What is threat modeling?

October 15, 2020  |  Kim Crawley

This blog was written by an independent guest blogger.

A lot of cybersecurity terminology can sound complex and esoteric. You may hear defensive security specialists, the people who work to secure computers and their networks, talk about threat models and threat modeling a lot. So what is threat modeling? It’s actually pretty simple, and it’s a concept that can not only be applied to computer security, but also to ordinary people in our everyday lives.

Threat modeling in a nutshell

If your organization has finite resources and a limited cybersecurity budget, it's common sense to prioritize the allocation of funds and resources according to how your network is most likely to be attacked. From there, you can prioritize defending against the most costly cyber attacks over the least costly ones. Modeling threats effectively requires thorough analysis.

You must understand that there are vulnerabilities in all software, hardware, and networks. Nothing will ever be 100% secure. Your job as a cybersecurity professional is to keep your systems as secure as reasonably possible while understanding that there will always be limits, and no security hardening is ever perfect.

So threat modeling is a way of thinking and planning. Usually your blue team will focus on threat modeling when they’re at the design phase of a computer system or application. Security is a constant, everyday process. But designing a system to be more secure starts with effective threat modeling at the beginning.

What’s a threat model?

Threat models can take many, many different forms. The evolving cyber threat landscape and your imagination are the only limits. But here are a few examples of threat models, to give you an idea of what they can be.

  1. Executable malware can be bound to email attachments, such as images or documents. If your employee opens a malicious email attachment, malware could execute on their client machine! The malware could be ransomware, spyware, or conduct other malicious actions. This is a very common cyber threat in workplaces. We can mitigate this threat by doing the following:
    • Configure antivirus scanning on our email server. Email attachments must pass a scan before they can be opened.
    • Configure antivirus software that automatically updates and scans our network’s client machines within their operating systems.
    • Train employees to only open emails from senders they recognize and trust.
    • Limit user permissions to restrict what malware can do if it’s executed on a client machine.
    • Whatever you do, don’t give users administrative privileges!
  2. Our web application runs on a SQL server and contains forms that accept user input. Those web forms can be exploited to conduct SQL injection attacks. We can mitigate this threat by doing the following:
    • Avoid dynamic SQL as much as possible.
    • Design our web application with prepared statements, parameterized queries, and stored procedures instead.
    • Limit the privileges we assign to accounts that connect to our SQL database. Those accounts shouldn’t have administrative privileges. This will restrict what SQL injection attacks could possibly do.
    • Connect our web application to a WAF, a web application firewall. Carefully configure rules that can prevent the common sorts of malicious actions that a SQL injection attack can do.
    • Write error messages carefully so they don't divulge useful information about our database.
  3. If a natural disaster hits our datacenter, our company’s precious data can be destroyed and our business won’t be able to function. The types of natural disasters that can affect our location include floods and hurricanes. We can mitigate this threat by doing the following:
    • Design the building our datacenter is in so that it’s physically better protected from extreme weather conditions. If our windows and doors can be airtight and impact-resistant, this can certainly help! Ventilation should be designed with floods and hurricanes in mind.
    • Automatically back up all of the data in our on-premises network to our cloud network that's hosted in a building a thousand miles away. So if our datacenter is destroyed, our data is duplicated in a location that's unlikely to have been impacted by the same storm.
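The second threat model above contrasts dynamic SQL with prepared statements. The following added example (not code from the original post) makes that difference concrete by running both patterns against the same constructed in-memory SQLite table. The table, its rows, and the function names are assumptions made for the demonstration; the point is that a parameterized query treats whatever the user typed as a literal value, so quote characters in the input can no longer change the query's structure.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic_sql(conn, username):
    """The weak pattern: user input spliced directly into the SQL string.

    The database parses whatever the user typed as part of the query text,
    so a quote character in the input can rewrite the WHERE clause.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: a prepared statement with a bound parameter.

    The query text is fixed before the input is seen; the driver hands the
    input to the database as data, so it is only ever compared against the
    username column as a literal string.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input; return (dynamic_rows, param_rows)."""
    conn = build_db()
    try:
        return lookup_dynamic_sql(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Benign input behaves identically under both patterns.
    print(compare("alice"))
    # Input containing a quote: the dynamic query's WHERE clause is rewritten
    # and every row comes back, while the parameterized query looks for a user
    # literally named that way and returns nothing.
    print(compare("x' OR '1'='1"))
```

The parameterized version is the one to ship; the dynamic version is kept only so the two results can be compared side by side. Restricting the database account's privileges and returning generic error messages, as the list above recommends, are separate layers that this snippet does not show.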

Threat models in everyday life

You may not know it, but ordinary people engage in a type of threat modeling every day.

For example, if my apartment building is on fire, my building is designed with multiple fireproof stairwells and a robust fire detection system. If I have to escape my apartment because of a fire, I know to exit my building through a stairwell that's as far away from the fire as possible. The elevators are unsafe to use during a fire, and I know to feel doors for heat before I open them as I evacuate. If I must escape through a smoke-filled area, I know I should keep as low as possible, crawling on the floor if I must.

If I want to spray paint a table, I understand that inhaling paint fumes can be harmful, and I also don't want to get paint on my clothes or on anything else in my apartment. I will wear something that I don't mind getting paint on. I will wear vinyl gloves to protect my hands. I will go outside to do my spray painting, which will limit the risk of inhaling fumes. I will cover the ground with multiple layers of newspaper so I don't accidentally paint it.

Threat modeling concepts and methodologies

There are lots of different concepts for threat modeling in cybersecurity.

Risk analysis can determine what your pertinent cyber threats are, and how they can impact your organization.

Reduction analysis is useful when you're threat modeling a complex system, so you don't duplicate your efforts and resources. For example, if a software library has a particular vulnerability, threat model that library once rather than threat modeling the same vulnerability separately in every application you design that uses it. Likewise, if an application sends a variety of different messages over the same TLS connection, threat model the certificate and the TLS connection as a whole instead of threat modeling each type of message that travels over that connection.

There are also different methodologies for conducting threat modeling. Microsoft developed a methodology called STRIDE. The acronym stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Trike is an open source methodology. It focuses on modeling threats from a defensive perspective, rather than that of an attacker. PASTA is a risk-centric methodology with seven phases: defining objectives, defining scope, application decomposition, threat analysis, vulnerability analysis, attack modeling, and risk analysis. There are many other methodologies; those are some of the most common ones. Your organization may choose one or more methodologies according to what's most effective for your needs.

If your organization understands effective threat modeling and you design your systems securely from the very beginning, you’ll be better prepared for the rapidly evolving cyber threat landscape!
