Threat modeling can be viewed in two different, but related contexts. One is the implementation of security controls by architects that map to security requirements and policy. The other is to reflect all possible known attacks to components or assets, with the goal of implementing countermeasures against those threats. From these two contexts, four approaches to threat modeling arise.
Four Approaches to Threat Modeling:
1. Software-Centric Approach
This approach involves the design of the system and can be illustrated using software architecture diagrams such as data flow diagrams (DFD), use case diagrams, or component diagrams.
This method is commonly used to analyze networks and systems and has been adopted as the de-facto standard among manual approaches to software threat modeling. A good example of a software-centric approach is Microsoft’s Secure Development Lifecycle (SDL) framework. Both the Microsoft SDL and Threat Analysis & Modeling (TAM) tools visualize the system being analyzed through the use of DFDs.
2. Asset-Centric Approach
Asset-centric approaches to threat modeling involve identifying the assets of an organization entrusted to a system or software data processed by the software. Data assets are usually classified according to data sensitivity and their intrinsic value to a potential attacker, in order to prioritize risk levels.
Asset-centric approaches to threat modeling utilize attack trees, attack graphs, or through visually illustrating patterns by which an asset can be attacked. Security professionals often argue that such approaches to threat modeling should be classified as the inevitable result of a software-centric design approach.
3. The Attacker-Centric Approach
Attacker-centric approaches to threat modeling require profiling an attacker’s characteristics, skill-set, and motivation to exploit vulnerabilities. The profiles are then used to develop an understanding of potential attackers who would be most likely to execute specific types of exploits. Based on the understanding of potential attackers, organizations can implement an appropriate mitigation strategy.
The attacker-centric approach also uses tree diagrams. Key elements of this approach include focusing on the specific goals of an attacker, the various considerations related to the system upon which the attack could be perpetrated along with its software and assets, how the attack could be carried out, and finally, a means to detect or mitigate such an attack. An analyst may also list related attack patterns or approaches to make these same determinations.
An example would be an attack to obtain information from a backend database. The considerations would be to ensure that a database is being used at the backend, along with the means to enter database queries as input, and finally avoiding detection and prevention mechanisms. The approach would be specific SQL Injection commands for the database identified, or the potential use of tools by which the exploitation process could be automated.
4. Threat-Centric Approach
The traditional three approaches to threat modeling each have their merit. However, they yield an incomplete threat picture, from which CISOs and other stakeholders would be challenged to develop an end-to-end security policy in today’s highly interconnected cyber ecosystem.
A more comprehensive approach is Threat-Centric. The threat-centric approach begins with three basic points of reference:
- If an IT environment is to be useful, it must have, store, manipulate, control, or otherwise utilize assets and allow users to interact with those assets. In a threat-centric approach, however, assets are no limited simply to data. Cyber assets can also include the system’s capabilities – such as the ability to transfer funds from one account to another, and physical systems controlled by the IT system – such as comprise an industrial control or other cyber-physical systems. It is the cyber assets – whatever they are or wherever they are located – that make an IT system useful.
- If an IT environment has assets, there will inevitably be attackers – whether deemed “insiders” or “outsiders” – who will try to get at the assets. Note, threat-centric approaches to threat modeling do not pre-define the attackers, their motives, or any other qualities. From a defender’s perspective, it is assumed that those unknown attackers exist and will actively seek to access, use, harm, infiltrate, or otherwise jeopardize digital assets.
- Finally, the threat-centric approach recognizes that attackers need a point of origin from which to initiate their attack. The so-called “attack surface” is the collection of all the means by which an unknown threat agent could initiate an attack path leading to one or more targeted assets. As the only primary element that can be operationally addressed with positive outcomes, the attack surface is the primary interest for analysis, quantifying risk, and developing an end-to-end comprehensive security policy.
The threat-centric approach incorporates and steps past the traditional approaches to threat modeling. Its outputs are objective and can be used to clearly quantify the organization’s cyber ecosystem risk without the heavy lifting or mathematical gymnastics of the traditional approaches. Furthermore, the threat-centric approach is easily scalable across the organization’s full application portfolio and other elements of the IT environment.
Automated threat modeling platforms that encompass and automate the threat-centric approach, like ThreatModeler™, work from a threat framework that provides an easy-to-use interface. Users start by creating a Visio-like diagram and ThreatModeler™ does the rest, automatically identifying more threats than other approaches to threat modeling, plus the required security controls. This makes the security process easily accessible to security and non-security experts alike.
Contact us to learn more about the benefits of the threat-centric approach with ThreatModeler™