
What Is Threat Modelling and Why Is It Important?

Published 10 September 2024

What is Threat Modelling?

Threat modelling is a term used to describe the analysis of systems, technologies and services to identify potential weaknesses within their design from an attacker’s perspective. Unlike penetration tests or other methods of vulnerability identification, threat models are often conducted using whiteboards or collaborative environments, with multiple parties and stakeholders contributing to the outcome.

Threat models also occur earlier in the project life cycle than penetration testing or other risk identification methods, as threat modelling can be conducted as early as the design and ideation phase of a project, long before any infrastructure or architecture is developed and deployed. 

Goals of Threat Modelling

The ultimate goal of threat modelling is to identify threats before they materialise. However, threat modelling can help your organisation achieve a number of other goals that contribute to your wider security posture.

Risk Mitigation

Threat models help your project teams understand the inherent risks introduced into systems from different design and architectural decisions. Identifying such risks early allows your teams to iterate solutions to mitigate any potential risks as systems are developed, long before entering production use.

Enhanced Security Awareness

Through the process of threat modelling, you gain a better understanding of your systems' security posture and threat surface. In addition, threat modelling is often a collaborative practice with personas and stakeholders from multiple domains present, which promotes a security-conscious culture throughout your organisation.

Easier Compliance

Conducting regular risk and vulnerability assessments is a requirement of key information security frameworks like NIST Cybersecurity Framework, ISO 27001 and NCSC Cyber Assessment Framework. Threat modelling serves as a systematic method of identifying potential risks and vulnerabilities early, enabling prompt recording and mitigation of any legitimate risks.

Cost-effective Security

Threat models often produce actionable outputs and give your organisation a proactive method of considering threats, risks and impacts early in the development lifecycle. Threat modelling necessitates no additional operational overheads as it requires only short intervals of project development time and is integrated within sprints or at key project phases.

In addition, by performing threat models at key points within the development and deployment lifecycle, you can allocate security resources more efficiently as your teams prioritise security efforts more deliberately and proactively.

Advantages of Threat Modelling

Beyond the goals outlined above, threat modelling provides some additional benefits, including:

  • Remediating vulnerabilities before security incidents occur with proactive security threat modelling.
  • Structuring your approach to identifying security gaps and allowing all stakeholders across your organisation to contribute to the identification of threats and collaborate on security efforts. (This can be best achieved with communication threat modelling).
  • Informing risk decision-making by identifying risks and their potential impacts so your organisation can better inform risk responses.
  • Enabling iterative modelling that can be repeated as threat landscapes and techniques change. By regularly performing threat models, you can adapt to changing threats quickly and respond without delay or additional risk appetite. (This can be best achieved with adaptability threat modelling).

How Should You Approach Threat Modelling?

To get started with threat modelling in your organisation, we recommend a five-step approach.

  1. Defining Systems: Implementing threat modelling first requires defining the systems, assets and data in scope of the model.
  2. Consider Threats: Then, consider the potential threats faced by these systems, and which threat actors are the biggest threats to the organisation.
  3. Likelihood and Impact: The likelihood and potential impact of each threat should be considered, to support the prioritisation of risks.
  4. Risk Response: Then, potential mitigations for the identified risks, such as new controls or compensatory controls, should be ideated and reviewed.
  5. Continuous Review: The threat modelling process and outputs should be continuously reviewed and updated to maintain a present understanding of threats posed.

Threat Modelling Methodologies

Myriad methodologies exist for threat modelling, each with unique focuses and benefits. The question of which methodology is most appropriate for your organisation depends on what systems are being assessed and the desired outcome of threat modelling for your organisation.

STRIDE

Standing for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Escalation of privilege, STRIDE is ubiquitous across multiple industries and counts the NCSC as one of its proponents.

Additionally, STRIDE-LM can be employed similarly to STRIDE, including Lateral Movement as an additional element in the threat model.

LINDDUN

Similarly structured to STRIDE, LINDDUN offers a privacy-focused approach to threat modelling, making it a more suitable option for identifying potential privacy concerns. The components of LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of Information, Unawareness and Non-compliance) can be directly mapped to STRIDE's components, making it possible to use LINDDUN as a supplementary framework to STRIDE.

DREAD

DREAD considers threats based on: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability. DREAD focuses on the potential impact threats may have on systems or organisations. DREAD scores findings, enabling a quantitative and repeatable approach to rating threats.
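An added example, not part of the original article: DREAD scoring in Python, which also illustrates the likelihood-and-impact step of the five-step approach above. The 1-10 scale, the averaging, the rating bands, the impact/likelihood split and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

@dataclass(frozen=True)
class Finding:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject out-of-range ratings so scores stay comparable between sessions.
        for factor in FACTORS:
            value = getattr(self, factor)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {factor} must be 1-10, got {value!r}")

    @property
    def score(self) -> float:       # assumed: plain average of the five ratings
        return sum(getattr(self, f) for f in FACTORS) / len(FACTORS)
    @property
    def impact(self) -> float:      # assumed split: how bad, and for how many
        return (self.damage + self.affected_users) / 2
    @property
    def likelihood(self) -> float:  # assumed split: how easy to find and repeat
        return (self.reproducibility + self.exploitability + self.discoverability) / 3

def band(score: float) -> str:
    """Assumed rating bands; agree your own thresholds before scoring."""
    return "high" if score >= 7 else "medium" if score >= 4 else "low"

def prioritise(findings):
    """Highest score first; ties broken by impact, then name for a stable order."""
    return sorted(findings, key=lambda f: (-f.score, -f.impact, f.name))

# Constructed sample findings: name, then D, R, E, A, D ratings.
FINDINGS = [
    Finding("Audit log editable by application account", 7, 5, 4, 3, 3),
    Finding("Verbose error page reveals framework version", 2, 10, 3, 2, 9),
    Finding("Session token accepted after logout", 8, 7, 7, 8, 5),
    Finding("Unbounded report export exhausts workers", 5, 8, 6, 9, 7),
]
```

Keeping impact and likelihood visible next to the average shows when a mid-ranked finding is likely but low impact, which the single score hides.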

PASTA

The Process for Attack Simulation and Threat Analysis is a risk-focused methodology, producing a business-impact-oriented output. Following seven iterative stages, PASTA identifies threats by aligning business and security objectives, prioritising findings in a business context.

Attack Trees

Employing hierarchical representations of different attacks against a system, attack trees focus on the routes an attacker may take to achieve a particular goal. With that goal as the ‘root’ of the tree, attack trees branch into the different methods of attack that could be utilised to achieve it. As methods of attack become more nuanced or complex, trees can spawn additional branches and subbranches.

Attack Trees produce vivid and visual representations of potentially complex attack vectors and represent the progression an attacker may follow when attempting to exploit a system.
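An added example, not part of the original article: an attack tree with AND/OR branches in Python, evaluated to find the cheapest remaining route to the root goal as controls are deployed. The tree, the effort figures and the control names are constructed for illustration.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    label: str
    kind: str = "LEAF"             # "LEAF", "OR" (any child suffices) or "AND" (all needed)
    cost: float = 0                # leaf only: assumed attacker effort, arbitrary units
    control: Optional[str] = None  # leaf only: control that blocks this step
    children: List["Node"] = field(default_factory=list)

def min_cost(node, deployed=frozenset()):
    """Cheapest effort to achieve `node`; math.inf when every route is blocked."""
    if node.kind == "LEAF":
        return math.inf if node.control in deployed else node.cost
    costs = [min_cost(child, deployed) for child in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)

def cheapest_route(node, deployed=frozenset()):
    """Leaf steps on the cheapest remaining route, or [] when the goal is blocked."""
    if math.isinf(min_cost(node, deployed)):
        return []
    if node.kind == "LEAF":
        return [node.label]
    if node.kind == "OR":
        best = min(node.children, key=lambda c: min_cost(c, deployed))
        return cheapest_route(best, deployed)
    return [step for child in node.children for step in cheapest_route(child, deployed)]

# Constructed tree: the attacker's goal is the root, branches are alternative methods.
TREE = Node("Read customer records without authorisation", "OR", children=[
    Node("Use a valid staff account", "AND", children=[
        Node("Obtain a staff password", cost=3),
        Node("Satisfy the second factor", cost=4, control="phishing_resistant_mfa"),
    ]),
    Node("Exploit an unpatched application flaw", cost=5, control="patch_sla"),
    Node("Read a backup copy", "AND", children=[
        Node("Reach backup storage", cost=7, control="network_segmentation"),
        Node("Read backup contents", cost=1, control="backup_encryption"),
    ]),
])
```

A single control on an AND branch blocks the whole branch, whereas an OR node stays reachable until every child is blocked, so re-running `cheapest_route` after each planned control shows where the next mitigation is needed.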

To learn more about threat modelling or for support in utilising threat modelling within your organisation, get in touch with our team.