It’s dangerous out there. Cybersecurity threats are rampant and a system that doesn’t have adequate protection is a system that is welcoming attack. This is as true of a banking app as of a cloud PBX system.
Thankfully, there are numerous weapons available to assist in the fight against system dangers. One of the most potent in the cybersecurity armory is threat modeling. One of the reasons it’s so effective is that it is an approach based on methodical prevention rather than reactive rectification. An ounce of prevention….
What is threat modeling?
Threat modeling is the process by which cybersecurity professionals can identify a system’s vulnerabilities and the possible threats that might target them. Threats are ever-growing, with current major examples including phishing and ransomware.
Further, threat modeling involves an assessment of the seriousness of each threat, and an appraisal of how each threat can be countered.
Several different approaches can be brought to bear on the situation. In this way, it’s hoped that all types of threat and all danger scenarios can be covered. Each of the approaches has commonality. We’ll look at this first.
The important factor to bear in mind with all threat modeling is that it is a structured process. The IT professional doing the threat modeling adopts a systematic approach that has several key components.
Generally speaking, these components are:
- Address the issue of what we’re working on. What activity takes place here? Is it general office work or something more specific, like VoIP calls?
- What threats exist that might target this part of the business? This takes a clear understanding of the system’s stress points, as well as the latest threats that have been developed.
- What remedial steps should be taken? A good level of knowledge about the system and the threat landscape will enable effective approaches to combat possible threats.
- There should be an element of self-appraisal. Did the IT team do a good job of protecting against the threat?
Threats are constantly developing so it’s incumbent on security professionals to stay in learning mode to stay on top of the game. This is why commercial security operations and the data analytics government and authorities conduct are always evolving.
There are three possible broad approaches to take from here. Whichever is chosen, there will be an element of decomposition of the system. This means a deconstruction of the organization in order to see how the component parts fit together.
The approach favored by an IT professional will probably be a combination of two or more of these:
- Asset-centric: This will generate an understanding of the assets of the system. I.e., the parts that an attacker will want to acquire. This could be industry-sensitive information, financial record data, security protocols, and more.
- Attacker-centric: This will generate an understanding of who an attacker might be and where an attacker might gain access. I.e, the entry points. There will also be an appreciation of the trust levels granted to specific external bodies.
- Software-centric: This will generate an understanding of the system so that its architecture and data flow are better understood.
Let’s look now at some specific methods that a cybersecurity professional can use to eradicate threats:
This stands for the Common Vulnerability Scoring System. It works by listing all the main characteristics of a system and assigning a score from one to 10 (10 being the worst) regarding its vulnerability to attack. This is carried out using three sets of metrics:
This is a great technique for businesses wanting to triage the threats facing them, as it gives a clear indication of what should be dealt with first.
This stands for Process for Attack Simulation and Threat Analysis. It’s a seven-step procedure, with the aim being to focus on technical security and match it to business objectives. The steps taken are as follows:
- Objective definition
- Technical scope definition
- System decomposition
- Analysis of threat
- Analysis of vulnerability
- Attack simulation
- Assessment of risk
Advantages of the PASTA approach include its thoroughness and the way it prompts cross-departmental collaboration. The seven steps, after all, necessitate this kind of team approach or only partial information will result. Disadvantages include the fact that it’s lengthy, which means it’s expensive.
This one’s been around since Microsoft came up with it in the 1990s. Its acronym refers to the different threats it deals with:
- Spoofing: An attacker gains access by assuming another identity.
- Tampering: Data and data privacy are altered with a malicious objective.
- Repudiation: The ability that an attacker has to deny their culpability.
- Information disclosure: The extent to which data can be revealed to unauthorized bodies.
- Denial of service: The attacker manages to exhaust services so that they are unavailable to legitimate users.
- Elevation of privilege: The attacker succeeds in securing higher privilege for themselves.
A cybersecurity professional using STRIDE will try to create scenarios that test a system as if it were under attack in each of these ways. The result is an extremely thorough picture of system vulnerabilities. The downside is that it is time-consuming and can be a little OTT. It’s great to be thorough. But sometimes it’s unnecessary to cover all bases.
4. Attack tree
This is a diagram that lays out an attack concept. In other words, possible routes of incursion into the system are diagrammatically represented. This is an attacker-centric approach, wherein the attacker is defined in terms of skillset and goals. It works like this:
- There is a root node to begin with. This represents the attacker’s goal.
- Leaf nodes are added. These represent possible ways of reaching that goal.
- Each node is assessed for vulnerability levels and impact potential.
- Based on the node assessments, defenses are installed where needed.
A nice advantage of attack trees is that you can use a series of common attack sequences on them, as well as try out whole new threat vectors. It’s also an easy-to-use technique with good visual comprehensibility.
Disadvantages include the fact that an unskilled user can overlook vulnerabilities. This is because there are no concrete attack tree rules on threat assessment. This area takes a skilled cybersecurity professional to properly assess possible problems.
This approach stands for Visual, Agile, and Simple Threat modeling. It’s best for large organizations that require threat modeling to be in place across varied teams and subsystems. It consists of two models:
- Application threat. This uses an architectural perspective, at design level, to appraise an application to see what threats exist in the user-application interactions, as well as the interactions with outside systems.
- Operational threat: This is a DevOps approach that looks at system infrastructure.
The two models can be inserted into most systems, which means VAST is hugely versatile. Other advantages include the fact that it’s scalable and automation-friendly. It also doesn’t require specialized security expertise. Disadvantages include its freshness. It’s still fairly new so there’s not the volume of documentation common with other approaches.
Trike is an approach that has more in common with standard risk assessment techniques. Acceptable risk levels (defined with input from the stakeholder) are factored in so that the threat modeling becomes less about complete eradication and more about manageability.
Sometimes an organization has to have a certain level of security built in to satisfy audit requirements, but in terms of actual ever-present danger, the risk they carry is quite a small one. In these situations, Trike is ideal.
The main advantage of Trike is that it is very responsive to the nature of the organization. If stakeholders know that a specific area of the business is really not a security issue, Trike can be tailored to only deal with the areas which are a concern. It’s also open source.
Threat modeling best practices
We’ll finish up by listing some best practices that apply no matter which threat modeling approach you adopt.
- Always focus fully on threat modeling. It takes application, which means you have to concentrate resources on it. Make sure that you’re attending to the full data lifecycle.
- Do it at the initiation of a project. This will save you a lot of time and headaches later on when you realize you have vulnerabilities that need sorting out immediately.
- Think connectedly. Remember that some of the most vulnerable points are where systems conjoin. Consequently, don’t think of systems as discrete collections of components. They form part of a whole. So, when you are conceptualizing a system, think of the digital equivalent of a call history to think about where it makes its connections.
- Don’t be distracted by headlines. Your biggest threats are going to be along the lines of users being careless and employing passwords like Password, etc. This should be the main focus of your attention. Don’t disregard completely the threats posed by international top-level hackers, but do remember that such dangers are more likely to secure media attention than the much more real threat posed by employees not logging out.
- If the threat modeling operation concludes and you wish to make sure you have legal separation from anything then ensuing, make sure you’ve got this in writing. Try this PandaDoc release of liability template.
So, there are a number of good threat modeling techniques out there, and no matter which you choose, there are some priorities you should always observe.
A final recommendation is this: Good threat modeling needs input from everyone who has contact with the system. It should never be a project just for IT to get on with in isolation. No man or woman (or system, come to that) is an island.
Tanhaz Kamaly – Partnership Executive, UK, Dialpad UK
Tanhaz Kamaly is a Partnership Executive at Dialpad, a modern cloud-hosted business communications platform that turns conversations into the best opportunities, both for businesses and clients through features like call queuing in Dialpad. He is well-versed and passionate about helping companies work in constantly evolving contexts, anywhere, anytime. Tanhaz has also written for other domains such as Not Going To Uni and Track-POD. Check out his LinkedIn profile.