Difference between revisions of "Threat Model"

Latest revision as of 18:39, 12 June 2025

Full Title or Meme

A model of an information processing system that shows data flows around the system and which spots in the network that are susceptible to Attack.

Context

Carnegie Mellon University Software Engineering Institute published a report on "Threat Modeling: 12 Available Methods" ^[1]

Loren Kohnfelder paper 'Threat Modeling Retrospective'^[2]

Anytime an endeavor experiences a setback that takes the team by surprise, threat modeling could probably have averted the problem or at least provided an opportunity to plan ahead and take action proactively. Since trouble has a way of surprising us, it’s incredible what a wide range of things this applies to: buying goods or services, crafting legislation, military planning, starting a business, investing, choosing a college and degree program, getting married, you name it. If you don’t consider what could possibly go wrong up front, you can easily make a bad decision or act unprepared.

Crispin Cowan on The Calculus of Threat Modeling ^[4]

Adam Shostack in 20 Years of STRIDE ^[5]

Problems

• There are many different Threat Modeling Paradigms. - 12 at this link. This page focuses on the STRIDE method.
• Another model that has been promoted by MITRE is the Attack mode. (qv)
  • DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse 2024-04-11

Solutions

From LK book.^[6]

1. Work from a comprehensive model of the system to be sure to consider everything that is scope.
2. Identify assets (valuable data and resources) within the system that need protection.
3. Identify any potential threats in that system model, component by component, identifying attack surfaces (places where an attack could originate); trust boundaries (interfaces bridging more-trusted parts of the system with the less-trusted parts), and different types of threats.
4. Analyze these potential threats, from the most concrete to the hypothetical.
5. Rank the threats, working from the most to least critical.
6. Propose mitigations to reduce risk for the most critical threats.
7. Add mitigations, starting from the most impactful and easiest, and working up to the point of diminishing returns.

STRIDE is an acronym for: Spoofing identity, Tampering data, Repudiation (denial of responsibility), Information disclosure (data breach), Denial of Service (DoS), and Elevation of privilege.^[7]

Each threat is a violation of a desirable property for a system:

See Native App Security for a comparison with a set of threat events from NIST NCCoE.

OWASP Threat Modeling Project

This is a documentation project to provide information on threat modeling techniques for applications of all types, with a focus on current and emerging techniques.

Most threat model techniques answer one or more of the following questions:

• What are we working on?
• What can go wrong?
• What are we going to do about that?
• Did we do a good enough job?

Threat modeling schema

OWASP Ontology-driven Threat Modeling (OdTM) Framework

• Purpose: To formalize security knowledge and create domain-specific threat models.
• Features:
  • Uses OWL (Web Ontology Language) for representing threat models.
  • Facilitates automation of the threat modeling process by allowing for automatic reasoning based on data flow diagrams.
  • Enables knowledge sharing among security professionals, software architects, and developers.

OWASP Threat Dragon

https://owasp.org/www-project-threat-dragon/

Mandatory Access Levels

As expressed in the Bell-LaPadula Model there are two rules:

1. The simple security policy that allows no read up to acquire data from a higher privilege process.
2. The star (*) policy that allows no write down to send data to a lower prevailed process (or directory).

One example of a MAC treat export was and article by Joel Reardon on apps from related companies where an app with high privilege reads the device IMEI and writes it into a file that can be read by a app that does not have that privilege. They were discovered by looking at the data flowing from the less privilege app looking for data exfiltration.

Mandatory Integrity Levels

As expressed in the Bell-LaPadula Model there are two rules:

1. no read down
2. no write up

Complete Security

• From the about is should be clear that no access for read or rite is allowed to cross any level boundary.
• Since this does not allow for most purposes in computer science some sort of trust monitor is required for any level transition.

Design Models

Traditionally threat modeling has been done based on a data low diagram of the system or application to be analyzed. Other models, like UMF have also been used.^[6]

Template

1. Identity Spoofing: The attacker is able to act as the user
2. Tampering:
3. Repudiation:
4. Information Disclosure:
5. Denial of Service: Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine. When an attacker can temporarily make the system resources (processing time, storage, etc.) unavailable or unusable, we have a denial of service threat. We must protect against certain types of D.o.S. threats for improved system availability and reliability. However, some types of D.o.S. threats are very hard to protect against, so at a minimum, we must identify and rationalize such threats.
6. Elevation of Privilege:

Banking

• ThreatModeling-LLM: Automating Threat Modeling using Large Language Models for Banking System

Without an Object Model

A Threat Model can be constructed without having a model of the object, but it requires a different approach than traditional object-based security frameworks. Instead of designing protections around a specific object, you focus on contextual, behavioral, or environmental security principles. The Alternative to a Object Model include:

The MITRE ATT&CK Framework

(Adversarial Tactics, Techniques, and Common Knowledge) is a publicly accessible knowledge base of cyber adversary tactics and techniques. It helps cybersecurity professionals understand how attackers operate by categorizing their actions into tactics (goals) and techniques (methods) used during different stages of an attack lifecycle. This framework provides a common language for describing and understanding cyber threats, enabling organizations to better defend against them.

Zero-Trust Architecture (ZTA)

• Security is enforced without assuming trust in any object, identity, or system.
• Access is continuously verified based on dynamic risk factors.
• Example: A user’s authentication isn’t based solely on a device but on behavioral patterns (location, access history, anomalies).

Threat-Based Modeling

• Defines security parameters based on potential threats, not an object’s attributes.
• Uses attack vectors, adversary behavior, and real-time risk assessments.
• Example: DDoS mitigation strategies target patterns of excessive traffic rather than a specific resource.

Policy-Based Security

• Security decisions rely on defined policies rather than object properties.
• Policies adapt to environmental context, ensuring resilience even without full object modeling.
• Example: Adaptive encryption rules based on network trust levels, not specific device types.

Behavioral & Anomaly Detection Models

AI-driven detection focuses on abnormal behavior rather than predefined object characteristics.

Security responses adjust dynamically, making object-modeling unnecessary.

Example: Fraud detection in banking relies on transaction anomalies instead of predefined customer risk profiles.

Decentralized Identity & Cryptography

Security models shift from centralized object validation to cryptographic guarantees.

Proof-based security ensures trust without requiring a persistent object model.

Example: Zero-Knowledge Proofs (ZKP) allow verification without exposing actual identity data.

Implications of Object-Free Security Models

• Flexibility: Can adapt to unknown objects or changing environments.
• Privacy-Preserving: Reduces reliance on static identity tracking.
• Resilience: Protects against threats without requiring predefined entity characteristics.

Examples

• TM examples from Tal Eliyahu on GitHub

References

1. ↑ Nataliya Shevchenko, Threat Modeling: 12 Available Methods (2018-12-03) https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
2. ↑ Loren Kohnfelder, Threat Modeling Retrospective Medium https://medium.com/@lorenkohnfelder/threat-modeling-retrospective-72910908533c
3. ↑ Loren Kohnfelder, Threat Modeling threat modeling (2023-08) https://designingsecuresoftware.com/writings/threat_modeling_itself/
4. ↑ Crispin Cowan The Calculus of Threat Modeling https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
5. ↑ Adam Shostack, 20 Years of STRIDE: Looking Back, Looking Forward. Dark Reading https://www.darkreading.com/20-years-of-stride-looking-back-looking-forward/a/d-id/1334275
6. ↑ ^{6.0 6.1} Loren Kohnfelder, Designing Secure Software No Starch Press 2022 ISBN 9781718501928
7. ↑ Garg and Kohnfelder The threats to our Products. (1999) Microsoft https://adam.shostack.org/microsoft/The-Threats-To-Our-Products.docx

Other Material

• Transforming Data Flow Diagrams for Privacy Compliance Privacy by Design, Data Flow Diagrams, GDPR.

  Abstract: Most software design tools, as for instance Data Flow Diagrams (DFDs), are focused on functional aspects and cannot thus model non-functional aspects like privacy. In this paper, we provide an explicit algorithm and a proof-of-concept implementation to transform DFDs into so-called Privacy-Aware Data Flow Diagrams (PA-DFDs). Our tool systematically inserts privacy checks to a DFD, generating a PA-DFD. We apply our approach to two realistic applications from the construction and online retail sectors.

• Michael Howard, Praerit Garg Loren M. Kohnfelder, RAPID APPLICATION SECURITY THREAT ANALYSIS US Patent 7,243,374 B2 (2007-07-12) Abstract

The following Subject matter provides for modeling an application's potential security threats at a logical component level early in the design phase of the application. Specifically, in a computer system, multiple model components are defined to represent respective logical elements of the application. Each model component includes a corresponding set of security threats that could potentially be of import not only to the component but also to the application as a whole in its physical implementation. The model components are interconnected to form a logical model of the application. One or more potential security threats are then analyzed in terms of the model components in the logical model.