Threat Modeling and Its Tools

Nitesh S
6 min read · Nov 24, 2022

What Is Threat Modeling?

Threat modeling examines the design of system operations and how data flows across subsystem boundaries. It then identifies all points of attack that hackers could exploit and how they could do so.

Last, it designs solutions to keep the system and its data safe.

According to leading expert Adam Shostack, the threat modeling process asks the following questions:

  • What are we building? Assess where data flows in a system, the boundaries it crosses and the technology used for every hand-off.
  • What can go wrong? Question every possible means of exploiting the hand-offs.
  • What are we going to do about that? Design defences against each exploit.
  • Did we do a good job? The final and most crucial question invites us to reflect on the process, review it, and reminds us that the work is never really done: there is always room for improvement.

The team then prioritises the threat risks and works them into development.

Threat modeling is a core element of the Microsoft Security Development Lifecycle (SDL). It’s an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application’s design, meet your company’s security objectives, and reduce risk.

Fig.1 Threat Modeling Steps

There are five major threat modeling steps:

  1. Defining security requirements.
  2. Creating an application diagram.
  3. Identifying threats.
  4. Mitigating threats.
  5. Validating that threats have been mitigated.

Threat modeling should be part of your routine development lifecycle, enabling you to progressively refine your threat model and further reduce risk.

What Is a Threat Modeling Tool?

A threat modeling tool enables you to proactively identify and resolve possible security threats to your software, data, or device. The process usually begins during the design stage of the product, with regular iterations to keep security up to date.

Threat modeling is extremely important in today’s landscape. Hackers thrive on the fact that the world is becoming increasingly online. A 2019 study by Clark School revealed that a hacker attack happens every 39 seconds. If there is a vulnerability in your application, exploitation is just a few seconds away. A sizable attack results in loss of capital, loss of trust for the brand, or worse, both.

Must-Have Features of Threat Modeling Tools

Fig.2 Features of threat modeling tools

  1. Ease of system information input: Any good threat modeling tool requires the detailed architecture of your application, the infrastructure that goes with it, and regulatory compliance that needs to be followed. If a new module or requirement is being added, the tool must be able to seamlessly take this input as well.
  2. Threat intelligence: Threat intelligence is the information collected from various publicly maintained threat libraries such as MITRE’s CAPEC, and maybe some proprietary information collected by the toolmakers.
  3. Threat dashboard: A threat dashboard is an intuitive display of the data gathered with threat intelligence that makes pre-emptive remedial actions easier. The more sophisticated the threat dashboard is, the easier it is to make decisions about tackling vulnerabilities.
  4. Mitigation dashboard: A good threat model doesn’t just list the vulnerabilities in a system, it also lets you take action. This can include making code fixes, putting in extra security controls, adding the item to a backlog, or accepting the risk (when severity is very low or the security control costs more than the actual attack would). This is the most crucial part of the threat modeling process.
  5. Rule engine: A rule engine is a system that collects all the regulations and policies that your organization follows. It can simply connect to existing policies like PCI and GDPR or can also work with custom rules. This is the part of the tool that ensures your business is compliant with regulatory requirements.
  6. Scalability: The complexity of the threat modeling process increases with the complexity of your application. If your product is a mammoth, then your threat modeling tool should be poised to reduce duplicate efforts. The ability to reuse components and use threat model templates (custom ones or templates packaged with the tools) when you create new modules is a huge advantage.
  7. Integration with existing workflow: Your threat modeling tool cannot just exist as a stand-alone monolith. It needs to be integrated into your system so that both work in conjunction. Connectors that integrate the tool with your application’s CI/CD pipeline make the threat modeling process time-effective.
  8. Reporting: The best outcome of a threat modeling exercise is robust documentation of the threat model, which can be circulated to all the stakeholders. Threat modeling tools should have the ability to generate reports of the threat modeling efforts at any point in time.

Threat Modeling Tools

Cairis

Cairis is an open-source threat modeling tool released in 2012. It is one of the most comprehensive open-source tools available.

Platform: Cairis is a web-based tool.

IriusRisk

Founded in 2015, IriusRisk has both a community edition and a standard edition.

Platform: IriusRisk is a web-based tool.

Kenna.VM

Kenna.VM is a Kenna Security offering that reports an application’s risk posture with empirical metrics.

Platform: Kenna.VM is a cloud-based platform.

Microsoft Threat Modeling Tool (MTMT)

Microsoft Threat Modeling Tool is one of the oldest and most tested threat modeling tools in the market. It is an open-source tool that follows the spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE) methodology.

Platform: MTMT is a desktop-based tool that runs on Windows OS.

OWASP Threat Dragon

OWASP Threat Dragon is an open-source solution that was released in 2016. It is very similar to MTMT, with less focus on Microsoft-centered services.

Platform: Threat Dragon is a web-based tool, though the older versions are desktop-based.
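To make the five steps and the STRIDE methodology concrete, here is an added example (not code from the article or from any of the tools it lists): a toy STRIDE-per-element rule engine in Python that enumerates threats for each element and data flow of a constructed three-element diagram, flags flows that cross a trust boundary, and drops threats with a recorded mitigation so that what remains is the open backlog. The element names, trust zones and mitigations are made-up sample data; the element-to-category mapping follows the STRIDE-per-element convention.

```python
# Added example (not code from the article or any tool it lists): a toy STRIDE-per-element
# rule engine over a constructed data-flow diagram. Names, zones and mitigations are made up.
from dataclasses import dataclass, field

S, T, R, I, D, E = ("Spoofing", "Tampering", "Repudiation",
                    "Information disclosure", "Denial of service", "Elevation of privilege")
# STRIDE categories that apply to each kind of diagram element (STRIDE-per-element).
STRIDE_PER_ELEMENT = {
    "external": {S, R},
    "process": {S, T, R, I, D, E},
    "store": {T, R, I, D},
    "flow": {T, I, D},
}

@dataclass
class Element:
    name: str
    kind: str        # "external", "process" or "store"
    zone: str        # trust zone; a flow between two zones crosses a trust boundary

@dataclass
class Model:
    elements: dict[str, Element]
    flows: list[tuple[str, str]]                       # (source name, destination name)
    mitigations: set[tuple[str, str]] = field(default_factory=set)  # (target, category)

def enumerate_threats(model):
    """Step 3 (identify threats): one (target, category, crosses_boundary) per rule hit."""
    found = []
    for el in model.elements.values():
        found += [(el.name, cat, False) for cat in sorted(STRIDE_PER_ELEMENT[el.kind])]
    for src, dst in model.flows:
        crosses = model.elements[src].zone != model.elements[dst].zone
        found += [(f"{src}->{dst}", cat, crosses) for cat in sorted(STRIDE_PER_ELEMENT["flow"])]
    return found

def residual_threats(model):
    """Steps 4-5: drop threats with a recorded mitigation; boundary-crossing flows sort first."""
    open_ = [t for t in enumerate_threats(model) if (t[0], t[1]) not in model.mitigations]
    return sorted(open_, key=lambda t: (not t[2], t[0], t[1]))

# Constructed sample: a browser on the internet talking to an API and database in one zone.
SAMPLE = Model(
    elements={"Browser": Element("Browser", "external", "internet"),
              "API": Element("API", "process", "dmz"),
              "DB": Element("DB", "store", "dmz")},
    flows=[("Browser", "API"), ("API", "DB")],
    mitigations={("Browser->API", I), ("Browser->API", T)},  # e.g. TLS on the public flow
)
```

`residual_threats(SAMPLE)` returns 16 open threats out of 18 enumerated, with the unmitigated denial-of-service threat on the boundary-crossing Browser->API flow listed first.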

Data Protection

Data protection and safety is one of the most important things you can do for your company if you regularly process personal data. If it is not already, data protection should be an integral part of your process to ensure compliance with the GDPR as well.

Data Protection Methods

  1. Risk Assessments
    The riskier the data, the more protection it has to be afforded. Sensitive data should be closely guarded, whereas low-risk data can be afforded less protection. The major reason for these assessments is the cost-benefit, as better data security equals greater expense. However, it is a good test to determine what data needs to be guarded more closely and makes the whole data processing system more efficient.
  2. Backups
    Backups are a method of preventing data loss that can often occur either due to user error or technical malfunction. Backups should be regularly made and updated. Regular backups will impose an additional cost on your company, but potential interruptions to your normal business operations will cost even more.
  3. Encryption
    High-risk data is the prime candidate for encryption every step of the way. This includes during acquisition (online cryptographic protocols), processing (full memory encryption) and subsequent storage (RSA or AES). Well-encrypted data is inherently safe; even in cases of a data breach, the data will be useless and irrecoverable to attackers.
  4. Access Controls
    The introduction of access controls to your company’s workflow is a very efficient risk reduction method. The fewer people who have access to the data, the lower the risk of an (inadvertent) data breach or loss.
    You should ensure that you give access to sensitive data only to trustworthy employees who have a valid reason to access it. We recommend you hold regular data handling education courses before employees handle data, with refreshers afterwards, especially after hiring new employees.

Conclusion

Choosing the right tool for threat modeling is half the battle won. So, make sure you consider the resources at hand, your threat modeling goals, and the amount of capital and time you are willing to invest in the threat modeling process.

Authors: Mohit Lalwani, Aditya Wanjari, Nitesh Sonawane, Anushka Wankhade.
