The document discusses threat modeling which involves identifying threats and vulnerabilities in applications. It explains the steps of threat modeling which include decomposing the application, determining and ranking threats, and determining countermeasures. It also discusses some common threat modeling methodologies and provides a model for information security planning.
Threat Modelling
Risk vs Vulnerability vs Threat Modelling
• Risk assessment is a holistic process that considers all potential risks, including threats, vulnerabilities, and their impact. It helps organizations make decisions about risk management at a strategic level.
• Vulnerability assessment is a narrower process that specifically focuses on identifying and assessing vulnerabilities within a system or environment. It provides a snapshot of the security posture but doesn't consider threats or likelihood.
• Threat modeling is a proactive approach that focuses on identifying threats and vulnerabilities in a systematic way and then designing security controls to address them. It is more tactical and application-specific compared to risk assessment.
• In practice, these processes often work together. Organizations may start with a risk assessment to identify high-level risks, then use vulnerability assessments to dive deeper into specific systems or applications, and finally use threat modeling to design and implement targeted security measures based on the identified threats and vulnerabilities.

Threat Modelling – Step 1 Decompose the Application
• The first step in the threat modeling process is concerned with gaining an understanding of the application and how it interacts with external entities. This involves:
  • Creating use cases to understand how the application is used.
  • Identifying entry points to see where a potential attacker could interact with the application.
  • Identifying assets, i.e. items or areas that the attacker would be interested in.
  • Identifying trust levels that represent the access rights that the application will grant to external entities.
• This information is documented in a resulting Threat Model document.

Threat Modelling – Step 2 Determine and Rank Threats
• Critical to the identification of threats is using a threat categorization methodology to categorize threats, such as Auditing & Logging, Authentication, Authorization, Configuration Management, Data Protection in Storage and Transit, Data Validation, and Exception Management.
• The goal of the threat categorization is to help identify threats from both the attacker's and the defender's perspective.

Threat Modelling – Step 3 Determine Countermeasures and Mitigation
• A vulnerability may be mitigated with the implementation of a countermeasure. Such countermeasures can be identified using threat-countermeasure mapping lists. Once a risk ranking is assigned to the threats in step 2, it is possible to sort threats from the highest to the lowest risk and prioritize mitigation efforts.
• The risk mitigation strategy might involve evaluating these threats by the business impact they pose. Once the possible impact is identified, options for addressing the risk include:
  • Accept: decide that the business impact is acceptable
  • Eliminate: remove components that make the vulnerability possible
  • Mitigate: add checks or controls that reduce the risk impact, or the chances of its occurrence

Threat Modelling Methodologies
• Common threat modeling methodologies include:
  • STRIDE: A framework developed by Microsoft that categorizes threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  • DREAD: A risk assessment model that stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. It helps assign scores to threats based on these factors.
  • Attack Trees: A graphical representation of potential attack paths and their associated likelihoods and consequences.
  • PASTA (Process for Attack Simulation and Threat Analysis): A risk-centric methodology that focuses on identifying and analyzing security threats from an attacker's perspective.

Model for Information Security Planning
• Creating a model for information security planning is crucial for organizations to ensure the confidentiality, integrity, and availability of their data and systems.

1. Assessment and Analysis
  • Identify Assets: Begin by identifying all the critical assets within your organization. These could include data, hardware, software, personnel, and facilities.
  • Threat Assessment: Analyze potential threats and vulnerabilities that could affect your assets. This could involve conducting risk assessments and threat modeling.
  • Compliance Requirements: Understand and document legal and regulatory requirements relevant to your industry.

2. Risk Management
  • Risk Assessment: Evaluate the risks associated with each asset and threat. Assign risk levels based on their impact and likelihood.
  • Risk Mitigation: Develop strategies to mitigate identified risks. This may include implementing technical controls, creating policies and procedures, or even transferring risk through insurance.
  • Risk Monitoring: Continuously monitor and assess the effectiveness of your risk mitigation efforts.

3. Security Policies and Procedures
  • Develop Security Policies: Create clear and comprehensive security policies that cover areas like data classification, access control, incident response, and acceptable use of resources.
  • Procedures and Guidelines: Define specific procedures and guidelines to implement and enforce security policies.

4. Access Control
  • User Authentication: Implement strong authentication mechanisms for users, such as multi-factor authentication (MFA).
  • Authorization: Define access rights and permissions for users based on their roles and responsibilities.
  • Monitoring and Auditing: Regularly monitor and audit user access to detect any unauthorized activity.

5. Security Awareness and Training
  • Employee Training: Conduct regular security awareness training for employees to educate them about security best practices.
  • Incident Response Training: Ensure that employees know how to respond to security incidents effectively.

6. Incident Response and Recovery
  • Incident Response Plan: Develop a comprehensive incident response plan outlining the steps to take in the event of a security incident.
  • Testing and Drills: Regularly test and update the incident response plan through tabletop exercises and simulated incident drills.
  • Backup and Recovery: Establish backup and recovery procedures to ensure data can be restored in case of a breach or data loss.

7. Security Monitoring and Detection
  • Intrusion Detection: Implement intrusion detection systems to monitor network and system activity for signs of unauthorized access or malicious behavior.
  • Security Information and Event Management (SIEM): Use SIEM tools to collect and analyze security-related data for early threat detection.

8. Security Updates and Patch Management
  • Software Updates: Establish a process for regularly applying security updates and patches to operating systems, applications, and devices.

9. Vendor and Third-Party Risk Management
  • Vendor Assessment: Assess the security practices of third-party vendors and service providers who have access to your data or systems.
  • Contractual Agreements: Ensure that contracts with vendors include security requirements and provisions.

10. Continuous Improvement
  • Security Audits: Conduct regular security audits and assessments to identify areas for improvement.
  • Incident Post-Mortems: After security incidents, perform post-mortem analysis to learn from the incident and update security measures accordingly.

11. Documentation and Reporting
  • Security Documentation: Maintain detailed records of security policies, procedures, incidents, and audits.
  • Reporting: Regularly report on the state of information security to executive management and relevant stakeholders.

12. Compliance and Certification
  • Compliance Management: Ensure ongoing compliance with relevant regulations and standards (e.g., GDPR, ISO 27001).
  • Certification: Pursue security certifications or accreditations to demonstrate your commitment to security best practices.
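The ranking in threat modelling step 2 and the accept/eliminate/mitigate decision in step 3 can be made concrete in a few dozen lines. The Python script below is an added example, not material from the slides: it scores constructed sample threats (each tied to an entry point and an asset from step 1) with the five DREAD factors, sorts them from highest to lowest risk, and maps each threat's STRIDE category to candidate countermeasures. The threat list, DREAD values, band thresholds, the `optional_component` flag used to trigger "Eliminate", and the countermeasure mapping are all assumptions made for the illustration, not an authoritative list.

```python
"""Rank threats by DREAD score and pick a step-3 mitigation option per threat.

Added illustration for steps 2 and 3 of the deck. Every threat, score,
threshold and countermeasure below is a constructed example.
"""
from dataclasses import dataclass

# STRIDE category -> candidate countermeasures (illustrative mapping only).
STRIDE_COUNTERMEASURES = {
    "Spoofing": ["multi-factor authentication", "mutual TLS between services"],
    "Tampering": ["server-side input validation", "HMAC or signatures on messages"],
    "Repudiation": ["tamper-evident audit logging", "signed transaction records"],
    "Information Disclosure": ["encryption in transit and at rest", "least-privilege data access"],
    "Denial of Service": ["rate limiting", "per-tenant resource quotas"],
    "Elevation of Privilege": ["authorization check on every entry point", "process sandboxing"],
}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    entry_point: str        # where an attacker interacts with the app (step 1)
    asset: str              # what they would be after (step 1)
    stride: str             # STRIDE category (step 2)
    dread: dict             # factor name -> score 1..10 (step 2)
    optional_component: bool = False  # True if the component could simply be removed

    def dread_score(self) -> float:
        """Average of the five DREAD factors; rejects missing or out-of-range values."""
        missing = set(DREAD_FACTORS) - set(self.dread)
        if missing:
            raise ValueError(f"missing DREAD factors: {sorted(missing)}")
        for factor in DREAD_FACTORS:
            value = self.dread[factor]
            if not 1 <= value <= 10:
                raise ValueError(f"{factor} must be 1..10, got {value}")
        return sum(self.dread[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(score: float) -> str:
    """Map a DREAD average to a band; the cut-offs are assumptions for this example."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Step 2: order threats from highest to lowest risk."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def plan_mitigation(threat: Threat, accept_below: float = 4.0) -> dict:
    """Step 3: choose Accept / Eliminate / Mitigate and list candidate countermeasures."""
    score = threat.dread_score()
    band = risk_band(score)
    if score < accept_below:
        decision, measures = "Accept", []
    elif band == "High" and threat.optional_component:
        decision, measures = "Eliminate", ["remove the component"]
    else:
        decision, measures = "Mitigate", STRIDE_COUNTERMEASURES[threat.stride]
    return {"threat": threat.name, "score": score, "band": band,
            "decision": decision, "countermeasures": measures}


# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("Forged session token accepted", "/login", "user sessions", "Spoofing",
           {"damage": 8, "reproducibility": 9, "exploitability": 7,
            "affected_users": 9, "discoverability": 7}),
    Threat("Backup export stored unencrypted", "nightly backup job", "customer records",
           "Information Disclosure",
           {"damage": 7, "reproducibility": 5, "exploitability": 4,
            "affected_users": 6, "discoverability": 3}),
    Threat("Error page reveals stack trace", "/checkout", "internal code paths",
           "Information Disclosure",
           {"damage": 2, "reproducibility": 8, "exploitability": 2,
            "affected_users": 2, "discoverability": 4}),
    Threat("Unauthenticated debug endpoint", "/debug", "admin functions",
           "Elevation of Privilege",
           {"damage": 9, "reproducibility": 10, "exploitability": 8,
            "affected_users": 10, "discoverability": 6},
           optional_component=True),
]


def mitigation_plan(threats=SAMPLE_THREATS):
    """Full pass: rank, then decide per threat, highest risk first."""
    return [plan_mitigation(t) for t in rank_threats(threats)]


if __name__ == "__main__":
    for row in mitigation_plan():
        print(f"{row['score']:4.1f} {row['band']:6} {row['decision']:9} {row['threat']}")
        for m in row["countermeasures"]:
            print(f"            - {m}")
```

Running the script prints the sorted table; the debug endpoint (8.6) lands first and is marked for elimination because the flag says the component is not needed, the forged-token threat (8.0) gets the Spoofing countermeasures, and the verbose error page (3.6) falls under the accept threshold. Swapping the DREAD dictionaries or the thresholds is all that is needed to adapt it to a real model.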