Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Peleus Uhley
Peleus Uhley
Connect Directly
E-Mail vvv

Deconstructing Threat Models: 3 Tips

There is no one-size-fits-all approach for creating cyber threat models. Just be flexible and keep your eye on the who, what, why, how and when.

There are a lot of theories about creating threat models. Over the years, I’ve used threat models in many ways at both the conceptual and application level. Their utility often depends on the context and the job to which they are applied.

Deconstructing the purpose of threat models requires taking a step back to examine their value with respect to any risk situation, concentrating on who, what, how, when, and why:

  • Who is the entity conducting the attack, including nation states, organized crime and activists. 
  • What is the ultimate target of the attack, such as credit card data or computer resources. 
  • How is the method by which attackers will get to the data, such as SQL injection or buffer overflows. 
  • Why captures the reason the target is important to the attacker. Does the data have monetary value, or are you just a pool of resources an attacker can leverage in pursuit of other goals?

Simply put, a threat can be described as who will target what, using how in order to achieve why.

What and How: Threat models typically put most of the emphasis on what and how. Looking at the what and how allows you to identify potential bugs that will crop up in the design, regardless of who might be conducting the attack and their motivation. However, the challenge with focusing solely on what and how is that they change over time.

Who and Why: Unlike what and how, who and why tend to be fairly constant. The assumption is that is doesn’t really matter who or why – the focus should be on stopping the attack. However, focusing on who and why can lead to new ideas for overall mitigations that provide better protection than the point fixes identified by how.

For example, we knew that attackers using advanced persistent threats (APT) (who) were fuzzing (how) Flash Player (what). To look at the problem from a different angle, we decided to stop and ask why. It wasn’t solely because of Flash Player’s ubiquity. At the time, attackers were focusing on Flash Player because they could embed it in an Office document to conduct targeted spearphishing attacks.

Targeted spearphishing is a valuable attack method because hackers can directly access a specific target with minimal exposure. By adding a Flash Player warning dialogue to alert users of a potential spearphishing attempt in Office, we addressed the issue that made Flash Player of value to them and therefore made the attack less effective. After that simple mitigation was added, the number of zero-day attacks dropped and forced the attackers had to develop new exploit methods.

When: Examining the when can also be extremely useful. Most people think of threat models as a tool for the design phase. However, threat models can also be used in developing incident response plans. You can take any given risk and consider, "When this mitigation fails or is bypassed, we will respond by...”

Threat Model Flexibility
Having a threat model for an application can be beneficial in controlling both high-level (who/why) and low-level threats (how/what). That said, the reality is that many companies have gotten away from traditional threat models. Keeping a threat model up-to-date can take a lot of effort in a rapid development environment, as Adam Shostack covers in his blog post, The Trouble with Threat Modeling.

Unfortunately, there is not a one-size-fits-all solution to this problem. From experience, the best approach has been to try and keep the spirit of threat modeling, while being flexible on the implementation. In order to achieve this, consider three factors:

  1. There should be a general high-level threat model for each overall application. This high-level model ensures everyone is headed in the same direction, and it can be updated as needed for major changes to the application. A high-level threat model is good for sharing with customers, helping new hires understand the security design of the application, and serve as a reference for the security team.
  2. Threat models don’t have to be documented in the traditional threat model format. The traditional format is very clear and organized, but it can also be complex. The goal of a threat model is to document risks and formulate plans to address them. For individual features, this can be a simple paragraph that everyone can understand. Even writing, “this feature has no security implications,” is informative.
  3. Put the information where developers are most likely to find it. For instance, if you use the simplified format referenced above, then it is easier to place the threat information in line with mitigation exists. The threat information can be included directly in the specs, in the code comments or with threat unit tests. This can help eliminate cross-referencing issues when formal threat models exist as completely separate documents.

The concept of threat modeling still serves a valid purpose by helping to ensure the design is sound. By examining the who, why, and when, the traditional approach to threat modeling can be made more effective at identifying high level mitigations and responses.  By being flexible with the approach to documentation, security information can be captured where developers are most likely to find, use, and maintain it.  These steps can help threat modeling evolve alongside our development processes.

Peleus Uhley has been a part of the security industry for more than 15 years. As the lead security strategist at Adobe, he assists the company with proactive and reactive security. He contributes to the Internet Bug Bounty, OWASP and several other community organizations. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS build 20210202 (and later) QT...
PUBLISHED: 2021-04-16
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...