For software and application development teams, data assets represent the culmination of years, even decades, of iterative hard work towards building business value.
If put into the wrong hands, compromised data assets may ruin client relationships, lead to even broader repetition of damage, and soften your organization’s competitive advantage.
However, the combination of fear and misperceptions about security risk leads many organizations down an unproductive path. Instead of feeling empowered, technology development teams view security as a blocker, which inhibits the innovation that is required to support business strategies for growth.
Threat modeling is the process of adopting a strategic, risk-based approach to identifying and resolving your security blind spots. For application developers interested in securing their workflows for the cloud, read on to learn how threat modeling works.
How Threat Modeling Protects Your Data Assets
How does threat modeling work? It’s a collaborative and technical process that takes place in the following two phases:
- Discovery: the process of identifying desirable assets, the threats to the environment surrounding them (attack vectors), and the paths hackers may take to reach such assets.
- Implementation: the information gathered in the discovery phase is analyzed for potential organizational and repetitional impact, the prioritization of the most damaging attacks, and the discovery of the steps needed to take to resolve the vulnerabilities associated with the prioritized threat routes.
Discovery: Identify Your Assets, Examine the Surrounding Environment for Vulnerabilities, and Trace the Path Hackers May Take to Reach Your Assets
Conducted in three steps, the discovery phase of threat modeling is all about locating, then prioritizing your most important data assets, gaining a holistic understanding of the risks to the environment surrounding those assets.
Step 1: Asset Identification
Your first task is to catalog your assets, including data, applications, network components, and many others. Assets can be broken down into the following two buckets:
- Business Assets: Data, various components, and functions (applications) that are necessary for the continued operations of your business. Those targeting business assets can be better seen as malicious actors committing sabotage intended to disrupt continued activity.
- Data Assets: These are data, components, and functions of particular use to the hacker, who can gain access to certain functions to perform further reprehensible deeds. For example, cybercriminals may exploit data assets to help their crypto-mining operations, or look for customer data they can sell on dark web exchanges.
Note that there may be assets that live somewhere between business assets and data assets. It’s more important that these are cataloged comprehensively than strictly defined.
Step 2: Attack Surface Analysis
It’s a myth that today’s hackers perform custom attacks on their victims. Rather than the ultra-competent cyber sleuths we see in the media, they’re instead opportunists who look for the most direct entry points and exploit already-known vulnerabilities.
Since many organizations are often unaware that they may have compromised hardware, software and/or unprotected admin accounts (those set with default passwords), hackers have to find the right target and apply the tried-and-true exploit.
Step 2 involves mapping out the components of the environment surrounding the above assets. That includes all components that communicate with the asset, contain it, or otherwise provide access to it.
This makes up your attack surface – essentially the totality of your exposed components that may connect a bad actor to one to your assets. Within threat modeling, teams outline all elements of the attack surface, and demonstrates how data flows to and from these components.
Read our blog post on the difference between DFD- vs. PFD-based threat modeling.
Step 3: Attack Vectors
If an attack surface is your exposed asset-related components, attack vectors are the paths intruders may take to arrive there – all the way from system penetrating to asset exfiltration.
Map your components and the functionality that’s available to these components – this should include security applications and controls. Note as well that there may be multiple ways hackers can exploit a particular path.
You’ll also need to collect all relevant information about known exploits and vulnerabilities associated with each component in all attack vectors.
It’s time to think like a hacker. Using the collected information on vulnerable components and attack vectors, figure out the approaches a cybercriminal can take to launch an attack. Consider their potential objectives, motivations, and their hacking skill level. From there, assess how potential hackers may get to your assets.
Implementation: Analyzing the Impact of Potential Attacks, Prioritization, and the Application of Relevant Security Controls
The second and final phase of threat modeling begins with a comprehensive analysis of all information gathered in the discovery phase. The three-step process involves a breakdown of each attack vector’s impact, prioritized by their potential impact on the entire organization, and the collection of instructions for how each vulnerability may be mitigated.
Step 4: Analysis
Since we don’t live in a world of perfect security, risk management is essential to make sure you’re making the best possible security decisions based on your risks and resources.
Information collected in the prior phase should be used to assess each attack type’s potential impact. Look at the assumptions made during the discovery phase, and include any threat intelligence or indicators.
Cyberattacks have been known to set off complex chains of events, so it’s crucial to think broadly about various ways damage may be done. Consider the following occurrences and their impact:
- Damage to reputation among organizations and consumers
- Leaked data (on all parties involved)
- Any legal action taken in response
- Costs to replace compromised equipment
- Application downtime should attackers effectively sabotage crucial components
Step 5: Prioritization
The penultimate step of the threat modeling process revolves around prioritizing the previously-discovered vulnerabilities. The goal here is not to stop every possible attack; rather, it’s to protect against the most dangerous, high-impact attacks. The likelihood of such attacks occurring is an essential part of the risk prioritization process, but greater weight should still be given to impact. Ideally, once the most critical threats are addressed, you will mitigate as many additional threats as possible in a hierarchical fashion.
Step 6: Security Controls
The sixth and final step in the threat modeling process is the discovery of security controls that effectively remove, counter, or mitigate all relevant vulnerabilities. Also critical is the analysis of existing security controls for iterative improvements. This process is additionally useful in identifying security gaps not discovered in the initial discovery phase.
Security validation through drift is a part of an ongoing security practice as the threat model becomes a living, breathing document that evolves with your infrastructure.
Automated Vs. Manual Threat Modeling
Threat modeling is a useful and essential security process for all organizations interested in protecting their most valuable assets. Conducting threat modeling manually, though, is a resource-intensive task that requires a great deal of security and engineering expertise. It also leaves teams open to human error.
Automated threat modeling tools are available, providing the same insights (if not better) through systems and network analysis and can be easily performed by developers and other personnel without cybersecurity expertise.
With ThreatModeler, Remove Security as a Blocker
Threat modeling with our automated platform enables organizations of all sizes to prevent irregularities or mistakes in data security management, and prevent liabilities that may occur in the processing of personally identifiable information (PII). ThreatModeler helps organizations to gain a comprehensive understanding of their attack surface, and secure applications and infrastructure at scale. Security controls are communicated effortlessly to collaborative teams so they can code applications with security built-in.
ThreatModeler emboldens teams with the confidence and assurance to accelerate secure product delivery, supporting the innovation that fuels exponential growth. To learn how ThreatModeler can help your organization to manage risk and increase Agile sprint velocity, Contact Us to schedule a live demo.