Get to Know Cybersecurity Threat Modeling
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the fundamental concepts and principles of threat modeling.
- Discuss the difference between threat modeling for software developers and threat modeling for threat hunters.
What Is Threat Modeling?
Threat modeling in cybersecurity involves examining a system or network to identify potential risks and vulnerabilities, including those posed by both human and nonhuman threats. It typically involves analyzing system architecture, identifying potential attack vectors, and considering potential attacker behaviors.
The goal of threat modeling is to proactively anticipate and understand the different types of cyber risks, which enables organizations to prioritize security measures and develop effective risk responses. By doing so, organizations strengthen their defenses and better protect their systems from various forms of cyberattacks.
Threat modeling is not limited to the cybersecurity domain. We often use it in our everyday lives, both at home and at work, to assess and address potential risks. For example, when leaving for vacation, many people assess the security of their house by checking if all doors and windows are locked, setting up timers for lights to give the appearance of occupancy, and asking a trusted neighbor to keep an eye on their property. These actions are based on the threat model of potential burglaries or break-ins.
Similarly, at work, the threat model involves considering risks related to unauthorized access to confidential information. Employees are often trained to lock their computers when they step away from their desks, use strong passwords, and be aware of social engineering attempts such as phishing emails. These practices are all part of threat modeling to protect sensitive data and maintain workplace security. In both personal and professional contexts, threat modeling involves recognizing potential risks, analyzing their impact, and implementing measures to effectively respond to those risks.
Software developers and cybersecurity threat hunters use threat modeling to enhance system security. Developers use threat modeling during the software development process to create secure and reliable software. Threat hunters apply threat modeling techniques to actively monitor and protect operational systems from potential threats.
Threat Modeling for Software Developers
Imagine building a house. As the architect and builder, you consider issues such as structural integrity, security, and functionality. In the digital world, software developers use threat modeling to identify potential vulnerabilities in software. These include weaknesses that sometimes allow unauthorized access or cause malfunctions.
Developers typically use threat models that focus on the technical aspects of threats (for example, cookies, reset tokens, credentials) during the design and development of software or systems. These models help identify potential vulnerabilities and risks early in the development process. Commonly used threat modeling methodologies for developers include:
- STRIDE: This model categorizes threats based on six main categories: spoofing, tampering, repudiation, information disclosure, denial of service (DoS), and elevation of privilege. It helps developers identify threats related to how data is processed and stored in software applications.
- DREAD: This model assesses the severity of threats based on five factors: damage potential, reproducibility, exploitability, affected users, and discoverability. It helps developers prioritize threats and allocate resources effectively.
Threat Modeling for Threat Hunters
Now let’s think about a security guard at a shopping mall. Their job is not to build the mall but to protect and secure it. They are constantly looking for potential threats like shoplifters or vandals. Similarly, threat hunters in the digital world use threat modeling to identify possible technical and nontechnical threats that could potentially exploit vulnerabilities in systems, even after the software has been built and deployed.
While threat hunters do draw insights from developer-centric threat models like STRIDE and DREAD, they rely on additional frameworks and intelligence sources to enhance their threat hunting capabilities. Some models and frameworks that threat hunters commonly use include:
- MITRE ATT&CK®: This framework categorizes adversary tactics and techniques, providing a comprehensive taxonomy of threat behaviors. Threat hunters use ATT&CK to understand and identify potential attacker techniques, which helps them detect and respond to threats effectively.
- MITRE Engage: This framework provides guidance on how to engage with adversaries and simulate their behaviors in controlled environments. Threat hunters leverage MITRE Engage to enhance their understanding of adversary tactics and test their detection and response capabilities.
- Cyber Kill Chain®: This model describes the stages of a typical cyberattack, including reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Threat hunters use the cyber kill chain to analyze attack patterns and identify potential indicators of compromise (IOCs).
- Threat Intelligence: Threat hunters leverage various sources of threat intelligence, including reports, feeds, and collaboration with industry peers. These intelligence sources provide valuable information on emerging threats, specific threat actor groups, and IOCs that threat hunters can incorporate into their investigations.
This table aims to illuminate the differences between STRIDE and MITRE ATT&CK® and showcase the approaches these methods offer to address the landscape of cybersecurity threats.
| Feature | STRIDE | MITRE ATT&CK® |
|---|---|---|
|
Scope |
Technical vulnerabilities |
Technical and nontechnical vulnerabilities |
|
Focus |
Types of threats |
Steps of an attack |
|
Use cases |
Software development |
Threat hunting |
|
Level of detail |
High level (six threats) |
Low level (227 techniques, 451 sub-techniques) |
Overall, threat modeling provides organizations with a proactive approach to cybersecurity by comprehensively assessing and addressing relevant technical and nontechnical system and organizational risks. Threat modeling helps organizations identify and prioritize their resources, optimize security efforts, and build resilient systems that can withstand evolving cyber threats.
Threat Modeling and Threat Hunting
While threat modeling focuses on identifying and addressing vulnerabilities and risks before they’re exploited, threat hunting focuses on actively seeking out and responding to potential threats that bypass existing security controls.
What Are Threats?
A threat refers to any potential danger or risk that can exploit vulnerabilities in a system, network, or digital environment. In the vast and ever-evolving landscape of cybersecurity, various types of threats exist that can compromise the confidentiality, integrity, and availability of systems and networks. These threats encompass both human and nonhuman actors.
Types of human threats:
- Hackers: Individuals with malicious intent who aim to gain unauthorized access to systems, steal data, or disrupt operations
- Insiders: Employees, contractors, or other trusted individuals who intentionally or unintentionally misuse their access privileges to access data, introduce malware, or cause harm
- Competitors: Rival organizations or individuals seeking to gain a competitive advantage by targeting systems or stealing proprietary information
Types of nonhuman threats:
- Malware: Software programs designed to damage, disrupt, or gain unauthorized access to systems, including viruses, worms, ransomware, and spyware
- Botnets: Networks of compromised computers that attackers control to carry out coordinated attacks, send spam, or perform distributed denial-of-service (DDoS) attacks
- Environmental threats: Natural disasters (for example, hurricanes, tornados), power outages, or physical damage to infrastructure that can disrupt systems and compromise data security
It’s important to note that this is not an exhaustive list, and new threats continue to emerge as technology advances. Organizations need to stay vigilant and regularly update their understanding of the threat landscape to effectively protect their systems and data.
What Is a Threat Hunter?
Threat hunters are cybersecurity professionals who actively engage in threat hunting activities. Instead of waiting for alerts or IOCs, threat hunters investigate and analyze system logs, network traffic, and other data sources to uncover signs of malicious activity that sometimes evades traditional security controls. Their objective is to detect and respond to threats before they cause significant damage or disruption.
A threat hunting team typically consists of professionals with specialized expertise in various areas of cybersecurity. Some common professionals who are part of a threat hunting team include:
- Cyber threat analyst: Professionals who analyze and assess cyber threats, investigate incidents, and provide insights to enhance security defenses
- Incident response analyst: Experts who specialize in investigating and responding to security incidents, including threat identification, containment, and recovery
- Security analyst: Individuals responsible for monitoring and analyzing security events, identifying potential threats, and recommending security measures
- Digital forensics investigator: Specialists who investigate and gather evidence related to cyber incidents, often with a focus on analyzing digital artifacts and conducting forensic examinations
- Security operations center (SOC) analyst: SOC team members who actively monitor and respond to security alerts, investigating potential threats and taking appropriate actions
- Threat intelligence analyst: Professionals who collect, analyze, and interpret threat intelligence data to identify emerging threats and develop effective mitigation strategies
A skilled threat hunting team is crucial for keeping an organization safe by actively searching for and stopping potential threats that sometimes bypass normal security measures. The team provides extra protection against advanced attackers.
Knowledge Check
Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To start, drag the term in the left column next to the corresponding description on the right. When you finish matching all the items, click Submit to check your work. If you want to start over, click Reset.
Great job! Now that we’ve reviewed information about threat modeling as it relates to threat hunters, let's explore a threat hunter’s daily activities and skills.
Resources
- External Site: Fortinet: Threat Modeling
- External Site: MITRE ATT&CK
- External Site: Lockheed Martin: Cyber Kill Chain
- External Site: MITRE ENGAGE
- Trailhead: Threat Modeling Fundamentals
- Trailhead: Learn Secure Development Best Practices
- Trailhead: Get Started with Threat Intelligence
- External Site: IBM: What is threat hunting?
- External Site: NIST Cybersecurity Framework (CSF) Tools
- PDF: Cyber Security Agency (CSA) of Singapore: Guide to Cyber Threat Modelling