Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Peleus Uhley
Peleus Uhley
Connect Directly
E-Mail vvv

Deconstructing Threat Models: 3 Tips

There is no one-size-fits-all approach for creating cyber threat models. Just be flexible and keep your eye on the who, what, why, how and when.

There are a lot of theories about creating threat models. Over the years, I’ve used threat models in many ways at both the conceptual and application level. Their utility often depends on the context and the job to which they are applied.

Deconstructing the purpose of threat models requires taking a step back to examine their value with respect to any risk situation, concentrating on who, what, how, when, and why:

  • Who is the entity conducting the attack, including nation states, organized crime and activists. 
  • What is the ultimate target of the attack, such as credit card data or computer resources. 
  • How is the method by which attackers will get to the data, such as SQL injection or buffer overflows. 
  • Why captures the reason the target is important to the attacker. Does the data have monetary value, or are you just a pool of resources an attacker can leverage in pursuit of other goals?

Simply put, a threat can be described as who will target what, using how in order to achieve why.

What and How: Threat models typically put most of the emphasis on what and how. Looking at the what and how allows you to identify potential bugs that will crop up in the design, regardless of who might be conducting the attack and their motivation. However, the challenge with focusing solely on what and how is that they change over time.

Who and Why: Unlike what and how, who and why tend to be fairly constant. The assumption is that is doesn’t really matter who or why – the focus should be on stopping the attack. However, focusing on who and why can lead to new ideas for overall mitigations that provide better protection than the point fixes identified by how.

For example, we knew that attackers using advanced persistent threats (APT) (who) were fuzzing (how) Flash Player (what). To look at the problem from a different angle, we decided to stop and ask why. It wasn’t solely because of Flash Player’s ubiquity. At the time, attackers were focusing on Flash Player because they could embed it in an Office document to conduct targeted spearphishing attacks.

Targeted spearphishing is a valuable attack method because hackers can directly access a specific target with minimal exposure. By adding a Flash Player warning dialogue to alert users of a potential spearphishing attempt in Office, we addressed the issue that made Flash Player of value to them and therefore made the attack less effective. After that simple mitigation was added, the number of zero-day attacks dropped and forced the attackers had to develop new exploit methods.

When: Examining the when can also be extremely useful. Most people think of threat models as a tool for the design phase. However, threat models can also be used in developing incident response plans. You can take any given risk and consider, "When this mitigation fails or is bypassed, we will respond by...”

Threat Model Flexibility
Having a threat model for an application can be beneficial in controlling both high-level (who/why) and low-level threats (how/what). That said, the reality is that many companies have gotten away from traditional threat models. Keeping a threat model up-to-date can take a lot of effort in a rapid development environment, as Adam Shostack covers in his blog post, The Trouble with Threat Modeling.

Unfortunately, there is not a one-size-fits-all solution to this problem. From experience, the best approach has been to try and keep the spirit of threat modeling, while being flexible on the implementation. In order to achieve this, consider three factors:

  1. There should be a general high-level threat model for each overall application. This high-level model ensures everyone is headed in the same direction, and it can be updated as needed for major changes to the application. A high-level threat model is good for sharing with customers, helping new hires understand the security design of the application, and serve as a reference for the security team.
  2. Threat models don’t have to be documented in the traditional threat model format. The traditional format is very clear and organized, but it can also be complex. The goal of a threat model is to document risks and formulate plans to address them. For individual features, this can be a simple paragraph that everyone can understand. Even writing, “this feature has no security implications,” is informative.
  3. Put the information where developers are most likely to find it. For instance, if you use the simplified format referenced above, then it is easier to place the threat information in line with mitigation exists. The threat information can be included directly in the specs, in the code comments or with threat unit tests. This can help eliminate cross-referencing issues when formal threat models exist as completely separate documents.

The concept of threat modeling still serves a valid purpose by helping to ensure the design is sound. By examining the who, why, and when, the traditional approach to threat modeling can be made more effective at identifying high level mitigations and responses.  By being flexible with the approach to documentation, security information can be captured where developers are most likely to find, use, and maintain it.  These steps can help threat modeling evolve alongside our development processes.

Peleus Uhley has been a part of the security industry for more than 15 years. As the lead security strategist at Adobe, he assists the company with proactive and reactive security. He contributes to the Internet Bug Bounty, OWASP and several other community organizations. ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...