Threat modeling
- What is threat modeling?
- What are the business values?
- Who does Threat Modeling and when?
- Typical challenges with Threat Modeling
- Threat Modeling with securiCAD
Mathias Ekstedt
Co-founder of Foreseeti and Professor in cyber security at KTH Royal Institute of Technology
What is Threat Modeling?
While there is not one exact industry-wide definition, Threat Modeling can be summarized as a practice to proactively analyze the cyber security posture of a system or system of systems. Threat Modeling can be conducted both in the design/development phases and for live system environments. It is often referred to as Designing for Security. In short, Threat Modeling answers questions such as “Where am I most vulnerable to attacks?”, “What are the key risks?”, and “What should I do to reduce these risks?”.
More specifically, Threat Modeling identifies cyber security threats and vulnerabilities and provides insights into the security posture, and what controls or defences should be in place given the nature of the system, the high value assets to be protected, the potential attackers’ profiles, the potential attack vectors, and the potential attack paths to the high value assets.
Threat Modeling can consist of the following steps:
1. Create a representation of the environment to be analyzed
2. Identify the high value assets, the threat actors, and articulate risk tolerance
3. Analyze the system environment from potential attackers’ perspective:
- How can attackers reach and compromise my high value assets? I.e. what are the possible attack paths by which attackers can reach and compromise my high value assets?
- Which of these paths are easier and which are harder for attackers?
- What is my cyber posture – how hard is it for attackers to reach and compromise my high value assets?
4. Identify potential measures to improve security to acceptable/target levels
5. Identify the potential measures that should be implemented – the most efficient ways for your organization to reach acceptable/target risk levels
Why Threat Model – The Business Values
- Identify and manage vulnerabilities and risks before they are implemented and exploited
- Before implemented: Threat Modeling enables companies to “shift left” and identify and mitigate security risks already in the planning/design/development phases, which is often 10x, 100x or even more cost effective than fixing them in the production phase.
- Before exploited: As rational and effective cyber defenders we need both proactive and reactive cyber capabilities. Strengthening security proactively, before attacks happen, has clear advantages. However, it also comes with a cost. Effective Threat Modeling enables the user to make risk-based decisions on what measures to implement proactively.
- Prioritize security resources to where they create the best value
- One of the key challenges in managing cyber security is to determine how to prioritize and allocate scarce resources to manage risks with the best effect per dollar spent. The process for Threat Modeling, presented in the first section of this text, is a process for determining exactly this. When done effectively, it takes into consideration all the key factors guiding rational decision making.
Who does Threat Modeling and When?
On the question “Who should threat model?” the Threat Modeling Manifesto says “You. Everyone. Anyone who is concerned about the privacy, safety, and security of their system.” While we do agree with this principle in the long term, we want to nuance the view and highlight the need for automation.
Threat Modeling in development:
This is the “base case” for Threat Modeling. Threat modeling is typically conducted from the design phase and onward in the development process. It is rational and common to do it more thoroughly for high criticality systems and less thoroughly for low criticality systems. Threat modeling work is typically done by a combination of development/DevOps teams and the security organization.
More mature organizations typically have more of the work done by the development/DevOps teams, while less mature organizations rely more on support from the security organization.
Threat Modeling of live environments:
Many organizations also do threat modeling on their live environments, especially for high criticality systems. As with Threat Modeling in development, organizations have organized the work in different ways. Here, the work is typically done by a combination of operations/DevOps teams and the security organization. Naturally, it is advantageous when Threat Models fit together and evolve over time from development through operations and DevOps cycles.
Typical Challenges with Threat Modeling
Threat Modeling can create all these truly great values. So how come it is today typically conducted by the most security aware companies only? Why doesn’t everyone threat model? One part of the answer is that threat modeling is complex. Conducting Threat Modeling analyses at a valuable level of detail requires a high level of expertise – in security and IT – as well as very strong computational capacity for conducting highly complex attack path analyses.
The other part of the answer is that Threat Modeling has until today typically been conducted manually. Conducting Threat Modeling manually requires significant skills, is subject to the analyst’s personal bias, and requires significant time if doing anything more than just a very high-level analysis.
Another way of putting this is that users can benefit hugely from improved tooling. We today have a number of different frameworks available that guide the modeler. These serve as good checklists. But what in our view is the core work – the attack path analyses, the risk analyses, and the risk mitigation effectiveness analyses – still needs to be conducted manually, which is a huge task in any system of significant size. Hence, it is to date only the most security aware companies that conduct threat modeling. And many companies conducting threat modeling do it at a high level only, which creates just a very small part of the value.
Threat Modeling with securiCAD
securiCAD is the leading tool for Automated Threat Modeling and Attack Simulations. securiCAD does the “heavy lifting” in Threat Modeling for you, conducts the advanced attack path analyses, the risk analyses, and the risk mitigation effectiveness analyses and provides you and your organization with the key insights to take pin-pointed, highly effective risk mitigation actions when needed.
Automated Model Generation.
Generate a digital twin model of your environment by importing data from your available data sources – configs, vulnerability scans, firewall rules etc. Or create an infrastructure model of the system environment you are planning to build. securiCAD then automatically creates the attack graph threat model based on your infrastructure model.
Automated Attack Simulations!
This is the very core strength of securiCAD. When the model has been created, securiCAD conducts attack simulations on the model. The virtual attacker tries all potential means to reach and compromise the high value assets in the model. It identifies the potential paths that an attacker can use to reach the high value assets. It provides insights into your cyber posture – how hard it is for attackers to reach your high value assets, and which paths are easier and which are harder for the attacker to pursue. And based on the simulations, the tool suggests risk mitigation actions and enables the user to identify the most effective measures to improve their security levels when needed.
Actionable Insights.
The results from the attack simulations are provided in a report with actionable insights. In essence answering the key questions: “Where am I most vulnerable to attacks?”, “What are the key risks?”, and “What should I do to reduce these risks?”. This highly innovative approach, that is solidly founded upon +100 person years of advanced R&D, creates a step change improvement for companies.
The level of automation is a game changer
Threat Modeling, a practice that can be the most efficient way of managing your cyber security posture and reducing cyber risk, is now available to more or less everyone! And it ties together Threat Modeling, which is often connected to development, with Attack Simulations, which are conducted in operations phases, providing a unified approach for DevOps, integrated in CI/CD pipelines.
The attack-graph-based simulations are another game changer.
They provide the context and insights needed to prioritize vulnerabilities, risks and mitigations in a truly meaningful way. As an illustrative example: a specific vulnerability might have the highest CVSS score but not be rational to address. Instead, it might be a combination of access rights and some lower scored vulnerabilities that has the highest priority. Attack graph simulations enable you to identify the critical paths and to find the pin-pointed actions that create the highest risk mitigation effect in your specific environment.
Lists of cyber security “best practices” with more generic and blunt guidelines are no longer good enough. They cause overspending in lower risk areas and underspending in high-risk areas. Attack graph-based simulations enable the insights needed for pin-pointed risk mitigation actions where they create the best effect. Whether that may be identifying and pin-pointing a misconfiguration of access rights in a cloud environment or an advanced combination of zero-days in a fighter jet.
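As an added illustration of the attack-path and mitigation-ranking reasoning in steps 3 to 5 of the process above and in the prioritization example in this section: the script below is example code written for this text, not securiCAD’s model, algorithm or output. It builds a small constructed attack graph, finds the easiest path from the attacker’s entry point to the high value asset with Dijkstra’s algorithm over per-step effort scores, and then ranks candidate mitigations by how much each one raises the effort of that easiest path. All asset names, effort scores, CVSS values and mitigation names are constructed for the example; real attack simulation tools model time-to-compromise with probability distributions rather than a single additive effort score.

```python
import heapq
import math
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]
Graph = Dict[str, Dict[str, float]]

# Constructed attack graph: each step is an edge from the asset the attacker
# already holds to the asset it reaches, with an effort score (higher = harder)
# and a short description. Effort values and CVSS scores are made up.
ATTACK_STEPS: Dict[Edge, Tuple[float, str]] = {
    ("internet", "web_server"): (2.0, "medium-severity web vuln (CVSS 5.3)"),
    ("web_server", "app_server"): (1.0, "shared service account with excessive rights"),
    ("app_server", "db_server"): (1.0, "database credentials stored in app config"),
    ("internet", "admin_workstation"): (9.0, "critical vuln (CVSS 9.8), only reachable after VPN + MFA"),
    ("admin_workstation", "db_server"): (1.0, "workstation holds a DBA session"),
}

# Candidate mitigations (constructed): edge -> new effort, or None to remove the step.
MITIGATIONS: Dict[str, Dict[Edge, Optional[float]]] = {
    "patch_workstation_cvss_9_8": {("internet", "admin_workstation"): 12.0},
    "patch_web_server_cvss_5_3": {("internet", "web_server"): 6.0},
    "least_privilege_service_account": {("web_server", "app_server"): None},
    "vault_db_credentials": {("app_server", "db_server"): 5.0},
}


def build_graph(steps: Dict[Edge, Tuple[float, str]],
                overrides: Optional[Dict[Edge, Optional[float]]] = None) -> Graph:
    """Turn the step table into an adjacency map, applying a mitigation's overrides."""
    graph: Graph = {}
    for (src, dst), (effort, _desc) in steps.items():
        if overrides and (src, dst) in overrides:
            new_effort = overrides[(src, dst)]
            if new_effort is None:  # the mitigation removes this attack step entirely
                graph.setdefault(src, {})
                graph.setdefault(dst, {})
                continue
            effort = new_effort
        graph.setdefault(src, {})[dst] = effort
        graph.setdefault(dst, {})
    return graph


def easiest_path(graph: Graph, source: str, target: str) -> Tuple[float, List[str]]:
    """Dijkstra over effort: least total effort to reach target. (inf, []) if unreachable."""
    best: Dict[str, float] = {source: 0.0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[float, str]] = [(0.0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, math.inf):
            continue  # stale heap entry
        if node == target:
            path = [node]
            while path[-1] != source:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        for nxt, effort in graph.get(node, {}).items():
            new_cost = cost + effort
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    return math.inf, []


def rank_mitigations(steps: Dict[Edge, Tuple[float, str]],
                     mitigations: Dict[str, Dict[Edge, Optional[float]]],
                     source: str, target: str) -> List[Tuple[str, float, float]]:
    """Re-run the easiest-path analysis per mitigation; return (name, new_effort, gain), best first."""
    base, _ = easiest_path(build_graph(steps), source, target)
    results = []
    for name, overrides in mitigations.items():
        new_effort, _ = easiest_path(build_graph(steps, overrides), source, target)
        results.append((name, new_effort, new_effort - base))
    results.sort(key=lambda r: (-r[2], r[0]))
    return results


if __name__ == "__main__":
    effort, path = easiest_path(build_graph(ATTACK_STEPS), "internet", "db_server")
    print(f"Easiest path (effort {effort}): {' -> '.join(path)}")
    for name, new_effort, gain in rank_mitigations(ATTACK_STEPS, MITIGATIONS, "internet", "db_server"):
        print(f"{name:35s} easiest path effort {new_effort:5.1f}  gain {gain:+.1f}")
```

In this constructed environment the step with the highest CVSS score (the 9.8 on the admin workstation) sits on a path that is already expensive for the attacker, so patching it yields no improvement to the easiest path, while removing the excessive service-account rights, a configuration issue with no CVSS score at all, is the single most effective action. That is exactly the kind of ordering a checklist of generic best practices cannot produce.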
Selection of useful Threat Modeling references:
Initiative: Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org
Wikipedia: https://en.wikipedia.org/wiki/Threat_model
OWASP: https://owasp.org/www-community/Application_Threat_Modeling
Microsoft: https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
CSO Online: https://www.csoonline.com/article/3537370/threat-modeling-explained-a-process-for-anticipating-cyber-attacks.html
About Foreseeti
Foreseeti is a leading provider of Automated Cyber Threat Modeling and Attack Simulation Solutions.
Our flagship products, the securiCAD solutions, empower IT decision makers with insight to the cyber risk exposure and resilience of their IT architectures, uncovering critical paths to high value assets and weak spots in the architecture so that proactive actions can be taken where they really matter.
Our solutions are used around the globe by a broad audience, including national and multi-national companies and organizations, critical infrastructure operators, leading consulting firms, and other companies for whom cyber security is truly important. We have certified partners around the globe and are proud to be an AWS Select Partner.
Let Foreseeti show you how the Security Organization can lead transformation.