Present-day information and communication systems face a variety of cybersecurity threats. The number of these threats is increasing as technologies change.
The cost of malware attacks which exploit hardware and software vulnerabilities, reached $5.5bn in 2022, breaking the downward trend that started in 2019.
Additionally, expenses for losses caused by cybercrime in 2023 reached $8.15bn and are expected to reach $13.82bn by 2028.
Cybersecurity threats come from both outside and inside organizations and have devastating consequences. Attacks can altogether disable a system or lead to the leakage of confidential information, reducing consumer confidence in the system provider.
To prevent threats from being successfully implemented, teams can use different methods and tools to model them.
Threat modeling definition
Threat modeling imitates real cyber threats to analyze system reactions to them.
The main goal of threat modeling is to assess the risks of cyber attacks and take measures to prevent them.
Network security threat modeling occurs at the planning phase of a system or network to detect potential problems in the early stages. If implemented in the right way, threat modeling can prevent significant costs to organizations, in the event of malicious attacks, and strengthen the security of a software system.
To get the most out of the threat modeling process, companies should run it on a regular basis. It is especially important to model threats after significant changes in a network’s architecture.
By adhering to the principle of regularity in threat modeling, companies reduce network vulnerabilities and become more resistant to cyber-attacks.
Essential components of threat modeling
According to ISO, there are seven key elements of threat modeling. They are:
Owners — individuals or entities responsible for specific assets within a network. They are accountable for asset security and protection.
Countermeasures — security measures implemented to mitigate identified threats and vulnerabilities. Countermeasures aim to prevent or minimize the potential impact of attacks.
Vulnerabilities — weaknesses or flaws in a system that attackers can exploit. These can exist in software, hardware, or configurations and pose a risk to the system’s security.
Risk — potential harm that may result from exploiting vulnerabilities. It is calculated based on the likelihood of an attack occurring and its impact on the organization if successful.
Assets — valuable elements within a system, such as data, applications, hardware, or intellectual property. It is crucial to identify and classify assets to understand what needs to be protected.
Threats — potential dangers or harmful events that can exploit vulnerabilities and compromise assets.
Threat agents — individuals or entities that carry out attacks. They exploit vulnerabilities to compromise assets. Understanding threat agents helps in predicting potential attack scenarios.
Seven steps to implement network security threat modeling
Consistency and a systematic approach are the basis for successful implementation of threat modeling. Of course, each project is unique. However, there is a generally accepted algorithm that will help you follow threat modeling methodology without chaotic and thoughtless actions.
Here are the steps to follow:
1. Define scope
Specify network segments, applications, and services to be analyzed.
Network segments
- Internal networks: internal LANs, VLANs, and intranets
- DMZ (demilitarized zone): servers accessible from the internet
- Partner networks: networks shared with business partners
- Remote access networks: VPNs and other remote access points
Applications
- Web-based applications, including APIs and web services
- Databases that store sensitive information
- Email servers and services
- Collaboration platforms, including document-sharing and messaging apps
Services
- DNS (Domain Name System)
- DHCP (Dynamic Host Configuration Protocol)
- NTP (Network Time Protocol)
- File sharing services
2. Identify assets
List all network assets, such as servers, databases, routers, and sensitive data repositories. Understand the value of each asset and its importance to the network’s operations.
To simplify asset identification:
- Create a comprehensive inventory of all network assets
- Categorize assets as critical, important, or non-critical
- Classify data stored or processed by assets ( this might be customer data, financial data, intellectual property, etc.)
- Map the relationships between assets
- Analyze dependencies between assets
- Identify asset vulnerabilities and misconfigurations that could be exploited
- Review access controls for each asset
- Create detailed documentation for each asset
Need help in identifying your security assets? Hire experienced cybersecurity experts
3. Enumerate threats
List external and internal threats specific to network security. Enumerate threat agents that could be responsible for network attacks.
External threats
- Malware — viruses, trojans, and ransomware
- Phishing attacks — deceptive emails or websites
- DoS (Denial of Service) attacks — overwhelming a network’s resources
- DDoS (Distributed Denial of Service) attacks — similar to DoS, but coordinated from multiple sources
- MitM (Man-in-the-middle) attacks — altered communication between two parties
- Password attacks — unauthorized access through brute force or credential stuffing
- DNS spoofing — redirecting users to malicious sites
Internal threats
- Insider threats — actions from employees or contractors within the organization
- Data theft — unauthorized access to sensitive data for personal gain or espionage
- Social engineering — tricking employees into divulging confidential information
- Misconfigured access controls — accessing data or systems beyond employees’ roles
- BYOD risks — threats from employees using personal devices on the corporate network
Threat agents
- Threat agents
- Hacktivists
- Cybercriminals
- State-sponsored actors
- Insiders
- Amateur hackers
- Competitors
- Terrorist groups
- Disgruntled employees
- Ethical hackers
- Automated bots
4. Assess vulnerability
At this step of threat modeling, it is necessary to evaluate software flaws, misconfigurations, weak authentication mechanisms, and inadequate encryption protocols. You should assess both known vulnerabilities and potential zero-day vulnerabilities.
We recommend using manual and automated inspection to get a full picture of potential network threats.
For automated scanning, you can use tools like Nessus, OpenVAS, or Qualys.
For manual checks, utilize code reviews, configuration checks, and physical security inspections.
5. Assess risk
This is when the threat modeling will help you understand the quantitative impact of potential data breaches.
As a part of risk assessment, you can calculate:
- Operational impact, which defines costs associated with downtime and recovery efforts
- Reputational impact, which estimates the costs of lost customers, decreased sales, and PR efforts to rebuild trust
- Legal impact, which considers fines, lawsuits, and settlements
We recommend assigning impact levels to the defined risks to prioritize their elimination:
- High impact — if the successful attack would cause severe financial, operational, reputational, or legal damage
- Medium impact — if the consequences are significant but manageable
- Low impact — if the impact is minor and easily recoverable
6. Countermeasure selection
Choose appropriate security controls and countermeasures to mitigate the identified risks. Here is what you can do:
- Patch and update operating systems, applications, and firmware to address known vulnerabilities
- Follow the principle of least privilege, ensuring users have the minimum access required to perform their tasks.
- Segment the network into zones based on security requirements
- Deploy firewalls to monitor and control incoming and outgoing network traffic.
- Use intrusion detection and prevention systems to identify potential threats in real-time
- Encrypt sensitive data at rest and in transit
- Develop a robust incident response plan
- Backup data and test the recovery process
- Ensure the security practices of third-party vendors meet your organization’s security standards
- Implement device encryption, remote wipe capabilities, and application restrictions
7. Document the threat modeling process
Document the entire threat modeling process, including identified assets, threats, vulnerabilities, risk assessments, chosen countermeasures, and action plans.
This documentation will serve as a reference for future security initiatives. It will help teams to monitor progress and make informed decisions.
It is essential to update the threat modeling documentation as the network evolves and new threats emerge.
Common threat modeling methodologies
Several threat modeling methodologies are widely used in the field of cybersecurity. Here are the most common ones:
STRIDE
STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The STRIDE model categorizes security threats based on these six categories.
STRIDE threat model example: web application authentication process
Spoofing: An attacker attempts to impersonate a legitimate user by using stolen credentials.
Tampering: An attacker modifies user information during authentication to gain elevated privileges.
Repudiation: An attacker exploits vulnerabilities to perform unauthorized actions, such as changing account settings, and then denies involvement when questioned.
Information disclosure: A security flaw enables unauthorized access to sensitive user data, including email addresses and financial information.
Denial of service: A DDoS floods the web server, crashes the app, and makes it inaccessible to legitimate users.
Elevation of privilege: User exploits vulnerability to gain unauthorized access to administrative actions.
Countermeasures:
Spoofing: Implement strong user authentication mechanisms to verify users’ identities.
Tampering: Implement input validation and output encoding to prevent data manipulation within the app.
Repudiation: Implement comprehensive logging and auditing mechanisms to track user activities.
Information disclosure: Employ access controls to restrict users from accessing unauthorized data.
Denial of service: Utilize firewalls and intrusion detection systems to detect and block DDoS attacks.
Elevation of privilege: Practice the principle of least privilege, ensuring users have the minimum necessary access rights.
DREAD
DREAD stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. The DREAD threat model helps prioritize threats by assigning scores to the mentioned categories.
DREAD threat model example: network file sharing application
Damage potential: If a malicious user gains access to critical business documents, it could lead to financial loss (high potential damage)
Reproducibility: If the vulnerability is well-known, it can be exploited using easily available tools (high reproducibility)
Exploitability: If the network application has a known vulnerability for which public exploit code exists, it becomes an attractive target for attackers (high exploitability)
Affected users: The vulnerability could potentially impact the entire user base (high affectability)
Discoverability: If the vulnerability is easily discoverable through network scanning or publicly available information, it is more likely to be exploited (high discoverability)
Countermeasures:
Damage potential: Encrypt sensitive files, set up access controls, and implement user authentication.
Reproducibility: Regularly update the network application, perform penetration testing, and run code reviews.
Exploitability: Implement intrusion detection and prevention systems, educate users about phishing and social engineering attacks.
Affected users: Segregate user roles and permissions based on their responsibilities within the app.
Discoverability: Regularly scan the network for vulnerabilities using automated tools.
Not sure which threat model to choose? Ask cybersecurity specialists
PASTA
PASTA stands for Process for Attack Simulation and Threat Analysis. It is a method that helps teams figure out which threats they need to focus on. PASTA identifies business needs and matches them with the technical requirements. There are seven steps in PASTA:
PASTA threat model example: Internet of Things (IoT) smart home system
Understanding business objectives: The smart home system aims to provide homeowners with automated control over lights, thermostats, and security cameras. The system must ensure user privacy, comply with data protection laws, and offer seamless integration with IoT devices.
Asset profiling: Assets include IoT devices (smart thermostats, cameras, door locks), user data (personal preferences, usage patterns), and the central control server.
Threat analysis: Threats include IoT device vulnerabilities (lack of secure firmware updates), eavesdropping attacks, physical attacks on devices, and home network attacks.
Attack modeling: An attacker exploits an unpatched vulnerability in a smart thermostat’s firmware, gaining unauthorized control over the home’s heating system. Another attacker intercepts unencrypted communication between the central server and IoT devices, capturing sensitive user data. A physical attacker gains access to a vulnerable smart lock through tampering and physically breaking into the home.
Risk assessment: The IoT device vulnerability has a moderate likelihood but would have a high impact if exploited, as it could lead to unauthorized control over critical home systems. Eavesdropping attacks have a moderate likelihood and impact as they compromise user privacy. Physical attacks have a lower likelihood but pose significant risks if successful, as they compromise the home’s physical security.
Mitigation: Countermeasures include firmware updates for IoT devices, end-to-end encryption for communication, intrusion detection systems to detect unauthorized physical access, and user education on securing their home network and devices.
Validation: Conduct penetration tests on IoT devices, update security protocols, and monitor user accounts and device activities for suspicious behavior.
Trike
Trike is a threat modeling methodology that integrates various threat modeling approaches. It stands for Threat, Requirements, Intelligence, Knowledge, and Estimation.
Trike threat model example: cloud-based document management system
Defining the system: The system is a web application hosted on a cloud server. Users can upload, share, and edit documents. It integrates with various third-party services for authentication and storage.
Identifying assets: Assets include user accounts, sensitive documents, authentication tokens, database records, and system configurations.
Choosing methodologies: Use STRIDE to identify spoofing (fake authentication tokens), tampering (modifying documents in transit), and information disclosure (unauthorized access to documents). Apply PASTA to analyze the attack scenarios, such as phishing attacks to steal user credentials or DDoS attacks to disrupt service availability.
Analyzing threat scenario: An attacker exploits a vulnerability (tampering) to inject malicious code into a document. This compromises user systems upon document download.
Mitigating threats: Follow secure SDLC, encrypt documents at rest and in transit, implement strong authentication, and employ DDoS protection services.
Validating and iterating: Conduct penetration testing to validate security controls. If new features or vulnerabilities are discovered, iterate the Trike threat modeling.
Attack trees
Attack trees are graphical representations depicting the possible routes to attacks within a system. The Attack trees threat model visualizes and analyzes potential attack scenarios in a systematic and hierarchical way.
Attack trees threat model example: exploiting a vulnerability to deface a website
Root node: website defacement
Sub-goals:
Find vulnerability
- Attack method 1: Scan for known vulnerabilities (e.g., outdated CMS versions)
- Attack method 2: SQL injection testing
Gain unauthorized access
- Attack method 1: Brute force login for admin panel
- Attack method 2: Exploit weak passwords of admins
Deface website
- Attack method: Upload Malicious Script to Modify Web Pages
Attack tree visualization:
Mitigation strategies:
- Security patching: Regularly update the app and its components
- Robust authentication: Enforce password policies and MFA
- Input validation: Implement strict input validation to prevent SQL injection
- File upload security: Restrict allowed file types and store uploaded files in a secure location
- Validation: Conduct security audits, incident response drills, and user training sessions.
Implementing threat modeling with Erbis
Threat modeling is an effective technique in cybersecurity. It allows you to identify application vulnerabilities and create an effective plan to prevent attacks.
Threat modeling is an integral part of threat intelligence, which means that all stakeholders know potential attacks and take measures to mitigate them.
At Erbis, we have deep expertise in threat intelligence and threat modeling. We help startups and enterprises create secure software products resistant to malicious intrusions and hacker attacks.
If you are looking for a reliable technology partner to create a security application from scratch or conduct a security audit of an existing product, contact us. We’ll be happy to help.
FAQ
How often should I conduct threat modeling for my network?
The frequency of conducting threat modeling for your network depends on its complexity and the evolving threat landscape. As a general guideline, it’s recommended to perform threat modeling regularly, such as annually or whenever there are significant changes in your network infrastructure, applications, or security requirements.
Is it possible to automate threat modeling, and if so, how?
Yes, it is possible to automate threat modeling to a certain extent. Automated tools can assist in identifying common vulnerabilities, analyzing configurations, and generating basic threat models. However, human expertise is crucial for in-depth analysis, understanding unique business contexts, and addressing complex security scenarios that automated tools might miss.
How much time does threat modeling take?
The time required for threat modeling depends on the complexity of the system being analyzed and the depth of the analysis. It can range from a few days for smaller applications to several weeks for large, intricate systems.
