3 Approaches to Threat Modeling
Threat modeling can be viewed in two different but related contexts. One is the implementation, by architects, of security controls that map to security requirements and policy; the other is the enumeration of all known attacks against the components or assets in a threat model, with the goal of implementing countermeasures against those threats.
The three general approaches to threat modeling are software-centric, asset-centric, and attacker-centric.
The Figure below illustrates the components that provide the basis for the different approaches to threat modeling.
Below is a brief description of each approach:
Software-Centric Threat Modeling:
This approach starts from the design of the system, which is illustrated using software architecture diagrams such as data-flow diagrams (DFDs), use case diagrams, or component diagrams.
This method is commonly used to threat model networks and systems and has become the de-facto standard for threat modeling. A good example of a software-centric approach is Microsoft's Security Development Lifecycle (SDL). Both the Microsoft SDL Threat Modeling Tool and the Threat Analysis & Modeling (TAM) tool represent the system as DFDs and derive threats from them.
MyAppSecurity's ThreatModeler product provides a threat-modeling framework that combines a high-level component-based design with a software-centric approach. From the threat model, the threats to each component are displayed, and the specific security controls that mitigate them are identified, along with the secure coding standards that should be applied during the application design phase.
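The following is an added example of the software-centric approach, not code from the page, from Microsoft's tools or from ThreatModeler: a small web-application DFD (constructed) is described as elements, data flows and trust zones, and threats are enumerated per element. The mapping of threat categories to element kinds is the STRIDE-per-element convention the Microsoft SDL Threat Modeling Tool uses, taken here as an assumption; the element and flow names are invented for illustration.

```python
"""Software-centric threat modeling: derive threats from a data-flow diagram.

Added example; not code from the page, from Microsoft's tooling or from
ThreatModeler. Assumptions: a constructed DFD of a small web application, and
the STRIDE-per-element mapping the Microsoft SDL Threat Modeling Tool applies
(which STRIDE categories apply to an external entity, a process, a data store
and a data flow).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# STRIDE categories that apply to each kind of DFD element (SDL convention; assumed here).
STRIDE_PER_ELEMENT = {
    "external":  {"Spoofing", "Repudiation"},
    "process":   {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
                  "Denial of service", "Elevation of privilege"},
    "datastore": {"Tampering", "Repudiation", "Information disclosure", "Denial of service"},
    "dataflow":  {"Tampering", "Information disclosure", "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone the element sits in; a flow between zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


@dataclass
class DFD:
    elements: dict[str, Element] = field(default_factory=dict)
    flows: list[Flow] = field(default_factory=list)

    def add(self, element: Element) -> "DFD":
        self.elements[element.name] = element
        return self

    def connect(self, src: str, dst: str, label: str) -> "DFD":
        self.flows.append(Flow(src, dst, label))
        return self

    def crosses_boundary(self, flow: Flow) -> bool:
        return self.elements[flow.src].zone != self.elements[flow.dst].zone


def enumerate_threats(dfd: DFD) -> list[tuple[str, str, str]]:
    """One (target, STRIDE category, note) tuple per applicable category.

    Flows that cross a trust boundary are annotated, because that is where a
    DFD-based review concentrates its attention."""
    threats = []
    for element in dfd.elements.values():
        for category in sorted(STRIDE_PER_ELEMENT[element.kind]):
            threats.append((element.name, category, ""))
    for flow in dfd.flows:
        note = "crosses trust boundary" if dfd.crosses_boundary(flow) else ""
        for category in sorted(STRIDE_PER_ELEMENT["dataflow"]):
            threats.append((f"{flow.src} -> {flow.dst} ({flow.label})", category, note))
    return threats


def boundary_crossing_threats(dfd: DFD) -> list[tuple[str, str, str]]:
    """Only the threats on flows that cross a trust boundary."""
    return [t for t in enumerate_threats(dfd) if t[2]]


def build_sample_dfd() -> DFD:
    # Constructed sample: browser -> web app -> orders database, three trust zones.
    return (DFD()
            .add(Element("Browser", "external", "internet"))
            .add(Element("WebApp", "process", "dmz"))
            .add(Element("OrdersDB", "datastore", "internal"))
            .connect("Browser", "WebApp", "HTTPS request")
            .connect("WebApp", "OrdersDB", "SQL query"))


if __name__ == "__main__":
    for target, category, note in enumerate_threats(build_sample_dfd()):
        print(f"{target:40} {category:24} {note}")
```

Each row of the output is a threat to take to the next step of the method: decide on a mitigating control for it or record why it is accepted. Note that the data store gets no "Elevation of privilege" entry while the process does; that asymmetry is the point of deriving threats from element kind rather than brainstorming per component.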
Asset-Centric Threat Modeling:
An asset-centric approach starts by identifying the assets of an organization that are entrusted to a system or software, i.e., the data the software processes. Assets are classified according to data sensitivity and their intrinsic value to a potential attacker, in order to prioritize risk levels.
Using this approach, attack trees, attack graphs, or patterns by which an asset can be attacked are generated. Security professionals often argue that this approach should not be classified as threat modeling at all, but is simply the inevitable result of a software-centric design approach.
This approach helps identify multi-step attacks and the paths by which an attacker can reach an asset. Based on risk analysis, these paths can then be weighted and prioritized. Trike and Amenaza's SecurITree both support the creation of attack trees, while ThreatModeler generates attack trees automatically from the data provided in the software component threat model.
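An added example of the attack-tree side of the asset-centric approach (not code from Trike, SecurITree or ThreatModeler): the tree below targets one asset, is expanded into its concrete multi-step paths, and each path is weighted so the cheapest and most likely routes to the asset rank first. The tree contents, the cost units and the success probabilities are all constructed for illustration; the AND/OR semantics (AND needs every child, OR any one) are the usual attack-tree convention.

```python
"""Asset-centric threat modeling: an attack tree for one asset, with attack
paths weighted and ranked. Added example; not code from Trike, SecurITree or
ThreatModeler. Assumptions: each leaf step carries an attacker cost (effort,
arbitrary units) and a probability of success; an AND node needs every child,
an OR node any one child; the tree itself is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    op: str = "LEAF"            # LEAF | AND | OR
    cost: float = 0.0           # attacker effort (leaves only)
    p: float = 1.0              # probability the step succeeds (leaves only)
    children: list[Node] = field(default_factory=list)


def step(name: str, cost: float, p: float) -> Node:
    return Node(name, "LEAF", cost, p)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, "OR", children=list(children))


def all_of(name: str, *children: Node) -> Node:
    return Node(name, "AND", children=list(children))


def attack_paths(node: Node) -> list[tuple[Node, ...]]:
    """Expand the tree into concrete multi-step paths (tuples of leaf steps).

    OR: the union of the children's paths. AND: every combination of one path
    per child, since all children must be achieved."""
    if node.op == "LEAF":
        return [(node,)]
    if node.op == "OR":
        return [path for child in node.children for path in attack_paths(child)]
    combos = product(*(attack_paths(child) for child in node.children))
    return [sum(combo, ()) for combo in combos]


def score(path: tuple[Node, ...]) -> tuple[float, float]:
    """Total attacker cost and overall success probability of one path."""
    cost = sum(s.cost for s in path)
    probability = 1.0
    for s in path:
        probability *= s.p
    return cost, probability


def ranked_paths(root: Node) -> list[tuple[list[str], float, float]]:
    """(step names, cost, probability), most likely and then cheapest first."""
    rows = [([s.name for s in path], *score(path)) for path in attack_paths(root)]
    return sorted(rows, key=lambda row: (-row[2], row[1]))


def build_sample_tree() -> Node:
    # Constructed tree for the asset "customer records in the orders database".
    return any_of("Read customer records",
                  all_of("Exploit the web application",
                         step("Find a SQL injection point", cost=3, p=0.6),
                         step("Exfiltrate rows via UNION/blind queries", cost=2, p=0.8)),
                  all_of("Compromise a DBA account",
                         step("Phish the DBA", cost=4, p=0.3),
                         step("Bypass MFA", cost=6, p=0.2)),
                  step("Steal an unencrypted backup", cost=5, p=0.5))


if __name__ == "__main__":
    for names, cost, probability in ranked_paths(build_sample_tree()):
        print(f"p={probability:.2f} cost={cost:>4}  " + " -> ".join(names))
```

The ranking is what drives mitigation order: here the unencrypted backup and the SQL injection path are both cheap and likely, and the DBA path is expensive and unlikely, so controls on the first two are where the asset's risk is actually reduced. Re-running the ranking after changing a leaf's probability (say, after parameterizing queries) shows how much a proposed control buys.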
Attacker-Centric Threat Modeling:
An attacker-centric approach to threat modeling requires profiling an attacker's characteristics, skill set, and motivation to exploit vulnerabilities, then using those profiles to determine which type of attacker is most likely to execute specific types of exploits, and implementing a mitigation strategy accordingly.
The attacker-centric approach also uses tree diagrams. Its key elements are the specific goals of the attacker; the considerations related to the system upon which the attack could be perpetrated, along with its software and assets; how the attack could be carried out; and finally, a means to detect or mitigate such an attack. An analyst may also list and analyze related attack patterns or approaches to make these same determinations.
An example would be an attack to obtain information from a backend database. The considerations would be confirming that a database is used at the backend, finding a means to enter database queries as input, and avoiding detection and prevention mechanisms. The approach would be SQL injection commands specific to the database identified, or tools that automate the exploitation process.
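The database example above, worked through as added code (not from the page): a lookup that concatenates user input into the query, beside the parameterized form that is the usual mitigation. The database, its users table and the two payloads are constructed; the first payload makes the WHERE clause always true and returns every row, the second reads SQLite's catalog table, which is the "confirm a database is being used at the backend" step from the attacker's side. The hardened lookup treats both payloads as a literal username and returns nothing.

```python
"""Attacker-centric example from the text: obtaining information from a backend
database through SQL injection. Added example; not code from the page.
Assumptions: an in-memory SQLite database with a constructed users table, a
lookup that concatenates input into the query (the vulnerable form) beside a
parameterized lookup (the mitigation).
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: attacker-controlled text becomes part of the SQL statement.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Mitigation: a bound parameter is data and is never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# The attacker's goal is the database contents, not one user's row.
# Payload 1 turns the WHERE clause into a tautology and dumps the table.
# Payload 2 pulls table names and CREATE statements out of SQLite's catalog;
# the closing "WHERE '1'='1" absorbs the application's own trailing quote.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"


def demo() -> dict:
    """Run both payloads against both lookups and return the rows each produced."""
    conn = setup_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_schema": lookup_vulnerable(conn, SCHEMA_PAYLOAD),
        "hardened_tautology": lookup_hardened(conn, TAUTOLOGY_PAYLOAD),
        "hardened_schema": lookup_hardened(conn, SCHEMA_PAYLOAD),
        "normal": lookup_hardened(conn, "bob"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Each injected string is valid SQL for the database identified, which is why the text stresses matching the commands to the backend: the catalog query here is SQLite-specific and would be rewritten for another engine. The parameterized version is the mitigation the analysis ends in; detection of the same attempts would key on the quote-and-tautology and UNION patterns in application input or query logs.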