It’s a war out there and the top brass have assembled. Enemy forces are posing a crisis and the generals must strategize their next move based on their intel covering the opposition’s numbers, strengths and weaknesses, and known lines of attack. Most of us will identify with this all-too-familiar scene in war films. Inevitably, the discussion of the ‘war council’ gravitates towards the perceived threat scenarios from the opposing forces, and the global and domestic impact likely in the aftermath of further actions.
In the context of an organization’s cybersecurity posture, threat modelling is very much akin to the parlays of war generals and officials tasked with the security of their country.
What it is
Tech Target (1) calls threat modelling a procedure for optimizing application, system or business process security by identifying objectives and vulnerabilities, then defining countermeasures to prevent or mitigate the effects of threats to the system.
Forbes (2) defines it as an organized approach to documenting components of one’s systems architecture, then assessing the security threats to the assets that warrant protection and the resilience of the systems to these threats. It is a set of methodologies that security experts and software developers use, starting at the design stage, but also refine as newer threats arise.
Threat modelling ensures the security of an organization’s data, answering such critical questions as:
- Where asset and attack surface entry points lie
- The paths attackers have been known to take to compromise these assets
- The controls the organization has in place or is implementing to prevent attacks
Simply put, it is a vulnerability map—an accurate picture of every known and perceived threat to the security controls designed to safeguard an organization’s data assets.
Why it’s important
Implemented initially in the design stage of an organization’s security controls (and modified for newer threats identified along the way), threat modelling is an essential component of building, deploying, and managing secure software, systems and networks.
The benefits that accrue from an effective threat modelling system make it a must-have in the security setup of organizations. These benefits include:
- Safeguarding of the organization’s data assets
- Mitigation of cyber risks
- Economic benefits arising from the consequent reduction or elimination of losses from data breaches
- Investor confidence growth as a result of the organization deploying best cybersecurity practices
- Informed decision-making concerning any cyberattacks experienced, including identifying the most viable actionable responses
- Holistic review of the organization’s security posture, especially with a view to improving long-term security controls
- Reinforcement of security practices, conformity to corporate guidelines, compliance with certifications and industry standards
Threat modelling through the years
The advent of threat modelling can be traced to 1999, when Microsoft gave the cyber world STRIDE, the acronym for its Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege threat modelling methodology. Developed against the backdrop of a siloed development mindset, known threat actors, and known attack vectors, early versions of threat modelling systems were delivered over longer development cycles.
As threats proliferated and became more complex, attack surfaces and software followed suit. Threat actors became less visible, and delivery cycles shrank remarkably. Thankfully, threat modelling has evolved significantly to field these new challenges.
Today, there are a number of threat modelling systems that are geared to produce threat analysis in a shorter time frame and with greater frequency. Amongst the better-known systems are PASTA, VAST, LINDDUN, OCTAVE (3), and TRIKE.
A high point of these newer threat modelling systems is their cross-functional dexterity, powered by automation and underlying knowledge bases. To achieve this, modern threat modelling systems break down workflows into discrete scope elements—a methodology that is based on the truism that breaking down a complex process into smaller steps and tasks makes it easier to identify grey areas and weaknesses.
Because threat modelling is a proactive methodology for identifying threats, it stands to reason that organizations need to bring teams aboard at the incipient stage of development. Threat modelling experts suggest that organizations adopt the following best practices when embarking on their threat modelling exercise.
- Start early, at the beginning of the project, to ensure that design security is optimal; capturing inputs at an early stage also ensures faster and more economical design
- Maximize input from a variety of stakeholders so the widest coverage of threats and attack surfaces is achieved
- Deploy a variety of tools in the design phase
- Brainstorm as a team so a best approach to all possible scenarios is deployed
- Have stakeholders communicate their risk tolerance levels, so a correct approach to threat mitigation in the event of a breach can be adopted
- Educate and train teams so they are fully on board and feel part of the process
Building the system
The design phase of the threat modelling system is crucial, and can determine the success of the system. There are three common approaches (2) to the design phase, categorized according to their focus areas.
- A software-centric design approach focuses on the software being built and on how its design mitigates risks
- An attack-centric design approach centers on attack vectors and on the identities, motives, and resources of threat actors
- An asset-centric design approach identifies and classifies the most sensitive assets with a view to protecting them
Tech Target summarizes the steps organizations can take to implement their threat modelling system. These include:
- Forming a team of all concerned stakeholders, each with a clear understanding of their risk-tolerance levels
- Establishing the scope of the threat model that is needed, with a comprehensive description of the focus, resources, components, architecture, data flows etc.
- Creating a virtual map of the known and possible threats and vulnerabilities
- Ranking the threats with a view to prioritizing threat mitigation measures
- Implementing mitigation measures by recording protocols for risk management
- Documenting results that will serve as a guide to the threat landscape and creating a registry of threats experienced
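As an added example (not code from the article or its cited sources), the following Python sketch walks through the scope, mapping, ranking and documenting steps above for a constructed login flow: it enumerates candidate threats with Microsoft's STRIDE-per-element mapping (the STRIDE categories introduced earlier) and ranks the unmitigated ones by an assumed impact × exposure score. The element names, ratings and recorded mitigations are all assumptions.

```python
# Added example: a minimal threat register that applies STRIDE-per-element to a
# data-flow-diagram (DFD) scope and ranks the resulting threats for prioritisation.
from dataclasses import dataclass, field

# STRIDE-per-element: which STRIDE categories apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass
class Element:
    name: str
    kind: str        # one of the STRIDE_PER_ELEMENT keys
    impact: int      # 1-5, assumed stakeholder rating of asset sensitivity
    exposure: int    # 1-5, assumed rating of how reachable the element is
    # STRIDE letters for which a control is already recorded in the register
    mitigations: set = field(default_factory=set)


def enumerate_threats(elements):
    """Build the register: one entry per (element, applicable STRIDE category)."""
    threats = []
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            covered = letter in el.mitigations
            score = 0 if covered else el.impact * el.exposure
            threats.append({"element": el.name, "threat": STRIDE_NAMES[letter],
                            "score": score, "mitigated": covered})
    # Highest score first; ties broken by element and threat name for stable output.
    return sorted(threats, key=lambda t: (-t["score"], t["element"], t["threat"]))


def open_threats(threats):
    """Entries still needing a mitigation decision."""
    return [t for t in threats if not t["mitigated"]]


# Constructed sample scope: an internet-facing login flow (all values assumed).
SAMPLE = [
    Element("Browser user", "external_entity", impact=2, exposure=5, mitigations={"S"}),
    Element("Login request", "data_flow", impact=4, exposure=5, mitigations={"T", "I"}),
    Element("Auth service", "process", impact=5, exposure=4, mitigations={"S", "E"}),
    Element("Credential DB", "data_store", impact=5, exposure=2, mitigations={"I"}),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE):
        status = "covered" if t["mitigated"] else f"score {t['score']}"
        print(f"{t['element']:<14} {t['threat']:<24} {status}")
```

Feeding the register back into a shared database, as the next paragraph suggests, is a matter of persisting the list that enumerate_threats returns.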
As the threat model progresses toward maturity, organizations need to pay attention to growing their knowledge base of recurrent threats and mitigation patterns. Empirical cases of threats experienced and mitigation methods deployed will save time and expense on repeated threat modelling by having various teams access the shared database.
Putting a threat model in place may seem the be-all and end-all of managing the threat landscape. It is not. Organizations would do well to keep the following in mind:
- Threat modelling is an ongoing process, to be repeated whenever there is a change in an application, infrastructure, or threat environment; updating the threat model ensures its relevance, readiness, and robustness
- Threat modelling teams need patience and persistence in view of the large number of iterations that may be necessary to keep the threat model fully functional
- Threat remodelling may involve costs, and planning for these in the cybersecurity/IT budget is advisable
- A vigilant approach to observing and acting on design flaws, access rights and permissions, and compliance with security policies is critical
- A sustained approach to employee awareness, education, training, and communication enhances the efficacy of the threat model
Threat modelling has emerged as a critical business capability. For some time now the regulatory bodies have been keeping an eye on this need. The recent CISA regulation (4) directs technology providers to publish “detailed threat models” showing where product protections are needed. Forbes terms it a ‘board-level imperative’ as ignoring, discounting, or compromising on it poses gigantic organizational risks. A mature threat model shores up investor confidence and speaks for the security posture of the organization. It ratifies the approach of the board and the C-suite to managing operational risk.
With the scales seemingly tilted in favor of the former in the ongoing cyber war between threat actors and cybersecurity teams, and losses from data breaches mounting, the ‘generals’ in organizational setups know only too well the importance of a robust threat model. For them, the 2,500-year-old line of the ancient Chinese military strategist Sun Tzu would be worth remembering:
‘Know the enemy and know yourself, then you need not fear the result of a hundred battles’.
Two and a half millennia on, this could apply to threat modelling.