Security Threat Modeling: Six Steps to Success
Did you know that you possibly work with cybercriminals every day? In fact, you could potentially be one. What if, buried deep inside, there is a smart intruder who knows how to break into your network and steal information? You and your colleagues are the perfect cybercriminals. You know your coworkers; you have network access; you know the network’s weaknesses better than anyone—so why aren’t more CSOs taking advantage of this group intelligence?
Your internal intelligence – and thinking like an adversary – are the keys to insulating your system against threats. I can’t stress enough the importance of using that internal intelligence to shore up your overall security program. I am always surprised by the number of CSOs who haven’t leveraged the security threat modeling process. It’s by far one of the most underused tools in the industry.
Threat Modeling Defined
Let’s take a step back and define threat modeling for the context of this article. Threat modeling is the understanding of how a threat actor (external, internal, malicious or abusive) can attack a specific asset (system or data). By way of illustration, I have seen a threat model scenario that focuses on “brand reputation.” The purpose of this model is to identify key assets that if compromised or made unavailable, would significantly impact business.
So let’s begin investigating the threats that may affect your business. As a starting point, I would begin by examining threat vectors/actors you see in your own industry, organization, peer groups and company use of social media. This audit will result in a good list of threats you can begin to model. Security threat modeling, the practice of identifying your weakest vulnerabilities and figuring out how to block criminal activity, is putting this intelligence into practice.
Threat and attack modeling is a critical step to understanding which assets are most likely to be targeted, who is after your information, and how they might gain access and escape with your information. This type of modeling is different than testing applications; it evaluates the ecosystem, processes and the circumvention of ecosystem protections. When done correctly it’s one of the best opportunities to evaluate and understand the vulnerabilities in your solutions, systems and data security.
Now it’s time to identify a short list of top threats. Once the top threats are identified, work backwards to identify the attack process and steps necessary to conduct a successful attack on a specific asset. From there you can expand the activity to include areas where infiltration and exfiltration can occur during an attack.
Threat modeling isn’t difficult. Your threat modeling process can be as simple or as complicated as you can support. Start off with simple threat models and use them as a means to train other team members and socialize the concept with other company stakeholders. Brainstorming your top weaknesses and selecting a focus area is an easy way to tap internal brain trust and secure participation. Another option is to identify a few different scenarios and do real testing. Ultimately, making this part of a company governance program is the ideal threat modeling result.
Six Steps to Successful Threat Modeling:
1. Find the criminal masterminds in your organization. Approach the various technical teams you work with, for example: engineering, developers, analysts, architects, help desk and support. Choose individuals who think outside the box—and aren’t afraid to speak their minds. If you are threat modeling a process, start with a few business analysts, and ask them how they would circumvent their processes.
2. How would you break in? Send this “criminal” crew an email asking them to brainstorm how they would break your system or products, and even the third-party solutions your organization uses. One week later bring them together, supply them with food and drinks, and have an open discussion. Ask each of them how they would kill your system, and then ask how they would hurt your system. Remember, this is an open and frank discussion; gaps will be identified, so don’t take it personally. Most of my previous threat modeling sessions brought up gaps in our infrastructure, security plan and security incident response plan. The key is not to come up with solutions but just to think about how an attacker could get in.
3. Prioritize, prioritize and prioritize. It’s very easy to get overwhelmed with the scenarios your criminal crew devised. So take a deep breath and ask yourself: “Which of these scenarios is most likely to occur? Which will cause the most damage? What are our company crown jewels?” It might be inconvenient if your website is taken offline, but intellectual property theft would be crippling.
4. Map your countermeasures. When you have a set of potential threat actors and models, you can start to understand your position. To do so you should start mapping in both active and passive countermeasures to help mitigate the threat at each stage of the model. For example: if someone phishes your organization through employees, you might need education (people), incident response (passive process), and anti-phishing technologies (active technologies).
5. Implement the solution and test it. Now that you have the foundation, it’s time to plug your security gaps and test it. If you have the budget, ask an outside firm to do the testing. If not, leverage the “criminal crew.” After all, they are insiders. Either way this will provide some indicators of successful models and let you know where your security team needs to spend its time. To fill the gaps you also need to challenge your vendor partners. Let them know you’ve identified threat models against some of your top assets and would like to understand how they can help solve your business problem.
6. Innovate. It’s imperative that CSOs revisit the threat modeling exercise at least once a quarter. Cybercriminals are constantly devising new creative ways to break in, circumvent your defenses and eradicate data. You need to stay ahead of them by working with your creative-thinking rock stars. They will be happy to help – just ask them.
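Steps 3 and 4 can be kept as a small threat register that ranks scenarios and flags stages with no countermeasure in one of the three categories from the phishing example. This is an added example, not part of the original article; the 1-to-5 scales, the doubling for crown jewels, and the sample scenarios and controls are assumptions made for illustration.

```python
from dataclasses import dataclass
# Countermeasure categories from the article's phishing example (step 4).
CATEGORIES = ("people", "passive process", "active technology")

@dataclass
class Stage:
    name: str
    controls: dict  # category -> countermeasure mapped at this stage

    def gaps(self):
        return [c for c in CATEGORIES if not self.controls.get(c)]

@dataclass
class Scenario:
    name: str
    asset: str
    likelihood: int    # assumed scale: 1 (rare) .. 5 (expected)
    impact: int        # assumed scale: 1 (inconvenient) .. 5 (crippling)
    crown_jewel: bool
    stages: list

    def priority(self):
        # Assumed scoring: likelihood x impact, doubled for crown jewels.
        return self.likelihood * self.impact * (2 if self.crown_jewel else 1)

def rank(scenarios):
    """Step 3: highest-priority scenarios first."""
    return sorted(scenarios, key=lambda s: s.priority(), reverse=True)

def gap_report(scenarios):
    """Step 4: (scenario, stage, missing categories), in priority order."""
    return [(s.name, st.name, st.gaps())
            for s in rank(scenarios) for st in s.stages if st.gaps()]

# Constructed sample register; scenarios and controls are illustrative only.
REGISTER = [
    Scenario("Website taken offline", "public website", 4, 2, False, [
        Stage("traffic flood", {"passive process": "incident response plan",
                                "active technology": "DDoS scrubbing"})]),
    Scenario("Phishing leads to IP theft", "design documents", 3, 5, True, [
        Stage("phishing email reaches employee", {
            "people": "awareness training",
            "passive process": "incident response plan",
            "active technology": "anti-phishing filter"}),
        Stage("data leaves the network", {"passive process": "incident response plan"})]),
]

for name, stage, missing in gap_report(REGISTER):
    print(f"{name} / {stage}: missing {', '.join(missing)}")
```

Re-scoring the register at each quarterly review (step 6) shows whether the gaps listed for the top scenarios have been closed.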
I’ve seen this process work time and time again. Sometimes CSOs express reservations about this approach because of the perceived expense and manpower needed. Don’t let this be a roadblock. Remember, it doesn’t have to start complicated. My philosophy is simple: the time and expenses required for threat modeling are worth it. You will spend 10X that amount if your data is stolen or your business disrupted. When you look at it that way, it’s a no-brainer.