
Threat-Modeling a System

Copyright © we45 2020


Approach - System Threat Modeling



Define Objectives and Security Requirements

• Top-Load your understanding of:

• Existing Security Requirements and Obligations - Contractual, etc

• Compliance Requirements - PCI-DSS, FISMA, FedRAMP, etc

• Management Security Objectives

• Your company’s Information Classification Policies



Define Scope
• Rule of Thumb: The larger your scope, the more diluted your Threat Model

• Rule of Thumb: The larger your scope, the more time-consuming your Threat Model is going to be

• Bound your scope - There will always be external dependencies, consider them in your Trust Zone/Boundary

• Remember that Threat Models can never be perfect. But they can be improved and iterated upon



What about changes?
• Scope may change often. Have a quick meeting to identify threats at a high level:

• This may stop there

• This may lead to a more detailed threat model

• This has to be decentralized



Decompose the System
• Break down the system for analysis with:

• Network Diagrams/DFD/Process Flow Diagrams

• Essays/Manuals/Stories

• Trust Zones/Boundaries

• Don’t look for perfection and aesthetics - Focus on threats and mitigations



Threat Analysis

• Leverage your Trust Zones, Diagrams and Essays

• Create a Data Dictionary - Sensitive Data that is stored/processed/transmitted by the system

• Start Threat Modeling with STRIDE



Success Factors and Gotchas

• Threat Modeling is not a substitute for Vulnerability Assessment:

• Don’t get caught up in the effectiveness of existing controls unless you have hard evidence.

• Better to Threat Model and then validate it (with Vulnerability Assessment)



Success Factors and Gotchas - 2

• Ideally a Cross-Functional Team should work on a Threat Model

• Time-box for the best results



First map out the EoP Threats

[Diagram: system diagram with elements marked E (Elevation of Privilege)]



Next map out the Spoofing Threats

[Diagram: the same system diagram, elements now marked with S (Spoofing) alongside E]



Now, the Tampering Threats

[Diagram: the same system diagram, elements now marked with T (Tampering) alongside S and E]



Now, the Repudiation Threats

Usually exists where S and T lie


[Diagram: the same system diagram, elements now marked with R (Repudiation) alongside T, S and E]



Information Disclosure Threats

[Diagram: the same system diagram, elements now marked with I (Information Disclosure) alongside R, T, S and E]



Denial of Service

[Diagram: the same system diagram, elements now marked with D (Denial of Service) alongside I, R, T, S and E]

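The pass-by-pass marking above, sketched as an added example that is not part of the we45 deck: analyst marks for E, S, T and D are recorded per element, Repudiation is derived wherever Spoofing and Tampering both apply, and flows crossing Trust Zones are listed. The element names, zones, marks and data dictionary are constructed, and treating data-dictionary items as Information Disclosure candidates is an assumption.

```python
# Added illustration; element names, zones and analyst marks are constructed.
from dataclasses import dataclass, field

PASS_ORDER = "ESTRID"  # order the slides walk the diagram: EoP, S, T, R, I, D

# Data dictionary: sensitive data the system stores, processes or transmits.
DATA_DICTIONARY = {"card_number", "session_token"}

@dataclass
class Element:
    name: str
    zone: str                                  # trust zone the element sits in
    marks: set = field(default_factory=set)    # analyst-assigned letters: E, S, T, D
    data: set = field(default_factory=set)     # data stored/processed/transmitted

ELEMENTS = [
    Element("browser", "internet", {"S"}, {"session_token"}),
    Element("web_app", "dmz", {"E", "S", "T", "D"}, {"session_token", "card_number"}),
    Element("orders_db", "internal", {"E", "T", "D"}, {"card_number"}),
    Element("static_cdn", "internet", {"D"}, set()),
]
FLOWS = [("browser", "web_app"), ("web_app", "orders_db"), ("browser", "static_cdn")]

def derive_marks(el):
    """Return the element's STRIDE letters in the order the slides add them."""
    marks = set(el.marks)
    if {"S", "T"} <= marks:           # "Usually exists where S and T lie"
        marks.add("R")
    if el.data & DATA_DICTIONARY:     # assumption: sensitive data => I candidate
        marks.add("I")
    return "".join(c for c in PASS_ORDER if c in marks)

def threat_table(elements):
    """Map each element name to its derived STRIDE letters."""
    return {e.name: derive_marks(e) for e in elements}

def boundary_flows(elements, flows):
    """Flows whose endpoints sit in different trust zones."""
    zone = {e.name: e.zone for e in elements}
    return [(a, b) for a, b in flows if zone[a] != zone[b]]

if __name__ == "__main__":
    for name, marks in threat_table(ELEMENTS).items():
        print(f"{name:12} {marks}")
    for a, b in boundary_flows(ELEMENTS, FLOWS):
        print(f"crosses trust boundary: {a} -> {b}")
```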


Lab: System Threat Model

