Security Modeling and Threat Modeling Resources

Threat modeling is a process for thinking through, identifying, and documenting known threats and mitigations to a system before that system is deployed. Threat modeling acknowledges that all systems face various threats before, during, and after deployment, and it helps security experts identify and mitigate those threats before they occur.

This post is used to collect some Internet resources regarding security modeling and threat modeling.

Security Modeling

A security model precisely describes important aspects of security and their relationship to system behavior. The primary purpose of a security model is to provide the necessary level of understanding for a successful implementation of key security requirements. The security policy plays a primary role in determining the content of the security model. Therefore, the successful development of a good security model requires a clear, well-rounded security policy. In the case of a formal model, the development of the model also must rely on appropriate mathematical techniques of description and analysis for its form.

A security model specifically defines essential aspects of security and their relationship with the operating system performance. No organization can secure their sensitive information or data without having effective and efficient security models. We can say that the primary aim of a security model is to provide the required level of understanding for a successful and effectual implementation of key protection requirements. Information security models are the procedures used to validate security policies as they are projected to deliver a precise set of directions that a computer can follow to implement the vital security processes, procedures and, concepts contained in a security program. These models can be intuitive or abstractive. Security models run the directions of the road for security in operating systems.

There are some security models that are most currently using for to explain the guidelines and rules that direct confidentiality, protection, and integrity of the information. The key reason and focus on the security model implementation are confidentiality over and done with access controls and Information integrity. With the help of these security models that are the main components that should be given attention to when developing information security policies and systems. These models talk about the access rules required to instantiate the defined policy and highlight the objects that are directed by the company’s policy.

Here some of the important models we are discussing below to understand the functions and importance of Information Security models in the current business world. Five popular and valuable models are as follows;

• Bell-LaPadula Model
• Biba Model
• Clark Wilson Model
• Brewer and Nash Model
• Harrison Ruzzo Ullman Model

These models are used for maintaining goals of security, i.e. Confidentiality, Integrity, and Availability. In simple words, it deals with CIA Triad maintenance.

Security Modeling Process

Step 1: Identify Requirements on the External Interface
Step 2: Identify Internal Requirements
Step 3: Design Rules of Operation for Policy Enforcement
Step 4: Determine What is Already Known
Step 5: Demonstrate Consistency and Correctness
Step 6: Demonstrate Relevance

Threat Modeling Methodologies

Conceptually a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Based on volume of published online content, the four methodologies discussed below are the most well known.

From Wikiedia:

STRIDE Methodology

The STRIDE approach to threat modeling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find 'threats to our products' . STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE.

P.A.S.T.A.

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.^[10] It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process. Once the threat model is completed security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Trike

The focus of the Trike methodology^[11] is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a “requirements model.” The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.

VAST

VAST is an acronym for Visual, Agile, and Simple Threat modeling.^[12] The underlying principle of this methodology is the necessity of scaling the threat modeling process across the infrastructure and entire SDLC, and integrating it seamlessly into an Agile software development methodology. The methodology seeks to provide actionable outputs for the unique needs of various stakeholders: application architects and developers, cybersecurity personnel, and senior executives. The methodology provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.

More threat modeling methods can be found from: Threat Modeling: 12 Available Methods

Linddun

CVSS

Attack Trees

Persona non Grata

Security Cards

hTMM

Quantitative Threat Modeling Method: This hybrid method consists of attack trees, STRIDE, and CVSS methods applied in synergy.

Summarize for 10 threat modeling methedologies: 

no	Model	Focus/perspective and implementation postability points
1	STRIDE	is specifically designed to focus on IT related threat
2	PASTA	is a widely used & adaptable applicable model, with threat simulation, focusing on Risks Centric methodology. Reference: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
3	LINDDUN	is focused more on Data and Privacy related model
4	OCTAVE	is focused on Risk Management and organization related impact
5	VAST	scales threat modeling process across infrastructure & is focused on attacker
6	TRIKE	is a unified conceptual framework for security auditing from a risk management perspective, required a steady repeatable assessment model, is focused on Risks Measurement on calculating its stakeholders components (assets, roles, actions, risk exposure) Reference: 8) Trike v.1 Methodology Document [Draft]
7	hTMM	A hybrid type threat model which is focused on Attacker/Defender models, melds features of: Security Cards, Persona non Grata, and STRIDE
8	qTMM	A quantitative type threat model which is focused on Attacker/Defender models, melds features of Attack Trees, STRIDE, and CVSS
9	(Attack) Trees	is focused on Attacker’s scheme, works in any steady implemented production/business/process scheme, that is developed further to become the killchain nowadays
10	PnG	(Persona non Grata) has focused on attacks that represent archetypal personnels who behave in unwanted behaviors. Works perfectly to measure insider threat assessments

Threat Modeling Process Steps

Typically, organizations conduct threat modeling during the design stage (but it can occur at other stages) of a new application to help developers find vulnerabilities and become aware of the security implications of their design, code, and configuration decisions. Generally, developers perform threat modeling in major four steps:

• Diagram. What are we building/Working on?
• Identify threats. What could go wrong?
• Mitigate. What are we doing to defend against threats?
• Validate. Have we acted on each of the previous steps?

The following four question framework can help to organize threat modeling:

• What are we working on?  -Assess Scope
• What can go wrong? - This can be as simple as a brainstorm, or as structured as using STRIDE, Kill Chains, or Attack Trees.
• What are we going to do about it? - Decide what you’re going to do about each threat. That might be to implement a mitigation, or to apply the accept/transfer/eliminate approaches of risk management.
• Did we do a good job? - Did you do a good enough job for the system at hand?

A threat modeling session typically consists of the following steps:

• Pick a use case of your application
• Draw a Data Flow Diagram of this use case, which shows how data flows through your system and which applications or databases are involved.
• For each asset passing through your data flow, go through a checklist and discuss potential security risks. Rate each risk (e.g. by likelihood and impact)
• Discuss and decide what you will do about each risk

Threat Modeling Approaches

The process of threat modeling is simple, but it needs to be approached with discipline and care. Since the attack surface of any given system changes as technology changes, and since new threats are constantly emerging, we must understand and acknowledge what we know vs. what we don’t or can’t know about any modern system.

In general, there are three basic approaches to threat modeling: software centric, attacker centric, and asset centric.

Software-Centric Approach

A risk mitigation focusing on software:

• Evaluates the application being modeled
• Determines the risk
• Identifies controls to mitigate
• Requires a good understand of the application and the system it is running on

Attacker-Centric Approach

An approach that highlights the attacker:

• Puts the user into the mindset of an attacker
• Determines what is most at risk
• Needs to understand the concept of hacking
• Must have the skill set of a hacker

Asset-Centric Approach

Focusing on assets, this approach:

• Identifies assets to be protected
• Classifies assets based on data sensitivity and value potential
• Determines an “acceptable risk” level
• Takes a cyber risk–management perspective in satisfying the security auditing process

Note: https://www.windriver.com/solutions/learning/threat-modeling

Threat Modeling Tools

There are currently five tools available for organizational threat modeling:

• Microsoft’s free threat modeling tool – the Threat Modeling Tool (formerly SDL Threat Modeling Tool). This tool also utilizes the Microsoft threat modeling methodology, is DFD-based, and identifies threats based on the STRIDE threat classification scheme. It is intended primarily for general use.
• MyAppSecurity offers the first commercially available threat modeling tool - ThreatModeler It utilizes the VAST methodology, is PFD-based, and identifies threats based on a customizable comprehensive threat library.It is intended for collaborative use across all organizational stakeholders.
• IriusRisk offers both a community and a commercial version of the tool. This tool focus on the creation and maintenance of a live Threat Model through the entire SDLC. It drives the process by using fully customizable questionnaires and Risk Pattern Libraries, and connects with other several different tools (OWASP ZAP, BDD-Security, Threadfix...) to empower automation.
• securiCAD is a threat modelling and risk management tool by the Scandinavian company foreseeti. It is intended for company cyber security management, from CISO, to security engineer, to technician. securiCAD conducts automated attack simulations to current and future IT architectures, identifies and quantifies risks holistically including structural vulnerabilities, and provides decision support based on the findings. securiCAD is offered in both commercial and community editions. 
• SD Elements by Security Compass is a software security requirements management platform that includes automated threat modeling capabilities. A set of threats is generated by completing a short questionnaire about the technical details and compliance drivers of the application. Countermeasures are included in the form of actionable tasks for developers that can be tracked and managed throughout the entire SDLC.
• OWASP Application Threat Modeling - owasp.org/index.php/OWASP_Threat_Dragon

Several commercial packages and open source products are available.

Open Source

• ADTool from University of Luxembourg
• Ent
• SeaMonster

Commercial

• AttackTree+ from Isograph
• SecurITree from Amenaza Technologies

Threat Modeling vs Others

Threat Modeling vs Risk Modeling:

The terms cyber risk modeling and cyber threat modeling are often used synonymously, but they are different ideas. Cyber risk modeling involves creating multiple risk scenarios and assessing the severity of each.

Risk modeling provides a data-driven approach to understand cyber exposure and to quantify the possible outcome if a risk does indeed strike. This information is documented and disseminated in a language that makes sense to business users and decision-makers. A cyber risk model – particularly one that uses the same tools available to the cyber insurance sector – provides an efficient and repeatable way to quantify the probability of a cyberattack in financial terms.

On the other hand, a threat model helps to identify cyber threats and vulnerabilities. It also informs the company’s response and mitigation efforts.

Threat Modeling vs Threat Intelligence:

A cyber threat intelligence tool helps you collect and analyze threat information from multiple external sources to protect your enterprise from existing vulnerabilities and prepare for future ones. Next-gen cyber threat intelligence tools are essential to improve enterprise resilience and protect against external (in addition to internal) attacks.

Threat intelligence enables organizations to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors. It transforms raw data into useful interpretable intelligence for analysis. 

While ideally, threat modelling can be driven right from the LEFT (DevSecOps), using a framework to identify threats for your application development (Dev) stage, the enterprise might not have such luxury to go into that level of maturity. Having said that, it is better to have Threat Modelling capabilities at least on the Operations (Ops) stage, correlating Cyber Threat Intelligence (external information) of the adversary, with the internal cyber security events from SOC / SIEM.

One of the tools capable of mapping the Threat Model is Anomaly Threat Stream. A threat intelligence platform that could model any threat tailored to your specific organization.

With Anomaly Threat Stream, the analyst can build a Threat Model based on a specific adversary relevant to your organization's industry. For example, a bank would have a specific adversary of a state-sponsored attacker such as Lazarus or Cobalt Strike. By mapping all the IOCs, Tools-Technique-Procedures (TTP) along with MITRE ATT&CK Framework, an organization can have a specifically tailored cybersecurity defence that is much stronger and more impactful for its operations.

Threat Modeling vs Vulnerability Assessment

• Their primary focus: Threats vs vulnerabilities
• Proactive vs reactive processes
• Threat intelligence-driven anaysis - Both threat modeling and vulnerability assessment use threat intelligence-driven data to fuel their processes.
• Threat modeling uses CVSS and MITRE TTPs to identify vulnerabilities and threats and goes a step further to quantify threats and prioritize ways to remediate them.

Threat Modeling vs Pen Test

Differences are between Threat Modeling and penetration testing:

• Timing: Threat Modeling is preferably performed during the design phase of the system (although it is never too late to do it). Penetration testing is done during development or at least just prior to release (please don’t release first and then test on production).
• Objectives: Threat Modeling prevents or manages design flaws from a ‘white box’ perspective. Pentesting tests the actual application’s resilience – usually from a black box perspective
• Outcome: Threat Modeling leads to a list of design changes to consider, pentesting generates a list of bug fixes. Both expose risk which begs for risk management measures.

Design flaws are errors in design. They arise from a lack of security requirements (bad design), a lack of secure design knowledge (bad designer). To understand these flaws, you need contextual knowledge. That’s what you learn during a Threat Modeling workshop. Bugs are coding errors. The design might be good, but accidental errors (bad code) or a lack of secure coding practices (bad coders) can lead to vulnerabilities. 

Threat Modeling won’t expose coding errors. Pentesting won’t show design flaws. We need both tools in our toolbox.

Glossary

Some Other Terms:

• Tactics, Techniques and Procedures (TTPs) : TTPs are the “patterns of activities or methods associated with a specific threat actor or group of threat actors,”
• Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
• Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models.

The Glossary of the known and agreed Threat Models’ abbreviations:

no	Model	Abbreviation Description
1	STRIDE	Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and Associated Derivations
2	PASTA	The Process for Attack Simulation and Threat Analysis
3	LINDDUN	Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, Noncompliance) method
4	OCTAVE	Operationally Critical Threat, Asset, and Vulnerability Evaluation
5	VAST	Visual, Agile, and Simple Threat Modeling
6	hTMM	Hybrid Threat Modeling Method
7	qTMM	Quantitative Threat Modeling Method
8	TRIKE	Abbreviation is unknown, unified conceptual framework for security auditing automated concept from a risk management perspective
9	Trees	Attack Trees
10	PnG	Persona non Grata

A Complete Guide to Effective Threat Modeling

1. Introduction to Threat Modeling.

Security threats are a constant concern for organizations of all sizes.

From data breaches to cyber attacks, the risks are numerous and can have devastating consequences.

That's where threat modeling comes in.

Threat modeling is a structured approach to identifying potential security threats and vulnerabilities in an organization's systems and applications.

By analyzing these threats, IT staff can develop effective mitigation strategies to protect against them.

In this article, we will explore the importance of threat modeling in security strategy and provide a complete guide to conducting effective threat modeling.

2. Understanding the Importance of Threat Modeling in Security Strategy.

As IT staff, you are well aware of the importance of maintaining a strong security posture to protect your organization's assets.

However, it can be challenging to identify and mitigate all potential threats.

This is where threat modeling comes in.

Threat modeling is a structured approach to identifying and prioritizing potential threats to your organization's systems, applications, and data.

By understanding the potential risks, you can develop effective mitigation strategies to reduce the likelihood and impact of an attack.

Effective threat modeling is critical to a comprehensive security strategy.

It enables you to identify vulnerabilities before they are exploited by attackers, reducing the risk of data breaches, financial losses, and reputational damage.

Moreover, threat modeling helps you prioritize security investments based on the most significant risks to your organization.

This ensures that you are allocating resources effectively and efficiently to address the most pressing threats.

In summary, threat modeling is a crucial component of any security strategy.

It provides a structured approach to identifying and mitigating potential threats, enabling you to maintain a strong security posture and protect your organization's assets.

3. Steps to Conduct Effective Threat Modeling.

Threat modeling is a crucial process in developing a strong security strategy.

It involves identifying potential threats and vulnerabilities that could compromise the security of an organization's assets, such as data, systems, and applications.

To conduct effective threat modeling, there are several steps that IT staff should follow: 1.

Define the scope: The first step in conducting effective threat modeling is to define the scope of the exercise.

This involves identifying the assets that need to be protected and the potential threats that could compromise their security.

2. Create a threat model: Once the scope has been defined, the next step is to create a threat model.

This involves identifying the potential threats and vulnerabilities that could affect the assets being protected.

IT staff should consider both internal and external threats, such as malware, phishing attacks, and physical breaches.

3. Prioritize threats: After creating a threat model, it's important to prioritize the identified threats based on their likelihood and potential impact.

This will help IT staff focus their efforts on addressing the most critical threats first.

4. Develop mitigation strategies: With the prioritized list of threats in hand, IT staff can then develop mitigation strategies to address each threat.

These strategies may include implementing security controls, such as firewalls and intrusion detection systems, or developing policies and procedures to minimize the risk of a breach.

5. Test and refine: Finally, IT staff should test and refine their threat modeling process on an ongoing basis.

This will help ensure that the organization's security strategy remains effective in the face of evolving threats and vulnerabilities.

By following these steps, IT staff can conduct effective threat modeling and develop a strong security strategy that protects the organization's assets from potential threats and vulnerabilities.

4. Common Threats and Vulnerabilities to Consider.

When conducting threat modeling, it's important to consider the most common threats and vulnerabilities that could potentially impact your organization.

One of the most common threats is phishing attacks, which involve tricking users into providing sensitive information or clicking on malicious links.

Other common threats include malware, ransomware, and social engineering attacks.

In addition to these external threats, it's also important to consider internal threats such as insider threats and accidental data leaks.

Insider threats can come from employees who intentionally or unintentionally compromise sensitive data, while accidental data leaks can occur due to misconfigured systems or human error.

Another vulnerability to consider is outdated software and systems.

These can create security gaps that attackers can exploit to gain access to your network or steal sensitive data.

It's important to regularly update and patch all software and systems to minimize these vulnerabilities.

Finally, it's important to consider the potential impact of a data breach or cyber attack on your organization.

This includes not only financial losses but also damage to your reputation and loss of customer trust.

By understanding these common threats and vulnerabilities, you can better prepare your organization to effectively mitigate them through threat modeling.

5. Implementing Mitigation Strategies Based on Threat Modeling.

Once you have identified the potential threats and vulnerabilities through effective threat modeling, it is crucial to implement mitigation strategies to reduce the risk of a security breach.

Mitigation strategies can be technical or non-technical in nature, and they should be tailored to address the specific risks identified during the threat modeling process.

Technical mitigation strategies may include implementing firewalls, intrusion detection systems, access controls, encryption, and other security technologies.

Non-technical mitigation strategies may include employee training programs, security awareness campaigns, and policies and procedures that promote secure behavior.

It is important to prioritize mitigation strategies based on the severity of the identified risks and the potential impact on the organization.

This will help ensure that resources are allocated effectively and efficiently.

Regularly reviewing and updating mitigation strategies is also critical to maintaining a strong security posture.

Threats and vulnerabilities are constantly evolving, and mitigation strategies must adapt accordingly.

By implementing effective mitigation strategies based on threat modeling, organizations can significantly reduce the risk of a security breach and protect their sensitive data and assets.

6. Best Practices for Maintaining a Strong Security Posture Through Threat Modeling.

As an IT staff member, you play a crucial role in maintaining your organization's security posture.

Threat modeling is a powerful tool that can help you stay ahead of potential threats and vulnerabilities.

Here are some best practices for maintaining a strong security posture through threat modeling: 1.

Regularly review and update your threat model: Threats and vulnerabilities are constantly evolving, so it's important to regularly review and update your threat model.

This will ensure that you're always aware of the latest threats and have mitigation strategies in place.

2. Involve stakeholders from across the organization: Threat modeling should involve stakeholders from across the organization, including developers, security professionals, and business leaders.

This will help ensure that everyone is on the same page when it comes to security strategy and that all potential threats are considered.

3. Prioritize threats based on risk: Not all threats are created equal.

It's important to prioritize threats based on their potential impact on the organization.

This will help you focus your resources on the most critical threats and vulnerabilities.

4. Implement mitigation strategies as soon as possible: Once you've identified a threat or vulnerability, it's important to implement mitigation strategies as soon as possible.

This will help minimize the risk to your organization and prevent potential breaches.

5. Continuously monitor your security posture: Threat modeling is an ongoing process, not a one-time event.

It's important to continuously monitor your security posture and make adjustments as needed.

This will help ensure that your organization is always prepared to defend against potential threats.

By following these best practices, you can help maintain a strong security posture and keep your organization safe from potential threats and vulnerabilities.

YouTube

References

• Threat Modeling: What, Why, and How?
• Tactics, Techniques and Procedures (TTPs) Within Cyber Threat Intelligence
• A Guide to Understanding Security Modeling in Trusted Systems
• What are Information Security Models?
• Introduction To Classic Security Models
• OWASP Threat Modeling
• First Curriculum - Threat Modelling