Introduction
Threat modelling is a systematic approach for identifying and evaluating potential threats against a system or application. It enables organizations to build security into the design and architecture of a system from the outset. As computing environments grow more complex, interconnected, and reliant on software, threat modelling has become an indispensable practice in securing systems against increasingly sophisticated attacks.
Threat Modelling Methodologies
Several established methodologies exist for performing threat modelling assessments. While differing in their specifics, these share the overarching goal of methodically evaluating systems for vulnerabilities that malicious actors could exploit.
The STRIDE model provides a simple taxonomy for classifying common threat types – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. For each component in a system architecture, potential vulnerabilities are enumerated under the STRIDE categories to identify areas for security improvements. This methodology is lightweight, easy to understand and provides a good starting point for threat modelling.
The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric methodology comprising 7 stages – defining business objectives, defining technical scope, decomposing the application, identifying threats, documenting and ranking threats, defining countermeasures, and validating results. PASTA provides a flexible framework for correlating threats to business risks and prioritizing security efforts based on impact.
Visual, Agile and Simple Threat modelling (VAST) emphasizes collaborative threat modelling through easy-to-use visual models and diagrams. VAST strives to make threat modelling accessible for agile development teams by promoting active participation across roles, integration with issue tracking systems and continuous threat model updates.
The Trike threat modelling framework adopts a risk-based view of evaluating threats, focusing on defining threat actors, determining exploitable vulnerabilities, and assessing risk levels based on actor skill, motive, and opportunity. Trike provides structured tools for risk assessment, including a threat modelling ontology and risk calculator.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process is a risk-based strategic assessment and planning method that focuses on assessing organizational risks, with little to no focus on technological risks.
DREAD is a threat modelling framework that assesses threats based on 5 categories:
- Damage Potential – How much damage could occur if the threat is realized?
- Reproducibility – How easy is it to reproduce the attack?
- Exploitability – How much expertise is needed to exploit this vulnerability?
- Affected Users – How many users could be impacted?
- Discoverability – How easy is it to discover this vulnerability?
Each category is ranked on a scale from 1 (lowest) to 10 (highest) and then multiplied together to get an overall DREAD score. Higher scores indicate more severe threats.
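Added example (not from the original article): the STRIDE enumeration and DREAD scoring described above, applied to a constructed four-element architecture. The mapping of STRIDE categories to element types, the component names and the ratings are assumptions made for illustration; the score is the product of the five ratings, as the text above states.

```python
from dataclasses import dataclass
from math import prod

# Assumption: the commonly used STRIDE-per-element chart for data-flow-diagram
# element types. The page names the six categories but not this mapping.
S, T, R, I, D, E = ("Spoofing", "Tampering", "Repudiation",
                    "Information Disclosure", "Denial of Service",
                    "Elevation of Privilege")
STRIDE_PER_ELEMENT = {
    "external_entity": [S, R],
    "process": [S, T, R, I, D, E],
    "data_store": [T, R, I, D],
    "data_flow": [T, I, D],
}
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    component: str
    category: str
    ratings: tuple  # five ratings, 1..10, in the order given by DREAD
    def score(self) -> int:
        """Product of the five ratings, as the page describes the score."""
        if len(self.ratings) != len(DREAD) or any(not 1 <= r <= 10 for r in self.ratings):
            raise ValueError("need five DREAD ratings, each between 1 and 10")
        return prod(self.ratings)

def enumerate_threats(components: dict) -> list:
    """Every (component, STRIDE category) pair the model has to consider."""
    return [(name, cat) for name, kind in components.items()
            for cat in STRIDE_PER_ELEMENT[kind]]

def unrated(components: dict, threats: list) -> list:
    """Enumerated pairs nobody has scored yet: the model's coverage gap."""
    done = {(t.component, t.category) for t in threats}
    return [pair for pair in enumerate_threats(components) if pair not in done]

def rank(threats: list) -> list:
    """Highest DREAD score first, to focus remediation."""
    return sorted(threats, key=Threat.score, reverse=True)

# Constructed sample architecture and ratings (hypothetical, for illustration).
COMPONENTS = {"browser user": "external_entity", "web app": "process",
              "orders DB": "data_store", "app->DB": "data_flow"}
THREATS = [Threat("web app", S, (8, 6, 5, 9, 4)),
           Threat("orders DB", I, (9, 7, 6, 10, 5)),
           Threat("app->DB", T, (6, 3, 3, 5, 2))]
for t in rank(THREATS): print(f"{t.score():>6}  {t.component}: {t.category}")
```

The `unrated` list is the part worth tracking over time: it shows which component and category combinations the team has enumerated but not yet assessed.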
The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. It consists of tactic categories such as initial access, execution, persistence, etc. Each category contains specific techniques that could be used in that stage of an attack. The framework allows organizations to model adversary behaviour and develop defences.
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating vulnerability severity and characteristics. CVSS scoring involves base metrics, temporal metrics, and environmental metrics. The base score represents intrinsic qualities of a vulnerability. Temporal and environmental scores represent threat context. Scores range from 0 to 10, with 10 being the most severe. CVSS helps organizations prioritize remediation.
Threat Modelling Best Practices
For organizations seeking to implement threat modelling, incorporating the following best practices will maximize its effectiveness:
- Start threat modelling early – Threat modelling at design time identifies vulnerabilities early when they are cheaper to remediate.
- Involve multiple stakeholders – Cross-functional input from dev, ops, security, and business roles provides diverse expertise.
- Update continuously – Threat models must be living artifacts, updated through development lifecycles.
- Prioritize threats – Rank threats based on severity and exploitability to focus remediation.
- Validate with red teams – Red team exercises validate modelled threats with real-world attacks.
Threat Modelling Tools
Specialized tools can provide automation and consistency in executing threat modelling initiatives. Popular options include:
- Microsoft Threat Modelling Tool – Integrates with Microsoft development stacks and provides automated threat analysis using STRIDE methodology.
- IriusRisk – Multi-faceted tool supporting multiple threat modelling approaches with robust visualization capabilities.
- Threat Dragon – Open-source tool for building threat models following various methodologies. Provides integration with popular dev tools.
Conclusion
Threat modelling introduces proactive security early in development lifecycles by systematically analysing and addressing risks. Frameworks like STRIDE, PASTA and Trike provide methodical approaches for identifying threats and ranking their severity. To implement threat modelling successfully, organizations should involve diverse stakeholders, integrate continuously with dev cycles, and validate modelled threats. By following best practices and leveraging purpose-built tools, organizations can mature their threat modelling programs to improve security and meet compliance mandates.
Further Reading:
OWASP Threat Modelling Guide https://owasp.org/www-community/Threat_Modeling
Microsoft Threat Modelling Tool https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
NIST Cybersecurity Practice Guide on Threat Modeling: https://csrc.nist.gov/publications/detail/sp/800-154/draft
Other Tooling & Resources worth checking out:
https://app.threat-modeling.com/
https://eopgame.azurewebsites.net/
https://threats-demo.thenerdgroup.de/