threat modelling and its uses
Threat modelling is a process used to identify potential threats to a system and to decide how to protect against them. A threat model ranks the threats that pose the greatest risk and proposes measures to address them.
In practice, threat modelling combines visual models of the system, testing, and a plan of the steps needed to prevent or mitigate those threats. As more of our critical infrastructure depends on cloud architecture and networks, more resources need to be invested in protecting it.
why is threat modelling important?
Threat modelling helps identify potential risks and the assets they affect, which allows organisations to stay proactive and address those risks before they are exploited. It also lets an organisation prioritise assets based on the cost of protecting them and their value to the business.
Alignment with compliance frameworks is crucial to building trust with clients. A documented threat model helps an organisation become certified through a third-party audit or align with international security standards and compliance frameworks such as NIST (National Institute of Standards and Technology) guidance, PCI DSS and ISO/IEC 27001.
methodologies
Attack-centric threat modelling
Attack-centric threat modelling is a methodology that focuses on identifying and analysing potential attack paths through a system. Where traditional threat modelling starts from a catalogue of vulnerabilities, the attack-centric approach takes the attacker's perspective: the modeller assumes the role of an adversary, asks how the system's weaknesses could be exploited, and prioritises threats by the impact they would have on the system rather than by the individual vulnerabilities involved.
System-centric Threat Modelling
System-centric threat modelling analyses the system architecture first, and only then the potential threats and their impact against it. It is a structured approach that helps organisations understand how threats might exploit the system's design and implementation. It begins by identifying the critical assets that need to be protected, such as data, systems and applications, and then identifies the threats that could compromise those assets, such as unauthorised access, data breaches and denial-of-service attacks.
Both provide a structured approach to identifying and mitigating threats. Attack-centric threat modelling builds the model from the attacker's perspective, while system-centric threat modelling takes a more holistic view of the whole system and focuses on its architecture.
practical threat modelling
How do we know which threat modelling approach to use? It depends on the size of the system, the impact of a data breach, the risks and threats common to the organisation's industry, and the financial resources available compared with the financial impact of damage to the system.
There are several threat modelling frameworks we can implement to design a threat model for our organisation:
Attack trees:
The key element of an attack tree is the root node, which represents the attacker's overall goal, such as stealing data or escalating privileges in a system. The child nodes represent the attack steps and sub-steps that must be performed for the attacker to reach that goal.
The benefit of attack trees is that they give a clear visualisation of the potential attack paths, which also lets us prioritise the vulnerabilities that are most critical.
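As an added illustration (not part of the original text), here is a small Python model of an attack tree with AND/OR nodes: it finds the attacker's cheapest path to the root goal and shows how raising the cost of one step, which is how a mitigation appears in the tree, moves the cheapest path elsewhere. The tree, the step names and the cost figures are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One attack-tree node. Leaves carry an estimated attacker cost (arbitrary units,
    constructed here); inner nodes combine children with AND (all needed) or OR (any one)."""
    name: str
    op: str = "LEAF"            # "AND", "OR" or "LEAF"
    cost: float = 0.0
    children: list["Node"] = field(default_factory=list)

def cheapest(node: Node) -> tuple[float, list[str]]:
    """Minimum total cost to reach this node, with the leaf steps that achieve it."""
    if node.op == "LEAF":
        return node.cost, [node.name]
    paths = [cheapest(c) for c in node.children]
    if node.op == "AND":
        return sum(p[0] for p in paths), [step for p in paths for step in p[1]]
    return min(paths, key=lambda p: p[0])   # OR: first cheapest branch wins ties

def harden(tree: Node, leaf_name: str, new_cost: float) -> None:
    """Model a mitigation by raising the cost of one leaf step, in place."""
    if tree.op == "LEAF" and tree.name == leaf_name:
        tree.cost = new_cost
    for child in tree.children:
        harden(child, leaf_name, new_cost)

def build_example_tree() -> Node:
    """Constructed tree for the root goal 'read the customer database'."""
    return Node("Read the customer database", "OR", children=[
        Node("Exploit an application flaw", "AND", children=[
            Node("Discover an input-validation flaw", cost=4),
            Node("Turn the flaw into data access", cost=3),
        ]),
        Node("Log in with a DBA account", "OR", children=[
            Node("Phish a DBA for credentials", cost=2),
            Node("Reuse a leaked password", cost=5),
        ]),
        Node("Read an unprotected backup", "AND", children=[
            Node("Locate the backup storage", cost=6),
            Node("Backup is stored unencrypted", cost=1),
        ]),
    ])

def demo() -> tuple[tuple[float, list[str]], tuple[float, list[str]]]:
    tree = build_example_tree()
    before = cheapest(tree)                          # cheapest path as modelled
    harden(tree, "Phish a DBA for credentials", 9)   # e.g. MFA on DBA accounts
    harden(tree, "Reuse a leaked password", 9)       # same control covers this leaf
    return before, cheapest(tree)                    # cheapest path after mitigation
```

Before hardening the cheapest route is the credential branch; after it, the application-flaw branch becomes the next thing to prioritise, which is the ranking the text describes.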
STRIDE
STRIDE is an acronym developed by Microsoft to identify threats to its products. It stands for:
Spoofing - Pretending to be an authorised user to gain unauthorised access.
Tampering - Modifying data in a system without authorisation.
Repudiation - An attacker denies responsibility for an action, whether or not the denial is true.
Information disclosure - An attacker or user leaks information they are not authorised to disclose.
Denial of service - Overloading a server or overwhelming a service so that legitimate users cannot access it.
Elevation of privilege - An attacker gains access to a system with higher (for example administrative) privileges.
By considering these six threat categories an organisation can classify potential threats and decide how to respond to them.
PASTA
Process for Attack Simulation and Threat Analysis (PASTA) is a threat modelling methodology that focuses on simulating attacker behaviour to identify vulnerabilities and potential attack paths. PASTA uses other attack-mapping techniques such as attack trees along the way. PASTA follows seven steps:
Identify assets and objectives, and determine which are most critical.
Define potential threats and how they relate to the system architecture.
Diagram the system architecture and how its components depend on each other.
Simulate attack scenarios to understand how an attacker might exploit the system.
Map the impact of each scenario: what is the potential impact on the system?
Develop attack trees.
Analyse risks and develop measures to prevent or mitigate them.
CVSS
CVSS (Common Vulnerability Scoring System) assigns a numeric score to each vulnerability, giving a standardised language for describing their severity. CVSS is not strictly a threat modelling methodology, but it is a tool used within threat modelling: we can use CVSS scores to prioritise threats by severity and then create strategies to mitigate them.
VAST
VAST (Visual, Agile and Simple Threat modelling) is another system-centric form of threat modelling. It focuses on identifying and assessing vulnerabilities in a system's architecture, design and implementation, addressing the most critical vulnerabilities first based on their potential impact and likelihood of exploitation. VAST breaks enterprise threat modelling into several steps: asset identification, threat identification, vulnerability identification, risk assessment, mitigation planning and testing.
general steps
Identify assets
These can include customer/client account data, intellectual property, and a functioning system with access to its files.
Diagram and visualise system architecture
This step involves creating flow charts, attack trees, diagrams or any other visual representation of the system architecture to identify weak points, potential vulnerabilities, possible attacks and their likely origins.
Analyzing Threats
Use the threat modelling methods described above to analyse threats: draw out the possible attacks and what would happen if they succeeded. Quantify each threat: is it worth preventing, and is prevention cost-effective? In this step we can also simulate threats through penetration testing to find out how an attacker would compromise the system.
Risk Management and Prioritization
This is the step where we consider stakeholder input. We weigh risk against cost again and decide whether the proposed solutions are really beneficial to the organisation, and which potential threats to prioritise in order to protect functionality and data.
Identify Fixes
This is the step where practical actions are taken: which small changes can we make first to protect the system, and which big changes will we invest in? Fixes can include staff training, multi-factor authentication, and least-privilege or role-based access control.