Threat Modeling: Process, Frameworks, and Tools
6 Minute Read
What Is Threat Modeling?
Threat modeling is the process of identifying and sharing information about cybersecurity threats that can affect a given network or system. Modeling security threats helps IT teams understand their nature and potential impact on the organization. It also facilitates the analysis of threats to determine their risks to the organization’s apps.
In addition to protecting applications and networks, threat modeling can help protect business-critical processes and assets deployed outside the corporate network, such as cloud systems or Internet of Things (IoT) devices. The versatility of threat modeling gives organizations a cybersecurity arsenal to protect themselves from various attack vectors.
The threat modeling process depends on the system under investigation. Most business processes that rely on IT can benefit in some way. Threat modeling allows security analysts to narrow the scope of threats to a specific system. It removes the confusion about what threats are present and how to mitigate them. It also gives the IT team the insights they need to secure systems before the damage occurs.
This is part of a series of articles about application security.
In this article:
The Threat Modeling Process
Threat modeling involves identifying the threat vectors and actors that may infiltrate or damage computer systems and applications. Threat modelers adopt a hacker's perspective to evaluate the damage they can cause. They thoroughly analyze the software architecture and business context to gain in-depth insights into the system.
Organizations often perform threat modeling while designing applications, but it is also useful at other stages of the development pipeline. Most threat modeling techniques incorporate the following key steps:
- Create a threat modeling team—including architects, developers, security specialists, and other stakeholders (the more diverse the team, the more comprehensive the threat models).
- Define the threat modeling scope—determining what a threat model covers. The team should inventory and map all relevant data and components.
- Identify the likelihood of an exploit—this exercise explores threat scenarios to determine where threats exist and where a compromise is most likely.
- Rank the threats—assessing the risk level of each threat and prioritizing their mitigation.
- Implement mitigation measures—deciding how to address threats (i.e., eradication, minimization, or acceptance).
- Document the results—recording the findings of the threat models to inform future security decisions.
Threat Modeling Frameworks and Methodologies
Threat modeling aims to identify a system's potential threats and attack vectors—this information allows teams to analyze and determine the measures to mitigate risks. A threat modeling framework can structure this process and improve an organization's ability to identify threats.
MITRE ATT&CK Framework
The federally funded R&D group MITRE maintains the MITRE ATT&CK cybersecurity framework (and related Shield framework. This framework supports cybersecurity by helping teams structure security practices like penetration testing and threat modeling.
MITER ATT&CK divides the cyber attack lifecycle into 14 phases called tactics. Each tactic covers a specific sub-goal within the overall attack—for example, account compromise and privilege escalation.
MITRE ATT&CK is not an exhaustive list of all potential attack techniques, but it covers an impressive range of threats and offers clear criteria to identify vulnerabilities.
OWASP Top 10
The Open Web Application Security Project maintains the OWASP Top 10, which focuses on common vulnerabilities in web applications. The group periodically updates the list to reflect the most relevant vulnerabilities and unsafe practices.
The OWASP Top 10 list offers a useful reference for web application development teams to conduct threat modeling exercises. Cybercriminals also use the list as a starting point to identify easy targets.
While OWASP focuses on web app vulnerabilities, it is also relevant for developing other software like blockchain apps.
STRIDE is a Microsoft framework that focuses on the impact of various threats, including spoofing, tampering, repudiation, data leaking, privilege escalation, and denial of service. It helps temps identify potential attack vectors, assess their impact and risk, and establish mitigation measures.
DREAD is an add-on to STRIDE that helps threat modelers rank threats after identifying them. DREAD is an acronym for the considerations for understanding threats:
- Affected users
Each criterion receives a score from one to three.
The Process for Attack Simulation and Threat Analysis (PASTA) describes seven steps to match cybersecurity policies to business objectives. These steps are complex and include substeps
- Defining objectives
- Defining scope
- Decomposing the application
- Analyzing threats
- Analyzing vulnerabilities
- Modeling attacks
- Analyzing risk and impact
Trike is an open source threat modeling and risk evaluation tool and framework. It identifies threats from a defensive perspective by modeling the protected system and identifying who can read, create, edit, or delete each entity. It focuses on two threat types: privilege escalation and denial of service.
Visual, Agile, Simple Threat Modeling (VAST) is the underlying framework of the automated ThreatModeler platform. It integrates into DevOps workflows and focuses on automation and collaboration to support scalable threat modeling solutions.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology focuses on organizational risks (as opposed to technical vulnerabilities). It involves building threat profiles, identifying infrastructural weaknesses, and establishing security measures.
The National Institute of Standards and Technology offers a threat modeling methodology focusing on data security. It includes the following steps:
- Identifying the data assets of interest.
- Identifying attack vectors.
- Characterizing security controls to mitigate the threats.
- Analyzing the model.
What Are Threat Modeling Tools? 4 Key Capabilities
Threat modeling tools help security teams proactively discover and address potential security issues in devices, software, and data. The threat modeling process usually starts at the design phase of the development pipeline and continues to keep security updated.
Organizations should consider the following factors when selecting a threat modeling solution.
1. Threat Intelligence
Threat intelligence encompasses the actionable information gathered from multiple public threat repositories (e.g., MITRE CAPEC). The tool’s vendor may also collect proprietary data. The threat intelligence database should cover as many potential threats to the system as possible based on data from the wild. This intelligence supplements the organization’s information to facilitate vulnerability assessments and threat predictions.
The threat dashboard is a visual representation of data collected by the threat intelligence function. It facilitates proactive remediation—the more comprehensive the dashboard, the better the organization’s decision-making capabilities to address vulnerabilities.
A powerful threat dashboard lets analysts see the severity of each risk. The security team can narrow the focus to investigate specific modules or user flows, providing a more detailed view of the system in its current state.
3. Policy Engine
The policy engine is the system that aggregates and enforces all policies and rules set by the organization. It can use custom policies or incorporate established regulations and industry standards like GDPR and PCI DSS. This feature is critical for any threat modeling tool because it helps ensure regulatory compliance.
Reporting and documentation are key objectives of threat modeling, allowing all stakeholders to view the investigation results. The threat modeling tool should readily generate reports on threat modeling efforts.
These reports include the current status of each threat, model changes in response to technological changes, and other factors. They are important for improving existing security policies and allowing the organization to update its security profile regularly. Robust threat models evolve constantly, and reporting is critical to this evolution.