SYSTEM SECURITY

& CYBER THREATS

CYB 237
 THREAT
MODELLING

Cyber Security 2
CYB 237
AGENDA
• What Is Threat modelling
• Threat modelling Process:5 Key Steps
• Threat Modelling Methodologies
• Tools for Threat Modelling
• Creating a Threat Model
• Best Practices for Threat modelling

Cyber Security 3
CYB 237
What Is Threat
modelling

Cyber Security 4
CYB 237
WHAT IS THREAT MODELLING?
• Threat modelling is the process of analyzing various business and
technical requirements of a system, identifying the potential threats, and
documenting how vulnerable these threats make the system.
• A threat refers to any instance where an unauthorized party accesses
sensitive information, applications, or network of an organization.

Cyber Security 5
CYB 237
AIM OF THREAT MODELLING
• The aim of the threat modelling process is to get a clear picture of
various assets of the organization, the possible threats to these assets,
and how and when these threats can be mitigated.
• The end product of threat modelling is a robust security system.

Cyber Security 6
CYB 237
SOME CONCEPTS
• Vulnerability: A flaw or weakness in a computer system, its security
procedures, internal controls, or design and implementation, which could
be exploited to violate the system security policy. Example: using
outdated encryption algorithm like MD5
• Threat: is the decryption of hashed passwords using brute force.
• Attacker: is the hacker trying to sell personal information online.
• Mitigation tactic: is the change in an encryption algorithm to something
more modern and robust.

Cyber Security 7
CYB 237
 THREATS AND ATTACKS
• A potential for violation of
security, which exists when
there is a circumstance,
capability, action, or event
that could breach security
and cause harm.
• A threat is a possible
danger that might exploit a
vulnerability.
Threats
• An assault on system
security that derives from
an intelligent threat.
• An intelligent act that is a
deliberate attempt
(especially in the sense of a
method or technique) to
evade security services and
violate the security policy
of a system.
Attacks
Cyber Security 8
CYB 237
THREAT MODELLING APPROACH
• Threat modelling can be approached in three different ways:
• Asset-centric: Take stock of various assets and analyze the
vulnerability of each.
• Attacker-centric: Think of possible attackers, what asset each would
want to attack, and how.
• Software-centric: Focus on the system design, how the data flows
between various layers, and how it is configured.

Cyber Security 9
CYB 237
Threat
modelling
Process:5 Key
Steps

Cyber Security 10
CYB 237
THREAT MODELLING PROCESS: 5 KEY STEPS
• The holistic nature of threat modelling comes from the fact that it
doesn’t just involve programmers.
• For effective threat modelling, you need input from the following
stakeholders:
• Business stakeholders for providing the business impact of the
application.
• Architect to supply an overview of the app ecosystem.
• Programmers for code-specific input like frameworks used, coding
guidelines, etc.
• DevOps to give details of server and network configurations.
• Project manager for resource management.

Cyber Security 11
CYB 237
THREAT MODELLING PROCESS: 5 KEY STEPS
• It is also advisable to recruit a security consultant to steer the threat
assessment exercise. Remember that the key objective of threat
modelling is to align your business objectives with technical
requirements.
• This means, besides the business goals, you also need to consider
compliance requirements as well.
• There are five key steps associated with any threat modelling:
1. Set objectives
2. Visualize
3. Identify threats
4. Mitigate
5. Validate

Cyber Security 12
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS

Cyber Security 13
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS:
1- SET OBJECTIVES
• Before you get started with threat modelling tools and methods, you
need to be sure of what you want to achieve from this model.
• Usually, goals are set keeping in mind that your application must have:
1. Confidentiality to protect data against unauthorized disclosure
2. Integrity to prevent unauthorized information changes
3. Ability to render required services even while the system is under
attack
• Make a note of committed SLAs in terms of availability and
performance.

Cyber Security 14
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS:
1- SET OBJECTIVES (WHAT DO WE WANT TO ACCOMPLISH?)

• Some questions should be taken into consideration:

What trade secrets and intellectual

properties do you need to protect?

Perhaps the most important question at this

stage is how much time and money do you
want to spend on threat modelling?

Cyber Security 15
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS:
2- VISUALIZE (WHAT ARE WE BUILDING?)
• This is the step where you document the different components that make
up your system.
• A clearly documented overview of your entire application will go a long
way in making the process simpler. This includes noting down use cases,
data flows, data schemas, and deployment diagrams.
• There are two types of visualizations you can build:
1. Data Flow Diagram (DFD).
2. Process Flow Diagram (PFD).
• Now that you’ve identified your application’s most important actors and
assets, it is time to move on to threat assessment.

Cyber Security 16
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS:
3- IDENTIFY THREATS (WHAT CAN GO WRONG?)
• In the previous step, you built the diagrams to understand your system.
In this step, you will need to analyze these diagrams to understand the
actual threats.
• At this stage, you need to figure out the various ways in which your
assets can be compromised and who the potential attackers are.
• There are many methods of doing this. We will be highlight the six most
prominent methods for threat assessment modelling in the next section.

Cyber Security 17
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS:
4- MITIGATE (WHAT ARE WE GOING TO DO ABOUT IT?)
• Once you’re done identifying threats, you will end up with a master list
or library of threats associated with each asset and its operations and a
list of possible attacker profiles.
• Now you need to figure out which of these threats your application is
vulnerable to.
• Once vulnerabilities have been mapped out, you need to analyze the
risks associated with each of them.

Cyber Security 18
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS:
4- MITIGATE (WHAT ARE WE GOING TO DO ABOUT IT?)
• Based on this risk analysis, you can deal with the vulnerabilities in the
following ways:
1. Don’t do anything (too low risk or too difficult to make the
associated threat)
2. Remove the feature associated with it
3. Turn the feature off or reduce the functionality
4. Bring in code, infrastructure, or design fixes

• You will also be creating a log of vulnerabilities to be subsequently

addressed in future iterations.

Cyber Security 19
CYB 237
5 KEY STEPS OF THREAT MODELLING PROCESS:
5- VALIDATE (DID WE DO A GOOD JOB?)
• During validation, you check if all vulnerabilities have been addressed.
 Have all the threats been mitigated?
 Are the residual risks clearly documented?
• Once this is done, you need to decide the next steps to manage the
identified threats and decide when the next iteration of threat modelling
will be.
• Remember that threat modelling is not a one-time activity. It needs to be
repeated either at scheduled intervals or during specific milestones in the
application development.

Cyber Security 20
CYB 237
Threat
Modelling
Methodologies

Cyber Security 21
CYB 237
THREAT MODELLING METHODOLOGIES
• The development team will be able to implement application security as
part of the design and development process by using threat modelling to
identify threats, risks, and mitigation during the designing phase.
• There are various threat modelling methodologies available:

STRIDE Vast CVSS

Attack
Trike PASTA
trees

Cyber Security 22
CYB 237
Tools for Threat
Modelling

Cyber Security 23
CYB 237
TOOLS FOR THREAT MODELLING
This tool identifies threats based on STRIDE threat model classification
Microsoft’s Threat and is based on Data Flow Diagram (DFD), which can be used to
Modelling Tool discover threats associated with overall IT assets in an organization.
It uses a VAST threat classification scheme and it is based on a Process
MyAppSecurity Flow Diagram (PFD), which provides a detailed view of the risks and
vulnerable loopholes.
This tool is used for the T-MAP approach. It is used to calculate a list of
Tiramisu all attack paths and produce overall threats in terms of the total weight of
attack paths.
the CVV score of vulnerabilities identified for different hardware and
CVSS 3.0 software can be analyzed online, as it aids to identify potential threats,
which can harm the system.
It is a software security requirements management platform. A short
SD Elements by Questionnaire is conducted to generate a set of threats. Countermeasures
Security Compass are included in the form of actionable tasks for developers.
Commercial Tools like SecurITree, AttackTree+, and open-source tools
Modelling Attack like ADTool, Ent, and SeaMonster are used to model Attack Trees.
Trees
Cyber Security 24
CYB 237
Creating a
Threat Model

Cyber Security 25
CYB 237
CREATING A THREAT MODEL
• All threat modelling processes start with creating a visual representation
of the application or system being analyzed.
• There are two ways to create a visual representation:
1. Visual Representation using Data Flow Diagram (DFD).
2. Visual Representation using Process Flow Diagram (PFD).

Cyber Security 26
CYB 237
1- VISUAL REPRESENTATION USING DFD
• DFDs were developed in the 1970s as tools for system engineers to
provide a high-level visualization of how an application works within a
system to move, store, and manipulate data.
• The concept of trust boundaries was added in the early 2000s by
Security professionals in an attempt to make them applicable to threat
modelling.
• DFD does not accurately represent the design and flow of the
application.
• They analyze how data is flowing rather than how users interact with the
system.
• DFD-based threat modelling has no standard approach due to which
different people create threat models with different outputs for the same
scenario or problem

Cyber Security 27
CYB 237
1- VISUAL REPRESENTATION USING DFD
• DFD based approach uses three main steps:

View System as an adversary

Characterize the system

Determine the threats

Cyber Security 28
CYB 237
2- VISUAL REPRESENTATION USING PFD
• To deal with the limitations of DFD-based threat modelling Process
Flow Diagrams were introduced in 2011 as a tool to allow Agile
software development teams to create threat models based on the
application design process.
• These were specifically designed to illustrate how the attacker thinks.
• The attacker does not analyze data flow. Rather, they try to figure out
how they can move through an application that was not supported in
DFD-based threat modelling.
• Their analysis emphasizes how to abuse ordinary use cases to access
assets or other targeted goals.
• The VAST methodology uses PFD for the visual representation of an
application.
• Threat models based on PFD view applications from the perspective of
user interactions.
Cyber Security 29
CYB 237
2- VISUAL REPRESENTATION USING PFD
• Following are the steps for PFD-based threat modelling:

Designing application’s use cases

The communication protocols by which individuals move

between use cases are defined Including the various
technical controls – such as forms, cookies, etc

Creation of process map -showing how individuals move

through an application. Thus, it is easy to understand the
application from the attacker’s point of view.

• PFD-based threat models are easy to understand and don’t require any
security expertise.

Cyber Security 30
CYB 237
Best Practices
for Threat
modelling

Cyber Security 31
CYB 237
BEST PRACTICES FOR THREAT MODELLING
• Now that you know the steps to create a secure application proactively,
here are a few practices for a robust threat modelling process.

Cyber Security 32
CYB 237
CONCLUSION

Cyber Security 33
CYB 237
CONCLUSION
• With the world becoming increasingly digital, cyber attacks have
become more common and frequent, and, as such, threat modelling is no
more an optional activity.
• It is high time that security efforts catch up with our application’s
designs and development life cycles. Even legacy systems cannot be
exempt from the process.
• It is evident when you go through these recommendations that threat
modelling can easily end up becoming a time- and resource-consuming
exercise.
• A robust, secure application is undoubtedly a source of comfort and
confidence for investors, stakeholders, and consumers alike.
• This is why you must follow the above best practices.

Cyber Security 34
CYB 237
 Cyber Security
CYB 210

Building: 61
Room:F122

Contact:
+966551391489

Email address:
[email protected]
a