Threat Modelling

Lecture 4
Esmiralda Moradian
Learning outcomes
● Understand threats, controls, countermeasures
● Understand the threat modelling process
● Be able to model threats and define threat profiles
Threat
● Threat - a possible danger or vulnerability

● Attack - the action or attempt of unauthorized action

● Threat source - the cause of a threat, such as a human error, a

failure of organization-controlled hardware or software, or other
failure beyond the control of the organization

● Attack/Threat event - an event or situation initiated or caused

by a threat source that has the potential for causing adverse impact
Threat profile
● A threat profile is
– a security design specification for the system
• describes possible goals of the adversary and
• vulnerabilities that exist as a result of those goals.
● A threat profile consists of three main areas
– Identify the threats
– Investigate and analyzing the threats
– Mitigate the vulnerabilities caused by the threats
● Includes
– Non mitigated threats
– Partially mitigated threats
– Fully mitigated threats
Threat modeling

The objectives and the purpose

– Understand the threat profile of the system of interest
– Discover vulnerabilities
– Provide a basis for secure design and implementation
– Provide basis for penetration testing

View a system from an adversary point of view

Threat modeling

● Identifes and investigates potential threats and vulnerabilities

● Defines the security of an application/system/network
● Results in
– finding architecture bugs
– fewer vulnerabilities
– a set of documents used for security specifications and security
testing
Dynamic nature of security
● Attack side (vulnerability, attack, attack vector) is constantly changing
– new vulnerabilities are discovered, attacker motivations change, new threats
arise, and new attacks are created
● Defense side (objectives, metrics, sec. controls) is constantly changing
– security controls are improved, and new types of security controls developed
– re-assess and evaluate defenses
• adopting continuous monitoring practices
• new security automation technologies
• threat intelligence to detect new vulnerabilities and attack attempts
– security metrics (quantitative/qualitative)
● General “best practices” for security is insufficient for safeguarding high value data
– do not take into account the unique characteristics of each system
– do not take into account the security needs for particular data
– may omit security controls that are necessary to effectively reduce risk
The attack side
● Vulnerability - any weakness that can be violated in order to exploit a system.
Types of vulnerabilities include the following
– Vulnerabilities in networks
– A software flaws vulnerability
– A security configuration issue vulnerability
● Attack (Exploit) - Exploit of a vulnerability to violate security objectives, such as
confidentiality, integrity, and availability
● Attack vector – is a pathway that an attacker uses to exploit a vulnerability.
– Malicious web page content (a content) downloaded from a web site (a source)
by a vulnerable web browser (a processor);
– A malicious email attachment (a content) downloaded from an email server (a
source) to a vulnerable email client (a processor);
– Stolen user credentials (a content) typed in by an attacker (a source) to a web
interface for an enterprise authentication system (a processor);
The Defense Side
● Security objectives - provide confidentiality, integrity, and availability.
– relate to the risk management and security controls
● Risk management includes risk assessment and mitigation
– Risk
• a measure of the extent to which an entity is threatened by a potential
circumstance or event
• A function of the adverse impacts that arise if a circumstance or event
occurs, and the likelihood of occurence
● Security controls protect the confidentiality, integrity, and availability of the
system and its information
Threat modeling forms

● Software threat modeling

● System threat modeling
● Data-centric threat modeling
Identify and Characterize the System and
Data of Interest
● Type of data on a particular device/small group of devices
● Once the system and data are defined, they need to be characterized
– What are the security objectives for the data
– The people and processes authorized to access the data
– Understanding of how the data moves within the system between authorized
locations
– The authorized locations for the data within the system
• Storage
• Transmission
• Execution environment
• Input and Output
Characterize the System

● Gather background information about the system

● There are five categories of background information:
– Use Scenarios
– External Dependencies
– External Security Notes
– Internal Security Notes
– Implementation Assumptions
Three steps of the threat modeling process

Step 1: Decompose the System/Application

Step 2: Determine, Analyse and Rank threats
– Critical to the identification of threats is using a threat
categorization methodology.
• the attacker perspective (STRIDE) and
• the defense perspective (ASF)
Step 3: Determine countermeasures and mitigation
Threat Model Information
The first item in the threat model is the information relating to the
threat model. This must include the following:

– Application Name
– Application Version
– Description
– Document Owner
– Participants
– Reviewer
Identify the Entry/Exit Points

● Entry/exit points are the places where data enters or exits the application.
● The following data should be identified and collected
– Numerical ID
– Name
– Description
– Trust Levels
Identify the Assets

● An adversary’s goal is to gain access to an asset

● The overall value of asset can comprise following
– security value of an asset
– financial value
– impact on organization in case an asset is compromised

Assets can interact with other assets, and, because of this, they can act
as a pass-through point for an adversary
Assets

● Assets are threat targets

– Can be both physical assets and abstract assets
• ID
• Name
• Description
• Trust Levels
Information assets
● All information assets may have value to an attacker, depending on their
motivation.
– “information assets”
• health records, credit card payment information, account and
financial information, state secrets, ICS (energy, transport)
● Identify information assets that may be of interest to different attackers
The value of information may not lie only in how an organization uses the
information, but how an attacker could use that information
External Dependencies

● External dependencies define the system’s dependence on outside resources

– how the application will be deployed in a production environment, and what are
the requirements
● When defining external dependencies, the following data should be collected:
– Numerical ID
– Description
– External security note reference. Some examples are
• the college library website will run on a Linux server running Apache. The
server will be hardened in accordance with the college’s hardening standard,
which also includes patches.
• The database server will be MySQL and it will run on a Linux server.
Trust levels
● Trust levels represent the access rights that the application will grant to
external entities
● The trust levels are cross referenced with the entry points and assets
● Trust levels can be documented in the threat model as follows
– ID
– Name
– Description
Use Scenarios
● Use scenarios
– also called use cases or misuse/abuse cases
– describe how the system will be used or not used
– help limit the scope of analysis and validate the threat model
– can be used by the testing team to conduct security testing and identify
attack paths
– identified by the architect and end users
● The following data should be collected
– Numerical ID
– Description
Implementation Assumptions

● Implementation assumptions
– created during the design phase
– contain details of features that will be developed later
● The following data should be collected
– Numerical ID
– Description
Modeling using Data Flow Diagrams (DFDs)
Look at the application through an adversary’s eyes. DFDs can be used to
model the system but also threats. DFDs focus on data and how it flows
through the system.
• The process shape represents a task that handles data within the application.
The task may process the data or perform an action based on the data.
• The multiple process shape is used to present a collection of subprocesses. The
multiple process can be broken down into its subprocesses in another DFD
• External entity - is used to represent any entity outside the application
• Data store shape is used to represent locations where data is stored.
• Data flow - represents data movement within the application
• The privilege boundary shape is used to represent the change of privilege
levels as the data flows through the application
User Login DFD for the College Library Website

Source: Swiderski, Snyder. Threat modelling, 2004

Threat categorization
● The Application Security Framework (ASF) defines threat categories as
– Auditing & Logging,
– Authentication,
– Authorization,
– Configuration Management,
– Data Protection in Storage and Transit,
– Data Validation,
– Exception Management.

Use and abuse cases can illustrate how existing protective measures could be
bypassed, or where a lack of such protection exists
Identify threats
● Identifying threats consists of
– analyzing each entry/exit point,
– determining what critical security processing occurs at the entry/exit point
– how it might be attacked
● To identify threats or goals, ask the following questions:
– How can the adversary use or manipulate the asset to
• Modify or control the system
• Retrieve and manipulate information within the system
• Cause the system to fail or become unusable
• Gain additional rights
– Can the adversary access the asset
• Without being audited
• And skip any access control checks
• And appear to be another user
Determine threats using STRIDE
● DFD is used to determine what data is supplied to a node and the goals
the adversary has for the application.
● The goals are then used within the DFD to determine
– the threat paths,
– locate the entry/exit points and
– follow the data through the system.
● The threat path is the sequence of any process nodes that perform
security-critical processing.
● All areas where there is change or action on behalf of the data, are
susceptible to threats
See the table on the next slide
Determine threats using STRIDE

Source: Swiderski, Snyder. Threat modelling, 2004

Abuse/Misuse cases
Generic Risk Model

Risk = Probability (Likelihood) x Consequence (Impact)

● Probability is defined by the ease of exploitation and by the

possibility to realize a threat
● The impact depends on the damage potentially caused by a
threat.
Threat rating using DREAD model
● DREAD – Damage, Reproducibility, Exploitability, Affected
users, Discoverability
● Threat modeling team calculates security risks as an average of
numeric values assigned to each of five categories
● Use a scale of 1-10 to rate each category
● Add the rating of each category and divide the total by five
● The result can be divided into three sections
– High
– Medium
– Low
Example
Threat: Malicious user views confidential information of the
university website.
– Damage potential: Threat to reputation as well as financial
and legal liability:8
– Reproducibility: Fully reproducible:10
– Exploitability: Require to be on the same subnet or have
compromised a router:7
– Affected users: Affects all users:10
– Discoverability: Can be found out easily:10
Overall DREAD score: (8+10+7+10+10) / 5 = 9
Countermeasure identification

● The purpose is to determine if there is some kind of protective

measure (e.g. security control) in place
● If identified threats are structured (for ex. categorized with
STRIDE or ASF), it is possible to find appropriate
countermeasures within the given category.
Vulnerability resolution and Mitigation

● Unresolved threat = vulnerability

– A vulnerability is present when a threat exists and the steps to
mitigate it have not been implemented
● To reduce the risk caused by threats
– analyze the conditions of each threat to assign a risk level, and
– identify a mitigation strategy to each condition
● Threat tree can be used to identify attack paths, routes from a
condition to a threat
Threat document

● The threats, threat or attack trees, vulnerabilities and mitigations

are compiled into a threat or attack modeling document that
describes the threat profile of the system
● The threat modeling document can be used in the design process
as a security design specification and in the testing process to
identify the vulnerable areas of the system
References

● Steven F Burns. Threat Modeling: A Process To Ensure

Application Security,2005
● Murugiah Souppaya, Karen Scarfone. Guide to Data-Centric
System Threat Modeling, Draft NIST SP 800-154, March
2016
● NIST SP 800-30
● Swiderski, Snyder. Threat modelling, 2004
 Questions?

Questions can be asked in Supervision forum and

during the zoom sessions