threat modeling

Modeling

Uploaded by

Fahad Riaz

WHAT IS THREAT MODELING?

Threat modeling is a structured process of identifying, analyzing, and mitigating potential threats to a system or network, with the aim of understanding and addressing security risks before they can be exploited.

COMPONENTS OF THREAT MODELING:

1. DEFINE OBJECTIVES
2. TECHNICAL SCOPE
3. APPLICATION DECOMPOSITION
4. THREAT ANALYSIS
5. VULNERABILITY AND WEAKNESS ANALYSIS
6. ATTACK MODELING
7. RISK AND IMPACT ANALYSIS

The following is a practical example of threat modeling for an organization that operates an online banking application. It illustrates how to map the steps of threat modeling onto a real-world scenario.

1. Understand the Organization’s Context

• Business Goals: Provide secure online banking services to customers.
• Critical Assets:
  ◦ User accounts and financial data.
  ◦ Banking application and databases.
  ◦ API endpoints for mobile and web apps.
  ◦ Transaction processing systems.

2. Define the Scope

• Focus on the online banking application, covering:
  ◦ Web and mobile app interfaces.
  ◦ APIs connecting to backend services.
  ◦ User authentication processes.

3. Identify Threats (Using STRIDE Framework)

Here’s how STRIDE applies to our online banking example:

| Category | Example Threats | Possible Impact |
|---|---|---|
| Spoofing | Attacker impersonates a legitimate user. | Unauthorized access to user accounts. |
| Tampering | An attacker manipulates transaction data during transmission. | Fraudulent transactions. |
| Repudiation | A user denies making a transaction due to lack of logs. | Legal and compliance issues. |
| Information Disclosure | Data breach exposes customer account details. | Financial and reputational damage. |
| Denial of Service | Flooding login endpoints with fake requests. | Service outages affecting user trust. |
| Elevation of Privilege | Exploiting a vulnerability to gain admin-level access. | Full system compromise. |

4. Identify Entry Points

Analyze where attackers could interact with the system:

• External Interfaces:
  ◦ Login page (username/password input).
  ◦ APIs (used by the mobile app).
  ◦ Public-facing web servers.
• Internal Interfaces:
  ◦ Communication between application servers and the database.
  ◦ Admin panels used by internal staff.

5. Create Data Flow Diagrams (DFDs)

Create a simplified DFD for the online banking system:

• External Entities: Users and mobile/web apps.
• Processes: Login validation, transaction processing, reporting.
• Data Stores: User database, transaction logs.
• Data Flows: User sends credentials → Login validation server → Database.

Here’s how this identifies risks:

• Example Risk: Interception of credentials during login (Information Disclosure).
• Mitigation: Implement HTTPS to encrypt data in transit.
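The DFD above can also be written down as data and walked mechanically. The following is an added example, not part of the original document: it applies the common STRIDE-per-element mapping to the elements listed above and flags any flow that crosses a trust boundary unencrypted, which is the credential-interception risk just described. The trust zone names, the `encrypted` flags and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element: categories usually reviewed for each DFD element type.
STRIDE_BY_KIND = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
                "Denial of Service", "Elevation of Privilege"],
    "data_store": ["Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"],  # Repudiation: stores that hold logs
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key of STRIDE_BY_KIND
    zone: str   # trust zone (assumed names: internet, dmz, internal)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    encrypted: bool

def enumerate_threats(elements, flows):
    """Return (target, STRIDE category) pairs to walk through in review."""
    found = [(e.name, c) for e in elements for c in STRIDE_BY_KIND[e.kind]]
    for f in flows:
        label = f"{f.src.name} -> {f.dst.name}: {f.data}"
        found += [(label, c) for c in STRIDE_BY_KIND["data_flow"]]
    return found

def cleartext_boundary_crossings(flows):
    """Flows that leave one trust zone for another without encryption."""
    return [f for f in flows if f.src.zone != f.dst.zone and not f.encrypted]

# Constructed model of the DFD above; zones and encryption flags are assumptions.
user = Element("User (web/mobile app)", "external_entity", "internet")
login = Element("Login validation", "process", "dmz")
txn = Element("Transaction processing", "process", "internal")
user_db = Element("User database", "data_store", "internal")
txn_logs = Element("Transaction logs", "data_store", "internal")
ELEMENTS = [user, login, txn, user_db, txn_logs]
FLOWS = [
    Flow(user, login, "credentials", encrypted=False),  # plain HTTP, pre-mitigation
    Flow(login, user_db, "credential lookup", encrypted=True),
    Flow(txn, txn_logs, "transaction record", encrypted=True),
]
```

Calling `cleartext_boundary_crossings(FLOWS)` returns only the credentials flow; once that flow is marked encrypted (HTTPS), the list is empty.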

6. Assess Vulnerabilities

Using a vulnerability scanner (e.g., Nessus, Burp Suite):

• Finding: Outdated TLS version (e.g., TLS 1.0) is still enabled.
• Risk: This could allow attackers to decrypt communications.
• Mitigation: Update to TLS 1.3.

Other potential vulnerabilities:

• Weak password policy.
• SQL injection vulnerability in the login API.

7. Rate and Prioritize Risks

• Risk Matrix: Assign Likelihood and Impact to each threat:

| Threat | Likelihood | Impact | Risk Level |
|---|---|---|---|
| Credential interception (via HTTP) | High | High | Critical |
| SQL injection on login API | Medium | High | High |
| Denial of Service (DoS) attack on login | Medium | Medium | Medium |

8. Develop Mitigation Strategies

For each identified threat:

1. Credential Interception:
  ◦ Implement HTTPS with strong encryption (TLS 1.3).
  ◦ Use HSTS to enforce HTTPS connections.
2. SQL Injection:
  ◦ Use prepared statements (parameterized queries) so that user input is bound as data and never parsed as SQL.
  ◦ Perform regular code reviews.
3. Denial of Service:
  ◦ Implement rate-limiting on login endpoints.
  ◦ Use a Web Application Firewall (WAF).
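The SQL injection mitigation above, applied to a login lookup like the one in this scenario: a query built by string concatenation next to the same lookup as a prepared statement. This is an added example, not part of the original document; SQLite stands in for the bank's database, and the table layout, function names, account and test input are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice

def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """In-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    return db

def login_vulnerable(db, username, password):
    # BEFORE: input is pasted into the SQL text, so it can rewrite the query.
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + hash_pw(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_prepared(db, username, password):
    # AFTER: the statement text is fixed; the driver binds input as a value only.
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    stored = row[0] if row else hash_pw("dummy")  # same work for unknown users
    ok = hmac.compare_digest(stored, hash_pw(password))  # constant-time compare
    return row is not None and ok

# Constructed test input containing SQL syntax (a quote and a comment marker).
CRAFTED = "alice' --"
```

With `CRAFTED` as the username and any password, `login_vulnerable` returns `True` because the password condition is commented out of the query, while `login_prepared` looks for a user literally named `alice' --` and returns `False`.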

9. Review and Validate the Model

• Stakeholder Review:
  ◦ Share the threat model with the IT security team, developers, and business owners.
• Penetration Testing: Validate mitigations by simulating attacks (e.g., SQL injection tests).

10. Document and Communicate Findings

Example Summary Report:

• Threat Identified: Credential interception.
• Risk Level: Critical.
• Mitigation: Implement TLS 1.3, enforce HTTPS, deploy HSTS.
• Status: Pending implementation.

11. Continuously Update the Threat Model

As the application evolves:

• Add New Features: E.g., if a chatbot is added, re-evaluate potential risks (e.g., data leaks via chatbot responses).
• Monitor New Threats: Keep up-to-date with emerging attack vectors (e.g., API abuse).

Practical Tools for the Example

• DFD Creation: Microsoft Visio, Lucidchart.
• Threat Identification: OWASP Threat Dragon, Microsoft Threat Modeling Tool.
• Vulnerability Scanning: Nessus, Burp Suite.
• Risk Tracking: Excel or risk management software like RiskWatch.

Let's do another example of threat modeling for an organization. This example focuses on a company providing online financial services:

Threat Modeling for an Online Financial Service Provider

1. Objectives

To identify and mitigate potential security threats to the company's web application, customer
data, and network infrastructure.

2. System Components

• Web Application: Portal for customers to access financial services.
• API Server: Handles client requests and communicates with the database.
• Database: Stores sensitive data like customer information and transaction details.
• Network Infrastructure: Firewalls, routers, and VPNs securing communication.

3. Data Flow Diagram (DFD)


| Component | Interaction | Data Transferred |
|---|---|---|
| Customer | Inputs credentials on the portal | Username, password |
| Web Application | Forwards data to API server | Encrypted credentials |
| API Server | Queries database | Account and transaction data |
| Database | Sends data back to API server | Encrypted response |
| Web Application | Displays account information | Customer data |

4. Identify Threats Using STRIDE


| Threat | Example | Impact |
|---|---|---|
| Spoofing | An attacker impersonates a legitimate user to access the portal. | Unauthorized access |
| Tampering | Malicious alteration of financial transactions during processing. | Financial fraud |
| Repudiation | A user denies making a transaction due to a lack of proper logging. | Legal disputes |
| Information Disclosure | Sensitive customer data is leaked due to a misconfigured database. | Data breach fines |
| Denial of Service | A DDoS attack overwhelms the web application, making it unavailable. | Service downtime |
| Elevation of Privilege | Exploitation of an API vulnerability to gain admin access. | Full system compromise |

5. Risk Rating and Prioritization


| Threat | Likelihood | Impact | Risk Level |
|---|---|---|---|
| Data breach | High | Critical | Critical |
| Weak password policies | Medium | High | High |
| SQL Injection | Medium | High | High |
| DDoS attack | Low | Medium | Medium |

6. Mitigation Strategies

| Threat | Mitigation |
|---|---|
| Spoofing | Implement MFA and strong password policies. |
| Tampering | Use digital signatures for transactions. |
| Information Disclosure | Encrypt all sensitive data at rest and in transit. |
| Denial of Service | Deploy WAFs and enable rate limiting. |
| Elevation of Privilege | Regularly test APIs for vulnerabilities using security tools. |
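The rate limiting named in the table above, and recommended for login endpoints in the first example, can be sketched as a sliding-window limiter keyed on both the source IP and the target account. This is an added example, not part of the original document; the class name, the limits and the window length are assumptions, and a production deployment would keep the counters in shared storage rather than in process memory.

```python
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding window: caps login attempts per source IP and per account."""

    def __init__(self, per_ip=20, per_account=5, window=60.0, clock=time.monotonic):
        self.limits = {"ip": per_ip, "account": per_account}
        self.window = window
        self.clock = clock                # injectable so tests control time
        self.hits = defaultdict(deque)    # (scope, value) -> attempt timestamps

    def _recent(self, key, now):
        """Drop timestamps older than the window and return what is left."""
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, ip, username):
        now = self.clock()
        # Normalise the account name so case variants share one budget.
        keys = [("ip", ip), ("account", username.lower())]
        queues = [self._recent(k, now) for k in keys]
        if any(len(q) >= self.limits[k[0]] for k, q in zip(keys, queues)):
            return False                  # over a limit: reject, record nothing
        for q in queues:
            q.append(now)
        return True
```

The per-account limit slows password guessing against one user from many addresses, while the per-IP limit caps a single source that cycles through many usernames.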

7. Validation

• Conduct penetration tests targeting high-risk areas, such as the web portal and APIs.
• Perform periodic vulnerability scans using tools like Nessus or OpenVAS.
• Test disaster recovery by simulating DDoS attacks and ensuring failover systems activate.

8. Reporting

Create a report with the following:


1. Findings: Summary of identified threats and risk levels.
2. Action Plan: Steps to mitigate risks, prioritized by severity.
3. Timeline: Deadlines for implementing mitigation measures.
