Screen Shadows 🕵🏼♂️
“Heartbleed was the internet's surprise colonoscopy, revealing the embarrassing vulnerabilities we never bothered to look for.” - CS
Picture this: a critical flaw in OpenSSL, a widely used piece of encryption software, remained undiscovered for two years. Known as Heartbleed, this vulnerability allowed attackers to access sensitive information undetected. OpenSSL is essential for securing online communications, but this flaw, caused by a simple programming error, exposed a significant weakness.
When Heartbleed was discovered, it highlighted the mistaken belief that this security measure was infallible. The breach exposed private conversations, sensitive data, user passwords, and encryption keys, leading to a widespread scramble to update passwords and secure systems.
Heartbleed's legacy is a stark reminder that vigilance is priceless in our fast-evolving digital world, and even the smallest oversight can lead to monumentally upsetting breaches.
TL;DR ⌛️
Threat modelling is essential in cybersecurity, a dynamic strategy for outsmarting cyber threats by understanding and preparing for them. Unlike financial modelling’s one-size-fits-all approach, threat modelling is a tailored, active process. It’s a blend of proactive design (Secure by Design) and reactive measures (Threat Hunting), ensuring digital assets are safeguarded from the get-go and continuously monitored.
Effective threat modelling demands a security mindset, understanding system vulnerabilities through methods like FTA and FMEA, and recognising the importance of accident prevention and deliberate attack mitigation. It involves mapping potential attacks, dissecting our digital systems to pinpoint vulnerabilities, prioritising threats, and crafting intelligent defences.
Frameworks like PASTA and STRIDE offer systematic ways to uncover and mitigate risks. Remember, cybersecurity is a journey of constant learning and adaptation, with threat modelling at its core.
🚨 Security Briefing 🚨
Threat modelling is a term often used by professionals (even some security professionals) but is not well understood. When I first heard it, I tried to liken it to financial modelling, as I’d done so much of this after I became a qualified accountant. Depending on your objective for the model you’re trying to build, there are many templates for financial models.
I was mistaken to try and apply the same concept to cybersecurity, as here we’re dealing with something quite different. Where financial modelling is often an out-of-the-box exercise where you can simply manipulate inputs for your own use case, threat modelling is a highly tailored exercise, and one which is as active and dynamic as the four seasons. 🍂🌞❄️🌷
So, with that said, let’s see what’s on the menu today. We’ll be covering…
What threat modelling is.
How we should think about approaching threat modelling.
The key practical considerations.
Prioritising and responding to identified threats.
Without further ado…
Threat Modelling Decoded 👨🏼💻
Threat Modelling Defined:
In the cybersecurity realm, the overarching objective is to keep our assets safe from those with malicious intent (or those accessing information without authorised purpose). At the heart of this endeavour lies the practice of threat modelling, an indispensable strategy that helps us foresee and outsmart potential cyber threats.
Conceptually simple. Pragmatically involved.
This isn't merely about putting up firewalls and calling it a day; it's a methodical process of identifying, classifying, and evaluating threats to ensure our virtual valuables are well-protected.
Think of threat modelling as a two-part harmony.
On one side, we have the defensive strategy 🛡️, similar to designing a medieval castle with defence in mind right from the drawing board. This approach, taken during the earliest stages of system development, involves anticipating potential cyber-attacks and weaving in defences as we build. It's all about being one step ahead, ensuring that security is a fundamental aspect of the system's design, effectively reducing the chances and impacts of any digital breach. This preventive measure is not just savvy; it's cost-effective too, saving resources that might otherwise be spent ‘sticking’ on security measures after the system has been built.
Utilising frameworks like STRIDE or PASTA and tools such as Microsoft Threat Modeling Tool or OWASP Threat Dragon allows for a systematic analysis of threats.
On the flip side, we explore the adversarial strategy 🗡️, which kicks in post-deployment (this is after a product has been created and deployed, even if only in a test environment). This is where the cybersecurity militia don their white hats, engaging in ethical hacking and penetration testing to hunt down and fix vulnerabilities. It’s a bit like checking the locks and alarms after the house is built. Although invaluable in shoring up defences, this reactive measure often involves patching up security holes discovered after the fact, which is a bit like playing catch up.
This strategy relies heavily on tools and methodologies designed to identify and exploit weaknesses, such as Metasploit, Burp Suite, and Nmap. Penetration testers use these tools to simulate real-world attacks, uncovering vulnerabilities that could be exploited by malicious actors.
Unsurprisingly, the comprehensive and most robust approach is a combination of the two.
Secure by Design (defensive) + Threat Hunting (reactive) = Security Personified
By integrating proactive security considerations into the design process and complementing them with vigilant, ongoing scrutiny, we enhance our shield against cyber threats. This dual approach not only aims to minimise the number of security flaws but also to dampen the impact of any that might slip through the net—which is bound to have some holes, of course.
NB - Security State of Mind:
Before diving headfirst into the deep end of threat modelling, it's crucial to set the scene. Understanding the security landscape and our objectives lays the groundwork for effective defence strategies.
Two seasoned methods stand out when it comes to dissecting potential system vulnerabilities: Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA). Both demand a thorough understanding of the systems at hand and a recognition that automation has its limits, given the complexity and potential for change within any given system.
Automation is incredibly brilliant and all, but it isn’t magic—it still depends on integration with systems, pre-defined rules and machine learning capabilities.
Our quest for security doesn't stop at just safeguarding against deliberate attacks, either; it, of course, extends to accidents and human error, too. This is where application-specific knowledge gained over time is of prime value in security. Partner with such people when working on security-related problems; they’ll accelerate the learning process.
Take the automotive industry, for example, and Tesla more specifically. The increasing reliance on electronic systems in their cars means that traditional safety checks, such as ensuring headlamps work correctly, now need to incorporate considerations of cybersecurity threats. Imagine a filthy hacker taking control of your Tesla’s entertainment system, and while you’re bombing it down the highway at 125 mph 🏎️🛣️ (on the Autobahn, of course), he switches off the headlamps—a risk that could be mitigated by introducing firewalls within Tesla’s network, as an example.
But if you’re not thinking in this way, how will you effectively defend against threats?
Navigating the intricate landscape of modern system security calls for both a structured and dynamic approach, aligning our protective measures with clearly defined objectives and a strategic risk management plan. Is there one way to do this? Absolutely not! This is why we must adopt a security state of mind.
Mapping the Attacker's Mind
The next step in threat modelling is to determine the potential types of attacks that could be waged against us.
The first step is to create a (sometimes not-so-simple) map or diagram that shows how information moves in a system. For example, the paths data takes during an online transaction or how data is shared between your computer and the Internet.
This map helps highlight the system's key parts, where it's vulnerable, and where we need to tighten security.
This isn't about delving into the nitty-gritty of computer code; rather, it's a bird's-eye 🦅👁️ view of where our system's digital walls and gates lie. For more complicated setups, we might need several of these maps, zooming in on different security zones to catch the important areas.
Security Zone:
A network segment with specific security controls to regulate access and protect sensitive information.
-OR-
A protected area in a computer network where special rules keep information safe.
Once our map is ready, the second step is to pinpoint every piece of technology on it. Third, we brainstorm all the ways someone could launch an attack on each part, considering not just hacking attempts but also physical break-ins or other deceptive techniques like phishing scams. This mapping and brainstorming lay the groundwork for moving to the next stage—figuring out how to reduce these threats.
The fourth stage in threat modelling is to perform a reduction analysis, or as I like to call it, the art of cyber dissection 🔪. Imagine taking a complex system—be it software, a network, or even an entire business setup—and breaking it down into bite-sized pieces. It's akin to dismantling a watch to understand how each cog and wheel (component) contributes to telling time (objective), except here, we're unravelling the digital threads that make our systems tick, which can be very time-consuming if the system is complex.
This meticulous breakdown helps us examine the inner workings of our digital beasts, from the small routines in software to the big protocols governing networks. By segmenting our focus, we can scrutinise how data dances 💃🏼 from one point to another, how decisions 🗺️ are made within the system, and how securely 🔒 information is stored and managed.
Key to this process are a few navigational concepts:
Trust Boundaries: These are the digital 'Do Not Cross' tapes, marking where we ramp up our security checks as trust levels increase.
Dataflow Paths: The highways and byways along which our data zips, carrying information from A to B.
Input Points: Our system's mailboxes, where we receive external information, and yes, sometimes spam.
Privileged Operations: Think of these as VIP access areas, where only the high-flyers with special passes (higher privileges) can make significant changes.
Security Stance and Approach: Our manifesto, outlining how we plan to defend our digital domain, from the ground rules to the lofty ideals.
By dissecting our systems in this way, we not only understand their anatomy but also prepare better defences against the cyber threats lurking in the shadows.
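One way to write the map and the reduction analysis down as data, as an added example that is not part of the original post. The checkout system, its element names and its zone names are constructed for illustration; the letters per element kind follow the commonly used STRIDE-per-element chart.

```python
from collections import namedtuple

# kind is "external", "process" or "datastore"; zone is the security zone it sits in.
Element = namedtuple("Element", "name kind zone privileged", defaults=[False])
Flow = namedtuple("Flow", "src dst data")

# STRIDE-per-element chart: Spoofing, Tampering, Repudiation, Information disclosure,
# Denial of service, Elevation of privilege. R on a data store applies to logs.
STRIDE_BY_KIND = {"external": "SR", "process": "STRIDE",
                  "datastore": "TRID", "dataflow": "TID"}

# Constructed sample system (an online checkout), not taken from the original post.
ELEMENTS = {e.name: e for e in [
    Element("browser", "external", "internet"),
    Element("web_app", "process", "dmz"),
    Element("payment_svc", "process", "internal", privileged=True),
    Element("orders_db", "datastore", "internal"),
]}
FLOWS = [
    Flow("browser", "web_app", "card details"),
    Flow("web_app", "payment_svc", "charge request"),
    Flow("payment_svc", "orders_db", "order record"),
    Flow("web_app", "browser", "receipt"),
]

def boundary_crossings(flows=FLOWS, elements=ELEMENTS):
    """Dataflow paths whose two ends sit in different zones (cross a trust boundary)."""
    return [f for f in flows if elements[f.src].zone != elements[f.dst].zone]

def input_points(flows=FLOWS, elements=ELEMENTS):
    """Elements that receive data directly from an external entity."""
    return sorted({f.dst for f in flows if elements[f.src].kind == "external"})

def privileged_exposure(flows=FLOWS, elements=ELEMENTS):
    """Privileged operations that are reachable across a trust boundary."""
    return sorted({f.dst for f in boundary_crossings(flows, elements)
                   if elements[f.dst].privileged})

def stride_prompts(flows=FLOWS, elements=ELEMENTS):
    """STRIDE letters to brainstorm for every element and every dataflow."""
    prompts = {name: STRIDE_BY_KIND[e.kind] for name, e in elements.items()}
    prompts.update({f"{f.src}->{f.dst}": STRIDE_BY_KIND["dataflow"] for f in flows})
    return prompts

if __name__ == "__main__":
    print("boundary crossings:", [f"{f.src}->{f.dst}" for f in boundary_crossings()])
    print("input points:", input_points(), "| privileged, exposed:", privileged_exposure())
    print("STRIDE prompts:", stride_prompts())
```

The flow from `payment_svc` to `orders_db` stays inside one zone, so it is the only path that does not show up as a boundary crossing.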
Prioritisation and Response
Now that we've got all our potential cyber threats down on paper, the next crucial step is figuring out which ones we should lose sleep over 💤. This is where we start ranking these threats. There are a few ways to do this, and it's not one-size-fits-all, as with anything in cybersecurity. One popular method gives threats scores from 1 to 100, mixing how likely they are to happen with how much havoc they could wreak.
Another method uses a simpler approach, tagging threats as high, medium, or low risk, similar to categorising them into the red, yellow, or green traffic light system 🚦. This creates a sort of danger map, showing us where the biggest fires could start so we know where to focus our firefighting efforts. Then there's the DREAD system, which sounds as ominous as it is for those often malevolent hackers 🥷🏼. It asks five critical questions about each threat, from "How bad would the damage be?" to "How easy is it for bad actors to find and exploit this weakness?"
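The three ranking methods above applied to the same threats, as an added example that is not part of the original post. The 1-10 rating scales, the band cut-offs, the helper names and the sample threats are assumptions made for illustration; the five factor names are the standard DREAD ones.

```python
from dataclasses import dataclass

# The five DREAD questions, each answered on an assumed 1-10 scale.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1-10, assumed scale
    impact: int      # 1-10, assumed scale
    dread: dict      # DREAD factor -> rating from 1 to 10

def risk_score(t):
    """Likelihood x impact, giving a score from 1 to 100."""
    if not (1 <= t.likelihood <= 10 and 1 <= t.impact <= 10):
        raise ValueError(f"{t.name}: likelihood and impact must be 1-10")
    return t.likelihood * t.impact

def band(t, high=60, medium=25):
    """Traffic-light band; the cut-offs are illustrative assumptions."""
    score = risk_score(t)
    return "high" if score >= high else "medium" if score >= medium else "low"

def dread_score(t):
    """Mean of the five DREAD ratings; rejects incomplete or out-of-range answers."""
    if set(t.dread) != set(DREAD_FACTORS):
        raise ValueError(f"{t.name}: rate exactly {DREAD_FACTORS}")
    if any(not 1 <= v <= 10 for v in t.dread.values()):
        raise ValueError(f"{t.name}: DREAD ratings must be 1-10")
    return sum(t.dread.values()) / len(DREAD_FACTORS)

def ranked(threats, method):
    """Names of the threats, most serious first, under the given scoring function."""
    return [t.name for t in sorted(threats, key=method, reverse=True)]

def _t(name, likelihood, impact, *ratings):
    return Threat(name, likelihood, impact, dict(zip(DREAD_FACTORS, ratings)))

# Constructed sample threats for an online checkout (not from the original post).
THREATS = [
    _t("sql injection in checkout form", 7, 9, 8, 9, 7, 8, 8),
    _t("spoofed receipt e-mail", 5, 4, 4, 8, 7, 3, 8),
    _t("unencrypted orders_db backup", 3, 10, 9, 3, 4, 9, 2),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:32} score={risk_score(t):3} band={band(t):6} dread={dread_score(t):.1f}")
    print("by score:", ranked(THREATS, risk_score))
    print("by DREAD:", ranked(THREATS, dread_score))
```

The two orderings disagree on second place: the backup threat has the higher likelihood-times-impact score, while the spoofed e-mail ranks higher under DREAD because it is easier to reproduce and discover.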
Once we've decided which threats are the meanest, it’ll be time to plan our counter. This could mean tweaking our digital defence, changing how we do things day-to-day, or introducing new so-called shields and watchtowers in our cybersecurity setup. It's all about finding the smartest, most efficient and most cost-effective way to keep our most valuable assets safe.
Common Examples:
Two common frameworks you're likely to encounter in threat modelling are PASTA and STRIDE. Each offers a distinct pathway for navigating the complex landscape of digital threats by helping to uncover and mitigate potential vulnerabilities in a systematic way. PASTA, which stands for Process for Attack Simulation and Threat Analysis, takes a risk-centered approach, weaving together business objectives with technical analysis across seven detailed steps.
Meanwhile, STRIDE breaks down threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Developed by the tech giant Microsoft, STRIDE simplifies the process of identifying potential threats by giving teams a clear framework to categorise and tackle each type of risk. When STRIDE and PASTA are employed together, they provide a holistic view of both the forest and the trees: STRIDE focuses on the technical details of potential vulnerabilities, while PASTA aligns threat modelling with business impacts.
…and besides, who doesn’t like pasta? 🍝
Conclusion
This serves as a pretty sensible introduction to threat modelling if I do say so myself. It’s also a very practical way to prepare for an interview, enter an organisation, or engage in a conversation and be equipped with the general and somewhat specialist knowledge to add value to the discussion, but it’s important that your understanding of threat modelling does not end here.
You see, cybersecurity is a lifelong journey of learning and adapting, and threat modelling encompasses much of that because it’s so vast and is, by nature, woven into the very tapestry of security.