What is Threat Modeling?
While there is not one exact industry-wide definition, Threat Modeling can be summarized as a practice to proactively analyze the cybersecurity posture of a system or system of systems. Threat Modeling can be conducted both in the design/development phases and for live system
environments.
environments.
It is often referred to as Designing for Security. In short, Threat Modeling answers questions such as “Where am I most vulnerable to attacks?”, “What are the key risks?”, and “What should I do to reduce these risks?”.
More specifically, Threat Modeling identifies cybersecurity threats and
vulnerabilities and provides insights into the security posture, and what controls or defenses should be in place given the nature of the system, the high-value assets to be protected, the potential attackers’ profiles, the potential attack vectors, and the potential attack paths to the high-value assets.
vulnerabilities and provides insights into the security posture, and what controls or defenses should be in place given the nature of the system, the high-value assets to be protected, the potential attackers’ profiles, the potential attack vectors, and the potential attack paths to the high-value assets.
1. Create a representation of the environment to be analyzed
2. Identify the high-value assets, the threat actors, and articulate risk tolerance
3. Analyze the system environment from potential attackers’ perspective:
- How can attackers reach and compromise my high-value assets? I.e. what are the possible attack paths for how attackers can reach and compromise my high-value assets?
- What of these paths are easier and harder for attackers?
- What is my cyber posture — how hard is it for attackers to reach and compromise my high-value assets?
If the security is too weak/risks are too high,
4. Identify potential measures to improve security to acceptable/target levels
5. Identify the potential measures that should be implemented — the most
efficient ways for your organization to reach acceptable/target risk
levels
efficient ways for your organization to reach acceptable/target risk
levels
Why Threat Model — The Business Values
Threat Modeling is a very effective way to make informed decisions when
managing and improving your cybersecurity posture. It can be argued that
Threat Modeling, when done well, can be the very most effective way of
managing and improving your cyber risk posture, as it can enable you to
identify and quantify risks proactively and holistically and steer your
security measures to where they create the best value.
managing and improving your cybersecurity posture. It can be argued that
Threat Modeling, when done well, can be the very most effective way of
managing and improving your cyber risk posture, as it can enable you to
identify and quantify risks proactively and holistically and steer your
security measures to where they create the best value.
Identify and manage vulnerabilities and risks before they are implemented and exploited
Before implementation: Threat Modeling enables companies to “shift left” and identify and mitigate security risks already in the planning/ design/ development phases, which is multiples — often 10x, 100x, or even more — times more cost-effective than fixing them in the production phase.
Before exploited: As rational and effective cyber defenders we need both proactive and reactive cyber capabilities. Strengthening security
proactively, before attacks happen, has clear advantages.
proactively, before attacks happen, has clear advantages.
However, it also comes with a cost. An effective Threat Modeling enables the user to make risk-based decisions on what measures to implement proactively.
Prioritize security resources to where they create the best value
One of the very key challenges in managing cybersecurity is to determine
how to prioritize and allocate scarce resources to manage risks with the best effect per dollar spent. The process for Threat Modeling, presented in the first section of this text, is a process for determining exactly this. When done effectively, it takes into consideration all the key parts guiding rational decision-making.
how to prioritize and allocate scarce resources to manage risks with the best effect per dollar spent. The process for Threat Modeling, presented in the first section of this text, is a process for determining exactly this. When done effectively, it takes into consideration all the key parts guiding rational decision-making.
There are several additional benefits to threat modeling. One is that all the
analyses are conducted on a model representation of your environment,
which creates significant advantages as the analyses are non-intrusive. Also, analyzers can test scenarios before implementations.
analyses are conducted on a model representation of your environment,
which creates significant advantages as the analyses are non-intrusive. Also, analyzers can test scenarios before implementations.
Another set of values are that threat models create a common ground for communication in your organization and increase cybersecurity awareness. To keep this text concise, we here primarily highlight the values above. We also want to state that there are several other excellent
descriptions of the values of threat modeling, and we encourage you to
explore them.
descriptions of the values of threat modeling, and we encourage you to
explore them.
Who does Threat Modeling and When?
On the question “Who should threat model?” the Threat Modeling Manifesto says “You. Everyone. Anyone who is concerned about the privacy, safety, and security of their system.” While we do agree with this principle in the long term, we want to nuance the view and highlight the need for automation.
Threat Modeling in development:
This is the ”base case” for Threat Modeling. Threat modeling is typically
conducted from the design phase and onward in the development process. It is rational and common to do it more thoroughly for high criticality systems and less thoroughly for low criticality systems. Threat modeling work is typically done by a combination of development/DevOps teams and the security organization.
conducted from the design phase and onward in the development process. It is rational and common to do it more thoroughly for high criticality systems and less thoroughly for low criticality systems. Threat modeling work is typically done by a combination of development/DevOps teams and the security organization.
More mature organizations typically have more of the work done by the development/DevOps teams and the less mature organizations have more
work support from the security organization.
work support from the security organization.
Threat Modeling of live environments:
Many organizations also do threat modeling on their live environments.
Especially for high criticality systems. As with the Threat Modeling in
development, organizations have organized the work in different ways.
Here, the work is typically done by a combination of operations/DevOps
teams and security organization.
Especially for high criticality systems. As with the Threat Modeling in
development, organizations have organized the work in different ways.
Here, the work is typically done by a combination of operations/DevOps
teams and security organization.
Naturally, it is advantageous when Threat Models fit together and evolves over time from development through operations and DevOps cycles.
Also published at https://medium.com/faun/threat-modeling-step-by-step-dcbdcd206c6d