Threat Modeling Insider – November 2024

Threat Modeling Insider Newsletter

39th Edition – November 2024

Welcome!

We’re excited to bring you the latest edition of the Threat Modeling Insider Newsletter!

This month, we’re featuring a guest article by Michael Boeynaems on Layered Threat Modeling, an enterprise architectural approach for scaling your threat modeling efforts. Additionally, don’t miss our Toreon blog post by Sebastien Deleersnyder, where he shares a Data Flow Diagram template for Miro to help take your threat models to the next level.

And there’s more! This edition is packed with insights and resources you won’t want to miss.

Let’s dive in!

Threat Modeling Insider edition

Welcome!

Threat Modeling Insider edition

We’re excited to bring you the latest edition of the Threat Modeling Insider Newsletter!

This month, we’re featuring a guest article by Michael Boeynaems on Layered Threat Modeling, an enterprise architectural approach for scaling your threat modeling efforts. Additionally, don’t miss our Toreon blog post by Sebastien Deleersnyder, where he shares a Data Flow Diagram template for Miro to help take your threat models to the next level.

And there’s more! This edition is packed with insights and resources you won’t want to miss.

Let’s dive in!

On this edition

Tips & tricks
Threat Modeling Hackathon 2025

Training update
An update on our upcoming training sessions.

Guest article

Layered Threat Modeling, an enterprise architectural approach

I love hate threat modeling

My relationship with threat modeling is complicated. The first time I seriously started to learn about threat modeling was at an OWASP conference about ten years ago. Since then, I have tried to wrap my head around it, but I still find it challenging on multiple fronts:

  • How detailed should I go? Is ‘buffer overflow via parameter expansion (CAPEC-47)’ a threat? Or should I simply stick to ‘elevation of privilege’ as threat? 
  • How to reuse existing threat catalogs, such as the one with 47 threats from the BSI IT-Grundschutz, or the prime threats from ENISA?
  • Should I use STRIDE-LM, or MITRE CAPEC. Or MITRE ATT&CK? Or OCTAVE? Or maybe a NIST special publication?

  • Is my threat model complete?

  • How can I bring threat modeling to enterprise architects?

All of the above questions lead to my complicated relationship with threat modeling. Most of the time I am trying to overengineer it, thereby ending in analysis paralysis. Whatever the case, I think that threat modeling is really hard. But, it’s also really fun, which is why I kept trying.

Getting the right perspective

Recently I have built an understanding that closely aligns with the architectural vision we try to put forward at Splynter. We often work as part of (enterprise) architecture, and then we often ask ourselves: is the model complete? How detailed do I need to go? Which building blocks can I reuse? The architectural discipline is subject to a lot of formalization thanks to resources such as TOGAF, SABSA, and ArchiMate, and is able to formulate quite a good answer to these questions.

All of these frameworks have one thing in common, which dates back to a paper written by the famous John Zachman (*J. A. Zachman, “A framework for information systems architecture,” in IBM Systems Journal, vol. 26, no. 3, pp. 276-292, 1987, doi: 10.1147/sj.263.0276.*). A broadly used insight of that paper is the concept of perspectives. Zachman identifies 6 perspectives, each of which views a solution from a different angle. Examples are the owner’s perspective and the builder’s perspective. Zachman concludes that ’there is not an information systems architecture, but a set of them’ and that ‘architecture is relative’. 

Applying these same understandings, I argue there’s not a single threat model but a set of them, each one tailored to a specific perspective:

  • [contextual] A CEO worries about threats such as ransomware or supply chain attacks. (in case you don’t agree that these are threats, please take your argument to ENISA
  • [conceptual/logical] An enterprise architect worries about the grand set of threat categories (such as STRIDE-LM)
  • [conceptual/logical] An enterprise security architect dives deeper and uses [CAPEC’s meta-attack patterns (Version 3.9)
  • [logical/physical] A solution architect worries about more technical threats and considers the EoP threat modeling game or CAPEC’s standard attack patterns. Software developers also use this.
  • [physical] A web application developer rather looks at OWASP’s Cornucopia
  • [cross-cutting] A security analyst considers MITRE ATT&CK as their go-to catalog.

And that’s where the concept of ‘layered threat modeling’ comes from!

Layered threat modeling

Let’s reuse an example, that Roos and I presented at ThreatModCon 2024. This example hopefully proves the hypothesis that threat modeling is layered, using just two layers:

  • an architectural layer (in this context, the conceptual perspective) describing architectural building blocks (ABBs). ABB is a TOGAF concept and refers to an abstract and reusable concept. In a train analogy, the concept of ‘locomotive’ could be an ABB. It should fulfil the function of moving passenger cars, at speeds of 200km/h.  
  • a solution layer (in this context, the logical perspective) describing solution building blocks (SBBs). SBB is a TOGAF concept as well which refers to a more concrete concept. In the same analogy you would model a ‘Siemens HLE 18′ as an SBB (that’s the locomotive often used in Belgium, by the way).

We say that the SBB layer ‘realizes’ the ABB layer, and the train analogy is shown in the image below.

The example we use further in this article is a bit more complex than the train one, but not much. It describes how to securely access a REST API. The image below shows the two layers: the architectural layer presenting ABBs, and the solution layer presenting SBBs. The model is oversimplified. It lacks trust boundaries and flow information, but it is detailed enough for our argument.

We then threat model each layer using a different set of threats (we use CAPEC’s *attack* list, a discussion on the differences or similarities between attacks and threats is for another time):

While it does not matter which threat catalog we use, the fact that we do use different threats for each layer is the core message of this article. Using higher-order threats (‘meta-attacks’) on the architectural layer is more efficient and effective than using very concrete and technology-specific threats (‘standard attacks’).

For example, arguing about SQL injection (a standard attack) with an enterprise architect when it is not even known yet that the database technology will actually be susceptible to such an injection makes little sense. Talking about the more generic ‘command injection’ threat (a meta-attack) at the architectural layer is more helpful. The SQL injection threat does become relevant when discussing actual solutions.

As a second example, discussing password brute forcing, phishing, password spraying, etc. (standard attacks) on the architectural layer is much too narrow and leads to useless conversations because the actual technology is not yet known. Rather, using the broader meta-attack of ‘identity spoofing’ at the architectural layer is much more useful: it makes the architect realize that this threat should be covered using the correct authentication and authorization building blocks, without diving into a discussion on threats that are not relevant at this point yet.

This reasoning results in architectural threats on the architectural layer and solution threats on the solution layer. Of course, the threats on both layers are interlinked (the solution-layer threat ‘realizes’ the architecture-layer threat) as shown on the following model:

This link between architectural threats and solution threats can easily be found in the CAPEC documentation but exists regardless of the threat catalog that is adopted. Next, we should think about the security controls (what are we going to do about it), but I wanted to keep the focus on the threat modeling part.

Conclusion

Threat modeling can and should be done at various layers. Thinking in these different layers or perspectives helps to make sure the threat model is relevant for your stakeholders. It also helps in being complete, and it helps in realizing that certain threat catalogs may be better suited for certain perspectives. This latter conclusion just made it click for me and made me love threat modeling again.

Two bonus conclusions are hidden in this article. One, I’ve demonstrated how threat modeling can practically be done by enterprise and solution architects who operate using a TOGAF-based methodology and use the ArchiMate notation (the modeling conventions for the threats are based on the whitepaper by The Open Group titled ‘How to model enterprise risk management and security with the ArchiMate language’). Two, threat models at the architecture layer can often be reused across organizations as they are solution-independent. In the Enterprise Security Architect focus group of the Cyber Security Coalition, we are currently defining patterns that are threat modeled and can freely be used. Stay tuned!

Authors

Lead author: Michael Boeynaems
Supporting author: Roos Hubrechtsen

Advance your career with our in-company Threat Modeling Practitioner certification - tailored training options available!

Testimonial from a Happy Customer:

The Threat Modeling training from Toreon was a game changer. The trainers were true experts, answering all our questions and guiding us through complex topics. The hands-on sessions and well-structured approach gave our team the confidence to tackle threat modeling effectively, no matter their experience level. It’s made a real impact on how we protect our organization.

Maxine McFarlane, Application Security SME, Lloyds Banking Group

CURATED CONTENT

Handpicked for you

Level Up Your Threat Models: Data Flow Diagram Template for Miro

TTPs.ai for GenAI-Targeted Attacks

Ever stared at a blank Miro flowchart board, wondering how to kickstart your threat modeling session? You’re not alone. In our decade+ of training security professionals, we’ve seen even experienced architects struggle with creating clear, effective Data Flow Diagrams (DFDs).

That’s why we’re sharing something special: our professional Miro template that’s been battle-tested in hundreds of training sessions.

Michael Bargury wrote a thought-provoking piece on how Threat Actors are Using AI to Launch GenAI-Targeted Attacks. In this article, he breaks down the growing risks of AI-generated cyberattacks and explores the tools malicious actors are using to exploit these advanced technologies. With AI becoming more accessible, the potential for targeted attacks is increasing—so what can be done to mitigate these threats?

Dive into Michael’s insights to understand how the landscape is shifting and what businesses can do to stay ahead.

Elevation of Privilege

This application provides an online version of the card games Elevation of Privilege, OWASP Cornucopia, OWASP Cumulus, and Elevation of MLsec, enabling remote or geographically distributed developer teams to play these threat modeling games.

TIPS & TRICKS

Threat Modeling Hackathon 2025

We’re excited to announce that Toreon’s Steven Wierckx, a leading expert in Threat Modeling, will be Chair of the Judging Panel for Hackathon 2025! This event brings together professionals to solve real-world security challenges through hands-on threat modeling.

Steven will be part of the jury and use his expertise to evaluate their innovative solutions, making it a great opportunity to learn from one of the best.

For more details, check out the Threat Modeling Connect Hackathon 2025 website.

Upcoming trainings & events

Book a seat in our upcoming trainings & events

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on 6 Dec 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, online, hosted by Black Hat Europe, London

Next training dates:
9-10 December 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by NDC Security, Oslo

9-10 December 2024

Threat Modeling Practitioner training, hybrid online, hosted by DPI 

Cohort starting on 6 Dec 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, online, hosted by Black Hat Europe, London

Next training dates:
9-10 December 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by NDC Security, Oslo

9-10 December 2024

Threat Modeling Insider Newsletter

Delivering the latest Threat Modeling articles and tips straight to your mailbox.

Start typing and press Enter to search

Shopping Cart