Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What Is Threat Modeling? Process, Framework & Methodologies

What Is Threat Modeling?

Every day, new threats emerge that put our valuable digital assets at risk of being compromised. Such threats include ransomware, denial-of-service attacks, password attacks, negligent/malicious insiders, and a whole lot more. Addressing all these threats can be overwhelming for security teams, which is where threat modeling comes into play.

What Is a Threat Model?

Threat modeling is a process that identifies risks and prioritizes them. Once risks are identified, a threat model helps prioritize them and assesses the costs and benefits of addressing them.

In the context of information technology, a threat model is used to profile potential attackers, identify likely avenues of attack, and determine which hardware and software is most likely to be targeted. A typical threat modeling process will use the Common Vulnerability Scoring System (CVSS) to quantify the severity of the relevant threats and vulnerabilities. Based on this information, security teams can implement appropriate security controls to protect their systems, taking into account the costs and benefits of each option.

Threat Modeling Goals

There are key benefits to engaging in the process of threat modeling, leading to meeting the goals of managing security risks in an effective way. These include:

  • Gaining clarity around your security requirements. Best practices are only guidelines as they cannot take your specific situation into account. Threat modeling can show you what to prioritize and where to invest resources for your own unique situation.
  • Preventing problems, having faster feedback with reduced cost. Threat modeling can catch issues early in the development process, at times, even eliminating vulnerabilities before they occur. Having to instigate code fixes later will cost more.
  • Having a better quality product will result in increased confidence. Many data breaches emphasize how so many teams ignored security considerations. Threat modeling makes any weaknesses visible, so you can plan to mitigate vulnerabilities and realistically quantify threats.

How should you Implement Threat Modeling?

Once you have analyzed possible attack vectors and understand the impact of these threats, you can tailor your security measures to mitigate risks effectively. Below is a step-by-step process of how to conduct a threat modeling exercise.

1. Understanding the Security Requirements and Vulnerabilities

The first stage in the threat modeling process is to identify security requirements and vulnerabilities and usually the best and most cost-effective way to do this is to engage an outside expert.

The steps involve outlining how data moves through the system, identifying the point at which it enters the system, determining how the data is accessed and establishing who can access it. All software and other applications in the system should be listed and the system architecture specified. The next step is to use threat modeling to identify potential threats to the system.

2. Assessing the Criticality of Threats and Vulnerabilities

Potential threats need to be ranked to decide the priority that they should be given.

The Common Vulnerability Scoring System (CVSS) ranks potential threats from one to 10 according to their severity and whether the vulnerability has been exploited since it was first discovered. A CVSS score of 10 signifies the most severe threat whereas a CVSS score of one indicates the least severe threat.

However, a raw CVSS score does not consider the context of a vulnerability or its place within the IT system. Some vulnerabilities will be more critical to some organizations than to others.

3. Prioritizing Remediation Methods

Once the criticality of each potential threat has been assessed for your organization, you can decide which are the most important and this is a process called threat analysis. Threat analysis identifies the most vulnerable points in the system and the potential threat posed by an attack.

What is the Threat Modeling Process?

The threat modeling process involves determining the systems that may be affected, identifying potential issues, implementing risk reduction measures, and evaluating the effectiveness of those measures. While the specific threats may vary, the following steps should always be included:

    • Build a secure design, model, or application defense system
    • Invest resources efficiently
    • Prioritize security over short-term profitability for long-term gain
    • Keep stakeholders informed about important system changes
    • Specify system threats and compliance requirements
    • Ensure compliance guidelines are adhered to
    • Define controls to mitigate threats before, during, and after an incident
    • Build and implement controls transparently for all stakeholders
    • Assess risks associated with the threat management system used
    • Document system-impacting threats
    • Document mitigation efforts for each threat
    • Ensure business goals are not impacted by threats or negative events
    • Identify ways to test the system’s effectiveness against targeted threats

Threat Modeling Techniques

A key step in threat modeling is to ensure that you have a complete understanding about how the application works and how it interfaces with entities within its system.

To do this, the system’s behavior needs to be understood within the context of a range of different conditions. These may include situations where users with different levels of access connect, how the system behaves while connected to different networks, or how the system processes different kinds of data. While looking at this behavior, it is important to define potential entry points and vulnerabilities, and how these are affected by different interactions.

Using a diagram that defines the flow of data should help to ensure that nothing is missed. This a visual representation of how data moves in, passes through, and moves out of a system or application. It also shows how the data is changed at various stages of its processing or storage and needs to show where data is stored as it moves through the system.

This data flow diagram makes it easier to identify trust boundaries. These show the points at which the data must be validated prior to it being allowed to enter an entity that will use it.

Threat Modeling Methodologies

There are several different threat modeling frameworks used in the field of cybersecurity. Some of the popular ones include:

  • STRIDE: This framework was developed by Microsoft and focuses on six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE).
  • DREAD: This framework uses five criteria to assess threats: Damage, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD). Each criterion is given a score on a scale from 0 to 10, and the scores are combined to prioritize threats.
  • PASTA: The Process for Attack Simulation and Threat Analysis (PASTA) framework provides a structured approach to threat modeling. It emphasizes the use of simulation and combines multiple existing methodologies to identify, analyze, and mitigate threats.
  • OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework that helps organizations assess and manage risks. It focuses on identifying critical assets, determining their vulnerabilities, and evaluating potential threats.
  • Trike: The Trike threat modeling methodology takes a holistic approach to threat modeling by considering business, operational, and technical perspectives. It provides a detailed framework for understanding threats and vulnerabilities and includes various assessment techniques.
  • VAST: Visual, Agile, and Simple Threat (VAST) modeling framework is a visual technique that assists teams in identifying and assessing threats. It emphasizes collaboration and simplicity while providing a structured approach to threat modeling.

These frameworks are used to systematically analyze threats and vulnerabilities to build secure systems and applications. The choice of framework depends on the specific requirements and preferences of the organization.

How Lepide Threat Models Help Protect Sensitive Data

The Lepide Data Security Platform can analyze user and entity behavior patterns and identify any deviations from the expected patterns outlined in the threat model. Examples may include unauthorized access attempts, data exfiltration, or privilege abuse.

By analyzing behavior patterns, the Lepide Solution can provide early detection of potential insider threats that may not be easily recognized through traditional security controls. For example, a user trying to access sensitive data or systems outside of their normal work hours or from an unusual location might indicate a potential threat.

Such analysis helps in identifying threats that might have been missed when developing the threat model. Our solution also adds context to the alerts generated by potentially risky behavior. This helps in prioritizing threats by providing additional information about the risk level and potential impact of each alert.

The Lepide Data Security Platform also comes with several pre-defined threat models, designed to detect the symptoms of a security threat, and execute custom response actions in real time.

If you’d like to see how the Lepide Data Security Platform can play a vital role in threat modeling, schedule a demo with one of our engineers.