Threat Modeling Tips: Assembling the Right Team and Setting Clear Objectives
Threat modeling is a critical exercise that involves brainstorming, collaboration, and communication. It is essential to bridge the gap between application development, operations, business, and security. There is no shortcut to success, but there are some tips that can help improve the adoption and success of threat modeling.
Assemble the Right Team
Threat modeling is a “team sport” that requires the knowledge and skills of a diverse team, where all inputs are valued equally. To assemble the right team, you need to consider the following personas:
•The Business Persona: This persona represents the business outcomes of the workload or feature that is part of the threat modeling process. They should have an in-depth understanding of the functional and non-functional requirements of the workload and ensure that proposed mitigations do not impact these requirements negatively.
•The Developer Persona: This persona understands the current proposed design for the workload feature and has been involved in the design decisions made to date. They should have been thinking about threats to the design and possible mitigations to include.
•The Adversary Persona: This persona puts themselves in the shoes of an attacker and critically reviews the workload design to look for ways to take advantage of a design flaw in the workload to achieve a particular objective. The “attacks” they perform are a mental exercise, not actual hands-on-keyboard exploitation.
•The Defender Persona: This persona sees the possible “attacks” designed by the adversary persona as potential threats and devises security controls that mitigate the threats. They also evaluate whether the possible mitigations are reasonably manageable in terms of on-going operational support, monitoring, and incident response.
Establish Clear Objectives
Before starting the threat modeling exercise, it’s essential to establish clear objectives. This helps keep the exercise focused and ensures that everyone on the team is aligned on the goals. The objectives should answer the following questions:
•What is the workload or feature being threat modeled?
•What is the scope of the threat modeling exercise?
•What are the goals of the exercise?
•Who is the target audience of the exercise?
•What are the expected outcomes of the exercise?
Identify Threats
Once the team is assembled and clear objectives are established, the next step is to identify threats. The team should start by creating an overview of the system or application being modeled. Then, they should use different techniques such as STRIDE, DREAD, or PASTA to identify potential threats. These techniques help to identify threats based on the security properties of the system, the attacker’s motivation, and the impact of the threat.
Assess Risks
After identifying potential threats, the team should assess the risks associated with each threat. The team should consider the likelihood of the threat occurring and the impact it would have on the system. This information helps the team to prioritize the risks and focus on the most critical ones.
Define Mitigations
Once the risks are identified and prioritized, the team should define mitigations to address each threat. The team should consider different types of mitigations such as technical controls, policy controls, and physical controls. They should evaluate each mitigation based on its effectiveness, feasibility, and cost. The team should also consider the trade-offs between security, functionality, and usability.
Review and Refine
After defining mitigations, the team should review and refine the threat model. The team should consider whether the mitigations adequately address the threats and whether they have any unintended consequences. The team should also consider whether the mitigations are implementable and manageable in terms of operational support, monitoring, and incident response. Visit threat-modeling.com for more information about it.