Setting up a threat model involves identifying security objectives, decomposing the application, determining and ranking threats, and implementing countermeasures. This systematic approach helps mitigate security risks and enhance the overall security posture of applications.
In the first part of this series, we saw an overview of the threat modeling process. In this post we’re going to dig into details of each of the steps to learn how it works.
Security specific objectives are a subset of project objectives, and we should use them to guide our threat modeling efforts. We may find it helpful to think of security objectives in terms of constraints. Consider the question, “What do you not want to happen?” For example, an attacker must not be able to get customer data.
By identifying our key security objectives, we can determine where to focus our efforts. It also helps to understand goals of potential attackers and concentrate on those areas of applications that require closer attention. If we identify customer account details as sensitive data that needs protecting, we can examine how securely data is stored and how access to the data is controlled and audited.
To determine security objectives, consider following questions:
The goal of this step is to gain an understanding of the application and how it interacts with external entities. This is achieved by information gathering and documentation. The information gathering process is carried out using a clearly defined structure, which ensures the correct information is collected.
It has the below components:
Information identifying the threat model typically includes the the following:
Identify your applications roles: Identify who can do what within your application. What can your users do? What higher privileged group of users do you have?
Identify what is supposed to happen and what is not.
What are the important features of an application? What does it do? Start with the application’s use cases to derive this information. Identify dominant application functionality and usage and capture CRUD aspects.
It helps identifying technology specific threats and also helps determine the correct mitigation technique.
External dependencies are items external to the code of the application that may pose a threat to the application. These items are typically still within the control of the organization, but possibly not within the control of the development team.
Entry points define the interfaces through which potential attackers can interact with the application or supply it with data. In order for a potential attacker to attack an application, entry points must exist. Entry points in an application can be layered. For example, each web page in a web application may contain multiple entry points.
Exit points prove useful when attacking the client: for example, cross-site-scripting vulnerabilities and information disclosure vulnerabilities both require an exit point for the attack to complete.
In many cases threats enabled by exit points are related to the threats of the corresponding entry point. In the login example, error messages returned to the user via the exit point (the login page) might allow for entry point attacks, such as account harvesting (e.g. username not found), or SQL injection (e.g. SQL exception errors).
Assets are essentially targets for attackers, i.e. they are the reason threats will exist. Assets can be both physical assets and abstract assets.
Trust levels represent the access rights that the application will grant to external entities. The trust levels are cross-referenced with the entry points and assets. This allows us to define the access rights or privileges required at each entry point, and those required to interact with each asset.
The focus of the DFDs is on how data moves through the application and what happens to the data as it moves. DFDs are hierarchical in structure, so they can be used to decompose the application into subsystems and lower-level subsystems. The high-level DFD will allow us to clarify the scope of the application being modeled. The lower level iterations will allow us to focus on the specific processes involved when processing specific data.
The first step in the determination of threats is adopting a threat categorization. A threat categorization provides a set of categories with corresponding examples so that threats can be systematically identified in the application in a structured and repeatable manner.
A threat categorization such as STRIDE is useful in the identification of threats by classifying attacker goals such as:
A prerequisite in the analysis of threats is the understanding of the generic definition of risk. Risk is a potential for loss determined by two factors: the likelihood, or probability, that an attack will occur; and the potential impact, or cost, of such an attack occurring. Risk is calculated as:
Threats can be ranked from the perspective of risk factors. By determining the risk factor posed by the various identified threats, it is possible to create a prioritized list of threats to support a risk mitigation strategy, such as prioritizing the threats to be mitigated first. Different risk factors can be used to rank threats as High, Medium, or Low risk. In general, threat risk models use different factors to model risks.
In the Microsoft DREAD risk assessment model, risk factorization allows the assignment of values to the different influencing factors of a threat. This provides a subjective process to rank threats. To determine the ranking of a threat, the threat analyst answers questions for each factor of risk, for example:
A generic risk model considers risk as a calculation. Recall that risk is determined by the likelihood of an attack and the impact of that attack:
(Probability that threat occurs) x (Cost to organization)
The likelihood, or probability, can be determined by the ease of exploitation. This depends on the type of threat and the system characteristics, as well as considers any countermeasures that may already be in place.
The following is a set of considerations for determining ease of exploitation:
The impact mainly depends on the damage potential and its extent, such as the number of components that may be affected by a threat.
Questions to help determine the damage potential are:
Questions to help determine the number of components that are affected by a threat:
These examples help in the calculation of the overall risk values by assigning qualitative values such as High, Medium and Low to the likelihood and impact factors. In this case, using qualitative values, rather than numeric ones like in the case of the DREAD model, help avoid the ranking becoming overly subjective.
The purpose of countermeasure identification is to determine if there is some kind of protective measure (e.g. security control, policies) that can prevent a threat from being realized. Vulnerabilities are then those threats that have no countermeasures.Once threats and corresponding countermeasures are identified, it is possible to derive a threat profile with the following criteria:
Creating a report is very undermined but a very important part of any security activity that we carry out, it helps summarize the threat identified in the process, mitigation, affected assets,impact etc to higher management and hence draw attention towards security centric approach.
We've explored the threat modeling process from a high level and from a detailed perspective. By implementing this process you will be able to reduce the overall risk posture of your business. The Harness STO (Security Testing Orchestration) module can also help reduce risk to your business by making application security a policy-driven part of every developers workflow. You can improve the likelihood of hitting your security goals by supporting engineers with the most modern DevSecOps solution.