John Taylor | Information Security Leader
August 20, 2024

Setting the scene for your threat modeling program

In a recent webinar, John Taylor and Adam Shostack discussed what you need in place at the start of a threat modeling program to set it up for success. The topics covered included:

  • Where to begin: establishing your current state
  • Scope: how are you planning to deliver a program?
  • Frameworks: to support your next steps

You can see the webinar in full on YouTube here, or read a roundup of the key takeaways in this blog.

Setting your stage

“Understanding where you are is a crucial step to determine the direction you need to go with a threat modeling program. There are a series of items to think about and through when you are considering the direction of your program design.”

Be honest and work out where you are with threat modeling and how you are currently doing it (if you are doing it at all yet). Here are some options:

  • Manually
  • Ad hoc modeling
  • Repeatable processes in place

Do you already have a good level of maturity and are looking to scale? Or are you putting your best foot forward in your first program? Either way, there are frameworks and approaches that work for both novice and experienced threat modeling practitioners.

Where to begin

“Look at what your modeling efforts are like today. It doesn’t matter where we are as we can all improve and take it to the next level.”

In the words of Adam Shostack, ‘just dive in and threat model’. Starting somewhere, and starting small, is as good a point as any. The Threat Modeling Manifesto is a fantastic resource and aims to get you actually threat modeling rather than just talking about it. The Four Questions, also from Adam Shostack (What are we working on? What can go wrong? What are we going to do about it? Did we do a good job?), are a hugely helpful framework that gives you concrete steps to get you threat modeling.

Incorporating the Four Question Framework into what you are already doing moves you forward in leaps and bounds and gives you a repeatable approach you can reuse as your threat modeling journey continues.

Scope

“How we determine what and how we threat model, by scope, goes a long way to building a base to our programs.”

To scale effectively, you usually cannot do this alone. You may need buy-in from leadership or support from other stakeholders. Of equal importance is defining the scope of your program, so that you can clearly set the scene for everyone who becomes involved in rolling out the initiative.

Decide which applications will be threat modeled first, and which will be modeled retrospectively. Keep in mind that this is not a one-and-done activity: threat models need to be iterated as the system changes. Processes need to be simple and straightforward for stakeholders to understand, so that there is minimal resistance to coming on board with the journey. Frameworks like the RACI model (Responsible, Accountable, Consulted, Informed) can also help to clearly establish roles and responsibilities. The key point when defining scope is to keep it clear and simple enough to give you the best chance of buy-in and involvement.

You can also consider a delivery model. Three options, one of which may suit your organization type, are:

  1. Self Service – We train people and have them start and complete their own threat models.
  2. Collaborative Service – The threat modeling team works with product teams to build, analyze and deliver the threat model, with outputs to take action on.
  3. Full Service – The threat modeling team does all the work, but still validates the model with the product team to ensure its accuracy.

The number of stakeholders, the size and geographical spread of teams, your industry, or simply a preferred way of working may all feed into which of the above approaches you choose. Be sure to communicate which option you are moving forward with, so that expectations and requirements are understood.

Frameworks

“Frameworks provide a foundation to threat modeling processes. Various threat frameworks can help organizations stay focused on answering the four question framework.”

We have already mentioned the Four Questions, which are hugely popular and widely used. Other frameworks and methodologies include:

  • STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). The advantage of STRIDE is that it lets organizations analyze systems and networks and classify threats into a prioritized list, based on the likelihood of each threat occurring and the scale of its potential impact.
  • PASTA (the Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology with the added benefit of scalability: it can scale up or down as required, which is ideal for growing businesses, and most other threat modeling frameworks can also map into it.
  • Attack Trees. An attack tree describes the potential security breaches that could happen on IT and security systems, allowing organizations to develop countermeasures that prevent a threat actor from achieving their goal against a particular asset or target.
  • Kill Chains. Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies the steps an adversary must complete in order to achieve their objective.

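As an added illustration of the Attack Trees entry above (example code written for this roundup, not from the webinar or from any of the frameworks' authors), a small Python evaluator finds the cheapest path to an attacker's goal through OR/AND nodes and shows how each countermeasure raises that cost; the tree, leaf names and effort values are constructed sample data.

```python
from dataclasses import dataclass, field

INF = float("inf")  # a blocked leaf costs the attacker "infinity"

@dataclass
class Node:
    name: str
    gate: str = "LEAF"        # LEAF, OR (any child suffices) or AND (all children needed)
    cost: float = 0.0         # attacker effort for a leaf, arbitrary units (constructed values)
    children: list = field(default_factory=list)
    mitigated: bool = False   # True once a deployed countermeasure blocks this leaf

def cheapest(node):
    """Return (minimum attacker cost, leaf names on that path); INF means the goal is blocked."""
    if node.gate == "LEAF":
        return (INF, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)  # AND: every child must be completed
    return (total, [n for r in results for n in r[1]]) if total < INF else (INF, [])

def mitigate(node, leaf_name):
    """Mark the named leaf as countered; returns True if the leaf was found."""
    if node.gate == "LEAF":
        if node.name == leaf_name:
            node.mitigated = True
        return node.name == leaf_name
    return any(mitigate(c, leaf_name) for c in node.children)

def build_sample_tree():
    """Constructed example tree for the attacker goal of reading customer records."""
    return Node("Read customer records", "OR", children=[
        Node("Use a legitimate account", "OR", children=[
            Node("Guess a weak password", cost=5),
            Node("Phish an employee", cost=20),
        ]),
        Node("Reach the database directly", "AND", children=[
            Node("Obtain internal network access", cost=30),
            Node("Exploit an unpatched database service", cost=40),
        ]),
        Node("Steal an unencrypted backup", cost=50),
    ])

def countermeasure_plan(tree, leaves_to_counter):
    """Apply countermeasures in order; return the cheapest path before and after each one."""
    history = [cheapest(tree)]
    for leaf in leaves_to_counter:
        mitigate(tree, leaf)
        history.append(cheapest(tree))
    return history
```

Running countermeasure_plan(build_sample_tree(), ["Guess a weak password", "Phish an employee"]) shows the cheapest path move from the weak password (cost 5) to phishing (20) and then to the unencrypted backup (50), which is the order in which a defender would prioritise controls for this tree.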
Key takeaways

To get started with threat modeling, keep the following points in mind; they give you a good head start and a set of action points:

  1. Determine where you are and where you want to go.
  2. Involve people. You can’t do this in a vacuum.
  3. Plan for maturity to increase. You don’t have to be perfect.
  4. Scope what you do. Don’t plan on something too big.
  5. Define how you deliver the program or service.
  6. Set standards and processes, and leverage frameworks where needed.

Still need support? Take a look at the recent session on ‘Building foundations for your threat modeling program’.