Threat Modeling is the practice of systematically identifying potential threats and their mitigations to protect something of value, and then presenting this information in an easily understandable way. It's a methodology for structuring all information that could affect the security of an application, system, or service, and then using that structure to identify security issues. I like to break down this process into the following main steps:
- Decompose the Application: Identify assets and create various diagrams like DFDs and PFDs.
- Identify Threats (Modeling): Identify and analyze threats.
- Mitigate: Devise and apply mitigation strategies.
- Validate: Confirm and verify the implemented measures.
Decompose the Application
This stage is all about clearly understanding what we need to protect. OWASP documentation recommends defining the following items:
| Attribute | Description |
|---|---|
| Threat Model Information | Define the threat modeling framework to be used (e.g., STRIDE). |
| External Dependencies | Define external dependencies that are outside of our direct control (e.g., external APIs, libraries). |
| Entry Points | Define all entry points where users interact with the system (e.g., web pages, API endpoints). (+Trust Levels) |
| Exit Points | Define exit points where data leaves the system (e.g., response data, log transmissions). |
| Assets | Define the valuable assets that need protection (e.g., personal information, admin sessions, configuration files). (+Trust Levels) |
| Trust Levels | Define the trust levels or trust boundaries for each component or data. |
| Data Flow Diagrams | Create Data Flow Diagrams (DFDs) to visualize the flow of data. |
DFD (Data Flow Diagrams)
As the name suggests, a DFD is a diagram that illustrates the flow of data. While there can be slight differences depending on the modeling method, it generally focuses on representing the overall data flow within an application, system, or service.
PFD (Process Flow Diagrams)
A PFD is a diagram that represents the operational processes of an application. Unlike a DFD, it focuses on the service's operational flow, making it particularly useful for identifying scenarios that exploit business logic.
Other Diagrams
In addition to DFDs and PFDs, you can use various other diagrams that provide a comprehensive view of the system's overall architecture, trust boundaries, and network zones. This can be a great help in understanding the system's complex interactions and security context.
Identify Threats
Once you've analyzed and understood the system, it's time to identify potential threats. Various modeling frameworks are used to systematically identify and classify threats. Each model offers a unique perspective, so it's effective to choose a model that fits the characteristics of the system being analyzed, or to use a combination of models.
STRIDE Model
STRIDE is a threat modeling framework developed by Microsoft, named as an acronym for six types of threats. It works by applying the STRIDE categories to each element (e.g., process, data flow) of a diagram like a DFD or PFD to identify threats and potential mitigations.
| Threat | Description | Desired Property | |
|---|---|---|---|
| S | Spoofing | An attacker impersonates another user or component. | Authenticity |
| T | Tampering | An attacker modifies data exchanged between the system and users without authorization. | Integrity |
| R | Repudiation | An attacker denies having performed a malicious action. | Non-repudiation |
| I | Information Disclosure | An attacker accesses sensitive data that the system transmits or stores without authorization. | Confidentiality |
| D | Denial of Service | An attacker degrades or disables the system's availability. | Availability |
| E | Elevation of Privilege | An attacker gains higher privileges from a lower-privileged position to access unauthorized information. | Authorization |
STRIDE-per-interaction
This approach analyzes threats based on interactions. It is often preferred because it's more efficient in terms of time and resources than analyzing every single element.
STRIDE-per-element
This approach analyzes threats for each individual element (e.g., process, data store). It allows for a more detailed analysis but requires more effort.
DREAD Model
The DREAD model is used for quantitatively assessing the risk of each threat. While it's now often integrated into STRIDE or replaced by other risk assessment models, it still provides a useful perspective for prioritizing risks.
| Risk Category | Description | |
|---|---|---|
| D | Damage | How much damage would an attack cause? |
| R | Reproducibility | How easily can the attack be reproduced? |
| E | Exploitability | How much effort is required to launch the attack? |
| A | Affected users | How many users would be affected? |
| D | Discoverability | How easily can the vulnerability be discovered? |
P.A.S.T.A. (Process for Attack Simulation and Threat Analysis)
PASTA is a 7-step, risk-centric methodology that analyzes threats from an attacker's perspective in alignment with business objectives.
| Step | Description | |
|---|---|---|
| 1 | Define the Objectives | Define business and security objectives. |
| 2 | Define the Technical Scope | Define the technical scope of the analysis. |
| 3 | Decompose the Application | Analyze and break down the service. |
| 4 | Analyze the Threats | Analyze threat intelligence. |
| 5 | Vulnerability Analysis | Analyze existing vulnerabilities. |
| 6 | Attack Analysis | Model attack scenarios using identified threats and vulnerabilities. |
| 7 | Risk and Impact Analysis | Analyze risk and business impact, and develop mitigation strategies. |
VAST (Visual, Agile, and Simple Threat)
VAST is a methodology focused on integration with Agile and DevOps processes. It aims to identify and respond to threats early in the development lifecycle, based on the application's process flows (PFD) and infrastructure configuration (DFD).
Mitigate
Threats and security vulnerabilities discovered through threat modeling must, of course, be mitigated or addressed. Discovered threats can be managed according to the following strategies:
- Fix / Remediate: Resolve the threat directly by modifying code, strengthening security settings, or introducing new security technologies.
- Remove: Eliminate the threat at its source by removing the feature or component causing it, if it is not essential.
- Transfer: Transfer the risk associated with the threat to another party through insurance or third-party services (e.g., WAF, CDN).
- Accept: If the business impact of the threat is low and the cost of mitigation is high, a decision may be made to accept the risk. In this case, the decision must be documented.
It's crucial to find the most appropriate action or mitigation strategy based on the system configuration and business requirements to reduce the threat level to a manageable range.
Validate
This is the final step to verify that the mitigations have been correctly applied and that the original threats have actually been alleviated. The following methods can be used:
- Security Testing: Verify the effectiveness of mitigations from an attacker's perspective through methods like Penetration Testing and Fuzzing.
- Secure Code Review: Review the modified code to ensure it doesn't introduce new vulnerabilities and complies with security standards.
- Configuration Review: Check that the settings of the changed infrastructure or application are configured securely.
- Regression Testing: Ensure that the security measures have not negatively impacted existing functionality.
Tools
- CAPEC - Common Attack Pattern Enumeration and Classification
- diagrams.net (draw.io)
- PlantUML
- OWASP Threat Dragon
- stride-gpt
Draw.io
If your goal is to draw diagrams, draw.io is an excellent choice. It's useful not just for threat modeling but also for creating flow charts, so it's a great tool to get familiar with.
OWASP Threat Dragon
This is an open-source threat modeling tool developed by OWASP. It supports the entire threat modeling process by providing features to draw diagrams like DFDs and to identify and manage threats based on STRIDE.
Resources
- SANS Institute
- NIST SP 800-154, NIST SP 800-53
- OWASP Threat Dragon Project
- CISA Cyber Security Evaluation Tool (CSET)
- Guide to Cyber Threat Modelling (CSA Singapore)
- ThreatHunter-Playbook
- awesome-threat-modelling