What is a Threat?
In information security, a threat is any actor or event that can cause potential harm to an
information system asset.
Overview of Threat Modeling
Developing a threat model is the process of mapping the specific, unique threats to your
organization and the methods used to attack any information technology asset or collection of assets.
The two primary goals of threat modeling are:
- Provide a clear perspective of assets, threats, and possible attacks to facilitate discussions regarding risk management decisions and practices
- Discover and evaluate gaps in security controls at the application, system, infrastructure, and enterprise levels
The concept of conducting threat modeling exercises has been around for as long as distributed
information systems have been used to process data. Since the inception of the idea there
have been various methodologies that solve a specific problem, but may not scale to an enterprise level,
are not applicable outside of the Software Development Lifecycle (SDLC), or are not repeatable.
An effective threat modeling process addresses these issues and can be applied to both
information technology operations and software development. The Threat Model reflects the fact
that different technology teams face different threats. Our model can be tailored to individual
stakeholders throughout an organization to reflect their areas of responsibility. This capability allows for
the entire organization to work in concert to evaluate the threats to the enterprise and develop strategies
to address those risks.
Asset Analysis
Threat models must begin with the identification of the most critical assets. This is known as the
Crown Jewel Analysis. Your organization's mission is dependent on the confidentiality, integrity,
and availability of these assets. These assets must be protected and have their risk exposure limited.
By understanding what is critical to your organization, we can identify the dependencies and the threats
you face.
Assets include two major elements:
1. Business Assets, which are data, components, or functionality that are essential for the business
mission of the system.
2. Security Assets, or data, components, or functionality that are of special interest to an attacker.
They may not always be the same.
Define the Attack Surface
The next step is to create a comprehensive map of the components of the application, system, or
environment that contain, communicate with, or otherwise provide some form of access to the assets.
The communication flows between the assets and the components are integral to determining the
attack surface. The attack surface will help define the boundaries, scope, roles and responsibilities
in the threat model.
Information including devices, interfaces, libraries, protocols, functions, and APIs is collected and
used to complete the picture of the attack surface. Existing security controls and services are captured
to outline their effectiveness.
Mapping Threats and Attacks
Threat mapping begins with determining the sources of attack and their motivation. Disgruntled
employees, state actors, and random script kiddies are all examples of potential threats to your system.
Each threat actor can have different skillsets, resources, and objectives and must be accounted for when
developing the model.
Documentation of the attack surface provides the source material of the next phase: mapping the paths
of attack. Through our understanding of the system components and functionality, we are able to
envision attacker tools and techniques applied to abuse the system. The attack surface depicts the
pathways of an attacker and allows visualization of multiple attack methods.
Threat and attack mapping is a sophisticated skill. It requires an understanding of an attacker’s
mindset and deep knowledge of attack methodologies.
Threat Analysis
After discovery of the system is complete and the threat actors have been detailed, the analysis phase
follows, in which the risk of each attack vector is quantified in a manner that allows stakeholders to
understand the potential for real damage to your organization.
The results of the analysis phase allow your organization to make decisions that maximize the
effectiveness of the security devices (such as firewalls, intrusion detection systems, and spam filters)
and procedures that mitigate threats and attacks. The DREAD Method is a simple, extensible model
that allows for comparing and ranking risks in an easy-to-understand manner.
Damage - How bad would an attack be?
Reproducibility - How easy is it to reproduce the attack?
Exploitability - How much work is it to launch the attack?
Affected Users - How many people will be impacted?
Discoverability - How easy is it to discover the threat?
Each category is assigned a value between 0 and 10, 0 reflecting no risk/damage, while 10 is
maximum risk/damage. The DREAD formula is:
Risk = (D + R + E + A + D) / 5
The values that are derived by DREAD allow your organization to focus its energy on the
most vulnerable portion of your information systems and prioritize your efforts on implementing
controls to reduce risk.
Risk = Probability x Impact
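The following worked example, added here and not part of the original text, scores a few constructed attack vectors with the DREAD formula above, rejects scores outside the 0 to 10 scale, and ranks the vectors so the highest risk comes first. The probability x impact view is computed under an assumed split of the five categories (reproducibility, exploitability and discoverability as probability; damage and affected users as impact); that split is the example's own assumption, not something the text defines.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DreadRating:
    """One attack vector scored on the five DREAD categories (each 0-10)."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Enforce the 0-10 scale; an out-of-range score is a data-entry error, not a risk
        for field in ("damage", "reproducibility", "exploitability",
                      "affected_users", "discoverability"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {field}={value!r} must be an int in 0..10")

    def dread_risk(self) -> float:
        # Risk = (D + R + E + A + D) / 5, the DREAD formula as given in the text
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5

    def probability_times_impact(self) -> float:
        # Assumed split (not from the text): R, E and Discoverability describe how likely
        # an attack is; Damage and Affected Users describe its impact. Both scaled to 0..1.
        probability = mean((self.reproducibility, self.exploitability, self.discoverability)) / 10
        impact = mean((self.damage, self.affected_users)) / 10
        return probability * impact


def rank_by_dread(ratings):
    """Highest DREAD score first: the top of the list is where controls are applied first."""
    return sorted(ratings, key=lambda r: r.dread_risk(), reverse=True)


# Constructed sample attack vectors for an imaginary order-processing application
SAMPLE = [
    DreadRating("SQL injection in order search", 8, 9, 7, 9, 8),
    DreadRating("Insider export of customer list", 9, 5, 6, 10, 3),
    DreadRating("Verbose stack trace on error page", 3, 10, 10, 2, 10),
]

if __name__ == "__main__":
    for r in rank_by_dread(SAMPLE):
        print(f"DREAD {r.dread_risk():4.1f}  P x I {r.probability_times_impact():.2f}  {r.name}")
```

Note that the two formulas can disagree: the stack-trace leak outranks the insider export on the DREAD average, while the probability x impact view puts the insider export higher because its impact dominates.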
Effective Defense
The goal of threat modeling is to select the proper controls to address identified threats.
System and software designers often choose security controls from a well-known best practice list,
such as antivirus software, firewalls, input validation, etc. However, the implementation of controls
without a threat model can lead to security holes since not all threats have been directly addressed.
Even the best practice controls, if configured generically, do not address the unique threats faced by
each organization's unique environment.
Without appropriate threat modeling, security controls and procedures can be ineffective because they
do not address the unique threats facing the organization. This approach to threat modeling uncovers
any technological, process, or organizational gaps in security controls and allows for enhanced risk
management practices that align to the mission of your organization.