The Origins of Threat Modeling

Cyberattack has Become a New Form of Warfare and It Must Be Treated as One

“It is only one who is thoroughly acquainted with the evils of war that can thoroughly understand the profitable way of carrying it on.”

Sun Tzu, Art of War

Threat modeling is now closely associated with cybersecurity and the most efficient security posture for an organization or application. In this article, we dive into threat modeling methodology.

In an era where digital threats are increasing at an alarming rate, organizations must understand these threats to implement effective security measures. This guide delves into the process of threat modeling, risk assessment, countermeasures, and strategies for mitigation.

Additionally, we will discuss various tools for threat modeling that aid organizations in identifying, analyzing, and prioritizing potential threats.

The History of Threat Modeling

Cyber warfare is rapidly becoming a new battlefield. Cyberattacks require the least effort and minimal human force and can be anonymously conducted from any part of the world. Yet, cyberattacks can be devastating to human lives, businesses, government operations, and infrastructures.

They now target not only large organizations and nation-states, but the focus has also shifted to small and medium businesses and individuals, leaving no one safe from this new reality of warfare amid the digitalization of the world.

Historically, the military has used threat modeling in physical warfare for centuries. We started this article with the famous quote from Sun Tzu’s work – Art of War. Developed in the 5th century BC, this Chinese military treatise is still very relevant and can be applied to application and organizational threat modeling to imagine attack scenarios from possible adversaries.

The military has long adopted proactive methods of combatting threats over reactive measures. Drawing on these military origins, VerSprite developed a threat modeling methodology, PASTA (Process for Attack Simulation & Threat Analysis), as the discipline behind threat analysis.

For decades, the US military has leveraged threat modeling to obtain improved insights into how the enemy could adversely affect US interests or military forces. This analysis encompasses the examination of the enemy’s motives, capabilities, and likely attack scenarios as part of an overall objective of defending against as many viable attack scenarios as possible.

Similarly, application and organizational threat modeling extends the capabilities and resources of security professionals, who can now better dissect and understand attacks, correlating the intelligence across multiple application and environmental vulnerabilities. Mapping correlated vulnerabilities and exploits to possible misuse cases through threat modeling allows for creating effective countermeasures within the given environment.

Unpacking Threat Modeling

In Sun Tzu’s quotation, the phrase “profitable way of carrying it on” noticeably stands out. The profit, or gain, of war lies in the avoidance of risks that could have had a crucial impact. Threat modeling allows the “evils of war” to be better recognized using thought-out simulations, and it increases the state of readiness and preparedness for possible attacks.

Threat modeling plays a crucial role in securing contemporary systems. It involves identifying, analyzing, and prioritizing potential threats to these systems, enabling organizations to proactively address vulnerabilities and defend against potential attacks. We will explore the concept of threat modeling, comprehend its importance, and highlight the advantages of adopting threat modeling methodologies.

Threat modeling methodology is a systematic approach to identifying and assessing potential threats that could exploit system vulnerabilities. By understanding potential risks, organizations can create effective security measures and efficiently allocate resources to mitigate these risks. It requires a structured analysis of the system’s architecture, identifying assets, potential attack vectors, and possible weaknesses.

Threat modeling enables organizations to identify vulnerabilities early in the development lifecycle, reducing the risk of expensive security breaches in the future. It assists in making informed decisions about security controls and investments, ensuring resources are allocated to the most needed areas.

Adopting a threat modeling methodology offers several benefits. Firstly, it helps organizations prioritize security efforts by focusing on the most severe threats. By understanding the potential impact and likelihood of different threats, resources can be allocated accordingly.

Secondly, threat modeling aids in identifying security requirements. It assists in defining security controls, guidelines, and best practices specific to the system under consideration. Lastly, threat modeling fosters collaboration and communication among stakeholders, leading to a shared understanding of security risks and necessary countermeasures.


Understanding Cyber Security Threats

Threat modeling methodology involves understanding and analyzing potential threats to an organization’s systems, networks, and data. By identifying and assessing these threats comprehensively, businesses can devise effective strategies to mitigate risks and protect their assets. In this section, we will explore common types of threats, methods to identify potential threats and the importance of threat intelligence sources.

Common threats encompass a broad spectrum of attacks that can target an organization’s infrastructure, such as malware infections, phishing attempts, social engineering tactics, denial-of-service attacks, and unauthorized access. Each threat poses unique risks and requires specific countermeasures to prevent or mitigate potential damage.

Identifying potential threats is a crucial step in threat modeling methodology. Organizations need to evaluate their systems and identify vulnerabilities that attackers could exploit. This process involves conducting risk assessments, analyzing system architecture, reviewing security controls, and considering potential attack vectors. By understanding the weaknesses and vulnerabilities within their systems, organizations can proactively address them and bolster their security posture.

Threat intelligence sources provide valuable insights about emerging threats, vulnerabilities, and attack techniques. These sources include industry reports, security blogs, threat intelligence platforms, and collaboration with security communities. By staying updated on the latest threats, organizations can adapt their security measures and proactively defend against potential attacks.


Continuous Assessment of Internal Capabilities and External Threats

The military applies threat modeling as an ongoing process aimed at assessing both internal capabilities and external threats. The unique characteristic of the military threat modeling process is that data research, review, and reporting are incorporated into many job duties, particularly in defense areas where threats are more probable.

Nearly all personnel are required to report threat data, regardless of job function. This provides status updates on physical and logical infrastructure capabilities, integral to offensive and defensive strategies.

In contrast to this military approach to security, the majority of companies and organizations still opt to assign accountability to segregated security groups. As a result, security groups are predestined to assume adversarial roles when interfacing with business groups. This creates a communication gap and prevents effective assessments and a continuous security process.

The PASTA threat methodology adopts the military tactic of continuous assessment when approaching threat modeling for an application or an organization. The roles of departments and everyone involved in development are clearly distributed with the RACI model (Responsible – Accountable – Consulted – Informed), which allows for clear communication and timely contribution of current updates and information.

This, similar to military strategy, reduces the viability of vulnerabilities and threats, giving structure to the communication between a security team, an IT department, and business operations.

Another key element of the military threat modeling that cybersecurity must adopt (and which PASTA methodology incorporates) is looking outward to adversaries to understand their capabilities, vulnerabilities, and potential interests. Reconnaissance exercises within the military follow several degrees of complexity and sensitivity to time, risk, and available resources.


What Does Threat Modeling Account For?

Threat models must account for various critical factors such as the enemy’s attack motives, capabilities, vulnerabilities or flaws, and amount of information. The complexity of threat modeling lies in expedient analysis and process development. In ballistic threat modeling, for example, the process must allow intelligence gathering to feed missile defense designers in a sufficient time frame so that they can defend against future threat scenarios.

While the stakes are not as high in cybersecurity, the ability to obtain highly reliable, recent data will better equip threat models to convey probable threats and impacts with greater accuracy, while the ensuing security requirements serve as guidance for the development of countermeasures that reduce risk scenarios revealed by the threat model.

Let’s take a closer look at reconnaissance. Espionage requires covert operations behind opposing lines and the ability to perpetrate enemy actors. Finding good, reliable information often takes extreme conditions and effort. Within the military, reconnaissance carries its share of risks: jeopardizing mission objectives, involving resources, and even compromising sensitive information.

Although the risks are much less extensive, reliable information is also vital in application threat modeling. External information sources may include application vulnerabilities, as well as a thorough attack library containing current and past exploits that could be used in the form of an attack.

An attack library, a fundamental part of the PASTA threat modeling, encompasses the exploit or series of exploits that are necessary for the attack to be successful. These information sources drive the robust application threat model, similar to how missile defense designers rely on good intelligence for developing a successful ballistic threat model.

Both models depict realistic threat scenarios that a defense system should be prepared to defend against. The threat model’s advantage is in its flexibility, as it is an ever-changing process that requires updating. Just as in the real world, in cybersecurity, threats and threat actors evolve continuously. Military strategies in the 21st century greatly differ from those five hundred years ago, and cybersecurity likewise needs to adopt evolving approaches over static frameworks.


A Step-by-step Guide to Threat Modeling

  1. Identify your assets: Start by identifying the assets that need protection. This could include sensitive data, software applications, network infrastructure, or any other valuable resources.
  2. Identify potential threats: Once you’ve identified your assets, brainstorm potential threats that could compromise their security. These threats can include external factors such as hackers, malware, or physical attacks, as well as internal factors like human error or system vulnerabilities.
  3. Assess vulnerabilities: Evaluate the vulnerabilities in your system that could be exploited by the identified threats. This may involve conducting security assessments, penetration testing, or vulnerability scanning.
  4. Determine risks: Analyze the potential impact and likelihood of each threat. This will help prioritize your efforts and allocate resources effectively to address the most critical risks.
  5. Develop countermeasures: Once you’ve identified the risks, develop countermeasures to mitigate them. This may involve implementing security controls, updating software, training employees, or establishing incident response plans.


Why is it Important to Evolve Countermeasures?

Let’s consider the following example. In 2007, a decade-old boot-sector virus, named Stoned.Angelina, infected many Vista machines being sold at retail stores. The machines were equipped with A/V solutions; however, the signature sets that were loaded onto the machines did not include defense against the classic virus because it was not perceived to be a threat.




Attacks against applications are influenced by environmental factors and driven by motives. Socio-economic and geopolitical conditions may provide a ripe time for attacks against the application environment to yield either greater results or improved probabilities for success.

Assessing these factors in conjunction with technical threat analysis within any given threat model provides greater readiness levels on behalf of the defending application owners.

Designing good countermeasures in software applications is one of the key differentiators of application threat modeling over other traditional security efforts (which may only address a portion of the overall threat and associated risks).


Different Methodologies for Threat Modeling

There are various methodologies for conducting threat modeling, each with its approach and focus. Some popular methodologies include STRIDE, DREAD, PASTA, and OCTAVE. These methodologies provide frameworks and guidelines to systematically identify, analyze, and address threats based on specific requirements and objectives.

Threat Modeling at the Department of Defense

Several divisions within the US Department of Defense have effectively applied threat modeling techniques to identify war’s collateral risks such as casualties, illnesses, and adverse economic and environmental effects. For example, the U.S. Army and NASA have used Ballistic Missile Threat modeling for over 50 years. The DoD used threat modeling to build a stronger missile defense system by identifying threats that were able to permeate US defenses.

In the US military, threat modeling is referred to as operational design, which aims to assist in understanding complex environments and the nature of problems, as well as helping to develop approaches to problems and achieve the set goals. The operational design framework is the proverbial glasses you wear to approach security issues and the intelligence around them.

Following the operational design, cyber threat intelligence is split into strategic intelligence (such as type of threats, motivation and capability, and potential impacts), operational intelligence (technical direction of threat actors, tactics, techniques, and procedures, resource allocation and task prioritization), and tactical intelligence (adversary action inside your systems, indicators of compromise, and real-time monitoring of systems).

The framework further breaks it down into the Data, Information, Knowledge, and Wisdom (DIKW) model, which reveals patterns, principles, and direction of threats and threat actors.


What are the levels of Cyber Threat Intelligence


Operational design and ballistic threat modeling paved the way to application and organizational threat modeling, which also revolves around the necessity for good intelligence. Information surrounding application vulnerabilities and attack patterns provides two key areas of intelligence for building a strong application threat model.

Missile defense teams leverage the gathered intelligence to refine their internal missile defense capabilities. These efforts are synonymous with the attack/exploit research in today’s application security. Acquired intelligence is correlated to one of many vulnerabilities or defects in software systems that could be potential targets.

Applying Threat Modeling to Your Organization

Implementing threat modeling within your organization can significantly enhance your security posture. By integrating threat modeling into your software development life cycle, you can identify and address vulnerabilities early on, reducing the likelihood of security breaches and minimizing the associated costs and damages.

At VerSprite, we offer comprehensive threat modeling services tailored to your organization’s needs. Our expert team can guide you through the threat modeling process, assist in selecting the appropriate methodology, and help you apply threat modeling effectively to protect your critical assets.

Evaluating Risk

To effectively manage and mitigate potential threats, conducting a comprehensive risk assessment is crucial. This process involves identifying and prioritizing risks, evaluating them using various techniques, and determining the best approach for risk assessment.

Identifying and prioritizing risks is the first step in the risk assessment process. This involves identifying potential threats and vulnerabilities that could impact the organization’s assets, such as sensitive data, systems, or physical infrastructure. By understanding the potential risks, organizations can prioritize their efforts and allocate resources accordingly.

Once risks have been identified, various risk evaluation techniques are used to assess the likelihood and impact of each risk. There are various techniques available, including qualitative and quantitative assessments. Qualitative risk assessment involves evaluating risks based on subjective criteria, such as the likelihood and severity of an event occurring. Conversely, quantitative risk assessment involves assigning numerical values to risks, allowing for a more objective evaluation.

When conducting a risk assessment, organizations must decide whether to use a quantitative or qualitative approach. While quantitative risk assessment provides a more precise and measurable analysis, it requires detailed data and can be time-consuming. On the other hand, qualitative risk assessment provides a quicker and more straightforward evaluation, but it is less precise and relies heavily on expert judgment.

By understanding the differences between quantitative and qualitative risk assessment, organizations can determine the most appropriate methodology for their specific needs. Regardless of the approach chosen, conducting a thorough risk assessment is vital to effectively identify, evaluate, and mitigate potential risks.
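The five steps of the guide above and the qualitative-versus-quantitative choice described in this section can be put side by side in a small risk register. The following is an added example, not code from the article or from VerSprite: the 1-5 ordinal scale, the use of annualized loss expectancy (single loss expectancy times annual rate of occurrence) as the quantitative method, and every asset, figure and countermeasure in the register are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scale for the qualitative pass (not defined in the article).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

@dataclass
class Entry:
    asset: str           # step 1: what needs protection
    threat: str          # step 2: what could compromise it
    vulnerability: str   # step 3: the weakness the threat would use
    likelihood: str      # step 4, qualitative: expert-judged label
    impact: str
    sle: float           # step 4, quantitative: loss per incident (constructed)
    aro: float           # expected incidents per year (constructed)
    countermeasure: str  # step 5
    annual_cost: float   # yearly cost of the countermeasure (constructed)
    aro_after: float     # expected incidents per year once it is in place

    def qualitative_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def ale(self) -> float:
        # Annualized loss expectancy = single loss expectancy x annual rate
        return self.sle * self.aro

    def net_benefit(self) -> float:
        # Loss avoided per year minus what the countermeasure costs per year
        residual = self.sle * self.aro_after
        return round(self.ale() - residual - self.annual_cost, 2)

# Constructed sample register; none of these figures come from the article.
REGISTER = [
    Entry("customer database", "SQL injection", "unparameterized search query",
          "medium", "very high", 400_000, 0.1,
          "parameterized queries and code review", 8_000, 0.01),
    Entry("employee mailboxes", "phishing", "password-only login",
          "high", "medium", 30_000, 2.0,
          "multi-factor authentication and training", 15_000, 0.4),
    Entry("public website", "denial of service", "single origin, no rate limit",
          "low", "medium", 5_000, 0.5,
          "DDoS scrubbing service", 6_000, 0.1),
]

def rank(register, key):
    """Threat names ordered from highest to lowest risk under `key`."""
    return [e.threat for e in sorted(register, key=key, reverse=True)]

def unjustified(register):
    """Countermeasures whose yearly cost exceeds the loss they avoid."""
    return [e.countermeasure for e in register if e.net_benefit() <= 0]

if __name__ == "__main__":
    print("qualitative :", rank(REGISTER, Entry.qualitative_score))
    print("quantitative:", rank(REGISTER, Entry.ale))
    for e in REGISTER:
        print(f"{e.threat:18} score={e.qualitative_score():2} "
              f"ALE={e.ale():8.0f} net={e.net_benefit():8.0f}")
    print("not cost-justified:", unjustified(REGISTER))
```

On this register the two approaches disagree about the top risk: the qualitative score puts SQL injection first, while the loss figures put phishing first because it occurs far more often.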

Threat Modeling Tools

When choosing a threat modeling tool for your organization, it’s important to consider factors such as the tool’s compatibility with your existing systems, ease of use, scalability, and cost. Conducting a thorough evaluation and considering your specific requirements will help you make an informed decision.

Integrating threat modeling into your existing processes is crucial for ensuring its effectiveness and sustainability. One approach is to incorporate threat modeling activities into the software development lifecycle, such as during the requirements gathering and design phases. This helps identify potential threats early on and allows for proactive risk mitigation.

Furthermore, integrating threat modeling with other security practices, such as penetration testing and security code reviews, can provide a comprehensive security assessment of your applications or systems.

Threat modeling lies at the core of VerSprite cybersecurity principles. We focus on emulating realistic attack patterns and threat motives through risk-centric threat modeling methodology, PASTA (Process for Attack Simulation and Threat Analysis), co-developed by VerSprite CEO and Founder Tony UcedaVelez. The PASTA threat modeling tests the resilience of the business from all angles while considering security risks as well as business objectives.

Let’s explore the realm of threat modeling methodology together.

