The Origins of Threat Modeling
Cyberattack has Become a New Form of Warfare and It Must Be Treated as One
“It is only one who is thoroughly acquainted with the evils of war that can thoroughly understand the profitable way of carrying it on.”
Sun Tzu, Art of War
Threat modeling is now closely associated with cybersecurity and the most efficient security posture for an organization or application. However, the approach is not new and it takes its roots from the art of warfare, both ancient and modern.
In this article we will dive deeper into what the cybersecurity threat modeling was derived from and what principles lay at its foundation, making the methodology one of the most effective ways of combating modern cyber threats. We will explore the threat modeling origins, why military chooses the strategy, and how cybersecurity benefits from adopting it.
Historical Usage of Threat Modeling
Cyber warfare is rapidly becoming a new battlefield. Cyberattacks require least effort and minimal human force, and can be anonymously conducted from any part of the world. Yet, cyberattacks can be absolutely devasting to human lives, businesses, government operations, and infrastructures. They now target not only large organizations and nation states, the focus has shifted to Small to Medium Businesses and individuals leaving no one safe from this new reality of warfare amid digitalization of the world.
Historically, military used threat modeling in physical warfare for centuries. We started this article with the famous quote from Sun Tzu’s work – Art of War. Developed in the 5th century BC, this Chinese military treatise is still very relevant and can be applied to application and organizational threat modeling with the goal of imagining attack scenarios from possible adversaries. Military has long adopted proactive methods of combatting threats over reactive measures. Landing from the military origins, VerSprite developed threat modeling methodology, PASTA (Process for Attack Simulation & Threat Analysis), as the discipline behind threat analysis.
For decades, the US military has leveraged threat modeling to obtain improved insights into how the enemy could adversely affect US interests or military forces. This analysis encompasses the examination of enemy’s motives, capabilities, and likely attack scenarios as part of an overall objective of defending against as many viable attack scenarios as possible. Similarly, application and organizational threat modeling extends the capabilities and resources of security professionals, who can now better dissect and understand attacks, correlating the intelligence across multiple application and environmental vulnerabilities. Mapping correlated vulnerabilities and exploits to possible misuse cases through threat modeling allows for creating effective countermeasures within the given environment.
In Sun Tzu’s quotation, the phrase “profitable way of carrying it on” noticeably stands out. The profit, or gain, of war lies in the avoidance of risks that could have had a crucial impact. Threat modeling allows the “evils of war” to be better recognized using thought-out simulations, and it increases the state of readiness and preparedness for possible attacks.
Threat Modeling at the Department of Defense
Several divisions within the US Department of Defense have effectively applied threat modeling techniques to identify war’s collateral risks such as casualties, illnesses, and adverse economic and environmental effects. For example, US Army and NASA have used Ballistic Missile Threat modeling for over 50 years. The DoD used threat modeling to build a stronger missile defense system by identifying threats that were able to permeate US defenses.
In the US military, threat modeling is referred to as operational design which aims to assist in understanding of complex environments, nature of problems, as well as helping to develop approaches to problems and achieve the set goals. Operational design framework is the proverbial glasses you wear to approach security issue and the intelligence around it. Following the operational design, cyber threat intelligence is split into strategic intelligence (such as type of threats, motivation and capability, and potential impacts), operational intelligence (technical direction of threat actors, tactics, techniques, and procedures, resource allocation and task prioritization), and tactical intelligence (adversary action inside your systems, indicator of compromise, and real-time monitoring of systems). The framework further breaks it down into Data, Information, Knowledge, and Wisdom (DIKW) model, which reveals patterns, principles, and direction of threats and threat actors.
Operational design and ballistic threat modeling paved the way to application and organizational threat modeling, which also revolves around the necessity for good intelligence. Information surrounding application vulnerabilities and attack patterns provides two key areas of intelligence for building a strong application threat model. Missile defense teams leverage the gathered intelligence to refine their internal missile defense capabilities. These efforts are synonymous to the attack/exploit research in today’s application security. Acquired intelligence is correlated to one of many vulnerabilities or defects by software systems that could be potential targets.
Continuous Assessment of Internal Capabilities and External Threats
The military applies threat modeling as an on-going process aimed at assessing both internal capabilities and external threats. The unique characteristic of the military threat modeling process is that data research, review, and reporting are incorporated into many job duties, particularly in defense areas where threats are more probable. Nearly all personnel are required to report threat data, regardless of job function. This provides current status updates on physical and logical infrastructures capabilities, integral to offensive and defensive strategies.
In contrast to this military approach to security, majority of companies and organizations still opt to assigning accountability to segregated security groups. As a result, security groups are predestined to assume adversarial roles when interfacing with business groups. This creates a gap in communication and prevents effective assessments and continuous security process.
PASTA threat methodology takes the military tactic of continuous assessment into consideration when approaching threat modeling for an application or an organization as a whole. The roles of departments and everyone involved in development are clearly distributed with the RACI model (Responsible – Accountable – Consulted – Informed, learn more here), which allows for clear communication and timely contribution of current updates and information. This, similarly to the military strategy, reduces the viability of vulnerabilities and threats, giving structure to the communication between a security team, an IT department, and business operations.
Another key element of the military threat modeling that cybersecurity must adopt (and which PASTA methodology incorporates) is looking outward to adversaries to understand their capabilities, vulnerabilities, and potential interests. Reconnaissance exercises within the military follow several degrees of complexity and sensitivity to time, risk, and available resources. Threat models must account for various critical factors such as enemy’s attack motives, capabilities, vulnerabilities or flaws, and amount of information. The complexity of threat modeling lies in expedient analysis and process development. In the ballistic threat modeling, for example, the process must allow intelligence gathering to feed missile defense designers in a sufficient time frame so that they can defend against future threat scenarios.
While the stakes are not as high in cybersecurity, the ability to obtain highly reliable, recent data will better equip threat models to convey probable threats and impacts with greater accuracy, while the ensuing security requirements serve as guidance for the development of countermeasures that reduce risk scenarios revealed by the threat model.
Let’s take a closer look at the reconnaissance. Espionage requires covert operations behind opposing lines and ability to perpetrate enemy actors. Finding good, reliable information often takes extreme conditions and efforts. Within the military, reconnaissance carries its share of risks: jeopardizing mission objectives, involved resources, and even compromising sensitive information. In application threat modeling, reliable information is also vital. Although the risks are much less extensive, reliable information is also vital in application threat modeling. External information sources may include application vulnerabilities, as well as a thorough attack library containing current and past exploits that could be used in the form of an attack.
An attack library, a fundamental part of the PASTA threat modeling, encompasses the exploit or series of exploits that are necessary for the attack to be successful. These information sources drive the robust application threat model, similar to how missile defense designers rely on good intelligence for developing a successful ballistic threat model. Both models depict realistic threat scenarios that a defense system should be prepared to defend. Threat model’s advantage is in its flexibility as it is an ever-changing process that requires updating. Just as in real world, in cybersecurity threats and threat actors evolve continuously. Military strategies in 21st century greatly differ from those five hundred years ago, cybersecurity needs to adopt evolving approaches over static frameworks.
Developing Countermeasures Based on Threat Modeling
Countermeasure design must be:
- Based upon both historical and new data
- Flexible to encompass changes in design
To ensure a good defense system, for example, in ballistic missile defense, designers must address static and dynamic criteria of the threat that are likely to change (behavior of missile, projectile path, etc.) and those that are not (i.e. – size of missile). Similarly, in application threat modeling, there are threat elements that are more consistent in nature as well as those that are more variable. Application threat modeling users need to ensure that changes in a threat model, previously used to create adequate application-level countermeasures, are regularly updated so both the model and the countermeasures used are commensurate to the threat.
Why is it important to evolve countermeasures?
Let’s consider the following example. In 2007, a decade-old boot-sector virus, named Stoned. Angelina, infected many Vista machines being sold at retail stores. The machines were equipped with A/V solutions; however, the signature sets that were loaded onto the machines did not include defense against the classic virus because it was not perceived to be a threat.
Designing good countermeasures in software applications is one of the key differentiators of application threat modeling over other traditional security efforts (which may only address a portion of the overall threat and associated risks).
Attacks against applications are influenced by environmental factors and driven by motives. Socio-economic and geopolitical conditions may provide a ripe time for attacks against the application environment to yield either greater results or improved probabilities for success. Assessing these factors in conjunction with technical threat analysis within any given threat model provides greater readiness levels on behalf of the defending application owners.
Threat modeling lies at the core of VerSprite cybersecurity principles. We focus on emulating realistic attack patterns and threat motives through risk-centric threat modeling methodology, PASTA (Process for Attack Simulation and Threat Analysis), co-developed by VerSprite CEO and Founder Tony UcedaVelez. The PASTA threat modeling tests the resilience of the business from all angles while taking into account security risks as well as business objectives.
Contributors: Daniel Stiegman (Threat Intelligence Managing Consultant), Tony UV (CEO and Founder of VerSprite)
For more information on how threat modeling can be integrated into your application’s lifecycle or organizational operations in general, contact us.