Performing threat modelling
When delivering a service you need to understand how robust it will be when faced with cyber attack techniques which could be used to exploit vulnerabilities.
Threat modelling is a highly technical security activity and should be conducted by cyber security specialists with input from your delivery team. Engage with your organisation’s risk management team to determine what support they can provide for your service.
Threat modelling is the follow-up activity to a threat assessment. Once you have gathered information on the motivation, intent and capability of threat actors, you should explore possible vulnerabilities and issues that might apply to your service. This will allow you to:
- identify likely threat events and how they may be conducted by attackers
- discover how non-malicious system failures may affect the availability or security of your service
- articulate pertinent security risks and justify the need for appropriate and proportionate security measures
- proactively build security controls into the service that reflect defined threats on the service’s attack surface
- consider the threats that other compromised services pose to your service and the threat your service would pose to other services if it were compromised
Threat modelling should take place during the service design and build phase as a precursor to carrying out a risk assessment. It should be repeated during the delivery lifecycle whenever there are design changes that have security implications, or when new threats that can potentially compromise your service are identified.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to adopt a risk-driven approach and minimise the attack surface.
Who is involved
This is an activity performed by cyber security specialists either within your delivery team, from your organisation, or through an external consultancy.
The work of threat modelling experts should be facilitated by your Senior Responsible Officer (SRO), service owner and programme manager with input from technical and security professionals within your project.
How to perform threat modelling
The following steps are a description of the process that cyber security professionals will go through when performing threat modelling. This will change depending on the nature of your service and the setup of your organisation.
Step 1: Conduct threat discovery workshops
A series of physical or digital workshops will help you uncover the answers to two important questions; what are we working on, and what could go wrong?
These should be interactive sessions and involve the people with knowledge of the hardware, software, data assets and architecture of your service. The main areas to cover are:
- the core components of the service you are building
- how the service will be used
- system interfaces (such as file transfers or APIs)
- user interfaces (such as a website or app)
- the relationships and trust boundaries between components
Map out the service architecture using sticky notes, a digital whiteboard, or specialist threat modelling tools (such as OWASP’s Threat Dragon or Microsoft’s Threat Modeling Tool). To ensure each area is given sufficient attention, focus on subsets of components in separate workshops rather than tackling the whole architecture at once.
Highlight areas that may cause a potential security issue, considering:
- what could go wrong with the service
- what threat events (such as a phishing attack) could impact the components
- paths that attackers may take to exploit your service
Recommended threat discovery frameworks and methods
- MITRE ATT&CK, MITRE D3FEND and MITRE CAPEC – used to explore possible vulnerabilities and issues that might apply to your service
- STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) – a model for exploring different threat categories
- Attack Trees – for representing the paths adversaries may use to attack your service so you can design solutions to prevent them
Step 2: Identify potential threat responses
Once the threats have been identified, the focus of your workshops should turn to the topic of what you are going to do about them.
Your threat response will usually come in the form of security controls or measures that could be used to reduce or eliminate risks. Go through your architecture and consider:
- if your organisation or technology suppliers already provide any security controls
- what security control options are available to mitigate a threat event (or multiple threat events)
- how security controls will impact the threat event, and any possible drawbacks
- estimates of cost to implement and maintain security controls
These do not need to be complete or definitive solutions, but should include enough detail to be used when carrying out a risk assessment for your service.
For example, to partially mitigate against distributed denial-of-service (DDoS) attacks you could integrate a tool into your service that prevents likely malicious traffic from reaching your web servers. The effort to enable this control is negligible and the cost will already be included within your content delivery network (CDN). The drawbacks may be some legitimate users temporarily prevented from accessing the service, for example if they’re using a virtual private network (VPN). However this is unlikely and an acceptable consequence to guard against the security risk.
Step 3: Collate and share your threat model
If the information from your workshops has been gathered using sticky notes or a digital whiteboard, consider the best way to convert this to an accessible format that can be distributed and used by the service delivery team who are responsible for system and security design.
You will also want to share your threat model with:
- people who are responsible or accountable for managing delivery risks and deciding on an appropriate treatment for security risks such as Senior Responsible Owners (SRO) and service owners
- people who have oversight responsibilities for cyber security and risk management such as you head of cyber security
- people in your organisation’s Network Operations Centres (NOC) or Security Operations Centres (SOC)
Step 4: Review your threat model
Once your service has been designed and the security controls outlined in your threat model have been included or deployed, it’s essential to revisit the outputs of this exercise to ensure that the solutions meet the identified issues.
It’s good practice to get feedback from others who were not involved in the workshops. Security professionals from other teams, other departments or the National Cyber Security Centre (NCSC) will be able to provide an unbiased view on the effectiveness and comprehensiveness of your security measures.
This should be routinely reviewed whenever there is a significant change in the service or the threat assessment. The controls identified in your initial threat model are unlikely to work forever and you should be prepared to make regular patches and fixes to operating systems and applications.
- NCSC: Threat Modelling
- NCSC: Building a Security Operations Centre (SOC)
- Government Digital Service (GDS): Threat modelling
- Threat Modelling Manifesto
- Open Worldwide Application Security Project (OWASP) Threat modeling
- Department for Science, Innovation & Technology (DSIT): Conducting a STRIDE-based threat analysis