This post – What is Threat Modeling? – is the first in a series to educate those who are interested in a first experience with Threat Modeling.
Intro to Threat Modeling part 1
What is Threat Modeling (TM)?
Threat Modeling is a way to analyze the risk inherent to a system’s design. Originating from application security circles, the technique has been found to be effective in many circumstances for many types of systems – IT and OT (operational technology). We’ve successfully run threat models for industrial installations, nuclear installations, wind generators and smart grids.
It is a way to ‘shift left’, meaning to make sure security is part of the picture as early as possible when designing a system. But TM can just as easily be used to analyze an existing system.
We also refer to TM as ‘whiteboard hacking’. It’s true: We bring together the owners, architects, designers and developers of a system (usually an application) around the table and effectively analyze the system – often on the whiteboard.
How to Threat Model
The Threat Modeling process is done in two phases, split into two workshops: data modeling and threat modeling.
First, during the data modeling phase, the system is analyzed and drawn out. All the connections and dataflows are detailed in a diagram. Special attention is given to the trust boundaries. These are points of interest where the level of security changes. They represent the attack surface of your system.
The second workshop focuses on threat modeling itself. A methodology for threat evaluation (such as STRIDE – more on STRIDE in another post) is used to create and categorize ‘worst case’ scenarios and analyze the potential impact.
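The two workshops can be sketched in code. The following is an added example, not material from the original post: it records a small data-flow diagram, finds the flows that cross a trust boundary, and builds a worksheet of STRIDE categories to discuss for each one. The system, its zone names, the STRIDE-per-element mapping and the choice to review the receiving element of each crossing flow are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: a common convention, assumed here (the post does not define it).
STRIDE = {
    "external": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "datastore": ["Tampering", "Information disclosure", "Denial of service"],
    "flow": ["Tampering", "Information disclosure", "Denial of service"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone the element lives in

def crossing_flows(elements, flows):
    """Workshop one output: flows whose endpoints sit in different trust zones."""
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f[0]] != zone[f[1]]]

def worksheet(elements, flows):
    """Workshop two input: (target, STRIDE category) rows for each crossing
    flow and for the element that receives it."""
    by_name = {e.name: e for e in elements}
    rows = []
    for src, dst, data in crossing_flows(elements, flows):
        label = f"{src} -> {dst} [{data}]"
        rows += [(label, c) for c in STRIDE["flow"]]
        target = by_name[dst]
        rows += [(dst, c) for c in STRIDE[target.kind] if (dst, c) not in rows]
    return rows

# Constructed sample system (hypothetical names and zones).
ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Order service", "process", "internal"),
    Element("Orders DB", "datastore", "internal"),
]
FLOWS = [  # (source, destination, data carried)
    ("Browser", "Web app", "login form"),
    ("Web app", "Order service", "order request"),
    ("Order service", "Orders DB", "SQL query"),
    ("Web app", "Browser", "session cookie"),
]

if __name__ == "__main__":
    for target, category in worksheet(ELEMENTS, FLOWS):
        print(f"{target:45} {category}")
```

The flow from the order service to its database stays inside one zone, so it does not appear on the worksheet; moving the database to a separate zone would add it.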
What you get
The result of the whole exercise is a technical risk analysis that shows you the pressure points of your system. These are points of interest for penetration testing, further analysis and improvement.
In the long term, the Threat Model acts as a piece of security documentation – a living document. Whenever the system is updated or adapted, the Threat Model can be revisited, the change analyzed and the models updated.
This way, the Threat Model becomes a useful piece of documentation to show and demonstrate the security considerations of an IT or OT system.
This post is part of our effort to bring Threat Modeling to a wider audience. We have a tradition of teaching Threat Modeling to experts, helping them execute it better. However, when speaking with security and IT professionals, we realized that not only do they not know how to Threat Model, many don’t even know why they should, what the benefits are, or how it all works.
Our next blog is ‘9 benefits of Threat Modeling’.