TMI newsletter 12 – Keys to successful privacy threat modeling


Hi there, welcome to our next edition of Threat Modeling Insider.

With this newsletter, we deliver guest articles, white papers, curated articles and tips on threat modeling that help you bootstrap or elevate your security knowledge and skills.

Our “TMI” line-up:

  • A guest article by Kim Wuyts, postdoctoral researcher at imec-DistriNet, KU Leuven covering “Keys to successful privacy threat modeling”;
  • We donated our Threat Modeling Playbook to OWASP;
  • Curated resources covering “Wikipedia on Threat Modeling history” and “Threat modeling your CI/CD pipeline”;
  • Tip: Webinar “Ask me Anything on Threat Modeling”;
  • Updates on upcoming Toreon training sessions.

Keys to successful privacy threat modeling

Guest article by Kim Wuyts, postdoctoral researcher at imec-DistriNet, KU Leuven

Privacy is important! This has been underlined by the GDPR and other data protection legislation that entered into force in the past years and that highlight the need for privacy integration in the software development lifecycle.

The privacy-by-design principle requires privacy to be included early on in the development lifecycle. But how can this be done in practice? Threat modeling, a systematic approach to reason about what can go wrong in a system, has proven its value in security engineering, and is equally useful for privacy. To get the most out of your privacy threat modeling experience, there are however some simple, yet important, rules you should take into account.

The key aspects listed below follow from our experiences with LINDDUN, however they are applicable to privacy threat modeling in general, independent of the specific approach or knowledge base that you want to apply.

LINDDUN provides a structured process for threat modeling enriched with an extensive privacy knowledge base. It was inspired by Microsoft’s STRIDE and therefore roughly shares the same steps yet focusing on the 7 privacy threat categories that are contained in its acronym (i.e. linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness, non-compliance). LINDDUN GO is the recently launched light-weight variant.

1 – Understand what privacy is about

Privacy is not a synonym for confidentiality. Clearly, protecting access to data in general is an important aspect to ensure privacy, but in essence it remains a security property. Even a perfectly secure system (if that would even exist) could still violate the privacy of its users. Privacy is more concerned about what can be done with the data once someone has access to them (whether this was intentional or not) and what can be done to prevent this.

LINDDUN encapsulates and supports 7 privacy threat categories:

  • Linkability- Two (or more) items of interest can be linked, even without knowing the identity of the data subject(s) involved.
  • Identifiability- A data subject can be identified from a set of data subjects through an item of interest.
  • Non-repudiation- The data subject is unable to deny a claim (e.g. having performed an action or sent a request).
  • Detectability- It is possible to distinguish whether an item of interest about a data subject exists or not, regardless of being able to read the contents itself.
  • Disclosure of information- An adversary is able to learn the content of an item of interest about a data subject.
  • Unawareness- The data subject is unaware of, or unable to intervene in, the collection, processing, storage, or sharing activities (and corresponding purposes) of the data subject’s personal data, and their own rights related to these data.
  • Non-compliance- The processing, storage, or handling of personal data is not compliant with legislation, regulation and/or policy.

In addition to LINDDUN, you might find other privacy taxonomies useful, such as Solove’s privacy taxonomyHansen et al.’s privacy goals (i.e. intervenability, transparency, linkability), and NIST’s privacy engineering objectives (i.e. predictability, manageability, disassociability).

2 – Get rid of your security mindset

This is probably the most challenging one for those who are familiar with (security) threat modeling. While the essence of threat modeling (i.e. think about what can go wrong in a structured way) remains the same and there is a strong dependency between privacy and security, privacy threat modeling approaches the system from a different perspective. Rather than protecting your assets, privacy is about protecting the data subjects’ data and their right to privacy. Not only (external) attackers can bring harm, also the system itself can misbehave and violate a person’s privacy. Therefore, you need to think about it with the data subject in mind and also critically reflect on the actions the system is performing on the personal data. For instance, do we need all these data or is a subset sufficient? What are the consequences of storing or sharing this dataset and what will (other) people be able to ‘learn’ from it?

3 – Find the approach that suits your needs

There are different ways to actually apply privacy threat modeling. Even within a single framework, method or knowledge base, execution can vary.

LINDDUN has 3 main variants to elicit privacy threats:

  • Full-fledged threat modeling(‘full’ LINDDUN) – Inspired by STRIDE (as described by Howard&Lipner), LINDDUN provides systematic support to elicit and mitigate privacy threats. In summary, each system component (i.e. DFD element) needs to be examined with the LINDDUN threat categories in mind to determine whether threats apply. To help elicit these threats, LINDDUN provides privacy threat trees which describe the most common privacy threat types. This variant is most suited for those looking for an extensive analysis with strong traceability of the process they executed.
  • Acronym-based brainstorming(LINDDUN as mnemonic) – At the other end of the spectrum is a more freestyle type of exercise. In practice, people sometimes only use the LINDDUN categories as input for a brainstorming session. While this highly reduces the effort required, it also reduces the systematicity and traceability of the process. In addition, the output solely depends on the threat modeler’s (privacy) expertise. This variant is therefore most suited for an experienced threat modeler who is looking for a quick, rather than an exhaustive, result.
  • Guided light-weight threat modeling(LINDDUN GO) – LINDDUN GO aims to bridge the gap between the previous two variants by combining the best of both worlds. Inspired by the Elevation of Privilege cards, LINDDUN GO provides light-weight support by reducing the complexity of both the threat modeling process and the provided privacy knowledge while still maintaining systematicity and extensive knowledge support. This variant is thus suited for people who are relatively new to the field, as well as for those who prefer more light-weight support in general.

Overall, the less (privacy) expertise you have, the more you will need to find support in a threat modeling method and its corresponding knowledge base.

To conclude, remember that privacy isn’t the same as security, hence you should also approach it differently. LINDDUN provides you with different approaches, from informal to systematic, that can support you in doing so.

Kim Wuyts, postdoctoral researcher at imec-DistriNet, KU Leuven

We donated our Threat Modeling Playbook to OWASP

We aim to improve product and software security with our new threat modeling playbook. We consider threat modeling as a foundational activity to improve your software assurance. We are convinced that a good threat modeling practice will measurably decrease security issues of delivered products.

As strong believers in open source, active OWASP collaborators and to increase our impact beyond our Toreon customers, we donate this threat modeling playbook to the community: visit the new OWASP project page.

We hope you will use this playbook to improve your threat modeling practice. We also encourage you to provide feedback to our OWASP threat modeling community in order to make this playbook even better in our next release.

If you are interested in the PDF version, it is available for download on our website.

Sebastien Deleersnyder
CEO Toreon
OWASP volunteer

Curated threat modeling content

Wikipedia on Threat Modeling history

The entry covering Threat Modeling on Wikipedia is an interested and recommended read. Especially the section on the evolution of IT-based threat modeling. This section described the history of threat modeling, going back as early as 1960!

Some sections can be improved. For example, the methodology section only covers STRIDE, PASTA and Trike. While we already mentioned the Study of SEI in newsletter 2 covering 12 methodologies.
You can help Wikipedia by contributing to this page.

Threat modeling your CI/CD pipeline

Michael Koopman wrote a great Master Essay at the University of Twente covering “A framework for detecting and preventing security vulnerabilities in continuous integration/continuous delivery pipelines.”

This paper aims at delivering a framework for detecting and preventing security vulnerabilities in Continuous Integration/Continuous Delivery pipelines in the context of a large consultancy company which provides Continuous Integration/Continuous Delivery environments as a service to customers and internal development teams.
Some exploratory research is done on how CI/CD is used within the company, and together with experts from the company, the framework is built.
Great input to build your own CI/CD threat model!

Tip: Webinar Ask me Anything on Threat Modeling!

Join me next 5-Nov for an open Q&A session.
We will go live at 5 pm CET in Europe, which is 11 am EST or 8 am PST in the US.

This will be an “Ask me Anything”(*) session with our Black Hat trainer and CEO Sebastien Deleersnyder. We will at least cover the following questions:
• What threat modeling tools do you recommend?
• How do I scale threat modeling in my organization?
• How do I convince my DevOps team to do threat modeling?

Bring your questions and fire away! This is the webinar that’s all about your questions on Threat Modeling.

Details and registration:

Upcoming public Toreon trainings

  • Hands-on threat modeling and tooling for DevSecOps hosted by Toreon  (2 x 4h on 17-18 November, 2020)
  • Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling at Black Hat Europe, London (7-8 December, 2020)
  • Whiteboard Hacking a.k.a. Hands-on Threat Modeling hosted by Toreon  (2 x 4h on 13-14 January, 2021)

Want to learn more about Threat Modeling training? Contact us, so we can organize one in your neck of the woods.

We aim to make this a community-driven newsletter and welcome your input or feedback. If you have content or pointers for the next edition, please share them with us.

Kind regards,
Sebastien Deleersnyder
CEO, Toreon

Book your seat in our Hands-on Threat modeling course

Do you want to discover everything you need to know about threat modeling? And get concrete tools to implement threat modeling in your organisation? Book your seat in our Hands-on Threat modeling course.

Start typing and press Enter to search

Shopping Cart