Threat modelling: the new normal
Identifying threats, vulnerabilities and countermeasures has to become routine for businesses, which is why threat modelling is gaining ground as a proactive defensive measure.
Cyber attacks are on the rise. In 2018, software vulnerability exploits rose by 150%, and it’s predicted that moving forward, damage caused by cybercrime and software vulnerability exploits will be in excess of $6 trillion.
Threats are coming from both inside and outside organisations, and the consequences are devastating, causing both financial and reputational damage. Attacks range from completely disabling systems to leaking sensitive information that diminishes trust in the organisation. The consequences are equally dire for the users of those systems, such as people not being able to use their banking apps to pay suppliers, for example.
Threat modelling is the process of identifying potential risks and then creating tests and countermeasures to respond to those. You have to ask yourself: "How can we, as an organisation, be exposed?" And then build in contingency plans to prevent it from happening. But you also need to develop a plan on how to respond as quickly as possible should a breach occur. Look at what you’re building, whether it be an app, a system or a service, and then consider what could go wrong, such as a breach or identity theft, and have a proactive plan in place to deal with it.
Jarrod Mouton, Cloud Architect at BUI, says: “Threat modelling is gaining adoption as a proactive defensive measure that is helping organisations protect their systems against these types of attacks.”
There are at least 12 different approaches to threat modelling. Some are more focused on threats from people, others on app breaches. Security teams can review documented approaches to threat modelling and choose the right tool for their purposes. They can also use more than one approach to cover all their bases.
Says Mouton: “While these tools can be helpful, you need to be cognisant of the fact that different tools have been developed for different scenarios, and choose ones that suit your needs and business. While app developers or database administrators may need a very specific type of tool, others may get away with more generic ones.”
This isn’t a once-off activity, warns Mouton. "It’s something that needs to be updated on an ongoing basis as new technology is released and as you become more aware of how to protect it. The threat modelling procedure needs to be reviewed regularly. This approach to cyber threats should be the new normal for cybersecurity teams, who are trying to predict all the threats and permutations of those threats and vulnerabilities so they can come up with ways to defend their organisation.”
Also, says Mouton, threat modelling should be done early in the software development (dev) lifecycle so that countermeasures can be built in to defend the systems. However, this doesn’t mean that legacy systems are beyond protection: threat modelling can help you defend legacy systems too.
“Of course, today it’s even more challenging as you have a combination of cyber and physical infrastructures, so you not only have to consider the physical layer of people and buildings, but also the technology that interacts with these types of systems.”
Mouton advises: “The team that does threat modelling must hold discussions in the form of workshops with stakeholders from across the organisation, ranging from representatives of the dev team, the software architects and even, where possible, customers or people who know how the customer thinks. Everyone must be given an opportunity to raise their concerns about whatever system it is that you’re looking to address, and start proposing solutions. All suggestions should be considered around potential breaches or potential solutions to the issue.
Says Mouton: “It’s important to define what you’re building and to understand the system. Ideally, you want to break it down into smaller components. Look at what it is, who will use it, what does it do, and as you work through the components, you’ll get a better understanding of how they’ll interact with each other and where potential threats lie. Then you can start asking what can go wrong, creating ‘what if’ scenarios.
"Do research about what can go wrong, but also be realistic about which threats are feasible. Then think about what you’re going to do if each scenario actually materialises. What can you put in place to counter that?”
This will require recurring sessions as new threats emerge, or as different types of attacks become feasible because of changes to the system over time. The threat landscape is ever evolving, so constant updates are required to counter this.
Mouton identifies some common mistakes that emerge during these sessions: “Sometimes people believe they can think like an attacker, but the best that they’ll manage is an educated guess. It’s safer to stick to scenarios you do understand. Don’t try to be too esoteric or predict scenarios that might never happen, such as planning for aliens. Rather focus on real and manageable risks, things you can control and manage, such as your access system, your ID system, logging and auditing.
"Don’t ever make the mistake of thinking that your threat model is complete, because you can’t ever imagine everything that’s out there. You need to be constantly reviewing new threats and new developments, and updating existing models.
“The majority of the breaches that you read about in the media are on legacy systems. It just doesn’t make sense for businesses to invest large sums of money in security and have a single point of failure, which is their legacy system.”
To find out more about how to implement threat modelling in your organisation, click here.