Using threat modeling can be an effective way to prioritize security control implementation efforts for a given solution. The resulting prioritization can then be used to help optimize time or financial costs during solution development. The following is a brief overview of using the threat modeling process to select both NIST CSF security outcomes and NIST security controls.
What is threat modeling?
There are entire books written on this topic, but simply put, threat modeling is thinking about what bad things could happen and how they can be compensated for. When designing IT systems, it is a common practice to develop “user stories” to detail how a user is expected to interact with a system and how it will respond. Threat modeling is thinking about how, instead of being properly used, the system can be abused by attackers. It is a kind of anti-user story.
Including the threats along with the traditional user stories can be an effective way to ensure security requirements are included in the earliest phases of solution development. Incorporation of security in early phases of development will reduce the overall number of security issues requiring remediation at later stages of the project.
Choosing your threat model
Traditional threat models categorize the threats into broad categories. Those threat categories can then be used to group the threats together, prioritize them, and make design decisions based on what threats are most important to mitigate. There are many threat models available; however, one of the most common for cybersecurity is STRIDE and its extension, STRIDE-LM. A detailed discussion of STRIDE-LM is not the focus of this post, but as a refresher, STRIDE-LM is an acronym for the threat categories it covers:
- Spoofing – Impersonating another user or system component to obtain its access to the system
- Tampering – Altering the system or data in some way that makes it less useful to the intended users
- Repudiation – Plausible deniability of actions taken under a given user or process
- Information Disclosure – Release of information to unauthorized parties (e.g., a data breach)
- Denial of Service – Making the system unavailable to the intended users
- Elevation of Privilege – Granting a user or process additional access to the system without authorization
- Lateral Movement – Expanding control over the target network beyond the initial point of compromise
Modeling (and mitigating) your threats
Threats against your organization will vary widely depending on the industry you do business in and the type of products or services you provide. The NIST Cybersecurity Framework describes a set of security outcomes that are designed to mitigate threats to technology systems and the organizations that depend on them. By examining which framework elements best mitigate the most concerning threats, security outcomes can be prioritized.
For example, if you are developing a new technology platform for customers to access via the web, determining the most common threats against those types of services is the first step in developing your threat model. One way to determine the most common threats is to look at industry research such as the Verizon Data Breach Investigation Report. As seen in the figure, the top two threat vectors in the breaches they analyzed were:
- Use of Stolen Credentials / Brute Force – Attackers can obtain legitimate usernames and passwords from password dumps of websites that were already compromised, where the user had used an identical password. Brute force attacks involve trying a large number of possible passwords (such as every word in the dictionary). These are spoofing threats.
- Vulnerability Exploitation – A broad class of attacks that goes well beyond the scope of this post. However, the most common vulnerability in web applications is injection, such as SQL injection, which causes the system to run untrusted code in a trusted context. Vulnerability exploitation is an elevation of privilege threat.
Using the NIST Cybersecurity Framework filtering tool, you can examine what outcomes address the threats and then prioritize those outcomes in your cybersecurity risk management plan.
Note that your current program maturity level and the current subcategory (outcome) implementation tier will likely affect prioritization. That’s another post, though!
Threat-based cybersecurity control selection
The focus of the Framework on security outcomes is helpful for security program development and planning. However, when designing technology solutions, specific threat mitigation techniques must be identified.
Cybersecurity controls are designed to mitigate specific threat actions. By combining the addressed threats with the implementation groups, baselines, and priorities included in many control sets, control implementation can be prioritized during solution design.
For example, in the last section we prioritized protection against Use of Stolen Credentials and Exploitation of Vulnerabilities such as SQL injection. Using the NIST Special Publication 800-53r5 control set, combined with an implementation baseline, we can select controls for consideration.
(The Internet is a very hostile environment and we would have a much longer list of threats for a real application, but this is just an example to illustrate the basic premise.)
Once we have a list of all the controls that address the threats we are concerned about, we can select which controls are relevant to our implementation (a web application).
Upon reviewing the controls, we see that there are several controls in the Access Control and Identification and Authorization families that can address spoofing. The Access Control, System and Communications Protection, and System and Information Integrity families contain several controls that can protect against elevation of privilege and can be evaluated for implementation.
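The selection step described above can be sketched in a few lines of Python. This is an added example, not code from the CSF Tools site: the threat weights and the threat-to-control mapping are constructed for illustration, and only the control identifiers and their lowest baselines follow SP 800-53r5.

```python
# Added illustration: threat-based control selection against a baseline.
# The weights and the category-to-control mapping are constructed assumptions.
from collections import defaultdict

BASELINE_RANK = {"low": 0, "moderate": 1, "high": 2}

# Prioritized threats: (name, STRIDE-LM category, weight; higher = more concerning)
THREATS = [
    ("Use of stolen credentials / brute force", "Spoofing", 3),
    ("SQL injection", "Elevation of Privilege", 2),
]

# control id -> (STRIDE-LM categories it addresses, lowest baseline that includes it)
CONTROLS = {
    "AC-6":  ({"Elevation of Privilege"}, "moderate"),  # Least Privilege
    "AC-7":  ({"Spoofing"}, "low"),                     # Unsuccessful Logon Attempts
    "IA-2":  ({"Spoofing"}, "low"),                     # Identification and Authentication
    "IA-5":  ({"Spoofing"}, "low"),                     # Authenticator Management
    "SC-3":  ({"Elevation of Privilege"}, "high"),      # Security Function Isolation
    "SI-10": ({"Elevation of Privilege"}, "moderate"),  # Information Input Validation
}

def select_controls(threats, controls, baseline):
    """Return (controls ranked by threat weight, threats left uncovered)."""
    level = BASELINE_RANK[baseline]
    scores = defaultdict(int)
    covered = set()
    for name, category, weight in threats:
        for cid, (categories, lowest) in controls.items():
            # Keep a control only if it addresses the threat category
            # and is part of the chosen implementation baseline.
            if category in categories and BASELINE_RANK[lowest] <= level:
                scores[cid] += weight
                covered.add(name)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    uncovered = [name for name, _, _ in threats if name not in covered]
    return ranked, uncovered

if __name__ == "__main__":
    for baseline in ("low", "moderate"):
        ranked, uncovered = select_controls(THREATS, CONTROLS, baseline)
        print(baseline, ranked, "uncovered:", uncovered)
```

With this sample mapping, the low baseline leaves the SQL injection threat without a selected control, which is the kind of gap that prompts adding controls beyond the baseline.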
The relationships between threats and controls can be further explored using the Threat to Controls visualization.
Threat modeling can be a useful tool to drive control selection. The CSF Tools site has several resources we hope are helpful. Give them a try and leave us some feedback. Thanks for visiting!