Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Peleus Uhley
Peleus Uhley
Connect Directly
E-Mail vvv

Deconstructing Threat Models: 3 Tips

There is no one-size-fits-all approach for creating cyber threat models. Just be flexible and keep your eye on the who, what, why, how and when.

There are a lot of theories about creating threat models. Over the years, I’ve used threat models in many ways at both the conceptual and application level. Their utility often depends on the context and the job to which they are applied.

Deconstructing the purpose of threat models requires taking a step back to examine their value with respect to any risk situation, concentrating on who, what, how, when, and why:

  • Who is the entity conducting the attack, including nation states, organized crime and activists. 
  • What is the ultimate target of the attack, such as credit card data or computer resources. 
  • How is the method by which attackers will get to the data, such as SQL injection or buffer overflows. 
  • Why captures the reason the target is important to the attacker. Does the data have monetary value, or are you just a pool of resources an attacker can leverage in pursuit of other goals?

Simply put, a threat can be described as who will target what, using how in order to achieve why.

What and How: Threat models typically put most of the emphasis on what and how. Looking at the what and how allows you to identify potential bugs that will crop up in the design, regardless of who might be conducting the attack and their motivation. However, the challenge with focusing solely on what and how is that they change over time.

Who and Why: Unlike what and how, who and why tend to be fairly constant. The assumption is that is doesn’t really matter who or why – the focus should be on stopping the attack. However, focusing on who and why can lead to new ideas for overall mitigations that provide better protection than the point fixes identified by how.

For example, we knew that attackers using advanced persistent threats (APT) (who) were fuzzing (how) Flash Player (what). To look at the problem from a different angle, we decided to stop and ask why. It wasn’t solely because of Flash Player’s ubiquity. At the time, attackers were focusing on Flash Player because they could embed it in an Office document to conduct targeted spearphishing attacks.

Targeted spearphishing is a valuable attack method because hackers can directly access a specific target with minimal exposure. By adding a Flash Player warning dialogue to alert users of a potential spearphishing attempt in Office, we addressed the issue that made Flash Player of value to them and therefore made the attack less effective. After that simple mitigation was added, the number of zero-day attacks dropped and forced the attackers had to develop new exploit methods.

When: Examining the when can also be extremely useful. Most people think of threat models as a tool for the design phase. However, threat models can also be used in developing incident response plans. You can take any given risk and consider, "When this mitigation fails or is bypassed, we will respond by...”

Threat Model Flexibility
Having a threat model for an application can be beneficial in controlling both high-level (who/why) and low-level threats (how/what). That said, the reality is that many companies have gotten away from traditional threat models. Keeping a threat model up-to-date can take a lot of effort in a rapid development environment, as Adam Shostack covers in his blog post, The Trouble with Threat Modeling.

Unfortunately, there is not a one-size-fits-all solution to this problem. From experience, the best approach has been to try and keep the spirit of threat modeling, while being flexible on the implementation. In order to achieve this, consider three factors:

  1. There should be a general high-level threat model for each overall application. This high-level model ensures everyone is headed in the same direction, and it can be updated as needed for major changes to the application. A high-level threat model is good for sharing with customers, helping new hires understand the security design of the application, and serve as a reference for the security team.
  2. Threat models don’t have to be documented in the traditional threat model format. The traditional format is very clear and organized, but it can also be complex. The goal of a threat model is to document risks and formulate plans to address them. For individual features, this can be a simple paragraph that everyone can understand. Even writing, “this feature has no security implications,” is informative.
  3. Put the information where developers are most likely to find it. For instance, if you use the simplified format referenced above, then it is easier to place the threat information in line with mitigation exists. The threat information can be included directly in the specs, in the code comments or with threat unit tests. This can help eliminate cross-referencing issues when formal threat models exist as completely separate documents.

The concept of threat modeling still serves a valid purpose by helping to ensure the design is sound. By examining the who, why, and when, the traditional approach to threat modeling can be made more effective at identifying high level mitigations and responses.  By being flexible with the approach to documentation, security information can be captured where developers are most likely to find, use, and maintain it.  These steps can help threat modeling evolve alongside our development processes.

Peleus Uhley has been a part of the security industry for more than 15 years. As the lead security strategist at Adobe, he assists the company with proactive and reactive security. He contributes to the Internet Bug Bounty, OWASP and several other community organizations. ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-16
IBM Sterling File Gateway through is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.