Providing useful, actionable understanding of the organization’s attacker population has been a significant weakness of traditional threat modeling methodologies. However, developing an intelligent security policy requires an understanding of the organization’s adversaries that goes beyond applying simple, pre-defined labels. Attempting to develop a proactive security policy without truly knowing the adversary is a futile exercise. History demonstrates that it is impossible for security teams to effectively distribute their finite resources across the organization’s entire attack surface. Frederick the Great in the late 1700s succinctly summarized the crisis of cybersecurity: “he who defends everything defends nothing.”
A threat refers to any method that unapproved parties can use to gain access to sensitive information, networks and applications. Some of these threats may take the form of
application attacks, and
These are a few common threats companies should plan for by using threat modeling techniques:
Malware, short for malicious software, is a category of cybersecurity threats that includes threats such as
It’s one of the most common threats to target both businesses and individuals.
Companies can use threat modeling to ensure that their firewalls are adequately prepared, that zero-day vulnerabilities are minimized and that new exploits or malware signatures are documented. Proper planning, along with antivirus and other security software, will ensure networks are not compromised by malware.
DDoS (distributed denial of service) attacks are a method of bombarding websites and web applications with enormous volumes of traffic requests that overload the servers they are hosted on. These attacks are powered by thousands of bots and are indistinguishable from legitimate users attempting to access the site.
Companies can model their defense and response plans to prevent this from happening. Businesses can use DDoS protection software, load balancing software and network monitoring software to improve their ability to
discover DDoS attacks early,
balance workloads properly, and
restrict traffic access by malicious visitors.
Phishing is a method of obtaining user information through fraudulent communications targeted directly at people. It’s often accomplished through emails that are disguised as coming from a legitimate source but deliver the target’s information back to the hacker.
Phishing can enable hackers to gain access to sensitive information or privileged applications. Businesses can prevent this type of cybercrime through
the use of email security software for filtering and identification,
along with security awareness training to ensure employees can identify fraudulent communications.
Threat modeling is a way to plan and optimize network security operations. Security teams
lay out their goals,
identify vulnerabilities, and
outline defense plans to prevent and remediate cybersecurity threats.
These are a few components of threat modeling that can be used to improve security operations and effectiveness:
Secure design is necessary during application development to ensure the identification and prevention of vulnerabilities. Code analysis and security testing during all stages of development can help to ensure bugs, flaws and other vulnerabilities are minimized. Engineers can
analyze their code for known flaws during development or dynamically as an application runs, and
perform penetration tests after development.
The resulting data is used to plan for future attack mitigation and to implement updates related to new threats.
It is important to keep an up-to-date database of threats and vulnerabilities to ensure applications, endpoints and networks are prepared to defend against emerging threats. These databases may consist of public information, reside in proprietary threat intelligence software, or be built in-house.
It’s important to keep IT and software assets properly documented at all times. Without proper tracking and documentation, these assets may possess known flaws that are not identified. New assets, even potentially dangerous third-party assets, may be accessing networks without security teams’ knowledge.
Mitigation capabilities refer to a security team’s ability to detect and resolve attacks as they emerge. This may mean the identification of malicious traffic and removal of malware, or it could simply refer to contacting your managed security services provider. Either way, mitigation is essential to effective planning so that teams are aware of their ability to combat threats with their existing resources.
After application code is determined to be safe and endpoints are properly implemented, companies can assess the overall risk of their various IT components. Components may be scored and ranked or simply identified as “at risk.” Either way, they will be identified and secured in order of importance.
These methods are combined to build visual workflows and security operations plans with the goal of resolving existing issues and planning for future threats. This type of threat modeling is based on a multi-angle approach and requires that threats be planned for from every potential angle.
Threat models that are missing one component of proper planning measures may leave assets susceptible to attacks. Proper implementation will lead to faster threat mitigation in real-world scenarios and simplify the operational processes associated with detection, mitigation and analysis.
VAST is an acronym for Visual, Agile, and Simple Threat modelling. The methodology provides actionable outputs for the unique needs of various stakeholders, such as application architects, developers and cybersecurity personnel. It provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.
To deal with the limitations of DFD-based threat modelling, Process Flow Diagrams (PFDs) were introduced in 2011 as a tool to allow Agile software development teams to create threat models based on the application design process. They were specifically designed to illustrate how an attacker thinks.
Attackers do not analyze data flow. Rather, they try to figure out how they can move through an application, which was not supported in DFD-based threat modelling.
Their analysis lays emphasis on how to abuse ordinary use-cases to access assets or other targeted goals.
The VAST methodology uses PFDs for the visual representation of an application.
Threat models based on PFDs view the application from the perspective of user interactions. The steps for PFD-based threat modeling are:
Designing the application’s use cases
Defining the communication protocols by which individuals move between use cases
Including the various technical controls, such as forms, cookies, etc.
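The three steps above can be captured as a small graph and walked the way an attacker would move through the application. The following is an added example, not part of the original article or of any VAST tooling; the use cases, protocols, controls and asset names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample PFD: (from use case, to use case, protocol, technical controls)
STEPS = [
    ("Landing page", "Login", "HTTPS", ["form"]),
    ("Login", "Account dashboard", "HTTPS", ["session cookie"]),
    ("Landing page", "Password reset", "HTTPS", ["form"]),
    ("Password reset", "Account dashboard", "HTTPS", []),  # no control recorded
    ("Account dashboard", "Export statements", "HTTPS", ["session cookie"]),
]
ENTRY = "Landing page"
ASSETS = {"Export statements": "customer statements"}  # use case -> asset exposed


def build_map(steps):
    """Process map: use case -> [(next use case, protocol, controls)]."""
    graph = defaultdict(list)
    for src, dst, proto, controls in steps:
        graph[src].append((dst, proto, controls))
    return graph


def paths_to_assets(graph, entry, assets):
    """Depth-first walk of every loop-free route from entry to an asset use case."""
    found = []

    def walk(node, route, seen):
        if node in assets:
            found.append(route)
            return
        for dst, proto, controls in graph[node]:
            if dst not in seen:  # skip cycles
                walk(dst, route + [(node, dst, proto, controls)], seen | {dst})

    walk(entry, [], {entry})
    return found


def review(steps=STEPS, entry=ENTRY, assets=ASSETS):
    """Return (use-case sequence, transitions lacking a control), worst route first."""
    report = []
    for route in paths_to_assets(build_map(steps), entry, assets):
        names = [entry] + [dst for _, dst, _, _ in route]
        gaps = [(src, dst) for src, dst, _, controls in route if not controls]
        report.append((names, gaps))
    return sorted(report, key=lambda r: -len(r[1]))


if __name__ == "__main__":
    for names, gaps in review():
        print(" -> ".join(names), "| uncontrolled steps:", gaps or "none")
```

Routes that reach an asset through a transition with no recorded control sort to the top, which gives the development team a concrete place to start the review.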
PFD-based threat modelling has the following advantages:
PFD-based threat models are easy to understand and don’t require any security expertise.
They create a process map showing how individuals move through an application, so it is easy to understand the application from an attacker’s point of view.
Threat models are limited by the number of resource hours an application evaluation consumes. Conducting a thorough threat evaluation of a single application using manual processes could take several hours. Then multiply that by every application in an enterprise, and by several re-evaluations and updates required for ongoing post-deployment threat modeling.
Automated threat modeling eliminates the repetitive portion of threat modeling, taking the time needed to update a model from hours to minutes. This allows a threat modeling process to be ongoing – threats can be evaluated during design, implementation, and post-deployment on a regular basis. It also allows threat modeling to be scaled to encompass the entire enterprise, ensuring that threats are identified, evaluated, and prioritized throughout.
Often times, key stakeholders worry that threat modeling is too challenging to produce actionable results.
A threat modeling process must integrate with the tools used throughout the SDLC to provide consistent results for evaluation. These tools may include those targeted to support the Agile framework for software development, which emphasizes adaptive planning and continuous improvement.
With an Agile SDLC, large projects are broken down into short-term goals, completed in two-week sprints. For threat modeling methodologies to support Agile DevOps, the threat model itself must be Agile, supporting the short-term sprint structure and employing threat modeling in an environment of continuous improvement and updates.
VAST is the only threat modeling methodology that was created with the principles of Agile DevOps to support scalability and sustainability.
An enterprise-wide threat modeling system requires buy-in from key stakeholders, including software developers, systems architects, security managers, and senior executives throughout the organization.
Scalable threat modeling requires these stakeholders to collaborate – using a combined view of different skill sets and functional knowledge to evaluate threats and prioritize mitigation. Without collaboration, an enterprise-wide view is impossible to achieve. On the other hand, collaboration helps a company scale threat modeling activities to cover all stages of the SDLC and respond to new threats with a deeper understanding of the risks posed to the organization as a whole.
VAST threat modeling works best for enterprises that need to automate and scale threat modeling across the entire DevOps portfolio, and are looking for the process that will complement an Agile framework of continuous delivery. Integration with Agile, as well as with other production tools in use by the team, forms the foundation for a collaborative, comprehensive threat modeling process that leverages the strengths and skills of key stakeholders throughout the organization.
The Visual, Agile, and Simple Threat modeling (VAST) methodology was conceived after reviewing the shortcomings and implementation challenges inherent in the other threat modeling methodologies. The founding principle is that, in order to be effective, threat modeling must scale across the infrastructure and entire DevOps portfolio, integrate seamlessly into an Agile environment and provide actionable, accurate, and consistent outputs for developers, security teams, and senior executives alike.
A fundamental difference of the VAST threat modeling methodology is its practical approach. Recognizing that the security concerns of development teams are distinct from those of an infrastructure team, this methodology calls for two types of threat models.
Application threat models for development teams are created with process flow diagrams (PFD). Process flow diagrams map the features and communications of an application in much the same way as developers and architects think about the application during an SDLC design session.
Operational threat models are designed for the infrastructure teams. Though more similar to traditional DFDs than application threat models, the data flow information is presented from an attacker – not a data packet – perspective. By relying on PFDs rather than DFDs, VAST threat models do not require extensive systems expertise.
Uniquely addressing both developer and infrastructure team concerns allows organizations to incorporate threat modeling as a part of their DevOps lifecycle with different outputs for various key stakeholders.
The most significant difference of the VAST threat modeling methodology, however, is its ability to allow organizations to scale across thousands of threat models.
The pillars of a scalable threat modeling practice – automation, integration, and collaboration – are foundational to VAST threat modeling.
As the organization matures and new threats arise, these pillars help to develop a sustainable self-service threat modeling practice driven by the DevOps teams rather than the security team.
VAST (Visual, Agile and Simple Threat modeling) is a malleable and scalable modeling process for security planning throughout the software development lifecycle. It’s based on three pillars:
The model focuses on actionable outputs and the unique needs of developers, security personnel and executives.
VAST can be used for both operational and application threat modeling and uses workflow diagrams to illustrate
in an understandable way. It’s also designed to mirror the existing operational processes of agile software development teams.
There is no silver bullet for security operations planning, and different modeling methods may suit some businesses better than others. It’s important to understand your existing development, IT management and security operations processes before settling on a modeling format.
The fundamental value of the method is the scalability and usability that allow it to be adopted in large organizations throughout the entire infrastructure to produce actionable and reliable results for different stakeholders.
Recognizing differences in operations and concerns among development and infrastructure teams, VAST requires creating two types of models:
application threat models: use process flow diagrams, representing the architectural point of view.
operational threat models: created with an attacker point of view in mind based on DFDs.
This approach allows for the integration of VAST into the organization’s development and DevOps