Threat modeling is a proactive process of identifying the risks and threats that are likely to affect your organization and then planning and implementing countermeasures to prevent those threats from negatively affecting the company. Threat modeling can be done from an attacker’s perspective, where you gather information on what methods hackers are using to attack companies similar to your own and then plan your countermeasures for those methods. Additionally, it can be done from an asset perspective, where you identify what assets are important to your company, look at all the ways each asset could be compromised and then come up with security controls to prevent that from happening. Neither method is strictly more effective than the other; they are simply different means to accomplish the same goal.
Elements of Threat Modeling
Threat Actor: A threat actor is a state, group or individual that has malicious intent. Within cybersecurity this usually means they are looking to target private corporations or governments with a cyber attack for financial, military or political gain. Threat actors can be categorized by their motivations and to some extent their level of sophistication. Here are some of the most common types of threat actors:
Some threat actors are much more dangerous than others because of their level of resources, planning and coordination.
Nation-state and organized crime groups are generally the most organized and the most capable of carrying out large-scale and long-lasting cyber attacks; they are generally referred to as advanced persistent threats (APTs). Nation-state actors are usually the most sophisticated, with huge amounts of resources supplied by their governments. They have relationships with private sector companies and leverage organized crime groups to accomplish their goals.
Hacktivists, terrorist groups, thrill-seekers and script kiddies are considered moderate to low level in terms of sophistication. They usually rely on publicly available exploits that require little technical skill for their cyber attacks and don’t usually have a lasting effect on their targets.
Insider threats are individuals who work inside a company and are usually disgruntled employees looking for revenge. However, they can also be associated with any of the groups mentioned earlier and work as an insider, providing them with information on the company and getting them access to the company’s network from the inside.
Threat Vectors: This is a path or means by which threat actors gain access to a computer system by exploiting a vulnerability. There are six main paths or points of entry into a computer system:
Remote access portals
The means by which a computer system is compromised is either some type of social engineering such as phishing emails and text messages or a programmatic threat vector such as a virus, unpatched vulnerability or password cracking.
Cyber Threat Surface: Your cyber threat surface is all of the potential endpoints that a threat actor may attempt to exploit in order to hack into your company. This includes every device that is connected to the internet as well as people and processes that may give them important information or provide them with access into the company. It’s important to have at least a general idea of what your cyber threat surface is so you can make the appropriate plans to protect your business.
Countermeasures: Once you have identified which threat actors are relevant to your business, what your threat surface is and the likely threat vectors, you can start to plan the appropriate countermeasures. Countermeasures will mean having a variety of redundant security controls to ensure that there is defense in depth. Defense in depth simply means that all important resources should be protected by multiple controls so that if one control fails, the resource will still be protected. Defense in depth ensures that an attacker will have to bypass multiple layers of security in order to have a successful attack.
Commonly used threat modelling frameworks
STRIDE is a model created by Microsoft that aims to help applications meet the security directives of the CIA Triad (Confidentiality, Integrity and Availability) as well as Authentication, Authorization and Non-Repudiation. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege.
Spoofing: This means impersonating another person or computer (e.g. an IP address) without their knowledge. This violates the principle of proper authentication.
Tampering: This involves making unauthorized modifications to memory, disk, network, etc. and violates the principle of integrity.
Repudiation: Repudiation is the act of claiming that you didn’t do something, when in fact you did. If repudiation is possible, people cannot be held accountable for their actions. It’s important that non-repudiation is upheld so that actions can be linked back to the person who performed them.
Information Disclosure: Information should only be disclosed to an authorized user. Improper information disclosure is any time information is made available to a user who isn’t authorized to see it.
Denial of Service: This is an attack that exhausts the resources necessary for a business to offer services. For example, sending a huge amount of data packets to the google.com web servers to prevent users from being able to access the website. It compromises a company’s availability to customers or employees.
Elevation of Privilege: This is when a user is able to escalate their level of access beyond what is intended. For example, if an error in a website allows a normal user to become an administrator, that user can perform actions on the website that they are not authorized to do.
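The following is an added example, not part of the original article. It goes one step beyond the list above by applying the categories per diagram element (the STRIDE-per-element approach) and reporting which applicable threats have no recorded mitigation; the login flow, element names and mitigation register are constructed for illustration.

```python
from collections import Counter

# Property each STRIDE category violates, as listed above.
VIOLATES = {
    "Spoofing": "Authentication", "Tampering": "Integrity",
    "Repudiation": "Non-repudiation", "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability", "Elevation of Privilege": "Authorization",
}
BY_LETTER = {name[0]: name for name in VIOLATES}

# STRIDE-per-element: which categories apply to each kind of diagram element.
# (A data store also gets R when it holds audit logs; not modelled here.)
APPLIES = {"external entity": "SR", "process": "STRIDE",
           "data store": "TID", "data flow": "TID"}

def open_threats(elements, mitigations):
    """Return (element, category, violated property) for every applicable
    threat that has no recorded mitigation."""
    gaps = []
    for name, kind in elements:
        for letter in APPLIES[kind]:
            category = BY_LETTER[letter]
            if (name, category) not in mitigations:
                gaps.append((name, category, VIOLATES[category]))
    return gaps

def gaps_by_property(gaps):
    """Count open threats per security property to show where coverage is thin."""
    return Counter(prop for _, _, prop in gaps)

# Constructed login flow and mitigation register (hypothetical names).
ELEMENTS = [("customer browser", "external entity"), ("login API", "process"),
            ("credentials table", "data store"), ("browser -> login API", "data flow")]
MITIGATIONS = {
    ("login API", "Spoofing"): "TLS server certificate",
    ("browser -> login API", "Tampering"): "TLS",
    ("browser -> login API", "Information Disclosure"): "TLS",
    ("credentials table", "Information Disclosure"): "salted password hashing",
}

if __name__ == "__main__":
    for element, category, prop in open_threats(ELEMENTS, MITIGATIONS):
        print(f"{element}: {category} (violates {prop})")
```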
MITRE ATT&CK Framework
MITRE ATT&CK is a global knowledge base of adversary tactics and techniques. It is used in the development of threat models and gives you a detailed outline of the common techniques people use to hack into companies. You can find the full information here, but I have a snippet of it below:
PASTA stands for Process for Attack Simulation and Threat Analysis, a framework that focuses on threat modeling from a hacker’s point of view. Its purpose is to provide a process for simulating attacks on applications, analyzing the threats that originate from the simulations and then mitigating the risk that those attacks present. The idea is that by doing this, you will be able to reach an adequate level of security by fixing the issues found during these simulations.
Trike Threat Modeling
This framework focuses on satisfying security audit requirements by focusing on the risk associated with each asset of the company. Trike uses a requirements model, which assigns an acceptable level of risk to each asset in the company. Once the requirement model is created, the team creates data flow diagrams (DFD) to show how each system moves, stores and manipulates data. Once you understand how the systems work and what the desired risk level is, you identify the threats that would potentially pose a risk to each asset and assign it the appropriate risk value. Lastly, you assign the appropriate security controls to each asset until the risk that the threats pose to each asset is within the tolerable range that the requirement model outlines.
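The following is an added example, not part of the original article or of Trike itself, that walks through the loop described above: controls are layered on an asset's worst threat until its residual risk is within the tolerance set by the requirements model. The 1-25 likelihood x impact scale, the reduction percentages and all names are assumptions chosen for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed example data. The scoring scale, percentages and every name
# below are assumptions for illustration, not values defined by Trike.
Threat = namedtuple("Threat", "name likelihood impact")         # each rated 1..5
Control = namedtuple("Control", "name mitigates reduction_pct")  # % of remaining risk removed

@dataclass
class Asset:
    name: str
    acceptable_risk: float  # tolerance set by the requirements model
    threats: list
    applied: list = field(default_factory=list)

def residual(threat, controls):
    """Risk left after layered controls; each removes a share of what remains."""
    risk = threat.likelihood * threat.impact
    for c in controls:
        if c.mitigates == threat.name:
            risk = risk * (100 - c.reduction_pct) / 100
    return risk

def asset_risk(asset):
    """Score the asset by its worst remaining threat."""
    return max(residual(t, asset.applied) for t in asset.threats)

def assign_controls(asset, catalogue):
    """Layer controls on the worst threat until the asset is within tolerance."""
    unused = list(catalogue)
    while asset_risk(asset) > asset.acceptable_risk:
        worst = max(asset.threats, key=lambda t: residual(t, asset.applied))
        options = [c for c in unused if c.mitigates == worst.name]
        if not options:
            return False  # tolerance not reachable with this catalogue
        best = max(options, key=lambda c: c.reduction_pct)
        asset.applied.append(best)
        unused.remove(best)
    return True

CATALOGUE = [Control("parameterized queries", "SQL injection", 80),
             Control("web application firewall", "SQL injection", 50),
             Control("multi-factor authentication", "stolen admin credentials", 70),
             Control("privileged access review", "stolen admin credentials", 40)]

def customer_db(tolerance):
    """Build the constructed sample asset with the given risk tolerance."""
    return Asset("customer database", tolerance,
                 [Threat("SQL injection", 4, 5), Threat("stolen admin credentials", 3, 5)])
```

A `False` return means the catalogue cannot bring the asset within tolerance, which is the point at which the team has to add controls to the catalogue or revisit the requirement.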
VAST stands for Visual, Agile, and Simple Threat modeling and focuses on covering the entire software development lifecycle (SDLC) across an organization. It has three key pillars:
This methodology focuses on finding and assessing the probability of a risk by looking at 5 factors:
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is an approach to threat modelling where you identify and assess risk to your IT assets. It starts by identifying the critical components of your IT infrastructure and then assessing how those threats can negatively affect Confidentiality, Integrity and Availability of your IT systems.