A Step-by-Step threat modeling challenge approach
Questions and answers to guide you on how to apply a threat modeling challenge approach.
There is a wealth of information online to aid in threat modeling, and occasionally, we need simpler ways to understand it, akin to following cooking recipes.
Threat modeling helps organizations face challenges, threats, and risks that are growing every day. It is important to implement threat modeling early as a preventive and continuous measure to mitigate cybersecurity risks.
In this article, we’ll look at questions and answers to help us achieve how a threat model guides us. We will understand how a threat model guides us in identifying threats and risks, and how to address them to minimize risk to acceptable levels.
What is Threat Modeling?
Understanding the concept of threat modeling and clarifying the meanings of relevant terminologies are essential steps toward achieving proficiency in it.
The primary focus is on understanding the meanings of key concepts and addressing pertinent questions such as:
- What is a threat?
- What is modeling?
- What is a vulnerability?
- What is a risk?
Understanding these concepts, drawn from the Merriam-Webster dictionary, will provide you with a clearer understanding of how they relate to threat modeling. These terms are described below in simple language, which should help answer any previous questions about them:
- Threat: A Person or thing likely to cause damage or danger.
- Modeling: Use (a system, procedure, etc.) as an example to follow or imitate or follow.
- Vulnerability: The quality or state of being exposed to the possibility of being attacked or harmed.
- Countermeasure: An action or device designed to negate or offset another.
- Risk: Someone or something that creates or suggests a hazard.
Understanding the CIA triad is vital for application security, as it provides a structure for implementing countermeasures and controls that mitigate risks. It restricts access only to authorized users (Confidentiality), that the data they access is accurate and reliable (Integrity), and that they can access it whenever they need to (Availability). This allows the creation of secure applications that protect both users and organizations.
When considering the term threat modeling, what does it mean from a high-level perspective? Threat modeling involves analyzing systems assets to protect against threats with appropriate countermeasures.
It is crucial to understand each concept and its relationship with threats, vulnerabilities, and risks. This understanding helps us effectively model these elements to mitigate potential harm. Prioritizing countermeasures based on identified threats and risks from threat modeling results is essential.
The Threat Modeling Manifesto serves as the foundation for threat modeling, outlining its values, principles, and key characteristics as industry guidance. It provides a published declaration of intentions and motives, defining guidelines, values, and principles to be followed. These serve as guides for all team members involved in the threat modeling process. Let’s explore a couple of important definitions and guidelines outlined in the threat modeling manifesto, which will help refine our methods and techniques:
- Values: “A value in threat modeling is something that has relative worth, merit, or importance. That is, while there is value in the items on the right, we value the items on the left more”.
- Principles: “A principle describes the fundamental truths of threat modeling. There are three types of principles: (i) fundamental, primary, or general truths that enable successful threat modeling, (ii) patterns that are highly recommended, and (iii) anti-patterns that should be avoided”.
Finally, it is time to select a method. We propose to use STRIDE, a model developed by Praerit Garg and Loren Kohnfelder at Microsoft for identifying computer security threats. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege, with each letter corresponding to a threat category. These terms are taken from the Oxford Dictionary.
This method comprehensively analyzes processes, data stores, data flows, and trust boundaries. It has reached a high level of maturity and has accumulated vast information over the years. It is used to achieve the following objectives:
- Creating a simplified representation of the system.
- Identifying probable attackers, including their procedures, tactics, and techniques.
- Establishing a knowledge base of potential threats and risks.
When, Who, and What Threat Modeling Should be Applied To?
We will address three specific questions crucial for understanding the steps to build threat modeling, as described below:
- When to perform Threat modeling? This question is among the most critical considerations. It is recommended to conduct threat modeling in the early phases of software development, where vulnerabilities can be identified and addressed at a timely and cost-effective stage. Ideally, threat modeling should commence during the software design phase. In agile environments, threat modeling should be integrated into each sprint. Additionally, it is advisable to incorporate threat modeling into the DevSecOps lifecycle and the stage of the running environment.
- By whom? This question involves leveraging human knowledge and experience. Resolving this issue and ensuring the inclusion of all stakeholders are critical steps. Threat modeling is a collaborative and iterative process that requires the involvement and support of all stakeholders. Every team member, based on their roles, capabilities, and experiences, contributes to the development of threat modeling, providing diverse perspectives on business, processes, technical aspects, and human and physical risks. This collaborative approach strengthens the threat modeling process.
3. What are we building? This last question is crucial to consider. It’s recommended to start traditionally, using a whiteboard and a pen for drawing or digitally if needed. Here are the key steps you need to keep in mind to begin with the next step-by-step process described below and draw it:
1. Decompose the application like a Lego building game: Identify assets such as servers, databases, and external dependencies like business partners, such as suppliers, vendors, or any other entity in the supply chain. Consider entry points like customers, agents, and administrators, as well as exit points where data is stored. Define trust boundaries for the system.
2. Build a data flow diagram (DFD), that maps out the flow of information for any process or system. This diagram helps visualize the workflows and understand the inputs, outputs, assets, data, and information involved.
3. What could go wrong? Brainstorm with the team to identify risks and the worst-case scenarios. Rank threats and risks to the system and process, and create a threat listing to ensure all possible threats are covered.
4. What can we do about it? Determine potential countermeasures and solutions to mitigate threats and risks. Consider cost-efficient controls and verify their implementation.
5. How do we know that we did a good job? Evaluate the effectiveness of the threat modeling exercise: Use a checklist to ensure all aspects are covered and verify that the diagram accurately reflects reality. Confirm the implementation status of the security controls.
Conclusion
In conclusion, the challenge approach can be summarized in five key points: decomposition, creating a data flow diagram (DFD), ranking threats and risks, implementing countermeasures, and conducting thorough checks. By implementing comprehensive security measures, businesses and individuals can ensure the integrity, confidentiality, and availability of their services and applications. This fosters trust and safeguards their most valuable assets.
