What Is Threat Modeling, and What Are Its Most Important Advantages?
Threat modeling is the process of defining an organization’s cybersecurity needs, threats, and vulnerabilities, and then suggesting ways to meet these needs and address these vulnerabilities.
In his classic work of military strategy, The Art of War, Sun Tzu wrote that “if you know the enemy and know yourself, you need not fear the result of a hundred battles.” The more information you can gather about your enemies and how they operate, the better prepared you will be to fend off their attacks.
Nowhere is this adage truer than in the field of cybersecurity. There are many countermeasures available for organizations, both proactive and reactive, to protect themselves against and recover from cyberattacks.
In particular, the threat modeling process seeks to identify and better understand the possible threats an IT ecosystem faces. Below, we’ll go over what threat modeling is, the various ways to perform threat modeling, and the benefits of threat modeling for industries and businesses of all sizes.
What Is Threat Modeling?
As the name suggests, threat modeling involves creating a model of the various attackers and vulnerabilities that potentially threaten an organization’s cybersecurity posture. Threat models typically include components such as:
- A description of the various assets and resources in your IT environment (endpoints, software, networks, servers, databases, etc.)
- A list of the potential threats to the system and their severities
- A list of the potential actions and recommendations for addressing each threat
- Suggestions for validating the model’s correctness and verifying that the fixes and patches are successful
- Any underlying assumptions and conditions that the threat model requires
Threat models can take many forms and include various documents and visualizations, depending on the most effective way to communicate information. For example:
What Are the Types of Threat Modeling?
STRIDE
First developed at Microsoft in the 1990s, the STRIDE threat model is still in use today. The STRIDE acronym represents six of the most frequent cybersecurity threats:
- Spoofing: Gaining access to restricted networks or data by impersonating an authorized individual or resource
- Tampering: Maliciously altering data (e.g., encrypting files with ransomware or changing a configuration file to obtain administrator access)
- Repudiation: Denying responsibility for an attack without proof to the contrary
- Information disclosure: Leaks and data breaches of sensitive or confidential files
- Denial of service: Shutting down a resource (e.g., a website or service) by flooding it with superfluous requests
- Elevation of privilege: Gaining access to files or data beyond what a user’s level of privilege within the system authorizes
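An added example (not from the original article): one way to turn the STRIDE categories into the list of threats and severities that a threat model contains, by checking each element of a small data-flow model against the categories that apply to its type. The element-type mapping follows the common STRIDE-per-element convention; the sample model, the `Element` fields and the scoring rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Which STRIDE letters apply to which element type (STRIDE-per-element
# convention; assumption, not stated in the article). "R" on a data store
# is relevant when the store holds audit logs.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                           # a key of APPLICABLE
    sensitivity: int                    # 1 (low) .. 3 (high), set by the modeler
    exposed: bool                       # reachable across a trust boundary
    mitigated: frozenset = frozenset()  # STRIDE letters already covered by a control

def enumerate_threats(elements):
    """Return open threats as (score, element, category), highest score first."""
    register = []
    for el in elements:
        for letter in APPLICABLE[el.kind]:
            if letter in el.mitigated:
                continue  # a control already addresses this category
            # Hypothetical scoring rule: exposure doubles the sensitivity.
            score = el.sensitivity * (2 if el.exposed else 1)
            register.append((score, el.name, NAMES[letter]))
    return sorted(register, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample model of a small web application.
MODEL = [
    Element("browser user", "external_entity", 1, True),
    Element("web app", "process", 2, True, frozenset("SD")),
    Element("app -> db query", "data_flow", 2, False, frozenset("TI")),
    Element("customer db", "data_store", 3, False, frozenset("T")),
]

if __name__ == "__main__":
    for score, name, category in enumerate_threats(MODEL):
        print(f"{score:>2}  {name:<16} {category}")
```

The output is a prioritized register of unmitigated threats; each row still needs a recommended action and a way to verify the fix, as the component list earlier in the article describes.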
PASTA
PASTA (Process of Attack Simulation and Threat Analysis) is a threat modeling framework created in 2015 by the consulting firm VerSprite. The PASTA framework outlines the 7 stages of developing a robust cybersecurity threat model:
1. Defining the objectives: This includes both internal objectives and any external governance or compliance issues.
2. Defining the technical scope: An organization’s attack surface may consist of endpoint systems, networks, servers, mobile devices, applications, databases, containers, websites, and more.
3. Decomposing applications: Data flow diagrams help users visualize how applications work with data to prepare for deeper analysis.
4. Analyzing threats: Using multiple sources of threat intelligence and the assets defined in step 2, organizations need to identify the most pressing threats to these assets.
5. Analyzing vulnerabilities: Applications should be examined for security issues, design flaws, and other weaknesses.
6. Analyzing attacks: Attack trees model how a malicious actor could viably infiltrate the IT ecosystem using the vulnerabilities identified in step 5.
7. Analyzing risks and impact: Finally, organizations must come up with countermeasures to eliminate or mitigate the above issues and challenges.
TRIKE is an open-source threat modeling methodology for security audits and risk management. The TRIKE website provides a spreadsheet that allows users to define the relationships between the various actors, actions, and assets within an IT environment. Based on these definitions, users can implement the appropriate security controls or preventive measures to ward off any threats.
What Are the Advantages of Threat Modeling?
- Improving collaboration: First and foremost, threat modeling helps get all departments in the organization on the same page. By defining your IT resources and the issues that confront them, threat modeling ensures that everyone—from your IT team to executives and key stakeholders—works based on the same constructs and assumptions.
- Reducing the attack surface: Threat modeling can identify backdoors and other vulnerabilities in your IT ecosystem so that they can be fixed quickly and efficiently. In addition, threat modeling helps reduce IT complexity by identifying unnecessary endpoints, software, or resources that can be eliminated.
- Prioritizing cybersecurity needs: Threat modeling helps organizations understand which threats require the most attention and resources in terms of effort or budget. For example, given multiple vulnerabilities present in an IT environment, which should be resolved first?
- Strengthening compliance: Threat modeling helps companies comply with data privacy and security laws and regulations that require organizations to understand how they may be putting sensitive data at risk. For example, the European Union’s GDPR (General Data Protection Regulation) compels organizations to perform a Data Protection Impact Assessment (DPIA) when they begin new projects that process personal data.
From removing potential attack vectors to boosting regulatory compliance, threat modeling has many different benefits. Every organization seeking to improve its cybersecurity posture should engage in threat modeling regularly.
Businesses of all sizes and industries need to formulate cybersecurity threat models, which makes a career in threat modeling a highly desirable and appealing option. The EC-Council Certified Incident Handler (E|CIH) program prepares cybersecurity professionals to address and respond to cybersecurity incidents.
About the Author
David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.