Editor’s note: The following is a guest article from William Dupre, a VP analyst at Gartner in the Gartner for Technical Professionals Security and Risk Management Strategies team.
Despite consistent headlines of breach after breach, organizations still struggle to understand the security threats that could impact their systems.
To get a better understanding of threats and where weaknesses may exist, security leaders should look to threat modeling — a form of risk assessment used to identify exposures and mitigations in a system.
Threat modeling is an architecture-level process for reviewing a system design, listing threats and mitigations, validating controls and mapping out the attack surface of a system. This can be for an application, a network, a device, containers or any system or element of software or hardware.
Here are three threat modeling frameworks to consider and how to use them:
STRIDE
STRIDE, a mnemonic for six threat categories, is one of the most popular threat modeling frameworks:
- Spoofing: An attacker attempts to impersonate an entity — for example, a user, a service — that interacts with some part of the system.
- Tampering: An attacker tries to modify data to manipulate some outcome.
- Repudiation: A user is able to deny actions, leading to a lack of attribution.
- Information disclosure: A system exposes information not intended to be released or that can be used for malicious purposes.
- Denial of service: Normal access to a system is restricted or prevented.
- Elevation of privilege: Permissions or authorizations not available to an entity are granted.
LINDDUN
Organizations that have concerns about data privacy should include a more focused threat modeling approach. One such framework is LINDDUN, which provides a catalog of privacy threats to enable the investigation of a wide range of design issues that could impact privacy.
The acronym “LINDDUN” represents the following privacy threat types:
- Linking: The ability to associate data or actions to an individual or group.
- Identifying: Learning the identity of an individual.
- Nonrepudiation: Being able to attribute a claim to an individual.
- Detecting: Deducing the involvement of an individual by observing.
- Data disclosure: Excessively collecting, storing, processing or sharing personal data.
- Unawareness: Insufficiently informing, involving or empowering individuals in the processing of personal data.
- Noncompliance: Deviation from security and data management best practices, standards and legislation.
The methodology for both STRIDE and LINDDUN consists of modeling a system (using a data flow diagram), identifying where threats could impact the system, and determining where controls can be put in place to mitigate those threats.
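As an added illustration of that methodology (this is example code, not from the article or from Gartner), the following Python walks a small data flow diagram, applies the STRIDE-per-element convention used in Microsoft SDL practice (an assumption, since the article does not state which categories apply to which element type) and reports every threat that has no recorded control, listing elements that cross a trust boundary first. The sample system and its controls are constructed.

```python
from dataclasses import dataclass, field

# STRIDE-per-element convention (assumed, from Microsoft SDL practice):
# which threat categories apply to each kind of DFD element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
THREAT_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

@dataclass
class Element:
    name: str
    kind: str                                     # key into STRIDE_PER_ELEMENT
    controls: dict = field(default_factory=dict)  # STRIDE letter -> mitigation
    crosses_boundary: bool = True                 # False: stays in one trust zone

def enumerate_threats(elements):
    """Every (element, letter, threat name, mitigation or None) the mapping yields."""
    return [(e.name, letter, THREAT_NAMES[letter], e.controls.get(letter))
            for e in elements for letter in STRIDE_PER_ELEMENT[e.kind]]

def unmitigated(elements):
    """Threats with no control recorded; elements crossing a trust boundary first."""
    by_name = {e.name: e for e in elements}
    gaps = [(n, l, t) for n, l, t, m in enumerate_threats(elements) if m is None]
    return sorted(gaps, key=lambda g: not by_name[g[0]].crosses_boundary)

# Constructed sample DFD: browser -> web API -> orders database.
SAMPLE = [
    Element("Browser", "external_entity", {"S": "MFA login", "R": "signed audit log"}),
    Element("Web API", "process", {"S": "mTLS to DB", "T": "input validation",
                                   "I": "TLS", "D": "rate limiting", "E": "RBAC checks"}),
    Element("Orders DB", "data_store", {"T": "row-level ACLs", "I": "encryption at rest"}),
    Element("Browser->API", "data_flow", {"T": "TLS", "I": "TLS"}),
    Element("API->DB", "data_flow", {"I": "private subnet"}, crosses_boundary=False),
]

if __name__ == "__main__":
    for name, letter, threat in unmitigated(SAMPLE):
        print(f"{name:13} {letter}  {threat}: no mitigation recorded")
```

The same table-driven pass works for LINDDUN by swapping in a privacy threat catalog keyed by element type.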
Security decision trees
Security decision trees are an attacker-centric threat modeling technique that lets teams model how an attack might unfold using a tree structure. The attack scenario models the actions an attacker might take at each stage of an attack and what the system can do to counter them.
This approach can help teams understand the attacker mindset and decision-making process, along with the return on investment (ROI) of the attack.
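As an added example of the tree model described above (not code from the article or from Gartner), the following Python represents attacker choices as OR nodes and required steps as AND nodes, finds the attacker's cheapest path, expresses the attack's ROI as payoff per unit of effort, and scores each candidate control by how much it raises that cheapest path. Node names, effort values, payoff and candidate controls are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    op: str = "LEAF"                 # "LEAF", "OR" (any child suffices) or "AND" (all needed)
    cost: int = 0                    # attacker effort for a leaf, in arbitrary units
    children: list = field(default_factory=list)

def cheapest(node, mitigations):
    """Minimum attacker cost to reach `node` and the leaf actions on that path.
    `mitigations` maps a leaf name to the extra effort a deployed control adds."""
    if node.op == "LEAF":
        return node.cost + mitigations.get(node.name, 0), [node.name]
    results = [cheapest(child, mitigations) for child in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])      # attacker picks the easiest branch
    total = sum(r[0] for r in results)               # AND: every step must succeed
    return total, [leaf for r in results for leaf in r[1]]

def attacker_roi(root, payoff, mitigations=None):
    """Payoff per unit of effort on the cheapest path; a defender wants this low."""
    cost, path = cheapest(root, mitigations or {})
    return payoff / cost, path

def best_single_control(root, candidates):
    """The candidate control that raises the attacker's cheapest path the most."""
    base, _ = cheapest(root, {})
    return max(candidates, key=lambda c: cheapest(root, {c: candidates[c]})[0] - base)

# Constructed tree: how an attacker might get at customer order data.
TREE = Node("Read customer orders", "OR", children=[
    Node("Hijack an admin session", "AND", children=[
        Node("Phish credentials", cost=2), Node("Bypass MFA", cost=8)]),
    Node("Abuse the orders API", "AND", children=[
        Node("Find an injection flaw", cost=5), Node("Exfiltrate rows", cost=1)]),
    Node("Recruit an insider", cost=20),
])
# Candidate controls and the effort each adds to the step it counters (constructed).
CANDIDATES = {"Find an injection flaw": 30, "Bypass MFA": 12, "Phish credentials": 6}

if __name__ == "__main__":
    roi, path = attacker_roi(TREE, payoff=60)
    print(f"cheapest path {path} at ROI {roi:.1f}")
    print("control with most leverage:", best_single_control(TREE, CANDIDATES))
```

Note that hardening the MFA step alone changes nothing here, because the attacker's cheapest branch does not pass through it; that is the kind of ROI comparison the tree is meant to surface.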
When to use threat modeling frameworks
Organizations should use these frameworks during specific points in time within risk assessment processes to get a broad and consistent understanding of threats. These points should align with the different phases of system evolution that include initial system design, legacy system review and strategic IT or business changes.
The frameworks can be used as stand-alone approaches or as a further analysis complementary to each other. The process could be further enhanced with adversary tactics and techniques as defined by the MITRE ATT&CK framework or the Lockheed Martin Cyber Kill Chain framework.
Use a diversity of techniques to understand threats
Using frameworks to perform threat modeling is an important component of an organization’s risk assessment process. The frameworks should be used, as a manual effort or along with automated solutions, to understand threats.
However, instilling a threat-conscious mindset in the organization takes a diversity of techniques. Some of those techniques are informal, and these, listed below, get to the heart of the art of threat modeling.
- The devil’s advocate: Organizations need to break out of their echo chambers and have their assumptions challenged. Complacency can breed insecurity. What is needed is for organizations to have people and/or processes in place to arouse them from the sleep of the status quo.
- Analogical thinking: Sometimes it is important to be able to draw connections between something that is familiar and something that is alien to our understanding. Such connections can help us better understand new and complex issues and enable us to communicate such issues.
- Model once, apply to many: Organizations typically have hundreds, if not thousands, of applications and systems in their environment, but not all of them are unique in every dimension. It is possible that lessons learned from one threat model apply to multiple systems or applications.
When considering who to involve in threat modeling, it is important to include a diversity of roles within the organization so that a complete picture of the threat landscape can be drawn.
For instance, business roles help provide context to what is being modeled, while security roles provide guidance on how a threat could unfold. Architects and developers will also provide insights into components of the application and infrastructure.
Using any of these threat modeling techniques will make employees more threat conscious, so that they exercise better judgment with respect to cyber activities.
It is an important trait in a world where common threats persist because they consistently work and new threats emerge to adapt to new technologies and sociotechnical structures (for example, threats to — and from — generative AI).
Correction: This article has been updated to reflect William Dupre is a VP analyst at Gartner.