DEV Community

Deepak Pakhale

Threat Modelling Simplified

Threat Modelling is a structured approach to identifying threats and their impact on a system in terms of business loss. As part of Threat Modelling, System Owners identify the various risks and threats and implement mitigation plans.

In this post we will try to understand the Threat Modelling terminology.

Threat Agents
These are the individuals or groups of users trying to gain access to the system, either by stealing the identity of legitimate users or by tricking the system into believing that they are the real users. Whether a Threat Agent is a small group or an organisation can be judged from the size of the threat and the possible gains from exploitation. Very sensitive parts of the system should not be easily accessible to anyone and must have multiple layers of security and user verification mechanisms.

Trust Zones
Different parts of a system generate or store different kinds of data with varying levels of sensitivity. For example, data stored in the Database is used by applications and is highly trusted, so there is usually no need for additional validation at the time of use. If the Database is compromised, the impact on the application is therefore Very High.

Impact
It is a quantification of the potential loss in terms of reputation, finances and user trust. Determining the impact of each possible threat helps system owners implement appropriate controls.

Controls
These are the countermeasures put in place to prevent, detect or mitigate the threats.

  • Preventive Controls avoid the threat entirely
  • Detective Controls observe the running system and determine whether a threat is present
  • Mitigations are measures put in place to drastically reduce the likelihood of a threat occurring

Likelihood
The likelihood of a threat occurring depends on how much infrastructure an attacker would need to put in place to exploit the system and on the possible rewards from doing so. Threat Intelligence gathered from the study of similar systems can also help determine the likelihood and the appropriate controls.

Threat Mapping
It is the process of mapping the different paths an attacker could follow to take advantage of missing controls. Data Flow Diagrams are the best way to determine how bad actors can move from one component to another and eventually reach the most sensitive parts of the system, where they can cause maximum damage. Understanding the system from multiple viewpoints (https://en.wikipedia.org/wiki/4%2B1_architectural_view_model) helps in effective Threat Mapping.
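
The following Python sketch is an added example, not part of the original post: it ties the terms above (Trust Zones, Impact, Controls, Likelihood and Threat Mapping) together over a constructed data-flow model, enumerates the paths an attacker could take to the most sensitive asset and ranks them by likelihood x impact. All component names, scores and control factors are hypothetical.

```python
from typing import List, Tuple

# Constructed sample system (not from the post). Trust zones ranked low -> high.
ZONE_RANK = {"internet": 0, "dmz": 1, "app": 2, "data": 3}
COMPONENT_ZONE = {"browser": "internet", "api_gateway": "dmz", "app_server": "app",
                  "batch_worker": "app", "database": "data"}
# Impact (1-10) if a component is compromised: reputation, finances, user trust.
IMPACT = {"browser": 1, "api_gateway": 3, "app_server": 6, "batch_worker": 5, "database": 10}
# Data flows: (src, dst) -> (base likelihood an attacker at src reaches dst, controls on the hop).
FLOWS = {
    ("browser", "api_gateway"): (0.9, ["waf"]),
    ("api_gateway", "app_server"): (0.6, ["mtls", "input_validation"]),
    ("api_gateway", "batch_worker"): (0.4, []),            # no controls on this hop
    ("app_server", "database"): (0.5, ["db_auth"]),
    ("batch_worker", "database"): (0.5, []),               # no controls on this hop
}
# Each control multiplies the hop likelihood by this factor (hypothetical effectiveness).
CONTROL_FACTOR = {"waf": 0.7, "mtls": 0.3, "input_validation": 0.5, "db_auth": 0.4}

def hop_likelihood(src: str, dst: str) -> float:
    """Base likelihood of the flow, reduced by every control guarding it."""
    likelihood, controls = FLOWS[(src, dst)]
    for control in controls:
        likelihood *= CONTROL_FACTOR[control]
    return likelihood

def attack_paths(start: str, target: str) -> List[List[str]]:
    """Enumerate simple paths along data flows from start to target (iterative DFS)."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            paths.append(path)
            continue
        for src, dst in FLOWS:
            if src == path[-1] and dst not in path:
                stack.append(path + [dst])
    return paths

def score_path(path: List[str]) -> Tuple[float, int]:
    """Risk = product of hop likelihoods x impact of the final asset; also count trust-zone crossings."""
    likelihood, crossings = 1.0, 0
    for src, dst in zip(path, path[1:]):
        likelihood *= hop_likelihood(src, dst)
        crossings += int(ZONE_RANK[COMPONENT_ZONE[dst]] > ZONE_RANK[COMPONENT_ZONE[src]])
    return round(likelihood * IMPACT[path[-1]], 3), crossings

def rank_paths(start: str, target: str) -> List[Tuple[List[str], float, int]]:
    """Highest-risk path first: that is where a missing control matters most."""
    scored = [(path, *score_path(path)) for path in attack_paths(start, target)]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```

Running `rank_paths("browser", "database")` puts the uncontrolled batch_worker route ahead of the guarded app_server route, which is exactly the gap a Threat Mapping exercise is meant to surface.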

Asset Identification
System Owners should track their assets in real time. Any unauthorised addition or removal of an asset could be a sign of an active threat to the system.

These are the basic Threat Modelling terms that every developer, architect or system designer should understand in order to build secure systems and apply Threat Modelling methodologies effectively.