Threat Modeling: Making the Right MovesExperts Offer Insights on Improving Understanding of Risks
Threat modeling can help give organizations the extra insights needed to secure their on-premises and cloud environments at a time when attackers are using increasingly sophisticated methods to gain entry to networks and maintain persistence.
By using threat modeling, organizations can gain a much better understanding of risks, says Roger Caslow, CISO for the Virginia regional water utility HRSD.
"All organizations can and should do some level of threat modeling; it doesn't have to be a resource-intensive activity," says Caslow, the former chief of risk management and information security programs at the Office of the Director of National Intelligence. "This is just good stewardship of your business and smart business practice in general."
Threat modeling involves helping security teams prioritize threat mitigation, ensuring that security resources are effectively applied, according to a report from the security firm Exabeam.
"Threat modeling can help security teams prioritize threats, ensuring that resources and attention are distributed effectively," Exabeam says. "This prioritization can be applied during planning, design and implementation of security to ensure that solutions are as effective as possible."
Threat modeling consists of identifying what each application in a system does, defining enterprise assets, profiling each application and specifying its security properties, detecting potential threats, prioritizing potential threats and then documenting adverse events and actions taken to mitigate them, the security firm Tripwire says in a recent report.
The Cloud Security Alliance, in a report on setting up threat modeling for the cloud environment, notes the importance of assessing the controls that an organization already has in place, sizing up vulnerabilities particular to its industry and rating the threats.
Selecting a Model
Charles Gillman, head of information security at Moula, recently implemented threat modeling.
"I tried to define what I wanted from my threat model first," he says. So I needed a well-known standard; it needed to be simple to create the threat model and simple to comprehend the threat model and most importantly, it needed to be repeatable. By repeatable, I mean that I would expect the same results if the threat model was created by different users."
The next step for Gillman was selecting one of the several frameworks to help create the proper threat model for the environment.
"I decided to go with a variation of STRIDE being STRIDE-LM, where the LM is lateral movement. We're doing STRIDE per element and creating two threat models per scenario/product," Gillman says.
STRIDE is Microsoft's threat model covering six types of threats: spoofing, tampering, repudiation, information disclosure, denial of service and privilege escalation.
"STRIDE is one of the easier-to-understand models," Gillman says. "STRIDE per element is easier to implement over STRIDE per interaction. Also, penetration testers are good to assist with threat models as they are used to thinking like that."
In addition to STRIDE, other threat modeling frameworks, according to Tripwire, are:
- PASTA - A seven-step model designed to correlate business objectives with technical requirements;
- CVSS - The standardized scoring system used globally to communicate information about known vulnerabilities;
- Hybrid Threat Modeling Method, or hTMM - This is focused on extracting security requirements and uncovering ways systems can be abused by attackers.
HRSD's Caslow offers insights on getting started with threat modeling.
"Processes and procedures require more back-end documentation and people-learning time; you should not move to any automation until you have the base established," he says. "This is where some technical issues could arise, but not if you have properly thought through the processes and technical solutions required."
Regarding staff requirements, Caslow notes: "Threat modeling is a subset of risk management. So typically, a risk analyst should have the ability to do this, if they are truly a professional."
Some of those involved in modeling will need to pull many streams of data in from multiple sources. These "all-source analysts" require basic critical thinking skills, he adds.
Cloud Threat Modeling
The Cloud Security Association notes in a report that the basics of threat modeling are the same for cloud and noncloud environments - but there are a few twists for securing the cloud.
When it comes to assets being protected, the association notes, data, key system components, monetary instruments and identities must be covered. And these must be expanded to new assets, such as cloud accounts, SaaS subscriptions and services, as they are introduced.
Threats to cloud systems, applications and environments are different than those facing other environments, the association points out.
"Different technologies, such as instance metadata service and cross-account IAM access federation, come into play. Different technologies and consumption models describe cloud systems.
An accurate threat model for the cloud "requires an understanding of the overall architecture, components/services, infrastructure, and business context of the system and a relevant adversarial perspective on the system in question or design. Individuals and roles such as application architect/analyst, cloud architect/analyst, security architect/analyst and other technical positions should be consulted and are usually well-enough informed and expertise-equipped to lead cloud threat modeling," the Cloud Security Association says.