Skip to content Skip to navigation Skip to footer

What Is Threat Modeling?

Threat modeling involves identifying and communicating information about the threats that may impact a particular system or network. Security threat modeling enables an IT team to understand the nature of threats, as well as how they may impact the network. In addition, threat modeling can be used to analyze the dangers threats pose to applications, taking into account their potential vulnerabilities.

Aside from protecting networks and applications, threat modeling can also aid in securing Internet-of-Things (IoT) devices, as well as processes the business depends on. Because of its versatility, threat modeling provides an organization with a veritable cyber navy, protecting the company from a variety of threat vectors

The procedure for threat modeling varies depending on the system being examined. However, virtually any tech-dependent business process can benefit in one way or another. With threat modeling, the scope of threats facing a particular process or system can be narrowed down, then examined. This eliminates confusion about what the threats may be, as well as how to defend against them. Further, it gives IT teams the information they need to defend the system long before a threat impacts it.

The threat modeling process depends on a sequential series of actions. Even though they can be performed individually, they are interdependent, so executing them together provides a more comprehensive view of the threat situation. The steps tend to include:

  1. Outlining the concern you have as it pertains to a specific system, application, or process
  2. Making a list outlining the assumptions regarding the threat, which need to be verified as conditions change
  3. A concrete list of threats
  4. A list of remediation and elimination steps
  5. A way to make sure the methods of dealing with the threats are successful and still valid as the threat landscape changes

Threat Modeling Process

The thinking powering the threat modeling process can be summed up by outlining the following:

  1. The systems that could be impacted
  2. The things that could go wrong
  3. What the organization or IT team is doing to reduce the risk
  4. After steps have been taken, assessing their success or failure

Even though the types of threats being modeled invariably change with each situation, the basic process steps remain consistent. They need to involve:

  1. Building a design, network model, or application defense system that is secure
  2. Making sure resources are efficiently invested to avoid throwing money or people at a problem unnecessarily
  3. Making security a priority—even putting it ahead of short-term profitability, understanding that profits will be enhanced long-term given a safer system
  4. Keeping stakeholders informed as to how the system is developing
  5. Specifying the threats the system faces
  6. Identifying compliance requirements as they pertain to the system or application being addressed
  7. Ensuring that measures taken conform to compliance regulations
  8. Defining the necessary controls to mitigate the threat before, during, and after it has struck
  9. Building these controls and rolling them out in a transparent, clear manner for all stakeholders
  10. Assessing the risks involved with the threat management system
  11. Documenting the threats that impact the system
  12. Documenting the mitigation efforts applied to manage each threat
  13. Making sure that the goals of the business are not impacted by a threat actor or negative event
  14. Ascertaining ways to test the system to make sure it will work given the threats it is designed to protect the organization from

Threat Modeling Techniques

A key step in the threat modeling process involves decomposing an element of infrastructure or an application that may face a threat. Decomposition involves making sure you understand how the application works and how it interfaces with entities within its system, as well as those that could pose a problem. 

To do this, the application or system’s behavior needs to be understood within the context of a variety of different situations. These may include situations where users with different levels of access connect, how the system behaves while connected to different network architectures, or how the system processes different kinds of data. While examining behavior, you need to outline potential entry points and vulnerabilities, and how these change given different interactions.

For example, an IoT device may exhibit safe behavior while connected to a secure wide-area network (WAN) as the DevOps team is designing the software that controls it. However, while threat modeling this device, its behavior may leave it open to vulnerabilities when connected to the general internet. Further, if its traffic has to be managed using cloud-based processing, there may be issues with latency or packet degradation that could present other potential issues and even novel threats the team had not accounted for. 

Therefore, the way the application that controls the IoT device behaves needs to be examined in a variety of network architectures to get a full understanding of the potential threats.

To ensure nothing is missed, teams should use a diagram that outlines the flow of data. This provides them with a visual representation of how data moves in, through, and out of a system or application. It also shows how the data is changed at various stages of its processing or storage. In addition, the flow diagram displays where data is stored as it moves through the system. 

The data flow diagram makes it easier to identify trust boundaries. These show the points at which the data must be validated prior to it being allowed to enter into an entity that will use it. Returning to the IoT device example, data gathered by the device would have to flow to wherever it will be processed, whether in the cloud or on the edge. Regardless, the data will have to enter a network. The data flow diagram will outline the point at which the data will have to cross from the IoT device into the network, allowing the team to set up a trust boundary at this location. This will signal security teams to enact protections that guard the network from malicious code that a hacker could use in conjunction with the IoT device.

Threat Modeling Frameworks and Methodologies

STRIDE

STRIDE stands for spoofing, tampering, repudiation, informative disclosure, denial of service (DoS), and elevation of privilege.

  1. Spoofing is when a computer or person pretends to be something they are not
  2. Tampering refers to violating the integrity of data
  3. Repudiation interferes with the process of linking an action to the person who did it
  4. Information disclosure involves giving away sensitive information
  5. DoS makes it impossible for legitimate users to use a resource
  6. Elevation of privilege provides unauthorized access to a system or application to someone who already has a level of access

DREAD

DREAD stands for damage potential, reproducibility, exploitability, affected users, and discoverability.

  1. Damage potential outlines how much damage can result from a negative event
  2. Reproducibility determines how easy it is to replicate an attack
  3. Exploitability refers to the ease with which an actor can launch an attack
  4. Affected users involve detailing the percentage of users affected by the event
  5. Discoverability examines how easy it is to locate the vulnerability

PASTA

The acronym PASTA stems from Process for Attack Simulation and Threat Analysis. This involves seven steps:

  1. Definition of your objectives
  2. Definition of the technical scope of the project
  3. Decomposition
  4. Analysis of threats
  5. Analysis of weaknesses and vulnerabilities
  6. Attacks modeling
  7. Analysis of the risk and impact on the business

VAST

VAST refers to Visual, Agile, and Simple Threat modeling. VAST is a foundational element of a threat modeling platform called ThreatModeler. VAST integrates within workflows designed using the principles of DevOps.

Trike

Trike is an open-source framework that seeks to defend a system instead of attempting to replicate how an actor may attack it. With the Trike framework, users make a model of the application or system they are defending. You then use the acronym CRUD to see who can:

  1. Create data
  2. Read data
  3. Update data
  4. Delete data

This is studied with the aid of a data flow diagram. The threats examined include either elevations of privileges or denials of service.

OCTAVE

OCTAVE refers to Operationally Critical Threat Asset and Vulnerability Evaluation. It was designed by Carnegie Mellon University. OCTAVE requires three different phases:

  1. Building threat profiles based on specific assets
  2. Identifying vulnerabilities in the infrastructure
  3. Developing security strategies and plans

NIST

NIST refers to the National Institute of Standards and Technology, which has developed its own threat modeling system that focuses on data. NIST requires four phases:

  1. Identifying the system and outlining how it works, including how it manages the data within or dependent on it
  2. Ascertaining the applicable attack vectors the model will address
  3. Figuring out the necessary security controls to mitigate attacks
  4. Analyzing the model created to assess its effectiveness

How Fortinet Can Help

The FortiWeb web application firewall (WAF) solution enables an organization to protect their application programming interfaces (APIs) or a web application from threats. It is a valuable tool to enact security measures designed during the threat modeling procedure, specifically because it protects your company from the OWASP Top 10 list of threats, as well as others, including zero-day threats. It uses machine learning to detect behavior that is out of the ordinary. It can also tell the difference between innocent and malicious activity.

FortiGate, the Fortinet next-generation firewall (NGFW), can mitigate attacks through deep packet filtering, which examines data packets for possible threats before allowing them to enter a network or segment of it. FortiGate uses a vast database of known threats that is updated on a regular basis. Further, it uses machine learning technology to detect novel threats that have not yet been encountered.

FAQs

What is the threat modeling process?

Threat modeling involves identifying and communicating information about the threats that may impact a particular system or network. Security threat modeling enables an IT team to understand the nature of threats, as well as how they may impact the network. In addition, threat modeling can be used to analyze the dangers threats pose to applications, taking into account their potential vulnerabilities.

What are some threat modeling examples?

Some examples of threat models include STRIDE, DREAD, PASTA, VAST, OCTAVE, and NIST.

How do you make a threat model?

The threat modeling process depends on a sequential series of actions. Executing them together provides a comprehensive view of the threat situation. The steps tend to include:

  1. Outlining the concern you have as it pertains to a specific system, application, or process
  2. Making a list outlining the assumptions regarding the threat, which need to be verified as conditions change
  3.  A concrete list of threats
  4. A list of remediation and elimination steps
  5. A way to make sure the methods of dealing with the threats are successful and still valid as the threat landscape changes

What are the 4 steps of making a threat model?

The four steps of making a threat model include:

  1. Examining the systems that could be impacted
  2. Assessing the things that could go wrong
  3. Understanding what the organization or IT team is doing to reduce the risk
  4. After steps have been taken, assessing their success or failure