What Is Threat Modeling and How Does It Work?
Do you want attacks to stop being a surprise to you? Moreover, do you want your level of protection to be a surprise to attackers? This is what threat modeling is for: an effective way to protect systems, applications, networks, and services. It is a design method that identifies potential threats and makes recommendations to help mitigate risks and ensure security objectives are met early in development.
What is threat modeling?
An information security threat model describes the existing information security threats, their relevance, feasibility, and consequences. An adequate threat model identifies the current threats and supports the development of effective countermeasures, thereby raising the level of information security and optimizing protection costs by focusing them on current threats. This is the most useful definition of threat modeling.
Why do you need threat modeling?
One of the critical problems in ensuring the security of information systems in an organization is a lack of understanding on the part of management. Suppose regulations require the protection of information in a particular information system. In that case, the system owner strives to comply with the regulatory requirements at minimal cost, unless the information security department explains that it is in the owner’s own interest to do much more.
Unfortunately, the arguments familiar to information security specialists, such as “a hacker can break into the system and distort information,” do not tell the system owner what losses such an incident may cause, or whether the proposed costs of protecting against it are justified.
To solve this problem, the methodology suggests starting the threat modeling process by identifying the negative consequences that would seriously concern the organization’s management. This does not mean that the information security specialist must determine on their own what precisely management cares about:
- many industrial enterprises develop industrial safety declarations, which indicate the dangerous consequences of a possible violation of technological processes
- many large enterprises have divisions that assess and monitor operational risks, and internal control systems for operational activities have been introduced
- in almost any enterprise, it is enough to talk to the heads of functional departments to get an idea of what disruptions in the work of the IT infrastructure can seriously interfere with their activities
It is essential to understand that defining negative consequences is not yet threat modeling but only a prelude to it. At this stage, it is not necessary to assess whether any of the named consequences can occur at all. The aim is only to determine the fears of the functional units that relate to information resources and the IT infrastructure.
Examples of negative consequences that actually motivate department heads to take security issues seriously include:
- for a large organization: a one-time theft of significant funds
- for an industrial enterprise: export of finished products without registration of accounting documents, a stoppage of production processes for more than a day
- for medical institutions: distortion of reports on activities related to the circulation of prescription drugs, the inability of the on-duty hospital to provide specialized medical care, leakage of data from special registers
- for the authorities: the inability to deliver public services in electronic form for a long time, the leakage of data from special records (for example, the register of HIV-infected residents of the municipality)
Advantages of threat modeling
After the objects of impact and the sources of the corresponding threats are identified, it is necessary to assess whether the considered source of threats can realize a threat leading to such consequences. The methodology makes the concept of an “information security threat” concrete: a threat is the potential or actual possibility of the specified negative consequences occurring as a result of one of the identified negative impacts on one of the specified objects of impact. In the example of an enterprise management information system, the threats leading to the theft of funds would be:
- generation of a false order to transfer funds by obtaining unauthorized access to the exchange folder with the rights of a domain administrator, a local administrator, or the technology account of the payment module
- formation of a false payroll in the accounting module by obtaining unauthorized access to the DBMS of the enterprise management system, etc.
A threat is recognized as possible if an intruder is identified whose goals correspond to the negative consequences of the threat’s realization and whose capabilities allow them to perform the corresponding impact. At this stage, the question of how the intruder would reach the object of impact is not considered.
If the threat is recognized as possible, it remains to assess whether the selected intruder can practically realize it by considering possible scenarios. A scenario is a sequence of tactics and techniques of the intruder’s actions through which, from some initial state, they could obtain the capabilities necessary to realize the threat. In practice, this means assessing whether an intruder starting from the given conditions can “pass through” the organization’s IT infrastructure and gain a practical opportunity to realize the threat.
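To make the two-stage assessment concrete, here is an added Python example (not code from the article or from Bliscore) that encodes the enterprise management system case: first whether a threat is possible for a given intruder, then whether that intruder can realize it through a scenario. The access states, capability levels, and the step graph are constructed assumptions, not data from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Intruder:
    goals: frozenset        # negative consequences this intruder seeks
    capability: int         # 1 = low, 2 = medium, 3 = high (assumed scale)
    start: str              # initial access state (starting conditions)

@dataclass(frozen=True)
class Threat:
    consequence: str        # negative consequence for the system owner
    target: str             # object of impact
    required_access: str    # access state needed to realize the threat
    min_capability: int     # capability the impact itself requires

# Constructed scenario steps (assumption): (from_state, to_state, capability needed)
STEPS = [
    ("user workstation", "local admin", 2),
    ("local admin", "domain admin", 3),
    ("local admin", "exchange folder", 1),     # local admin rights suffice
    ("domain admin", "exchange folder", 1),
    ("domain admin", "dbms", 2),               # DBMS of the management system
]

def is_possible(threat, intruder):
    """Stage 1: goals match the consequence and capability suffices.
    How the intruder reaches the object of impact is not considered here."""
    return (threat.consequence in intruder.goals
            and intruder.capability >= threat.min_capability)

def reachable(start, capability, steps=STEPS):
    """Stage 2 helper: every access state reachable from the starting
    conditions using only steps within the intruder's capability."""
    seen, frontier = {start}, [start]
    while frontier:
        state = frontier.pop()
        for src, dst, need in steps:
            if src == state and need <= capability and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen

def assess(threat, intruder, steps=STEPS):
    """Verdict: 'impossible', 'possible but not realisable' (no scenario
    leads to the required access) or 'realisable'."""
    if not is_possible(threat, intruder):
        return "impossible"
    if threat.required_access in reachable(intruder.start, intruder.capability, steps):
        return "realisable"
    return "possible but not realisable"
```

Removing a step from STEPS models a protective measure (for example, denying local administrators access to the exchange folder) and shows whether a threat that was realisable becomes merely possible.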
Threat modeling: steps to make
The procedure for building an information security threat model consists of several successive steps:
- Identification of sources of threats
- Identification of critical objects of the information system
- Definition of a list of threats for each critical object
- Identification of ways to implement threats
- Assessment of material damage and other consequences of the possible implementation of threats
Threat models are based on constantly changing data and therefore must be regularly reviewed and updated.
Practice shows that today there is no alternative to threat modeling. Analysis of publicly known incidents and of testing results shows that the problem is not even that the IT infrastructure of organizations, as a rule, lacks the range of protection measures needed to counter attackers of medium ability. The most severe problem in countering computer attacks is that even the typical actions of an attacker, using well-known techniques and freely available tools, often come as a surprise to the defending side. Information security departments are often unaware of such practices and unable to recognize their use or counteract them effectively, even in cases where they manage to detect an attack.
When building threat models, Bliscore specialists use catalogs and lists of threats contained in official information security standards and methodological documents, as well as lists of threats identified during the audit of the customer’s information system.