Why is Threat Modeling important?
As part of implementing due diligence, doing research, and ensuring that our systems are safe, we might need to do some threat modeling. Threat modeling is a structured approach of identifying and prioritizing potential threats to a method and determining the value that possible mitigations would have in reducing or neutralizing those threats. It is essential to make sure that these threats aren't exploited. The actual implementation of solutions to help minimize data loss and personal information is the due care taken during threat modeling. All developers, software system designers, and architects should strive to include threat modeling in their software development life cycle. Threat modeling is used much more in agile environments with the help of machine learning with testing and training a model.
The terminologies used during threat modeling:
Threat Agent: A threat agent is an individual or group capable of carrying out a particular threat. It is fundamental to identify who would want to exploit a company's assets, how they might use them against the company, and if they would be capable of doing so.
Impact: Impact is a measure of the potential damage caused by a particular threat. Impact and injury can take a variety of forms. A danger may result in damage to physical assets or may result in apparent financial loss.
Likelihood: Likelihood is a measure of the possibility of a threat being carried out. A variety of factors can impact the likelihood of a threat being carried out, including how complex the implementation of the threat is and how rewarding it would be to the attacker.
Controls: Controls are safeguards or countermeasures that you put in place in order to avoid, detect, counteract, or minimize potential threats against your information, systems, or other assets.
Preventions: Preventions are controls that may ultimately prevent a particular attack from being possible.
Mitigations: Mitigations are controls put in place to reduce either the likelihood or the impact of a threat while not necessarily wholly preventing it.
Data Flow diagram: A data flow diagram is a depiction of how information flows through your system. It shows each place that data is input into or output from each process or subsystem.
Trust Boundary: A trust boundary is a location on the data flow diagram where data changes its level of trust. Any place where information is passed between two processes is typically a trust boundary.
Let's compare threat modeling to an analogy when a person plays an instrument; he/she develops muscle and listening skills, the same way an attacker plays around a vulnerable ground. Models are used for communication with an ability to enhance understanding and abstraction. The layout of any given system is that the user provides an input to the web browser; the information is checked by the webserver with the equivalent input limited by the database storage and returned with a level of business logic in the middle. Every process in this phase has been assigned a certain level of trust boundaries, exactly where malicious actors try to tamper with the system.
Usually, assets that attackers want are relatively tangible things such as user passwords or keys, social security numbers or other identifiers, credit card numbers, confidential business data, etc. A simple strategy to threat model is ideas which come in from every corner of the room, also known as brainstorming, creating scenarios and mainly focusing on the assets at hand and thinking like an attacker. A beneficial methodology to look for threats is the STRIDE methodology. The goal of STRIDE is to help you find attacks and categorize them against all sorts of technological systems.
Threat modeling today can be compared to Gartner's graph. Gartner's chart helps in understanding the realistic expectations for emerging technologies concerning time. It is divided into sections:
The innovation trigger
The peak of expectations
The trough of disillusionment
The slope of enlightenment
The plateau of productivity
Threat hunting currently lies somewhere between the innovation trigger and the peak of expectation on the graph. And in the next ten years, we expect threat hunting to reach the productive base.
Before starting the threat modeling process, it is essential to identify the business objectives of the applications you are assessing and identify security and compliance requirements that may be necessary due to business or government regulation. Having these objectives and needs in mind before the threat assessment begins can help you to evaluate the impact of any threat you find during the risk analysis process.
Threat modeling processes start with creating a visual representation of the application or infrastructure being analyzed using different TTP's (Tactics, techniques, and procedures). The application/infrastructure is decomposed into various elements to aid in the analysis. Once completed, the visual representation is used to identify and enumerate potential threats. To produce a threat model, it is essential to document how data flows through a system to determine where the system might be attacked. Document as many potential threats to the system as possible and document security controls that may be put in place to reduce the likelihood or impact of a potential threat.
References:
