
What Is Threat Modeling

Explore how early threat detection and mitigation during design prevents costly breaches.

Threat Modeling is a step-by-step approach to proactively identify a system’s potential threats, vulnerabilities, and attack vectors. Put simply, the security team thinks like an attacker and anticipates how attackers might try to exploit the weaknesses in their system.

In one of our ScaletoZero podcasts, Jeevan Singh explained the threat modeling concept in a very unique way. Let us help you understand what he says.
“Threat Modeling is Asset Centric” - Jeevan Singh, Director of Product Security

There are various approaches to threat modeling, but an asset-centric approach is favorable: when an organization is analyzing a design or a feature, it should focus on identifying the valuable assets within that feature and then determining the potential risks to those assets. Below are some thoughts on what threat modeling should be:

  • Simple: It should not be an overly complex process.
  • Transparent: Everyone involved in the process should understand the process and the goals.
  • Democratized: Everyone in the threat modeling session should have a voice and be able to contribute their unique perspective based on their experience and expertise.

Why should organizations prioritize Threat Modeling?

“Threat Modeling should be introduced to an organization’s SDLC right from the start, it should be fundamental”. - Brook Schoenfield, ScaletoZero Podcast

Threat modeling is a strategic security practice that every organization should follow, because “Benefits outweigh the efforts”. Organizations should prioritize threat modeling for several compelling reasons beyond identifying security vulnerabilities. Below are the 6 basic yet important reasons for prioritizing threat modeling.

Proactive Security

Unlike reactive security measures that involve addressing issues after an attack, threat modeling takes a proactive approach. Organizations can address security weaknesses before they get exploited by identifying potential threats and attack vectors early in the development lifecycle (ideally during the design phase). This prevents costly security breaches and safeguards sensitive data.

Improved System Design

Threat modeling is not just limited to identifying problems; it informs secure system design. By identifying and analyzing potential threats and attack vectors, organizations can make sound decisions about system architecture, data flow, and access controls. This also develops more secure, robust, and resilient systems from the ground up.

Enhanced communication and collaboration

Various entities like developers, security engineers, and stakeholders are involved in a typical threat modeling process. This makes it a collaborative process and fosters communication and a shared understanding of security considerations across different teams. The involved teams clearly understand the system’s security posture and how individual roles contribute to overall security.

Prioritization of security efforts

As explained earlier, the threat modeling process helps identify a wide range of possible threats and vulnerabilities. Because “Not all threats are created equal”, threat modeling helps an organization prioritize its security efforts by focusing on the most critical threats, based on factors like the possibility of occurrence, potential impact, and ease of exploitation.

Democratized Security

We emphasize that threat modeling should be inclusive, with everyone in the session having the right to voice their thoughts. This allows valuable insights from diverse backgrounds and experiences to contribute to the threat model. Democratized security can identify threats that might be missed by a single perspective, ultimately leading to a more comprehensive security posture.

Cost Effectiveness

Addressing security vulnerabilities after they have been exploited in an attack can be incredibly expensive. The cost includes not only identifying the security breach but also data recovery, forensic analysis, and potential regulatory fines. Practicing threat modeling helps organizations mitigate these risks upfront and save significant resources in the long run.

What is the right time to start Threat Modeling?

When we asked Brook on our ScaletoZero podcast when the right time to start threat modeling is, Brook said: “As you build software from idea and actually through testing, there is a play for the threat model”.

Threat modeling is most effective when prioritized early in the development cycle. The term for this is “Shifting Left”. It means that it is much easier to fix something you have discovered early than to fix it later in the development process. This also provides cost benefits, as fixing vulnerabilities early is easier and more affordable than addressing them after deployment.

Organizations should be aware that securing a large system design in one shot can be overwhelming. The threat modeling process is therefore carried out in focused stages: gathering requirements, design, development, testing, deployment, and maintenance. The specific approach to threat modeling may vary depending on the software's complexity and risk profile. Some organizations may choose to start with a high-level threat modeling exercise, followed by more detailed exercises in each of the stages listed above.

Kalyani Pawar, AppSec Engineer, explains threat modeling using a baker’s analogy. She explains: “When you are baking a cake, sugar is added in the beginning itself to make the cake taste delightful. Similarly, threat modeling should be integrated early in the development process to make it scalable”.

The sooner, the sweeter (and more secure!). As explained above, threat modeling should be implemented as early as possible in the development lifecycle. To make it more consumable, here is a short breakdown:

Cost Saving

Think of this as fixing a typo early in the draft rather than reprinting the entire document. Catching vulnerabilities early is much cheaper than patching them after deployment, when the system is already live and potentially being used.

Shift Left

In security terms, this early integration is called “Shift Left.” It means addressing security issues from the get-go rather than waiting until later stages, when it gets challenging and expensive to make changes.

Manageable Scope

As said above, a complex system design can be overwhelming. However, threat modeling can be done in focused stages. For example, you could zoom in on the authentication process of your application to identify potential security weaknesses.

Last but not least, as we always say, “Security should not be a set-and-forget practice.” Keeping this in mind, threat modeling should be iterative throughout the SDLC. This continuous vigilance allows organizations to identify and address vulnerabilities early on, before they are exploited by attackers.

What are the steps included in the Threat Modeling process?

“You may need to gain the right expertise in-house. And so that’s a problem. You do, I encourage everyone to do their best, even with limitations. A, the most important thing is to get some security testing and tooling going. That’s very important”. - Brook Schoenfield, ScaletoZero Podcast

Several steps should be included in your threat modeling process, such as Scope and Objectives, Identifying Assets and Data Flows, Threat Identification, Risk Assessment, Controls, and Documentation. Remember that threat modeling is an iterative process: as the system evolves and new features are added, it is crucial to revisit the threat model and ensure it continues to reflect the current security posture. Now let us understand each step in detail.

Define Scope and Objectives

You should be able to clearly define “What to model?”, that is, the system or feature you will be analyzing for threats. Organizations should also establish the objectives of the threat modeling session.

Identify Assets and Data Flow

In this step, list all the critical assets within the system such as user data, financial information, or intellectual property. Now you can map how data flows throughout the system including storage locations, access points, and communication channels.

Threat Identification

This step relies on brainstorming. Techniques like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service, Elevation of Privilege) can help identify potential threats for each asset and data flow. An easy tip: think like an attacker and consider the different scenarios in which they could exploit vulnerabilities in your system.

Risk Assessment

In this step, organizations should evaluate the potential severity based on the impact of each threat on the identified assets. Also, consider the likelihood of each threat occurring based on factors like attacker motivation and exploitability. Now based on this data, prioritize the threats that pose the biggest risk to the system. This helps focus resources on mitigating the most critical vulnerabilities first.

Develop Countermeasures and Mitigations

In this step, you primarily work on implementing security controls. Once threats are prioritized, identify and implement the security controls required to mitigate them. Common security controls involve access controls, encryption, input validation, or security awareness training. Also, understand that some risks may remain even after applying countermeasures. Thus, we recommend regularly reviewing and updating the threat model as needed.

Document and Communicate

You may think that the documentation and communication step is less important than the others, but it is not. It is one of the most crucial steps. The identified threats, associated risks, and chosen countermeasures are documented for reference and auditing purposes. Once documented, these findings and mitigation strategies need to be communicated to all stakeholders within the organization, including developers, security engineers, and system administrators.

We know that security cannot be a set-and-forget practice. Still, following these steps will help you get started with a strong Threat Modeling process.
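The steps above applied to one small feature, as an added example that is not from the original post: assets and data-flow elements are listed, STRIDE threats are enumerated per element, each is scored, mitigated ones are dropped, and the rest are ranked. The 1-5 scales, the likelihood x impact score, the simplified STRIDE-per-element chart and all sample data are assumptions of this example.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial-of-Service",
          "E": "Elevation of Privilege"}
# Simplified STRIDE-per-element applicability chart (assumption of this example).
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # key of APPLIES
    assets: tuple = ()     # assets this element stores, handles or carries

def enumerate_threats(elements, asset_value):
    """Return (threats, skipped): one threat per applicable STRIDE category for
    every element that touches a listed asset; other elements are reported."""
    threats, skipped = [], []
    for el in elements:
        touched = [a for a in el.assets if a in asset_value]
        if not touched:
            skipped.append(el.name)   # asset-centric blind spot, review by hand
            continue
        impact = max(asset_value[a] for a in touched)   # worst-case asset
        threats += [{"element": el.name, "stride": STRIDE[c], "impact": impact}
                    for c in APPLIES[el.kind]]
    return threats, skipped

def prioritize(threats, likelihood, mitigated=frozenset(), default=2):
    """Risk = likelihood x impact (1-5 each). Mitigated threats are dropped;
    the rest are returned highest risk first."""
    rows = []
    for t in threats:
        key = (t["element"], t["stride"])
        if key not in mitigated:
            rows.append({**t, "risk": likelihood.get(key, default) * t["impact"]})
    return sorted(rows, key=lambda r: (-r["risk"], r["element"], r["stride"]))

# Constructed sample: the login feature of a hypothetical web application.
ASSETS = {"user credentials": 5, "session token": 4}
ELEMENTS = [
    Element("Browser", "external", ("user credentials",)),
    Element("Login request", "flow", ("user credentials",)),
    Element("Auth service", "process", ("user credentials", "session token")),
    Element("User DB", "store", ("user credentials",)),
    Element("Session cookie", "flow", ("session token",)),
    Element("Static CDN", "flow"),
]
LIKELIHOOD = {("Login request", "Information Disclosure"): 4,
              ("Auth service", "Spoofing"): 4,
              ("User DB", "Tampering"): 1}
MITIGATED = {("Login request", "Information Disclosure")}   # e.g. TLS enforced

if __name__ == "__main__":
    found, skipped = enumerate_threats(ELEMENTS, ASSETS)
    for row in prioritize(found, LIKELIHOOD, MITIGATED)[:5]:
        print(f'{row["risk"]:>2}  {row["element"]:<14} {row["stride"]}')
    print("not tied to an asset:", skipped)
```

The `skipped` list names elements that touch no listed asset, which is where a purely asset-centric pass needs a manual look.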

What are the three common Threat Modeling techniques?

The simple process of threat modeling needs to be approached with discipline and care. You should be aware that as the technology changes, the attack surface of any given system changes. Thus adapting to changes and acknowledging what we know and what we do not know is crucial. In general, there are three threat modeling techniques (Software Centric, Attacker Centric, and Asset Centric) that are commonly practiced. Let us understand them one by one.

Software Centric Approach

  • Focus: Analyzing the application or software itself.
  • Process: Examining the system’s architecture, code, and functionalities to identify vulnerabilities that could be exploited by attackers. Tools like static code analysis and code reviews are often used in this approach.
  • Strength: Identify vulnerabilities within the code itself, such as buffer overflows, SQL injection flaws, or insecure coding practices.
  • Limitations: Possibility to overlook broader system security considerations like data flows, user interactions, and external dependencies.

Attacker Centric Approach

  • Focus: This approach flips the script and focuses on the attacker’s perspective.
  • Process: Thinking like an attacker to identify potential attack vectors, exploit techniques, and tools that could be used to compromise the system. Techniques like attack trees and penetration testing are commonly used.
  • Strength: Identify potential attack scenarios and weaknesses that might be missed by a purely code-focused analysis.
  • Limitations: The attacker-centric approach can be complex and requires a deep understanding of attacker motivations and techniques.

Asset Centric Approach

  • Focus: Prioritizes the valuable assets within a system.
  • Process: Identifying critical assets like user data, financial information, or intellectual property, and then analyzing the threats and risks associated with those assets. Data flow diagrams and risk assessment are key elements of this approach.
  • Strength: Ensures that security measures are focused on protecting what matters most – the most valuable assets of the organization.
  • Limitations: Potential vulnerabilities within the system might get overlooked if they aren’t directly tied to a specific asset.

The best approach to threat modeling often involves a combination of all three techniques. The specific approach chosen will depend on the nature of the system being modeled, the available resources, and the security goals of the organization.

Additional Resources

Uncovering the secrets of Threat Modeling with Brook Schoenfield
