Threat modelling is the process of identifying potential risks to a system or software using a structured methodology and addressing them to prevent their impact on the system. It is a means of incorporating security into the software or system you are building. The goal is to find threats to the system before they have a chance to affect it.
Threat modelling aids in the understanding of your security needs as well as the development of safer software or systems.
Threat modelling process
The threat modelling approach is guided by four questions. Each question defines what happens in one stage, so together they act as the steps of the process. The questions are:
- What are you building?
- What can go wrong?
- What are you going to do about it?
- Did you do an acceptable job?
What are you building?
You need to have a good understanding of the system you are building: you need to know how the system works and how data flows through it, and be able to communicate that to others. Diagrams are a good way to communicate what you are building. Create a diagram showing how the system works and how data flows through it.
Another important task in this step is to mark your trust boundaries. A trust boundary is a point where entities at different trust levels exchange data. Authorization and ownership help you identify where to set your trust boundaries: draw a trust boundary at points where entities with limited authorization interact with the system, and around services running on your system that are not owned or managed by you or that are handed off to a different environment.
The diagram above is a data flow diagram of a shopping website. The dotted area represents the trust boundary. I will use the website for illustration.
What can go wrong?
This question tries to capture what your threat model is. Your threat model is made up of the things, people or events that pose a threat to your system; they are what you want to protect your system from. Your threat model should include threat actors, their motivation, the attack vector, and the outcome of an attack.
The activity in this stage is to find the threats to the system you are building. There are several methodologies for finding threats; we will explore one of the most common, the STRIDE methodology.
STRIDE is a mnemonic that stands for:
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of service
- Elevation of privilege
STRIDE is a model developed by Microsoft for finding security threats. Each of the threats breaches an information security principle. For this methodology, you identify how these threats can occur or affect the system or software you are building.
- Spoofing threats: Spoofing is an attack in which an attacker masquerades as a legitimate entity (a user or website). It is an attack on authentication, and it can manifest in the shopping website in various ways. For example, an attacker can gain access to a customer's account by brute-forcing the password. An attacker can also execute a cross-site scripting attack, injecting malicious URLs that redirect customers to a malicious website.
- Tampering threats: This is an attack on the principle of integrity: the unauthorized modification of information or an information system. For example, a flaw in the website may allow users or attackers to change the price of the goods on the shopping website. In addition, an attacker can launch an SQL injection attack to make changes (insert or delete data) to the website's database.
- Repudiation threats: Repudiation, the deniability of the occurrence of a transaction, breaches the principle of non-repudiation. It is an attack against the evidence of an action, which also occurs in the business world, where people sign to validate a transaction or agreement. The threat can manifest in these ways: a customer may deny ordering a product, or an attacker may gain access to the logs and delete them.
- Information disclosure: This is when information is accessed by persons who are not authorized to access it. It is a breach of confidentiality. For example, an attacker can infect the checkout page of the shopping website with malicious code that skims payment card information from every transaction, leading to the disclosure of customers' payment card information.
- Denial of Service: This is a threat in which a service is made inaccessible to legitimate users. Denial of service is a breach of availability. For example, an attacker can exhaust the network resources of the website by sending bogus requests to the server, making it impossible for legitimate customers to access the website.
- Elevation of Privilege: This occurs when an entity gains rights that should not be available to them, a breach of authorization. For example, a customer can gain access to administrator-level credentials that, by design, they should not be able to obtain.
For each of these threat categories, you should discover at least one threat that affects your system. Make a list of the threats you discover, then move on to the next step.
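The enumeration step can be made mechanical by walking the data flow diagram. The following added example (not part of the original article) goes slightly beyond the text by applying the commonly used STRIDE-per-element chart and listing flows that cross a trust boundary first; the element names, trust zones and flows are assumptions constructed here, since the article's diagram is not reproduced.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: categories usually reviewed for each DFD element type.
STRIDE_BY_KIND = {"external": "SR", "process": "STRIDE",
                  "datastore": "TRID", "flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone the element sits in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

def crosses_boundary(flow):
    """A flow crosses a trust boundary when its endpoints are in different zones."""
    return flow.src.zone != flow.dst.zone

def enumerate_threats(elements, flows):
    """Return (target, category, crosses_boundary) rows, boundary crossings first."""
    rows = [(e.name, NAMES[c], False)
            for e in elements for c in STRIDE_BY_KIND[e.kind]]
    for f in flows:
        label = f"{f.src.name} -> {f.dst.name} ({f.data})"
        rows += [(label, NAMES[c], crosses_boundary(f))
                 for c in STRIDE_BY_KIND["flow"]]
    return sorted(rows, key=lambda r: not r[2])  # stable: keeps model order

def shop_model():
    """Constructed model of the shopping website; names and zones are assumptions."""
    customer = Element("Customer browser", "external", "internet")
    web = Element("Web application", "process", "shop")
    db = Element("Orders database", "datastore", "shop")
    pay = Element("Payment processor", "external", "third-party")
    flows = [Flow(customer, web, "login and orders"),
             Flow(web, db, "order records"),
             Flow(web, pay, "card payment")]
    return [customer, web, db, pay], flows

if __name__ == "__main__":
    for target, category, crossing in enumerate_threats(*shop_model()):
        print(f"{'BOUNDARY' if crossing else '        '}  {category:24} {target}")
```

Each row is a prompt for the team to answer with a concrete threat or an explicit "not applicable", which gives the list this stage is meant to produce.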
What are you going to do about it?
This question is about your mitigation plan. How do you intend to address the threats you discovered in the previous step?
How to mitigate the STRIDE threats
• Spoofing can be mitigated using authentication techniques such as username, password, and other identifiers for customers, and cryptographic means (HTTPS/SSL) for the network address.
• Tampering can be mitigated by cryptographic techniques like hashes, digital signatures and permission mechanisms like access lists (ACLs).
• Repudiation is mitigated by keeping logs and protecting them from tampering using cryptographic means like hashes.
• Information disclosure is prevented by encrypting information and implementing a permission system.
• Denial of service can be mitigated by increasing bandwidth and filtering network requests.
• Elevation of privilege is mitigated by authorization techniques like ACLs and role-based access control, and by authentication techniques.
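The repudiation mitigation above (logs protected from tampering with hashes) can be sketched as a hash-chained log. This is an added example, not code from the original article; the event fields are constructed, and it assumes the latest head hash is also stored somewhere the attacker cannot write, because anyone who can rewrite the whole log can recompute an unkeyed chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # value chained into the first entry

def _digest(prev_hash, event):
    body = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def append(log, event):
    """Append an event chained to the previous entry; return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"event": event, "prev": prev, "hash": _digest(prev, event)}
    log.append(entry)
    return entry["hash"]

def verify(log, trusted_head):
    """Return None if the log is intact, else a description of the first problem."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return f"entry {i} modified, or an entry before it removed"
        prev = entry["hash"]
    if prev != trusted_head:
        # The chain is self-consistent but does not end where the trusted copy says.
        return "log truncated or rewritten: head does not match trusted copy"
    return None

def sample_log():
    """Constructed order events for the shopping website; returns (log, head)."""
    events = [
        {"user": "customer-17", "action": "login", "order": None},
        {"user": "customer-17", "action": "order_placed", "order": "A1001",
         "amount": "49.99"},
        {"user": "customer-17", "action": "order_paid", "order": "A1001"},
    ]
    log, head = [], GENESIS
    for event in events:
        head = append(log, event)
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    print("intact:", verify(log, head))
    del log[1]  # simulate deletion of the order record
    print("after deletion:", verify(log, head))
```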
Did you do an acceptable job?
In this stage, you assess the efficacy of the work you did. You have to test the mitigations you've put in place. This can be done by:
- Trying to bypass the mitigation
- Considering how the mitigation can be attacked
- Recreating the action that triggered a bug to test if the fix is working.
The idea of threat modelling is that the outcome becomes your security program. Threat modelling should not be done by one person; it should be done by a cross-functional team. The team should include security experts and persons with relevant knowledge of the system or software being threat modelled.