Threat Modelling: The concept
PS. These are notes from the Threat Modelling: A Practical Guide for Development Teams Book and other articles linked below. Follow the series on; https://vkfrost.com/tag/threat-modelling/
Threat modelling is a concept that many organisations engage in to some extent but may not have fully defined. Before a new product is released, various stakeholders discuss potential security risks that may arise. A team of pre-testers then tests the application to identify possible attack vectors and document necessary remediations. This process is central to threat modeling, which, by definition, includes techniques used to model and analyze technology systems and services to better understand how they could be attacked or fail, and to identify controls to manage these risks (as per NIST's definition).
Threat modelling is intended to align with essential security principles: Confidentiality, Integrity, Availability, Privacy, and Safety. These principles underpin all security controls applied to a system.
The need for threat modelling has grown in the industry due to obstacles that have complicated the implementation of effective security controls. Some of these challenges include:
- Over-reliance on security tools for scans: Many tools generate false positives that do not reflect the application’s true logic.
- Computer-based training: Often focused on phishing and WFH security, but typically marked as "read before proceeding" rather than actively engaging.
- Consulting services: These services may recommend complex fixes without fully understanding organisational processes, which can create vulnerabilities.
- Security as a compliance checkbox: Security is increasingly treated as an audit requirement rather than an engineering discipline, leading to minimal implementations focused more on compliance than on building robust defenses.
System Modeling
For effective threat identification and modeling, system modeling is essential. System models offer a visual representation of the system, allowing us to apply theoretical stress to evaluate potential impacts before actual implementation. They also provide a holistic view, enabling us to focus on specific vulnerabilities as needed.
Types of System Models:
- Data Flow Diagrams: Show how data moves within the system, comprising elements like Data Stores, Trust Boundaries, Interface Elements, and Blocks.
- Sequence Diagrams: Illustrate a time- or event-based sequence of actions, including Entities, Actors, Messages, Conditional Logic, and Time.
- Process Flow Diagrams: Display the sequence and direction of operations within a system, offering a high-level view similar to Sequence Diagrams.
- Attack Trees: Useful for understanding system vulnerabilities by modeling potential attack strategies. Components include defining an attack goal and outlining actions required to achieve that goal. (Note: The MITRE ATT&CK framework is a related tool, and there is a specific version for Kubernetes.)
- Fishbone Diagrams: Help identify the chain of events that lead to a weakness being exploited, with each element tied to a specific security objective.
Building System Models
Creating an effective system model involves several steps to ensure that it’s not only comprehensible to the current team but also valuable for future teams to understand the underlying thought processes and decisions. Key steps include:
- Step 1: Identify the Building Blocks
Define the main components, such as applications, servers, and data stores, which form the core of the system. - Step 2: Establish Connections Between Building Blocks
Identify and map the connections between each major building block to visualize data flow and interdependencies.
General Flow: Threat Modelling
For effective threat modelling during system design, follow these foundational steps to promote clear and productive discussions:
- Identify Objects in the System
Outline all internal and external entities, actors, attributes, and metadata involved. Include the security capabilities and controls each object provides. - Identify Flows Between Objects
Map data flows, including communication pathways, data transfers, classifications, and sensitivity levels. - Identify Assets of Interest
Document assets held by objects or transmitted via flows, including data and application-related functions. - Identify System Weaknesses
Recognize parts of the system or assets that could be exploited, and document vulnerabilities linked to each asset. Examples of weaknesses include:- Use of non-secure protocols
- Processes or data stores lacking authentication
- Absence of authorization mechanisms
- Missing logging in processes
- Sensitive data stored in plain text
- Sensitive assets lacking integrity controls
- Communication paths crossing trust boundaries
- Identify Threats
Evaluate the likelihood of each vulnerability being exploited. - Determine Exploitability
Analyse how an attacker could exploit each identified weakness.
Resources