What Is Threat Modeling? Key Steps and Techniques

Threat Modeling: 5 Steps, 7 Techniques, and Tips for Success

Published
June 06, 2023


Learn how to use threat modeling to improve identification of cybersecurity threats, prioritize them, and perform effective risk mitigation.

What is threat modeling?

Threat modeling is a proactive strategy for evaluating cybersecurity threats. It involves identifying potential threats, and developing tests or procedures to detect and respond to those threats. This involves understanding how threats may impact systems, classifying threats and applying the appropriate countermeasures.

A typical threat modeling process includes five steps: threat intelligence, asset identification, mitigation capabilities, risk assessment, and threat mapping. Each of these provides different insights and visibility into the organization’s security posture.

There are eight main methodologies security teams can use while threat modeling: STRIDE, PASTA, VAST, Trike, CVSS, Attack Trees, Security Cards, and hTMM. Each of these methodologies provides a different way to assess the threats facing the organization’s IT assets.


Why is threat modeling important?

Risk mitigation

Threat modeling plays a crucial role in risk mitigation. By identifying potential threats before they can be exploited, organizations can take proactive measures to eliminate or reduce these risks. This is far more cost-effective than reacting to a breach or attack after it has happened. Moreover, by understanding the potential attack vectors, organizations can develop more secure systems and applications right from the start.

Enhanced security awareness

Threat modeling is not just a technical process. It also involves a significant amount of human analysis and decision-making. By engaging in threat modeling, teams can enhance their security awareness and foster a security-focused culture within the organization. Via threat modeling, they can educate their teams about the potential threats they may encounter and the actions they can take to mitigate these threats.

Easier compliance

Many industries and jurisdictions have strict compliance requirements when it comes to cybersecurity. These requirements often include a comprehensive threat analysis and ongoing risk assessment and process improvement. Threat modeling can help organizations meet these compliance requirements by providing a systematic and documented approach to threat analysis.

Furthermore, a well-documented threat model can serve as evidence of due diligence in the event of a security incident. It can show that organizations have taken reasonable steps to identify and mitigate potential threats to their systems.

Cost-effective security

Threat modeling is a cost-effective approach to security. By identifying threats early on, organizations can avoid the high costs associated with security breaches and data loss. Furthermore, by focusing resources on the most significant risks, organizations can ensure that they get the most security for their investment.

Advantages of threat modeling

Detect problems early in the SDLC

By identifying potential threats and vulnerabilities at the design stage, organizations can avoid costly and time-consuming fixes later in the development process. This proactive approach allows organizations to build security into their systems from the ground up, rather than trying to patch it on as an afterthought.

Identifying potential issues early on also gives developers the opportunity to address them in their code. This can lead to more secure software and can help avoid the need for expensive and disruptive patches or updates later on. In essence, threat modeling can help turn security from a reactive process into a proactive one.

Evaluate new forms of attack

As the cybersecurity landscape evolves, new threats and attack vectors continue to emerge. Threat modeling allows organizations to stay a step ahead of these evolving threats by providing a structured approach to identifying and assessing them.

By regularly updating their threat models, organizations can stay abreast of the latest security threats and vulnerabilities. This can help them adapt their security strategies and defenses in response to the changing threat landscape, ensuring that they are always prepared for the latest attacks.

Identify security requirements

By understanding the potential threats to a system and the impact failures in maintaining a good security posture could have, organizations can determine what security controls they need to put in place to protect their assets.

These security requirements should be incorporated into the system design and development process, ensuring that the system is built with security in mind from the start. This can result in more secure systems and can help organizations avoid costly and disruptive security breaches. However, as security is often an afterthought, creating lines of communication between IT, Security, and Development is a key requirement in business continuity and disaster recovery scenario building.

Map assets, threat agents, and controls

By creating a detailed model of the core elements of the most critical business systems across the organization, security leadership and risk teams can gain a better understanding of what they need to protect, who might want to attack it, and how they can defend it. For instance, if the business is a transactional website, putting controls around the web interface, APIs, and back-end databases must be prioritized. For a business in manufacturing, keeping service accounts and ICS up and running while restricting external access of any kind may be paramount.

This understanding can help organizations prioritize their security efforts and resources, focusing on the most critical assets and threats. It can also provide a clear roadmap for implementing security controls, helping organizations ensure that they are effectively protecting their systems and data.

5 steps of the threat modeling process

When performing threat modeling, several processes and aspects should be included. Failing to include one of these components can lead to incomplete models and can prevent threats from being properly addressed.

1. Apply threat intelligence

This area includes information about types of threats, affected systems, detection mechanisms, tools and processes used to exploit vulnerabilities, and motivations of attackers. Gathering this intelligence is an ongoing process, and wherever possible should be automated by security tools.

Threat intelligence information is often collected by security researchers and made accessible through public databases, proprietary solutions, or security communications outlets. It is used to enrich the understanding of possible threats and to inform responses.

2. Identify assets

Teams need a real-time inventory of components, credentials, and data in use, where those assets are located, and what security measures are in place to maintain a secure posture. This inventory helps security teams track assets with known vulnerabilities and monitor the end state of passwords and permissions.

A real-time inventory enables security teams to gain visibility into asset changes. For example, alerts raised when assets are added, with or without authorized permission, can signal a potential threat. A stale user or service account that suddenly becomes active may also be an indication of a threat.

3. Identify mitigation capabilities

Mitigation capabilities generally refer to technology to protect, detect, and respond to a certain type of threat, but can also refer to an organization’s security expertise and abilities, and their processes. Assessing their existing capabilities will help determine whether they need to add additional resources to mitigate a threat.

For example, if an organization has enterprise-grade antivirus or endpoint protection, they have an initial level of protection against traditional malware threats. They can then determine if they should invest further, for example, to correlate existing AV signals with other detection capabilities.

4. Assess risks

Risk assessments correlate threat intelligence with asset inventories and current vulnerability profiles. These tools are necessary for teams to understand the current status of their systems and to develop a plan for addressing vulnerabilities.

Risk assessments can also involve active testing of systems and solutions. For example, penetration testing verifies that security measures and patching levels are effective in hardening systems, while application security testing and software composition analysis make sure that the applications running on those systems are as secure as current information allows.

5. Perform threat mapping

Threat mapping is a process that follows the potential path of threats through an organization’s systems. It is used to model how attackers might move from resource to resource and helps teams anticipate where defenses can be more effectively layered or applied. Wherever specific security mitigations and logs can be mapped against the use cases that most threaten the business, the result is a more effective model for demonstrating the organization’s current security posture in compliance reports.

Top threat modeling methodologies and techniques

When performing threat modeling, there are multiple methodologies security teams can use. The right model for the organization’s needs depends on what types of threats they are trying to model and for what purpose.

STRIDE threat modeling

STRIDE is a threat model, created by Microsoft engineers, which is meant to guide the discovery of threats in a system. It is used along with a model of the target system. This makes it most effective for evaluating individual systems.

STRIDE is an acronym for the types of threats it covers, which are:

  • Spoofing — a user or program pretends to be another
  • Tampering — attackers modify components or code
  • Repudiation — threat events are not logged or monitored
  • Information disclosure — data is leaked or exposed
  • Denial of Service (DoS) — services or components are overloaded with traffic to prevent legitimate use
  • Elevation of Privilege — attackers grant themselves additional privileges to gain greater control over a system

Process for Attack Simulation and Threat Analysis (PASTA)

PASTA is an attacker-centric methodology with seven steps. It is designed to correlate business objectives with technical requirements. PASTA’s steps guide teams to dynamically identify, count, and prioritize threats.

The steps of a PASTA threat model are:

  1. Define business objectives
  2. Define the technical scope of assets and components
  3. Application decomposition and identification of application controls
  4. Threat analysis based on threat intelligence
  5. Vulnerability detection
  6. Attack enumeration and modeling
  7. Risk analysis and development of countermeasures

Common Vulnerability Scoring System (CVSS)

CVSS is a standardized threat scoring system used for known vulnerabilities. It was developed by the National Institute of Standards and Technology (NIST) and is maintained by the Forum of Incident Response and Security Teams (FIRST).

CVSS applies security scores to known vulnerabilities as they are released, which helps security teams assess threats, identify impacts, determine priorities for patching, and identify existing countermeasures. It also helps security professionals assess and apply threat intelligence developed by others in a reliable way.

CVSS scores the inherent properties of a vulnerability and how the associated risk changes with the time elapsed since the vulnerability was first discovered. It also includes measures that allow security teams to adjust risk scores for their individual system configurations.

Visual, Agile, and Simple Threat (VAST)

Visual, Agile, and Simple Threat (VAST) is an automated threat modeling method built on the ThreatModeler platform. Large enterprises implement VAST across their entire infrastructure to generate reliable, actionable results and maintain scalability.

VAST can integrate into the DevOps lifecycle and help teams identify various infrastructural and operational concerns. Implementing VAST requires the creation of two types of threat models: 

  • Application threat model — uses a process-flow diagram to represent the architectural aspect of the threat
  • Operational threat model — uses a data-flow diagram to represent the threat from the attacker’s perspective

Trike

Trike is a security audit framework for managing risk and defense through threat modeling techniques. Trike defines a system, and an analyst enumerates the system’s assets, actors, rules, and actions to build a requirement model. Trike generates a step matrix with columns representing the assets and rows representing the actors. Every matrix cell has four parts to match possible actions (create, read, update, and delete) and a rule tree — the analyst specifies whether an action is allowed, disallowed, or allowed with rules. 

Trike builds a data-flow diagram mapping each element to the appropriate assets and actors with the requirements defined. The analyst uses the diagram to identify denial of service (DoS) and privilege escalation threats.

Trike assesses attack risks using a five-point probability scale for each CRUD action and actor. It also evaluates actors based on their permission level for each action (always, sometimes, or never).

Attack Trees

Attack trees are charts that display the paths that attacks can take in a system. These charts display attack goals as a root with possible paths as branches. When creating trees for threat modeling, multiple trees are created for a single system, one for each attacker goal.

This is one of the oldest and most widely used threat modeling techniques. This kind of approach is often included as part of internal reviews of data flow when examining vendor risk and the interoperability of systems like web, CRM, back-end data, etc. While once used alone, it is now frequently combined with other methodologies, including PASTA, CVSS, and STRIDE.
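To make the root-and-branches structure concrete, here is an added Python evaluator (not from the original article) for an attack tree with OR nodes (any child reaches the goal) and AND nodes (all children are needed). Leaf costs are the team's relative effort estimates, and the tree itself is a constructed, deliberately abstract example used to show how a defender can rank which single mitigation most raises the attacker's cheapest path.

```python
# Attack-tree evaluator: cheapest path to the root goal and mitigation ranking.
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0         # leaf only: relative attacker effort estimated by the team
    children: list = field(default_factory=list)


def leaf(name, cost):
    return Node(name, "LEAF", cost)


def any_of(name, *kids):
    return Node(name, "OR", 0.0, list(kids))


def all_of(name, *kids):
    return Node(name, "AND", 0.0, list(kids))


def min_cost(node, blocked=frozenset()):
    """Cheapest way to reach the node's goal; leaves in `blocked` count as infeasible."""
    if node.kind == "LEAF":
        return INF if node.name in blocked else node.cost
    costs = [min_cost(c, blocked) for c in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)


def cheapest_path(node, blocked=frozenset()):
    """Leaves on the cheapest path to the node's goal (empty if the goal is unreachable)."""
    if min_cost(node, blocked) == INF:
        return []
    if node.kind == "LEAF":
        return [node.name]
    if node.kind == "AND":
        return [l for c in node.children for l in cheapest_path(c, blocked)]
    best = min(node.children, key=lambda c: min_cost(c, blocked))
    return cheapest_path(best, blocked)


def leaves(node):
    if node.kind == "LEAF":
        return [node.name]
    return [l for c in node.children for l in leaves(c)]


def rank_mitigations(root):
    """For each leaf, how much blocking it alone raises the cheapest attack; highest gain first."""
    base = min_cost(root)
    gains = [(name, min_cost(root, frozenset({name})) - base) for name in leaves(root)]
    return sorted(gains, key=lambda g: -g[1])


# Constructed example tree: one attacker goal at the root, one tree per goal as the text says.
TREE = any_of("Read customer records",
    all_of("Abuse a valid account",
        any_of("Obtain credentials",
            leaf("Phish an employee", 3),
            leaf("Reuse a leaked password", 2)),
        leaf("Defeat second factor", 6)),
    all_of("Exploit the web application",
        leaf("Find an injection flaw", 5),
        leaf("Pull records through the app", 1)),
    leaf("Locate an exposed backup", 7))

if __name__ == "__main__":
    print("cheapest attack cost:", min_cost(TREE))
    print("cheapest path:", cheapest_path(TREE))
    for name, gain in rank_mitigations(TREE):
        print(f"block '{name}': cheapest attack rises by {gain}")
```

In this sample tree no single mitigation raises the cheapest attack by more than one unit, which is the usual argument for layering controls across several branches rather than hardening one leaf.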

Security Cards

The Security Cards methodology is based on brainstorming and creative thinking rather than structured threat modeling approaches. It is designed to help security teams account for less common or novel attacks. This methodology is also a good way for security teams to increase knowledge about threats and threat modeling practices.

The methodology uses a set of 42 cards, which help analysts answer questions about future attacks, such as who might attack, what their motivation could be, which systems they might attack, and how they would implement an attack. Analysts can deal the cards in a type of table-top game, to simulate possible attacks and consider how the organization might respond.

Hybrid Threat Modeling Method (hTMM)

hTMM is a methodology developed by Security Equipment Inc. (SEI) that combines two other methodologies:

  • Security Quality Requirements Engineering (SQUARE) — a methodology designed to elicit, categorize and prioritize security requirements
  • Persona non Grata (PnG) — a methodology that focuses on uncovering ways a system can be abused to meet an attacker’s goals

hTMM is designed to enable threat modeling which accounts for all possible threats, produces zero false positives, provides consistent results, and is cost-effective.

It works by applying Security Cards, eliminating unlikely PnGs, summarizing results, and formally assessing risk using SQUARE.

Threat modeling best practices

Here are a few critical best practices that can help security teams practice threat modeling more effectively.

Understand the system architecture

Threat modeling requires a clear understanding of how the system is structured, how it operates, and how it interacts with other systems.

Understanding the system architecture and data flows can help identify potential points of attack. For instance, if the system communicates with other systems, there may be potential for data leakage or unauthorized access. Similarly, understanding the data flow within the system can help security teams identify where sensitive data might be at risk.

Furthermore, understanding the system architecture can also help identify potential vulnerabilities. For instance, if the system relies on a particular component that has known vulnerabilities, this could be a potential point of attack. Additionally, information about new attacker tools or vulnerabilities in internally used tools is released continually; for example, SamSam ransomware took advantage of JBossAS or JexBoss, a common debugging/scanning tool used by developers.

Use an ecosystem of tools

There are many different tools available that can assist with various aspects of threat modeling. Organizations should adopt tools that can:

  • Automate threat identification: These tools can scan the system and identify known vulnerabilities that could potentially be exploited by attackers. 
  • Help with risk assessment: These tools can analyze the potential impact of a threat and the likelihood of it occurring, helping to prioritize which threats to address first.
  • Help with mitigation strategies: These tools can assist with implementing technical solutions, such as encryption or intrusion detection systems, or with developing policies or user education programs.

Document and communicate findings

This involves clearly recording the identified threats, the associated risks, and the proposed mitigation strategies.

Documenting findings provides a record of the threat modeling process, which can be useful for future reference or if questions arise later. It also helps ensure that the identified threats and mitigation strategies are not forgotten or overlooked.

Communicating findings is also critical. This involves sharing the findings with all relevant stakeholders, including developers, management, and even users. This ensures that everyone is aware of the potential threats and understands what needs to be done to mitigate them. Running through a risk exposure exercise may take system and tool owners from many different teams from security to marketing and sales to understand the flow of data and the exposure of potential compromise.

Foster collaboration and knowledge sharing

Threat modeling is not a task that should be carried out in isolation; rather, it should involve collaboration among various stakeholders, including developers, security experts, management, and users.

Fostering collaboration can help ensure that all potential threats are identified and considered. It can also help ensure that the proposed mitigation strategies are practical and effective.

Knowledge sharing can help improve the overall effectiveness of the threat modeling process, by learning from successes and failures of others in the organization.

Threat modeling with Exabeam’s Next-generation SIEM platform

Threat modeling is a complex process that requires real-time data collection and analysis, as well as a quick (if not real-time) response.

New-Scale SIEMTM platforms, like the Exabeam Security Operations Platform, can help effectively create, manage, maintain, and automate the threat modeling process of choice.

Exabeam offers the following to help security teams perform threat modeling:

  • Advanced Analytics — Use behavioral analytics to identify anomalous behavior that might indicate an attack, and correlate it with threat analytics data to identify the type and source of the attack. Advanced analytics also creates opportunities to hunt for threats, diving into the stream of logs to find anomalies and correlate threats.
  • Smart forensic analysis — Collect all relevant information about a security incident, across multiple users and their context data, IP addresses, and IT systems, combining it with threat intelligence data, and laying it out on an incident timeline.
  • Outcomes Navigator — Outcomes Navigator maps the feeds that come into Exabeam against the most common security use cases and suggests ways to improve coverage. Outcomes Navigator supports measurable, continuous improvement focusing on outcomes by recommending information, event stream, and parsing configuration changes to close any gaps.
  • Incident response automation — Incident Responder gathers data from hundreds of tools, automatically identifies incidents, cross-references them with threat intelligence data, and can automatically orchestrate containment and mitigation steps.
  • Threat hunting — Use threat intelligence data and known indicators of compromise (IoC), combined with free exploration and correlation of internal security data, to identify new and unknown threats that might be affecting the organization.

In addition to these tools, Exabeam also offers a Threat Intelligence Service, which provides a cloud-based solution with proprietary threat intelligence technology. This system collects and analyzes threat indicators from multiple feeds.

The Threat Intelligence Service combines threat feeds from commercial and open source sites and is free for Exabeam customers as part of the Exabeam Security Operations Platform.

Learn more about the Exabeam Security Operations Platform.
