Threat modeling is a systematic framework by which IT professionals can classify possible security threats and vulnerabilities, measure the magnitude of each one, and prioritize attack prevention and IT resource protection techniques.
A security expert's ultimate goal is to protect confidential information from unauthorized access. Regulations and governance requirements also push companies to meet these obligations in the digital world and to prevent violations that cause economic losses. Information security has to deal with many different threats. A threat is defined as a potential hazard that could exploit a vulnerability, breach security, and cause damage. Threat modeling is an aligned and systematic approach designed to identify all potential threats in the early phases of a software system's life cycle, and it is used to defend systems against vulnerabilities. Threat modeling also gathers the context information a system depends on, in the form of its external dependencies.
Threat Modeling Approaches
Threat modeling approaches can be broadly divided into three groups on the basis of the context they model. The first is software-centric modeling. Data flow diagrams or use case diagrams are used in this approach to draw software architecture diagrams, which are specifically used to design the threat model of the network and systems. An example of software-centric threat modeling is the Microsoft Security Development Lifecycle (SDL). Using this approach, we can define the threats to each component and mitigate them during the design process itself. Next is the asset-centric approach, which describes the properties of the assets assigned to a piece of software. Assets are classified by the sensitivity of the data and how valuable they are to an intruder. Using the asset-centric approach, various multi-step attacks and attack routes can be defined.
A security expert may create attack trees or attack graphs that use an asset-centric strategy to help define which assets can be targeted. Trike, Amenaza, and SecurITree are examples of asset-centric tools used to build attack graphs and attack trees. There is one more tactic, the attacker-centric approach, which focuses on an attacker's particular objectives.
Using this form, one determines how an attack could occur and how it could be prevented. An analyst can list attack trends in an organization to assist in decision-making.
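A small attack-tree evaluator, added here as an illustration of the asset-centric approach described above (it is not code from the page or from any of the tools it names). The tree, its labels and its relative cost figures are constructed for a hypothetical "customer records" asset; the defender's use of the result is to see which path is cheapest for an attacker and therefore where a control removes the most risk.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Node:
    """One node of an attack tree: a leaf carrying the analyst's relative
    effort estimate, or an AND/OR node whose cost derives from its children."""
    label: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    cost: float = 0.0           # relative effort for a leaf (constructed figures)
    mitigated: bool = False     # a deployed control makes this leaf infeasible
    children: List["Node"] = field(default_factory=list)

def cheapest(node: Node) -> Optional[Tuple[float, List[str]]]:
    """Return (cost, leaf labels) of the least-effort way to reach this node,
    or None when every route below it is blocked by a mitigation."""
    if node.kind == "LEAF":
        return None if node.mitigated else (node.cost, [node.label])
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":                      # attacker needs any one child
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    if node.kind == "AND":                     # attacker needs every child
        if any(r is None for r in results):
            return None
        return (sum(r[0] for r in results), [l for r in results for l in r[1]])
    raise ValueError(f"unknown node kind {node.kind}")

def mitigate(node: Node, label: str) -> None:
    """Record that a control now blocks every leaf with the given label."""
    if node.kind == "LEAF" and node.label == label:
        node.mitigated = True
    for c in node.children:
        mitigate(c, label)

# Constructed tree for a hypothetical asset; costs are relative, not real data.
TREE = Node("read customer records", "OR", children=[
    Node("steal DB credentials", "AND", children=[
        Node("obtain a staff password", "OR", children=[
            Node("phish an administrator", cost=3),
            Node("guess a weak password", cost=2),
        ]),
        Node("reach DB from outside network", cost=5),
    ]),
    Node("read unencrypted backup copy", cost=4),
])

if __name__ == "__main__":
    print("cheapest route before controls:", cheapest(TREE))
    mitigate(TREE, "read unencrypted backup copy")   # e.g. encrypt backups
    print("cheapest route after control:  ", cheapest(TREE))
```

Re-running `cheapest` after each `mitigate` call shows how the attacker's least-cost route shifts as controls are added, which is the prioritization signal an asset-centric model is meant to give.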
Top threat modeling methodologies
STRIDE is a well-known and the most widely used approach to threat modeling. This model consists of six distinct threat categories:
- Spoofing: a malicious user or program pretends to be another
- Tampering: attackers modify components or code
- Repudiation: threat incidents are not logged or recorded
- Information Disclosure: data leak
- Denial of Service: a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet
- Elevation of Privilege: the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user
The STRIDE method is implemented by the Microsoft SDL Threat Modeling Tool, where it is called STRIDE-per-interaction.
The Microsoft DREAD model is a commonly used technique that rates each security threat on five factors:
- Damage Potential: how great the damage would be if the attack succeeded.
- Reproducibility: how reliably an attempt to replicate the attack succeeds.
- Exploitability: how easily the exploit for the threat can be carried out.
- Affected Users: the fraction of installations affected if the exploit becomes generally available.
- Discoverability: how easily an attacker can discover the vulnerability.
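A worked example, added here and not taken from the page or from Microsoft's tooling, that ties the two methods above together: each threat is tagged with a STRIDE category and rated on the five DREAD factors, and the list is then ranked so the team can see what to address first. The sample threats, the 1..10 rating scale and the use of the plain average as the DREAD score are assumptions for the illustration.

```python
from dataclasses import dataclass
from statistics import mean

# STRIDE categories as listed on this page, paired with the security property
# each one violates (the pairing commonly used in STRIDE-based modeling).
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information Disclosure", "confidentiality"),
    "D": ("Denial of Service", "availability"),
    "E": ("Elevation of Privilege", "authorization"),
}

@dataclass
class Threat:
    element: str        # DFD element the threat applies to
    stride: str         # one-letter STRIDE code
    description: str
    # DREAD factors, each rated 1 (low) to 10 (high); scale is an assumption
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Average of the five DREAD factors; higher means higher priority."""
        factors = [self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability]
        if any(not 1 <= f <= 10 for f in factors):
            raise ValueError("DREAD factors must be rated 1..10")
        return mean(factors)

def prioritize(threats):
    """Return threats sorted by DREAD score, highest first, ties by element."""
    return sorted(threats, key=lambda t: (-t.dread_score(), t.element))

# Constructed sample threats for a hypothetical web application.
SAMPLE = [
    Threat("login endpoint", "S", "credential reuse from a leaked list", 7, 8, 6, 6, 8),
    Threat("order database", "I", "backup readable without auth", 9, 9, 5, 10, 4),
    Threat("audit log", "R", "user actions not logged", 5, 10, 7, 8, 3),
    Threat("API gateway", "D", "unthrottled expensive query", 6, 9, 8, 9, 7),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE):
        name, prop = STRIDE[t.stride]
        print(f"{t.dread_score():4.1f}  {name:<22} ({prop}) {t.element}: {t.description}")
```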
PASTA, the Process for Attack Simulation and Threat Analysis, is a seven-step process focused on aligning technical security requirements with business goals. Each step consists of several sub-steps and is quite involved, but the overall sequence is as follows:
- Define objectives
- Define technical scope
- Application decomposition
- Threat analysis
- Vulnerability and weaknesses analysis
- Attack modeling
- Risk and impact analysis
Trike is a common methodology with separate implementation, threat, and risk models. It is a conceptual framework for security auditing from a risk-management perspective that allows members of the security team and stakeholders to interact. Compared to other threat modeling strategies, the principal characteristics of Trike are its degree of formality and the high level of automation that is possible inside the system.
NIST threat modeling
The U.S. National Institute of Standards and Technology (NIST) has its own framework for data-centric threat modeling, which consists of four steps:
- Identify and characterize the system and data of interest
- Identify and select the attack vectors to be included in the model
- Characterize the security controls for mitigating the attack vectors
- Analyze the threat model
For the fuzzy logic threat modeling methodology, fuzzy set theory is the fundamental concept. To detect security risks, an automated support tool (the MATLAB fuzzy tool) is used. The input variables are passed to the fuzzy inference engine using the STRIDE model, and the engine then produces a list of threats.
LINDDUN (linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness, non-compliance) focuses on privacy issues and can be used for data protection purposes. LINDDUN gives a systematic approach to privacy assessment consisting of six steps.
The Visual, Agile, and Simple Threat (VAST) modeling system is based on an integrated threat modeling tool. Its scalability and usability allow it to be applied across the entire infrastructure of large organizations to deliver actionable and consistent outcomes for various stakeholders.
VAST involves developing two types of models, application threat models and operational threat models, to capture the differences in operations and concerns between development and infrastructure teams. Application threat models use process-flow diagrams, reflecting the architectural point of view. Operational threat models are built from DFDs, from an attacker's point of view. This lets VAST be incorporated into the company's development and DevOps lifecycles.
Threat modeling helps security teams prioritize risks, ensuring the efficient allocation of resources and attention. Some of these methodologies are traditionally used alone, some are usually combined with others, and some are themselves examples of how different approaches can be mixed. This prioritization can be applied during security preparation, design, and implementation to make solutions as effective as possible. Threat modeling should also be tightly linked with threat intelligence: while good threat intelligence gives information about the precise techniques attackers are currently using, threat modeling focuses on reducing the attack surface proactively. Multiple sources of threat intelligence should be used, and each source should be correlated with the others.
To choose the approach that best fits your project, consider which particular areas you want to target (risk, protection, privacy), how much time you have to conduct threat modeling, and how much experience you have with it.
Threat modeling can also help security teams keep their defenses in line with emerging threats when it is performed regularly. If it is not, new threats could remain undefended, leaving systems and data vulnerable.