As we continue to integrate technology into all aspects of our lives, it’s imperative that product creators think about the safety of their products from day one.
In this article, we will provide you with a step-by-step guide on creating a threat model, explaining the importance of each step along the way. You can follow along with your own Threat Modeling Excel Template here.
What is Threat Modeling?
Threat modeling is an effective approach to analyzing the design of a feature, application, or product to eliminate potential security flaws. The primary goal of threat modeling is to understand the risks before developing a system.
There are three main benefits to proactive threat modeling:
- Ensures that application security is built into the product as it’s being developed
- Security problems are found and fixed early in the development process
- The security mindset is encouraged in developers and testers
By implementing threat modeling, organizations can save time and money by identifying and fixing security issues early in development, leading to a more secure and robust product.
The steps involved in the threat modeling process are as follows:
- Scope - Define the scope of the threat model, including the system or application to be modeled, its assets, data, and users.
- Draw - Identify and list all the assets within the scope of the model, including hardware, software, data, and other resources that attackers could target.
- Analyze - Assess the likelihood and potential impact of each threat.
- Mitigate - Implement controls to reduce the likelihood or impact of each threat, which may include technical controls such as firewalls or intrusion detection systems or non-technical controls such as security policies or training.
- Document - Document the process, outcome, methodology, and narrative for future reference.
In order to create a comprehensive and effective threat model, it is crucial to involve all stakeholders throughout the SDLC. By engaging diverse perspectives, potential threats can be identified and addressed from multiple angles, resulting in a more robust and resilient security strategy.
Step-by-Step Guide to Creating a Threat Model
You are tasked with protecting your organization’s website as a marketing tool and e-commerce platform. It’s critical to protect your organization and your customer information that is connected to this website.
So, you gather a team internally and start creating a threat model. Let’s look at each step of the threat model process for this website.
Step 1 - Scope
The first step in the threat model process is to define the scope of the threat model, including the system or application to be modeled, its assets, data, and users.
The assets that need to be protected include:
- The Website Itself
- The Customer Database
- The Financial Data
We will focus on protecting these three main areas for the rest of the threat model process.
Step 2 - Draw
Next, your team lists all the assets within the scope of the model, including hardware, software, data, and other resources that attackers could target.
Some of the components behind these assets that an attacker could target include:
- The Website – Hosting platforms like WordPress, HubSpot, Wix, and any plug-in or third-party apps like Pixel Trackers, PDF Readers, etc.
- The Customer Database – CRM systems like Salesforce, Zendesk, etc.
- The Financial Data – Stripe, QuickBooks, or custom-built systems.
Step 3 - Analyze
It’s time to assess each threat's likelihood and potential impact.
The most widely used framework for analysis in a threat model is called STRIDE. STRIDE is a mnemonic that lists different threat categories:
- Spoofing - pretending to be someone or something else
- Tampering - modifying a piece of data through unauthorized channels
- Repudiation - being able to claim that you did not do something
- Information Disclosure - exposing information to an entity that is not authorized to view it
- Denial of Service - consuming a service's resources so that it becomes unavailable to legitimate users
- Elevation of Privileges - gaining the ability to do something one should not be allowed to do
After analyzing the possible threats, the next step is to prioritize them. This step is subjective based on the specific organization and system. While your team works through each threat one at a time, evaluate each threat based on its risk.
To help calculate the risk, we will use another useful mnemonic device called DREAD. Answer each question in the DREAD mnemonic with a rating of 1-5, assuming that the threat has occurred.
- Damage - How much damage will be caused?
- Reproducibility - How easy is the threat to reproduce?
- Exploitability - What resources are needed to exploit this threat?
- Affected Users - How many users will be affected?
- Discoverability - How easily can this threat be discovered again?
Using our website example, let's score one spoofing threat, "a user finding a way to purchase something as another user and using their payment information", against each DREAD question:
- D – 5 - Credit card companies would refund the money and cancel the transactions, and if merchandise has already been sent, it could cost the company a lot of money
- R – 4 - If this is a vulnerability with one of the APIs, it could be easy to reproduce
- E – 5 - An API vulnerability could be very simple to exploit using a tool
- A – 5 - This would affect every user of the system
- D – 4 - This may take some work to find, but would not be too complex
The total score for spoofing would be 23. Now you go through the rest of STRIDE to calculate each threat’s score. Once the threats have been assessed, they can be prioritized. The threats with the highest likelihood and impact should be addressed first.
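The scoring above is a simple sum of five ratings, but a threat register quickly grows past what is comfortable to total by hand, and an out-of-range rating silently skews the ranking. The following is an added example, not code from the article or from any tool it mentions: it records each threat with its STRIDE category and DREAD ratings, validates that every rating is an integer from 1 to 5, totals them, and sorts the register so the highest score comes first. The spoofing entry uses the article's own ratings (5, 4, 5, 5, 4); the other three entries are constructed sample values, not figures from the article.

```python
from dataclasses import dataclass

# The article rates each DREAD factor from 1 to 5, so a threat scores at most 25.
RATING_MIN, RATING_MAX = 1, 5
DREAD_FACTORS = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)


@dataclass
class Threat:
    """One row of the threat register, tagged with its STRIDE category."""
    name: str
    stride: str       # "Spoofing", "Tampering", "Repudiation", ...
    ratings: dict     # DREAD factor name -> integer rating 1..5

    def dread_score(self) -> int:
        """Return the DREAD total after checking every rating is present and in range."""
        missing = set(DREAD_FACTORS) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.name}: missing DREAD ratings {sorted(missing)}")
        for factor, value in self.ratings.items():
            if factor not in DREAD_FACTORS:
                raise ValueError(f"{self.name}: unknown DREAD factor {factor!r}")
            if not isinstance(value, int) or not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(
                    f"{self.name}: {factor} rating {value!r} is not an integer "
                    f"between {RATING_MIN} and {RATING_MAX}"
                )
        return sum(self.ratings[factor] for factor in DREAD_FACTORS)


def prioritize(threats):
    """Return the register ordered highest DREAD score first.

    sorted() is stable, so threats with equal scores keep the order in which
    the team entered them; breaking such ties is a judgement call for the team.
    """
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def render_register(threats) -> str:
    """Produce a plain-text table of the prioritized register for the Document step."""
    lines = [f"{'Score':>5}  {'STRIDE':<22}  Threat"]
    for threat in prioritize(threats):
        lines.append(f"{threat.dread_score():>5}  {threat.stride:<22}  {threat.name}")
    return "\n".join(lines)


# The article's worked spoofing example: D=5, R=4, E=5, A=5, D=4, total 23.
SPOOFING = Threat(
    name="Purchase as another user with their payment information",
    stride="Spoofing",
    ratings={"damage": 5, "reproducibility": 4, "exploitability": 5,
             "affected_users": 5, "discoverability": 4},
)

# Constructed sample ratings for three more STRIDE categories (not from the article).
SAMPLE_REGISTER = [
    SPOOFING,
    Threat("Alter order totals via an unvalidated plug-in", "Tampering",
           {"damage": 4, "reproducibility": 3, "exploitability": 3,
            "affected_users": 4, "discoverability": 3}),            # total 17
    Threat("Flood the checkout endpoint during a sale", "Denial of Service",
           {"damage": 3, "reproducibility": 5, "exploitability": 4,
            "affected_users": 5, "discoverability": 5}),            # total 22
    Threat("CRM export left readable by all staff", "Information Disclosure",
           {"damage": 5, "reproducibility": 2, "exploitability": 2,
            "affected_users": 5, "discoverability": 2}),            # total 16
]

if __name__ == "__main__":
    print(render_register(SAMPLE_REGISTER))
```

The validation in `dread_score` is the part worth keeping even if the rest is replaced by a spreadsheet: a rating typed as 0, 6 or "high" should stop the calculation rather than quietly move a threat up or down the list.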
Step 4 - Mitigate
Now that you know the risks and have prioritized the work, it's time to ask: how can your team implement controls to reduce the likelihood or impact of each threat?
For each threat, you have four options: Mitigate, Eliminate, Transfer, or Accept. Let’s look at what we can do with our website threats:
- Mitigate the Threat - Firewalls can help to block unauthorized access to the website
- Eliminate the Threat - Access control policies can limit who has access to the website and what data they can access
- Transfer the Threat – Third-party data encryption can help to protect customer data and financial information from unauthorized access
- Accept the Risk - Do not act on this threat as you are willing to accept the consequences
Step 5 – Document
As you go through the threat modeling process and work to mitigate potential threats to your website, create a paper trail for future reference.
Some important questions to ask your team are:
- Has the model really covered everything? Is there anything missing?
- Does everybody on the team agree on the inputs to the threat model?
- Does our risk management align with the priorities we set for protecting the system?
- Are the attacks an actual threat? Will they actually occur?
- How are you going to monitor the threat landscape on an ongoing basis?
- When the threat landscape changes, who will help reassess and modify the threat model?
Your team may create a file on your organization’s internal drive to store meeting notes, analysis documents, action logs, and more.
Every Process Starts with Education
Implementing proactive threat modeling is a critical component of building secure and robust systems. Organizations can identify and address potential security issues early in the development process by following a step-by-step process that includes defining the scope of the model, identifying assets, analyzing threats, implementing controls, and documenting the process.