Threat modeling is best applied continuously throughout a software development project. A four-question framework helps frame the exercise → What are we working on? What can go wrong? What are we going to do about it? Did we do a good job? The steps to take for threat modeling are →
- Assessment Scope → Identify tangible assets, such as databases of information or sensitive files, understand the capabilities the application provides, and assign a value to each.
- Identify Threat Agents and Possible Attacks → Characterize the different groups of people who might be able to attack the application, both insiders and outsiders, whether through inadvertent mistakes or deliberate malicious attacks.
- Understand Existing Countermeasures
- Identify Exploitable Vulnerabilities
- Prioritize Identified Risks → For each threat, estimate a number for likelihood and impact factors to determine an overall risk or severity level.
- Identify Countermeasures to Reduce Threat
Generic questions for a threat modeling exercise
- What is the scope of infrastructure covered? (the number of devices and servers, and the type of servers)
- What type of system is it? Client-Server based or service based?
- What are the assets? What data is handled? Who is the provider? Who is the customer?
- What technologies are being used for the application/software?
- What kind of data is stored and where? Is the data store encrypted?
- Who has access to the data store? How can it be accessed?
- What are the entry points to the system? (points of entry for the attacker like website, service at port xx, etc.)
- What functions does the application perform? Is any function privileged?
- Is there an authorization system in place for privileged functions?
- How many sub systems make up the entire application?
- How do those sub systems communicate? Is the communication secure (SSL/TLS)? Is the communication?
- Do the usual actions follow fail-safe defaults and least privilege?
- What kind of authentication system is in place (OAuth, MFA, etc.)? How is authentication maintained over time?
- What kind of data is logged and monitored by the system and/or the sub systems?
- Do the logs contain sensitive information? Are log files accessible based on authorization?
- Is there some kind of backup in place? Is the backup secured? Where is the backup stored? How is data sent there (transit)?
- Looking at STRIDE, what sort of attacks are possible based on gathered information? (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privileges)
- Do the sub systems store different kinds of data in different places? How does one compromised sub system affect the other?
- What are the current countermeasures in place?
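As an added worked example (not part of these notes), the "Prioritize Identified Risks" step and the STRIDE question above carried through in Python: a small constructed model with three entry points and four STRIDE-tagged threats, each scored on likelihood and impact factors, bucketed and combined through a severity matrix, then sorted for prioritization, plus a check for which STRIDE categories have no threat recorded against each entry point. The 0-9 factor scale and the severity matrix are assumptions borrowed from the OWASP Risk Rating Methodology (the page names no scale); the entry points, threats, factor names and numbers are all constructed for illustration.

```python
"""Worked threat-model scoring: STRIDE threats per entry point, rated by
likelihood and impact factors and combined into an overall severity.

Assumed scale (not stated in the notes; OWASP Risk Rating style): every
factor is 0-9, factors in each group are averaged, the average is bucketed
into LOW / MEDIUM / HIGH, and the two buckets index a severity matrix.
"""
from dataclasses import dataclass, field
from statistics import mean

# STRIDE categories as listed in the checklist.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# (likelihood bucket, impact bucket) -> overall severity (OWASP-style matrix, assumed).
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",   ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}
SEVERITY_RANK = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Threat:
    id: str
    element: str            # entry point or sub system the threat applies to
    category: str           # STRIDE letter
    description: str
    likelihood: dict        # factor name -> 0..9
    impact: dict            # factor name -> 0..9
    countermeasures: list = field(default_factory=list)


def bucket(avg: float) -> str:
    """Average 0-<3 is LOW, 3-<6 is MEDIUM, 6-9 is HIGH (assumed thresholds)."""
    if avg < 3:
        return "LOW"
    if avg < 6:
        return "MEDIUM"
    return "HIGH"


def score(t: Threat):
    """Return (likelihood average, impact average, overall severity)."""
    for factors in (t.likelihood, t.impact):
        bad = [k for k, v in factors.items() if not 0 <= v <= 9]
        if bad:
            raise ValueError(f"{t.id}: factor(s) {bad} outside the 0-9 scale")
    lk, im = mean(t.likelihood.values()), mean(t.impact.values())
    return lk, im, SEVERITY[(bucket(lk), bucket(im))]


def prioritize(threats):
    """Highest severity first; ties broken by the sum of the raw averages."""
    ranked = []
    for t in threats:
        lk, im, sev = score(t)
        ranked.append((t.id, sev, lk + im))
    ranked.sort(key=lambda r: (SEVERITY_RANK[r[1]], r[2]), reverse=True)
    return [(tid, sev) for tid, sev, _ in ranked]


def stride_gaps(threats, elements):
    """Per element, the STRIDE categories for which no threat has been recorded yet."""
    covered = {e: set() for e in elements}
    for t in threats:
        covered.setdefault(t.element, set()).add(t.category)
    return {e: sorted(set(STRIDE) - covered[e]) for e in elements}


# Constructed sample model: three entry points and four threats (illustration only).
ELEMENTS = ["Web login form", "Admin API", "Backup transfer"]
THREATS = [
    Threat("T1", "Web login form", "S", "Credential stuffing against password-only login",
           {"skill_level": 3, "motive": 9, "opportunity": 9, "ease_of_exploit": 5},
           {"confidentiality": 7, "integrity": 5, "availability": 1, "accountability": 7},
           ["MFA", "rate limiting", "breached-password check"]),
    Threat("T2", "Backup transfer", "I", "Backups sent to offsite storage without encryption in transit",
           {"skill_level": 5, "motive": 4, "opportunity": 4, "ease_of_exploit": 3},
           {"confidentiality": 9, "integrity": 3, "availability": 1, "accountability": 3},
           ["TLS for the transfer", "encrypt backups at rest"]),
    Threat("T3", "Admin API", "E", "Privileged endpoint missing an authorization check",
           {"skill_level": 3, "motive": 9, "opportunity": 5, "ease_of_exploit": 9},
           {"confidentiality": 9, "integrity": 9, "availability": 7, "accountability": 9},
           ["central authorization middleware", "deny-by-default route policy"]),
    Threat("T4", "Admin API", "R", "Privileged actions are not logged",
           {"skill_level": 1, "motive": 4, "opportunity": 9, "ease_of_exploit": 9},
           {"confidentiality": 1, "integrity": 3, "availability": 1, "accountability": 9},
           ["audit log for privileged calls", "log integrity protection"]),
]

if __name__ == "__main__":
    for tid, sev in prioritize(THREATS):
        print(f"{tid}: {sev}")
    for element, missing in stride_gaps(THREATS, ELEMENTS).items():
        print(f"{element}: no threat recorded for {', '.join(STRIDE[c] for c in missing)}")
```

The gap check is the part most teams skip: a model that only contains the threats someone happened to think of answers "what can go wrong?" incompletely, so walking each entry point against all six STRIDE categories, and recording an explicit "not applicable" where that is the honest answer, is what makes the final "did we do a good job?" question answerable.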