PV286/PA193:
THREAT MODELING
2024 EDITION
AGENDA Threat Modeling
Term definitions
Examples!
Attack Trees, STRIDE, Security Cards
Practical Threat Modeling
SERIOUS LIFE QUESTIONS
• What is the purpose of life?
• Shall I patch the vulnerability on my internal server?
• Can we keep the default admin password?
• What is the air-speed velocity of an unladen swallow?
• Can we keep the thermal exhaust port as it is now?
• What is the difference between living and existing?
• Is 42 a perfect number?
• Could sharks be a serious threat to my house?
THREAT
MODELING
THE MODERN
TECH STACK
XKCD 2166
TERM DEFINITIONS
Asset
An asset is what we’re trying to
protect.
Threat
What we’re trying to protect against.
Vulnerability
A weakness or gap in our protection
efforts.
Risk
Risk is the intersection of assets,
threats, and vulnerabilities.
DEFINITION: THREAT MODELING
Threat modeling is a process by which potential
threats can be identified, enumerated and prioritized,
all from a hypothetical attacker’s point of view.
(aka “analyzing risky designs”)
PRIMARY COMPONENTS
• Assets
• Personas/Attackers
• Not just people, it could be other disasters as well
• Methods/Attack Vectors
• Impacts
• Likelihood
• Mitigation/Countermeasuers
THREAT MODELING THE DEATH STAR
• Credit: Threat Modeling the Death Star;
Mario Areias; PyCon 2019
YOUR MISSION
• Goal: The Death Star
• Stakeholder: Galactic Empire
• Project status
• Big, very big waterfall project
• 20 years in the making
• Way over budget
• Deadline missed many times
• Motivated leader with vision!
• Known terrible security of the past projects
THREAT MODELING: ATTACK TREES
• Evil Personas
• Have the right people in the room
• Build the trees
• Brainstorm!
• Find mitigations
• And implement them
PERSONAS
POTENTIAL ATTACKERS
SCRIPT KIDDIES
Expertise
Resources
Organization
BOUNTY HUNTERS
Expertise
Resources
Organization
JEDI
Expertise
Resources
Organization
INSIDER THREAT
Expertise
Resources
Organization
NATION STATE
Expertise
Resources
Organization
RIGHT PEOPLE IN THE
ROOM
LET’S DO SOME ANALYSIS!
OUR TEAM
• Engineers
• Architects
• You, as a lead security architect!
ATTACK VECTORS
GOALS, METHODS
THREAT MODELING: ATTACK TREES
Goal
THREAT MODELING: ATTACK TREES
Goals
Take control of
Death Star
Take Death Star
out of action
THREAT MODELING: ATTACK TREES
Goals
Take control of
Death Star
Take Death Star
out of action
THREAT MODELING: ATTACK TREES
Take Death Star
out of action
Disable Death
Star
Destroy Death
Star
THREAT MODELING: ATTACK TREES
Take Death Star
out of action
Disable Death
Star
Destroy Death
Star
THREAT MODELING: ATTACK TREES
Disable Death
Star
System Failure
Mechanical
Failure
THREAT MODELING: ATTACK TREES
Systems Failure
Compromise
Critical IT
Mechanical
Failure
Overload critical
infrastructure
THREAT MODELING: ATTACK TREES
Compromise
Critical IT
Privileged
Access to
Network
Overload critical
infrastructure
THREAT MODELING: ATTACK TREES
Privileged
Access to
Internal Network
Get Physical
Access to Death
Star
Death Star out
of Action
Disable Death
Star
System
Failure
Compromise
IT systems
Mechanical
Failure
Compromise
Infrastructure
Privileged
Network
Access
Physical
Access to
Death Star
THREAT MODELING: ATTACK TREES
Take Death Star
out of action
Disable Death
Star
Destroy Death
Star
THREAT MODELING: ATTACK TREES
Destroy Death
Star
Military Attack Destroy Reactor
THREAT MODELING: ATTACK TREES
Destroy Reactor
Shoot at Thermal
Port
Obtain Death
Star Plans
Death Star out
of Action
Disable Death
Star
System
Failure
Compromise
IT systems
Mechanical
Failure
Compromise
Infrastructure
Privileged
Network
Access
Physical
Access to
Death Star
Destroy Death
Star
Military
Attack
Destroy
Reactor
Shoot at
Thermal Port
Obtain Death
Star Plans
Death Star out
of Action
Disable Death
Star
System
Failure
Compromise
IT systems
Mechanical
Failure
Compromise
Infrastructure
Privileged
Network
Access
Physical
Access to
Death Star
Destroy Death
Star
Military
Attack
Destroy
Reactor
Shoot at
Thermal Port
Obtain Death
Star Plans
MITIGATION
STRATEGIES
MINIMIZE THE RISKS
PRIVILEGED ACCESS TO NETWORK
Impact: CRITICAL Likelihood: MEDIUM
Mitigation strategies
Better authentication / authorization
Defense in Depth
Pen Testing the Systems
…
Likelihood: LOW
MILITARY ATTACK
Impact: CRITICAL Likelihood: HIGH
Mitigation strategies
Incident Response procedures
Star Destroyers “On Call”
Monitor Rebellion Activities
…
MILITARY ATTACK
Impact: CRITICAL Likelihood: HIGH
Mitigation strategies
Incident Response procedures
Star Destroyers “On Call”
Monitor Rebellion Activities
…
Impact: HIGH
Likelihood: MEDIUM
SHOOT AT THERMAL PORT
Impact: CRITICAL Likelihood: LOW
Mitigation strategies
Move Death Star plans to Imperial Security
complex.
JOB WELL DONE!
LET’S DEPLOY THAT THING
FORENSIC ANALYSIS
WHAT HAPPENED?
NEW PERSONA?
Another Jedi in the story!
Support from a Bounty Hunter!
Princess Leia’s brother!
Son of a.. your boss!
DESIGN FLAWS
Insufficent design reviews!
A vital flaw in design
Introduced by an insider
THREAT MODEL EARLY
AND OFTEN
LIST OF STANDARDIZED COMPONENTS
SECURITY THROUGH
OBSCURITY
IS A TERRIBLE IDEA
THREAT MODELING EXAMPLES
• Rob a bank?
• Steal a car?
• Short-n-easy examples
• Threat modeling of movies/heroes
• Batman or Harry Potter
• Physical security
• Criminal Gang
• Other criminal gangs
• Police raids
• Tower defense games
METHODOLOGIES
• Attack Trees
• STRIDE
• PASTA
• CVSS
• Security Cards
• … and plenty of others!
THREAT MODELING: STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Services
Elevation of Privileges
THREAT MODELING: STRIDE
• Provides a good methodology
• Various areas people could start with
• Tools available!
• Microsoft Threat Modeling tool
• OWASP Threat Dragon
• Adopted by Microsoft, Github, …
Category Threat Description Mitigation
Information
Disclosure
Credentials Theft An unauthorized person could get to the
credentials, which could be used to alter
potentially sensitive/vital information.
Least privilege principle;
dynamic, generated credentials
(if possible, with time limited
validity).
Repudiation Performing operations
on someone else's
behalf
Sharing secrets makes non-repudiation
impossible – there's always a space for
justified doubt about who could actually
be the initiator of a potentially harmful
actions.
Least privilege, no shared
secrets, strong authentication,
good audit logs.
Tampering Rewriting a crucial
secret.
When a write permission on the secrets is
also shared by a group of individuals, it's
possible to harm services by rewriting the
stored secret (either deliberately or by
accident).
Secrets versioning, strict roles
and least privilege.
SECRETS IN A GIT REPOSITORY
THREAT MODELING: SECURITY CARDS
• Gamification of threat modeling!
• 4 different categories of cards (“dimensions”)
• Human Impact
• Adversary’s Motivation
• Adversary’s Resources
• Adversary’s Methods
• Interactive
THREAT MODELING: SECURITY CARDS
• Custom cards possible
• Extensions:
• Elevation of Privilege cards (Microsoft)
• Elevation of Privacy cards (F-Secure)
• Cornucopia (OWASP)
EOP VS CORNUCOPIA
PRACTICAL
THREAT MODELING
THERE’S NOTHING MORE PRACTICAL
THAN A GOOD THEORY!
SECURITY
STARTS
WITH U!
HOW TO THREAT MODEL EFFICIENTLY
• Security engineers threat model every story
• Delays!
• Software engineers threat model every story
• Too much time spent on reviews.
• Teaming with Security
• Software engineers assess risk on every story
• A questionnaire supporting their decisions
• “When a software engineer feels they must choose between doing security and doing engineering,
you have lost the battle.”
SECURITY QUESTIONNAIRE SAMPLE
• Does it deal with customer data?
• Does it communicate over network?
• Is this a critical component?
• Does your component require authentication?
• Does your project introduce or utilize a third-party library?
• Are you implementing or modifying any APIs?
• Does your project utilize a database via SQL?
• …
HOW TO THREAT MODEL EFFICIENTLY
• What works
• Shifting left, like a boss
• Re-usable reviewed and assessed components
• Proper threat modeling and risk assessment for the critical ones
• Questionnaire to support the activity
• Security impact criteria
• Security Engineers teaming up with software engineers and developers
• Mutual respect and understanding
RISK MITIGATION ACTIONS
• Remove the threat
• e.g. by removing the respective functionality
• Mitigate
• e.g. through standard practices like encryption
• “What cannot be mitigated could perhaps be monitored.”
• Accept
• be careful about “accepting” risk for your customers
• Transfer
• e.g. via license agreements or terms of service
YOUR THREAT
MODEL IS NOT MY
THREAT MODEL
SERIOUS LIFE QUESTIONS
• What is the purpose of life?
• Shall I patch the vulnerability on my internal server?
• Can we keep the default admin password?
• What is the air-speed velocity of an unladen swallow?
• Can we keep the thermal exhaust port as it is now?
• What is the difference between living and existing?
• Is 42 a perfect number?
• Could sharks be a serious threat to my house?
Depends on your threat model.
QUESTIONS?
NOTES
• Agile Threat Modeling
• https://martinfowler.com/articles/agile-
threat-modelling.html
• AppSec at scale
• https://r2c.dev/blog/2021/appsec-
development-keeping-it-all-together-at-
scale/?s=09