Knowing lots of fancy defence strategies is great, but if you don't know where your problems are, how can you go about solving them?
Threat modelling is the process of thinking about possible threats to your system.
There are 3 main reasons why you should perform threat modelling:
- To find security concerns
- To find those concerns earlier
- To find them before the project has moved so far that solving the problems becomes very expensive
Threat modelling boils down to four questions:
1. What are you building?
2. What can go wrong?
3. What are you going to do about it?
4. Did you do a good job with 1-3?
In order to look at what can go wrong, you need something to look at! There are many ways that you can model a system, but a common one is using UML (Unified Modelling Language). Whatever notation you pick, the model should show the components, the data flowing between them and the trust boundaries those flows cross, because that is where most of the threats turn up.
Once you know what your system looks like you can start looking at what might go wrong.
When identifying threats to a system there are 3 main perspectives to look from:
- Asset centric: start from what you need to protect and work out how it could be reached
- Attacker centric: start from who might attack you and what they are capable of
- Software centric: start from the components and data flows of the system itself
There are a range of frameworks that you can use to aid threat identification. It can be beneficial to use a framework as it helps to structure the threat modelling process and creates consistency across the company.
I personally like STRIDE and CIAAG, and they tend to work well together.
STRIDE = what you don’t want
CIAAG = what you do want
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
CIAAG: Confidentiality, Integrity, Authenticity, Availability, Governance
Most STRIDE threats are simply the failure of a property you want: Spoofing breaks Authenticity, Tampering breaks Integrity, Information Disclosure breaks Confidentiality and Denial of Service breaks Availability, which is why the two lists pair up well.
Once you have found the various threats to your system, you need to decide what, if anything, you are going to do about each of them.
In general, there are three main options:
- Remove the threat: change the design so it no longer applies
- Mitigate the threat: add a control that reduces its likelihood or impact
- Accept the threat: record it, and the reason, and move on
Finally, like at the end of a maths exam, you need to go back over your work and check it!
One thing to watch when doing this: any mitigations you added in the previous round are now part of the system, so be sure to include them in the next round of threat modelling. A control can bring attack surface of its own.
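To make the four questions concrete, here is a small "threat model as code" script. It is an added example, not part of the original post: it describes a constructed three-tier app as elements and data flows (question 1), applies a handful of STRIDE rules that fire when a flow crosses a trust boundary (question 2), writes the chosen mitigations back into the model (question 3) and checks that every remaining threat carries a remove/mitigate/accept decision (question 4). It goes a little beyond the post in that the rules key off trust boundaries and element type, in the spirit of STRIDE-per-element; the zones, rules and decision notes are all made up for the example and are nowhere near a complete STRIDE catalogue.

```python
"""Threat modelling as code: a toy data-flow model with a few STRIDE rules.

Added example, not from the original post. The rules are an illustrative
subset of STRIDE-per-element reasoning, not a complete catalogue.
"""
from dataclasses import dataclass

# Trust zones ranked from least to most trusted (constructed for the example).
TRUST_RANK = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass
class Element:
    name: str
    kind: str                          # "external", "process" or "store"
    zone: str                          # a key of TRUST_RANK
    authenticates_callers: bool = False
    logs_requests: bool = False


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    encrypted: bool = False
    rate_limited: bool = False

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    category: str   # one of the six STRIDE names
    element: str    # the flow or element the threat is against
    why: str


def find_threats(flows: list[Flow]) -> list[Threat]:
    """Question 2, 'what can go wrong?': apply STRIDE rules to every flow."""
    found = set()
    for f in flows:
        if f.crosses_boundary():
            if not f.encrypted:
                found.add(Threat("Information Disclosure", f.name, "crosses a trust boundary in the clear"))
                found.add(Threat("Tampering", f.name, "crosses a trust boundary without integrity protection"))
            if not f.dst.authenticates_callers:
                found.add(Threat("Spoofing", f.dst.name, f"cannot tell who is really sending '{f.name}'"))
            if not f.rate_limited:
                found.add(Threat("Denial of Service", f.dst.name, f"'{f.name}' is unthrottled across a trust boundary"))
            if f.dst.kind == "store" and TRUST_RANK[f.src.zone] < TRUST_RANK[f.dst.zone]:
                found.add(Threat("Elevation of Privilege", f.dst.name, f"reachable directly from {f.src.zone} via '{f.name}'"))
        if f.dst.kind == "process" and not f.dst.logs_requests:
            found.add(Threat("Repudiation", f.dst.name, f"no record of who sent '{f.name}'"))
    return sorted(found, key=lambda t: (t.element, t.category))


def unresolved(threats: list[Threat], decisions: dict) -> list[Threat]:
    """Question 4, 'did you do a good job?': every threat must carry a decision
    (remove / mitigate / accept); anything without one is unfinished work."""
    return [t for t in threats if (t.category, t.element) not in decisions]


def round_one() -> list[Flow]:
    """Question 1, 'what are you building?': a constructed three-tier app."""
    browser = Element("browser", "external", "internet")
    web = Element("web-app", "process", "dmz")
    db = Element("db", "store", "internal")
    return [Flow("login", browser, web), Flow("query", web, db)]


def round_two() -> list[Flow]:
    """Question 3, 'what are you going to do about it?': the mitigations chosen
    after round one (TLS, authentication, request logging, throttling) are
    written back into the model, so the next round models them as well."""
    login, query = round_one()
    login.encrypted = login.rate_limited = True
    login.dst.authenticates_callers = login.dst.logs_requests = True
    query.encrypted = True
    query.dst.authenticates_callers = True
    return [login, query]


# Decisions recorded against the threats that survive round two (constructed).
DECISIONS = {
    ("Denial of Service", "db"): "accept: only web-app can reach db and its connection pool caps the load",
    ("Elevation of Privilege", "db"): "mitigate: web-app's db account is limited to its own schema",
}


if __name__ == "__main__":
    for label, flows in (("round one", round_one()), ("round two", round_two())):
        threats = find_threats(flows)
        print(f"{label}: {len(threats)} threats")
        for t in threats:
            print(f"  {t.category:<22} {t.element:<8} {t.why}")
    print("unresolved after round two:", unresolved(find_threats(round_two()), DECISIONS))
```

Round one turns up ten threats across the two flows; after the mitigations are written back into the model only two remain against the database, and the final check passes only once each of those has a decision recorded next to it. Because the mitigations live in the model rather than in a separate list, the next run automatically looks at them too, which is the point made about re-checking your work.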