What Is Threat Modeling?
 

Cyber threat modeling is like war gaming. It’s a process of methodically identifying potential threats to a company’s systems, pinning down exactly how — and how badly — an adversary might inflict damage, and then weighing different defenses.

Threat modeling methods vary, depending on these three areas of focus:

• Systems: How is a system built, how does data move across it, and where are the weak spots?
• Adversaries: Who are the potential attackers, such as ransomware rings or state-sponsored actors, and which assets would they want to target?
• Assets: What are the company’s data, financial and other assets that might be targeted and where are the vulnerabilities that could be exploited?

A number of frameworks and methodologies have been developed to guide threat modeling, described later in this article. A variety of technology tools can also assist the process, such as threat feeds — threads of data filled with information about cyber attackers, including their strategies and capabilities. The downside of threat feeds is that they’re massive, so generating actionable insights from them can drain security resources. Technology tools such as Mimecast's can help, by automatically parsing threat feeds and integrating them into analysts’ dashboards to deliver threat intelligence that is contextual, actionable, easily consumable and instructive.

The Threat Modeling Process              

The Threat Modeling Manifesto, drafted by a nonprofit group of cybersecurity professionals, recommends starting any systems analysis with these high-level questions:[1]

• What are we working on?
• What can go wrong?
• What are we going to do about it?
• Did we do a good enough job?

These four questions serve as guideposts for a multi-step threat modeling process: 

• Deconstruct the system and set objectives. Analysts need to break down the structure of a company’s various systems and what they are designed to achieve, using data flow or process flow diagrams to visualize key assets and power users. This step builds an understanding of what the company is working on and how the work gets done. That means IT or information security teams need to collaborate on it with stakeholders across the organization.
• Determine and rank threats. This is the stage where threat modeling asks: “What can possibly go wrong?” The goal is to visualize threats from both the attacker’s viewpoint and the defender’s: Which assets, users, processes or data would an attacker target and how? What is the security risk and potential impact of each threat? 
• Determine countermeasures and mitigation. Once risks are identified and ranked, they can be prioritized by factors such as business impact as the basis for taking actions, which could range from deploying technological safeguards to improving operational practices.
• Evaluate. This instructive step in the threat modeling process is no less important than the rest. It audits how the organization has acted on past threats, whether vulnerabilities have been addressed and how. Clearly documented findings should be distributed to all stakeholders. Additionally, the organization needs to commit to ongoing threat modeling and decide what the next process will look like, based on this evaluation, and when it will take place.

Why Is Threat Modeling Important? 

In an environment where threats are constantly evolving and attackers become more sophisticated by the day, threat modeling gives companies a framework to become more proactive. 

Threat Modeling Best Practices          

• Prioritize the process. Don’t just tack threat modeling on to other projects; it is an intense process. And don’t assume threat modeling is a one-and-done exercise, but make it an ongoing practice.
• Take a holistic view. Don’t look at systems in a vacuum. Just like cybercriminals move laterally across systems when they attack, defenders have to look at the whole of their systems, rather than focus on the security of individual assets. 
• Don’t chase shiny objects. The latest high-profile threat may not be the one that targets your organization. Threats will vary depending on the industry, functions and infrastructure of each company; threat modeling should factor in these aspects. 
• Don’t be a hero. Don’t take on all the responsibility for this exercise. Create a document that is easily shared with other members of the organization, so they can participate and iterate on the work of the security staff. 
• Don’t take on too much. Make mitigation and remediation a continuous exercise, rather than trying to fix everything at once. Prioritize, factoring in the risks and costs of various potential threats and mitigations. 

Threat Modeling Methods     

Choosing the right threat modeling framework depends on a variety of factors, including:

• What industry is the company in?
• How is it structured?
• Who are its stakeholders?
• What is the company’s appetite for risk?
• What are the potential threats?
• What coverage is needed, in terms of employees, devices, vendors and other third parties?
• How big is the security team and its budget?

Threat modeling frameworks include: 

• STRIDE: This framework focuses on six top categories of threat: spoofing another’s identity, tampering with data, repudiation of an action, information disclosure, denial of service and elevation of privilege. 
• DREAD: This one takes STRIDE a step further by adding these five dimensions: damage potential, reproducibility, exploitability, affected users and discoverability.
• PASTA: This “process for attack simulation and threat analysis” focuses on threat analysis and attack modeling to align security requirements with business objectives.  
• VAST: This model, whose acronym stands for “visual, agile and simple threat,” is built for automation and focused on integrating multiple teams into the process. 
• NIST: The National Institute of Standards and Technology’s framework identifies data of interest and attack vectors, then ranks the controls for mitigating those vectors and analyzes overall effectiveness. 
• OCTAVE: This methodology (“operationally critical threat, asset and vulnerability evaluation”) emphasizes operational over technological risks, across the organization.[2]
• Trike: This open source methodology has a more compliance-based approach that focuses on which privileges users have, and it often narrows its analysis to elevation of privilege breaches. 

There are other, more or less similar frameworks, such as LINDDUN (“linkability, identifiability, nonrepudiation, detectability, disclosure of information, unawareness, noncompliance”) and CVSS (“common vulnerability scoring system”). A company’s choice would depend on its risk, resources and other factors.  

The Bottom Line

Threat modeling means getting into potential attackers’ heads, anticipating their moves and planning more effective defenses. As such, it provides a framework for applying a continuous flow of threat intelligence to protect your organization. Read on, to learn how Mimecast’s Threat Feed can be an important addition to a company’s sources of threat intelligence.

[1] “Threat Modeling Manifesto,” Threat Modeling Manifesto working group

[2] “SEI Releases OCTAVE FORTE Model for Enterprise Risk Management,” Carnegie Mellon University Software Engineering Institute