Threat Modelling
Threat modelling is basically a structured proactive process that helps organizations identify(early enough) and understand potential threats that their software faces and also helps them find ways to address the threats. Threat modelling is beneficial to organizations in many ways. Here are a few;
- Finding threats ahead of time.
- Understanding the organization's security needs.
- Making informed decisions as regards the security of the organization.
- Improving the security posture of the organization.
ONE CONCEPT, TWO MODELS
When threat modelling, it's helpful to think through it in two ways/models; The model of the software(being threat modelled) and the model of threats against the software.
- Model of the software This model helps you to really understand the software in question and identify the data flows between different parts of the system. This is especially important because you cannot effectively find threats in a software if you don't really understand the software itself.
- Models of threats: This tells you what your threat model is i.e things that could go wrong with your software. Here, you include anything that can go wrong with your software, it could be attackers, events, or any other thing that poses a threat to the software.
These models supplement each other to achieve the goal of TM. They should both be considered to effectively threat model a software.
THREAT MODELING PROCESS
The threat modelling process comprises of four steps. Each of these steps is important to achieving our final goal of threat modelling and as such they(all the steps) should be effectively completed.
- Model of the software being built.
- Finding threats.
- Addressing the threats found.
- Checking your work for effectiveness and completeness.
MODEL OF THE SOFTWARE
This is the first and a very important stage of the threat modelling process. This step focuses on helping you gain a thorough understanding of the system (how it works, the trust boundaries, the dataflows between different parts of the system, data entry points and data exit points.) by breaking down and evaluating the system with the use of a data flow diagram. This step is especially important because you cannot effectively find threats in a software if you don't really understand the software itself.
FINDING THREATS IN THE SOFTWARE
A thorough understanding of the system/software would help you uncover threats easily. There are various methods to find threats in a software but for the purpose of this article we would only be looking at the STRIDE methodology. STRIDE is an acronym for six common threats(spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.) created in the 1990s by Praerit Garg and Loren Kohnfelde( engineers at Microsoft) to help provide a guide/baseline of what kind of threats to look out for in a software.
STRIDE THREATS
- Spoofing: Spoofing is a cyber attack in which an attacker impersonates a legitimate or trusted entity in order to trick the victim into divulging/giving out sensitive information. Spoofing violates the security property of authentication. Spoofing can occur through mail, text messages and can be more technical- IP spoofing, ARP spoofing, MITM attacks etc.
- Tampering: Tampering is an attack against the security property of integrity. It refers to any unauthorized alterations or deletion of data. Examples of tampering attacks are Cookies tampering, URL query strings tampering, HTTP Headers tampering etc.
- Repudiation: Repudiation is an attack against non-repudiation. It refers to the denial of the involvement in an activity. It might be true or false, keeping and protecting logging technologies would help verify and validate actions that might have occurred.
- Information disclosure: Information disclosure violates the security property of Confidentiality. It occurs when information and information systems are not well protected thereby giving room for an attacker to cause a breach and steal sensitive information.
- Denial of service: Denial of service is a cyber attack against the security property of availability. It occurs when an attacker sends multiple requests to a host in order to overwhelm and exhaust its resources causing it to become unavailable to legitimate users either temporarily or permanently.
- Elevation of privilege: This involves the unauthorized escalation of rights/ privilege beyond what is intended for a user. The elevation of privilege threat violates the security property of authorization.
ADDRESSING THREATS
This step/stage of the threat modelling process is usually a very delicate one as you have to make careful decisions regarding the best ways to address each threat found and as such at this stage, your thoughts on how attacks work and what mitigations to use should not be fixed.
It is beneficial to employ the risk management approach when addressing threats. The approach takes a deeper dive into reviewing the threats found and helping you really understand the level and impact of the security risks. With this approach, you get to make best/informed decisions about the way to go about addressing threats.
Risk management strategies;
- Avoiding threats: This is done by completely getting rid of the root cause of the threat. E.g If a feature of a software is a threat then you could avoid that threat by removing the feature or by redesigning that feature.
- Accepting threats : Here, the risk is accepted. This approach is best suitable when the probability of the threat occurring is low and its impact is minor regardless of how often it occurs. Accepting risks is a very delicate decision, a wrong decision in this aspect can have catastrophic effects on the organisation's security and so it is helpful/advisable to recheck and be sure that regardless of any circumstance in the future, the probability of the threat occurring remains low and its impact remains minor.
- Transferring threats: This involves passing down the security risk to a third party. For example, security risks transferred to customers/end users are mostly stated in policies, license agreements, or terms and conditions of a product.
- Mitigating threats: This is done by implementing necessary security controls to prevent/lower the possibility of the threat occurring.
Mitigating STRIDE threats;
- Spoofing can be mitigated by the use of cryptographic network protocols(HTTPs, IPSEC etc), the use of authentication technologies(password, PIN, MFA, etc), and by implementing filtering on both inbound and outbound traffic.
- Tampering can be mitigated by implementing permissions on file systems and ACLs across the network. It can also be mitigated by the use of cryptographic mechanisms(hashes and signatures) and the use of secured protocols like SSH, SSL, IPSEC etc.
- Repudiation can be mitigated by implementing the use of logging technologies and protecting its storage.
- Information disclosure can be mitigated by the encryption of data and by implementing ACLs/permissions on the system. The use of technologies like steganography, Virtual Private Network(VPN), etc are also useful to protect the fact of communication.
- Denial of service can be mitigated by filtering traffic, increasing bandwidth, and by rate limiting.
- Elevation of privilege threat can be mitigated by the use of access controls, the use of authentication techniques like Multi-factor authentication(MFA), and implementation of the principle of least privilege.
NOTE: Just because there is a mitigation in place doesn't mean an attacker would stop. Attackers are tricky and the moment they find out that a method is not working for them, they try other ways(so don't think they'd stick to only the methods in your head) and mind you, you'd have more than one attacker trying to infiltrate and cause harm from different parts of your system, so make sure to defend everywhere. Leave no stone unturned! After having mitigated the threats you found during your threat modelling process, also set mitigations to address attacks against your already put mitigations(more like a countermeasure).
CHECKING YOUR WORK FOR COMPLETENESS AND EFFECTIVENESS
After having reviewed and addressed threats, it is important to test your fixes and ensure that everything from your diagram to your mitigations have been successfully and effectively completed. The following can help in validating your work;
- Check your diagrams
- Test your fixes.
- Make use of checklists to track and ensure that all threats have been successfully mitigated.
Tip: If during the development stage of your software, you acquired some part of the code used to develop your software or the entire code of your software from outside then it is advisable to check for standard mitigations that might have been put out there by the original developers or creators of the software. This is reasonably better than adopting new mitigation strategies because, unlike new strategies, the already implemented standard mitigation processes must have been subjected to a high level of testing.
SOME THREAT MODELLING TOOLS
Microsoft SDL threat modelling tool.
Threat modeller (myappsecurity.com)
-Elevation of Priviledge game(EoP), etc.
CONCLUSION
“All models are wrong, some models are useful.”- George Box. This quote by George Box speaks volumes. There is no wrong or right model. Different models work for different cases. The focus should be on finding a useful model that works best for your case and helps you discover security threats against your software.
Threat modelling is packed with lots of benefits. Organizations should strive to implement threat modelling early enough i.e during the development stage of the system/software, this(threat modelling), when done appropriately, not only secures the product but also saves the organization resources and money in the long run.
REFERENCE
Threat modelling, designing for security - Adam Shostack
Subscribe to my newsletter
Read articles from Veronica Peters directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by