Threat Modeling: Benefits, Frameworks, and Methodologies

Security functions aim to create tooling and processes that allow development teams to build and deploy applications at scale, without incurring undue security risk. The product development process begins with the identification of a customer problem. Once the feature requirements to the solution have been identified by product teams, software engineers and architects begin to propose solutions that meet the product team’s functional and non-functional requirements. During this phase, engineers identify application components that require addition, modification, or removal alongside any infrastructure required to deploy the product. It is during the design stage that engineers evaluate new ingress and egress routes, data stores, authentication and authorization flows, and user identities. All of these elements can significantly impact your product’s security posture and must therefore attain careful consideration from a security perspective. This is where threat modeling comes in.

Threat modeling is the process of taking software architecture and identifying business-relevant threats, security controls, and risks. Security teams use it to identify systemic risks and recommend preventive and detective measures, thereby ensuring that any changes to your organization's attack surface are aligned with your business's risk appetite. Threat modeling is generally done early in the software development lifecycle (SDLC), making it one of the most cost-effective controls for the identification and mitigation of security risk.

This article will discuss the process alongside threat modeling frameworks and methodologies you can use to conduct these exercises within your organization.

Threat modeling is an iterative process that focuses on the identification of threats and risks during the software development design stage. It enables security professionals, developers, and product managers to take repeatable, consistent and actionable steps that focus on what can go wrong when threat actors successfully identify and exploit gaps in your product or service.

Before we dive in, we need to cover off some terminology that will enable us to reliably discuss the concepts we will encounter across the various threat modeling frameworks and methodologies.

In the context of cybersecurity, a "threat" signifies any potential action that may result in harm to systems or data. This can range from an unauthorized individual executing commands via an unprotected API to the consequences of a successful phishing attack. In the security space, we refer to entities or individuals that pose a threat as “threat actors”. This term is widely adopted across various security disciplines and encompasses the multifaceted nature of security risks.

A vulnerability is a security gap or weakness on a target, such as a host, application, or network that threat actors can exploit to gain unauthorized access to system functionality or data. They can arise from defects, misconfiguration, or user error, and attackers will seek to exploit any of them, frequently combining several, to accomplish their objectives. Vulnerabilities have quantitative properties, such as the number of days since their discovery, time taken to remediation

Naturally, this raises the question of what a risk is. Risk in cybersecurity is defined as the intersection of two critical components: the probability that a threat will exploit a vulnerability, and the magnitude of the impact that such an exploitation could have. This concept underscores the importance of assessing both the potential for threats to occur and the severity of the damage they could inflict. Risk can be measured using the following formula:

A threat model’s end result is a risk. These risks come in two forms, inherent and residual. Inherent risks reflect the risk posed by a threat if we were to remove all controls that we currently or potentially could implement. They allow us to understand the true raw likelihood and impact outcomes. Residual risks describe what remains, after considering the impact of security controls. We will cover the different types of controls in the next section, but for now, we can think of security controls as an action we can take, a process we can implement, or a tool we can develop to reduce risk. By leveraging inherent risks first, we can identify inherently risky flows, patterns, and processes, making it easy to prioritize control implementation efforts.

To determine a residual risk, security engineers, architects, and analysts have two controls they can take advantage of to mitigate an inherent security risk. Preventive controls are applied to reduce the likelihood of vulnerability creation, identification and/or exploitation. They’re generally the first option for risk mitigation as they’re a reliable method of risk reduction that maintains control in the hands of the implementation team. Detective controls are used to reduce the impact of a risk, by introducing mechanisms for the discovery of an attack, which allows Security Operation Centers (SOC) to respond accordingly. Incident response looks to detect, contain, and eradicate the threat and recover the system. Detecting a breach may occur at various points and its efficacy depends on the SOC’s ability to foresee potential threats.

Security strategy involves understanding risk management, control implementation, and the threat landscape. BlackheathPoint provides expertise in offensive security, engineering, and leadership to develop security solutions that enable your engineering teams to release secure products at scale, with confidence in reliable and resilient security controls.

A threat modeling framework provides structure to the process and can improve your organization’s ability to identify threats and risks, and implement controls. It acts as a guide to support teams in improving overall coverage, threat scenario diversity, and control applicability.

STRIDE is a mnemonic for six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, and is one of the industry’s most popular threat modeling frameworks. One reason for its popularity is that cyber-attacks often align with at least one of the six threat categories, making it applicable across sectors and industries. Additionally, identifying threats using threat categories can drastically improve threat coverage and can serve as jumping off points for engineers and security professionals that are new to threat modeling. It’s worth noting that the process can be very resource-intensive and can make adoption difficult within large and complex organizations.

The DREAD model offers a quantitative approach to evaluating the severity of cyber threats through a rating system that assigns numerical scores five risk dimensions. This model encompasses the following categories:

• Damage: Assesses the maximum harm a threat could inflict

• Reproducibility: Measures the ease with which an attack can be duplicated

• Exploitability: Evaluate the system's weaknesses to determine its exposure to cyber attacks

• Affected Users: Estimates the number of users at risk from a cyber attack

• Discoverability: Gauges the ease of identifying vulnerabilities within the system's infrastructure

Utilizing the DREAD model, analysts can score, evaluate, and prioritize threats by giving each issue a score ranging from 0 to 10 in the aforementioned categories. The overall threat severity is derived from the average scores of these categories, providing a comprehensive measure of risk.

Attack trees offer a structured and systematic approach for assessment of a system security against various attack scenarios. This methodology visualizes attacks using a tree diagram, where the primary attack objective is the root and the available methods to achieve this objective are the branches and leaves. To construct an attack tree, begin by identifying some attack objectives. Each objective initiates a new tree, which may intersect with others through shared branches and nodes. Continue mapping out attacks aimed at the objective(s) and incorporating them into the respective trees, until you have attained sufficient coverage.

After finalizing the attack tree and evaluating all node values, it can serve as a tool for informed security decision-making. Examining the root node's values allows you to assess the system's susceptibility to various attacks, such as injection, authentication and information disclosure vulnerabilities.

While attack trees are robust tools in their own right, they can also enhance other threat modeling methodologies, like STRIDE, by exposing potential threat and attack scenarios. Attack trees are adaptable across industries and benefit from integrating established attack and vulnerability databases, including the OWASP Top 10 the Common Weakness Enumeration (CWE).

The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology introduced in 2015. This approach has gained widespread adoption across organizations globally, including GitLab, due to its unique risk-centric focus, collaborative nature, evidence-based threat intelligence, and emphasis on the probability of each potential attack.

PASTA facilitates collaboration between developers and business stakeholders, enabling a comprehensive understanding of an application's inherent risks, the likelihood of attacks, and the potential business impact of a successful compromise. Unlike traditional threat modeling frameworks that often concentrate on specific components, such as coding or the actual attack, PASTA takes a holistic approach.

At BlackheathPoint, we leverage the methodology and framework best suited to your product, business, and company culture. There are many factors that affect how you might approach threat modeling a product, such as the size of the team, the compliance and regulatory factors at play, the complexity of the application, and the timeframes you’re working with. We bring a breadth of experience across a variety of industries, teams and products, and aim to provide a bespoke offering that helps you mitigate cybersecurity risk at scale.

A foundational principle of security architecture is defense in depth. Threat modeling is a preventive control that falls within the requirements gathering and design stage of product development. However, it provides two opportunities that other controls lack:

• Helps develop a security culture within your organization

• Creates an opportunity for risk avoidance, the cheapest and most effective risk response

Due to its position in the SDLC, there are no applications or infrastructure to modify based on the threat model’s results. In comparison, penetration testing is often done at the end of the product lifecycle and findings can result in significant costs to the business as part of process, product, and release changes. Threat modeling is scalable and cost-effective as it can be taught to engineers by security teams, it isn’t required on every change and the depth and duration of each exercise can be adjusted based on the complexity and size of the change or feature being proposed.

Threat modeling exercises with engineering teams introduce the concepts of offensive security and the attacker mindset. They demonstrate that by evaluating the threat landscape and leveraging a threat modeling framework, engineers can use an iterative process that reduces the likelihood of vulnerability introduction. Additionally, it creates the opportunity for security teams to demonstrate security principles and best practices that help engineers build more reliable and resilient products.

Threat modeling initiates the conversation around risk vs reward at a stage where decisions are yet to be made. This enables security teams to highlight the risks they foresee with the system and propose changes that avoid them. Retroactively fitting in security controls is often expensive and reverting design decisions can be complex as they often involve deployment platforms, third party vendors, programming languages, and user journeys, all of which can be fundamental to a product’s functionality. Furthermore, risk mitigation strategies tend to incur a continuous maintenance cost.

Threat modeling is an invaluable tool to assess the security of your product by leveraging information about the applicable threat landscape. It enables engineers to make decisions that avoid risks where possible, and take mitigation control cost and implementation efforts into account. Additionally, it creates an opportunity to up-skill developers through discussions on common attack patterns, control bypasses, and security best practices. It’s a cost-effective process that can help avoid incurring unnecessary risk when developing your product.