus verification.' [2]
The Threat Modeling Manifesto is a place to go for guidance and information. It shares that companies should threat model for the following reasons: [3]
When you perform threat modeling, you begin to recognize what can go wrong in a system. It also allows you to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system. The output of the threat model, which are known as threats, informs decisions that you might make in subsequent design, development, testing, and post-deployment phases.
How to Get Started
Check out the blog 'Evolving Threat Modeling - Taking Longer Strides' to find out how to get started with threat modeling and, if you are not yet familiar with it, how to use the Four Question Framework from Adam Shostack. It also introduces you to some threat modeling methodologies and frameworks.
As mentioned above, there is also the Threat Modeling Manifesto that can give agnostic advice and guidance on how best to start, and gives some resources to try.
At What Stage Should You Threat Model Your Applications?
It is best to threat model your applications before they are built, to get the most secure designs; however, you can still implement threat modeling if your applications and security architecture are already in place. Nataliya Shevchenko from the Software Engineering Institute (SEI) states [4]:
Threat modeling should be performed early in the development cycle when potential issues can be caught early and remedied, preventing a much costlier fix down the line. Using threat modeling to think about security requirements can lead to proactive architectural decisions that help reduce threats from the start.
However, we have worked with many organizations that introduced threat modeling at a time when new applications were being built, but that also had existing software they needed to include in their threat modeling efforts.
OWASP’s 3 Steps to Threat Modeling
OWASP describes threat modeling in 3 steps, as shown below: [5]
- Step 1: Decompose the Application - The first step in the threat modeling process is concerned with gaining an understanding of the application and how it interacts with external entities.
- Step 2: Determine and Rank Threats - Critical to the identification of threats is using a threat categorization methodology.
- Step 3: Determine Countermeasures and Mitigation - A vulnerability may be mitigated with the implementation of a countermeasure. Such countermeasures can be identified using threat-countermeasure mapping lists.
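The three steps above, worked through on a small constructed application. This is an added example, not code from OWASP or IriusRisk. It uses STRIDE-per-Element as the threat categorization methodology; the sample elements, the 1-3 likelihood and impact scale, and the countermeasure wording are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-Element chart: threat categories that apply to each DFD element type.
# (Repudiation on a data store matters mainly when the store holds logs.)
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service",
            "E": "Elevation of privilege"}
# Threat-countermeasure mapping list (generic, illustrative entries).
COUNTERMEASURE = {"S": "authenticate the peer",
                  "T": "integrity-protect data (MAC or signature)",
                  "R": "tamper-evident audit logging",
                  "I": "encrypt in transit and at rest",
                  "D": "rate limits and resource quotas",
                  "E": "least-privilege authorization checks"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str               # key of STRIDE_PER_ELEMENT
    crosses_boundary: bool  # touches or crosses a trust boundary
    sensitive: bool         # handles sensitive data

def threat_model(elements):
    """Steps 2 and 3: enumerate threats per element, rank them, attach countermeasures."""
    threats = []
    for e in elements:
        likelihood = 3 if e.crosses_boundary else 1  # assumed 1-3 scale
        impact = 3 if e.sensitive else 1             # assumed 1-3 scale
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append({"element": e.name, "threat": CATEGORY[letter],
                            "risk": likelihood * impact,
                            "countermeasure": COUNTERMEASURE[letter]})
    # Highest risk first; the stable sort keeps declaration order within equal scores.
    return sorted(threats, key=lambda t: -t["risk"])

# Step 1: decompose a constructed sample application into DFD elements.
SAMPLE_APP = [
    Element("browser user", "external_entity", True, False),
    Element("login request (browser -> web app)", "data_flow", True, True),
    Element("web app", "process", True, True),
    Element("user database", "data_store", False, True),
    Element("static asset cache", "data_store", False, False),
]

if __name__ == "__main__":
    for t in threat_model(SAMPLE_APP):
        print(f'{t["risk"]:>2}  {t["element"]:<36} {t["threat"]:<24} -> {t["countermeasure"]}')
```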
Top Tips / Best Practice
- Find methodologies, approaches or frameworks that suit your business: Take a look at some available Threat Modeling Methodologies, and other methods that complement your threat modeling efforts, such as risk analysis frameworks that you may not have considered yet.
- Try a free threat modeling tool: There are several to choose from, such as Microsoft Threat Modeling Tool, although bear in mind that Microsoft uses its STRIDE/STRIDE-per-Element methodology in its tool, so you need to be sure this would suit your company. Alternatively, OWASP Threat Dragon is open source and doesn't follow any particular framework. Both have documentation available to get you started. Of course IriusRisk has a free threat modeling tool too - check out 'Join the IriusRisk Community' at the end.
Things That Look Like Threat Modeling (but aren’t)
Is cyber risk modeling the same as threat modeling? Is an attack tree a different way of saying threat model?
In short, no. Threat modeling methodologies and frameworks help to identify possible flaws in your software or applications, while also assisting you with prioritizing which risks to act on first based on the level of risk to the organization. To find out more about the approaches and tools that can get confused with threat modeling, read our blog: Things that may look like threat modeling, but aren't.
The IriusRisk Approach
Want to learn how we do things? Take a look at our Threat Modeling Platform where we automate your real-time threat model, associated risks and actionable countermeasures in five steps:
- Define your architecture
- Generate your threat model (in minutes)
- Assess your threats and countermeasures (in real-time and based on security standards)
- Sync with your Issue Trackers (raise tickets)
- Use your living, real-time threat model (with two-way sync and real-time risk ratings)
Join the IriusRisk Threat Modeling Community
Sign up for Community, the free version of IriusRisk, to get started and create your first threat model! Or subscribe to our newsletter to get the latest information about events, product developments and the threat modeling industry.
1. OWASP, Top Ten 2021, https://owasp.org/www-project-top-ten/
2. NIST, Executive Order 14028, https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/recommended-minimum-standard-vendor-or-developer
3. The Threat Modeling Manifesto, https://www.threatmodelingmanifesto.org/
4. Software Engineering Institute, Threat Modeling: 12 Available Methods, by Nataliya Shevchenko (2018), insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/#
5. OWASP, Threat Modeling Process, owasp.org/www-community/Threat_Modeling_Process#