The Hybrid Threat Modeling Method (hTMM) was developed by the Software Engineering Institute (SEI) in 2018. It consists of a combination of
- SQUARE (Security Quality Requirements Engineering Method),
- Security Cards, and
- Persona non Grata (PnG).
The targeted characteristics of the method include
- no false positives,
- no overlooked threats,
- a consistent result regardless of who is doing the threat modeling, and
The main steps of the method are
1. Identify the system to be threat-modeled.
2. Apply Security Cards based on developer suggestions.
3. Remove unlikely PnGs (i.e., those for which there are no realistic attack vectors).
4. Summarize the results using tool support.
5. Continue with a formal risk-assessment method.
The initial steps in the hTMM are as follows:

1. Identify the system you will be modeling. Execute Steps 1-3 of SQUARE or a similar security requirements method, e.g.:
   - Agree on definitions.
   - Identify a business goal for the system, assets, and security goals.
   - Gather as many artifacts as feasible.
2. Create a large initial set of possible threats by applying Security Cards in the following way:
   - Distribute the Security Cards to participants either in advance or at the start of the activity. Include representatives of at least the three following groups of stakeholders:
     - system engineers/developers, and
     You may find that within each of those categories there are multiple distinct perspectives that must be represented. Other relevant stakeholders can be included as well.
   - Have the participants look over the cards along all four dimensions: human impact, adversary's motivations, adversary's resources, and adversary's methods. To familiarize themselves with the type of information on the cards, have participants read at least one card from each dimension, front and back.
   - Use the cards to support a brainstorming session. Consider each dimension independently, and sort the cards within that dimension in order of how relevant and risky each is for the system overall. Discuss as a team what orderings are identified. It is important to be inclusive, so do not exclude ideas that seem unlikely or illogical at this point in time.
   - As you conduct your brainstorming exercise, record the following:
     - If your system were compromised, what assets, both human and system, could be impacted?
     - Who are the personae non gratae who might reasonably attack your system, and why? What are their names/job titles/roles? Describe them in some detail:
       - What are their goals?
       - What resources and skills might the PnG have?
     - In what ways could the system be attacked?
     - For each attack vector, have you identified a PnG (or could you add a PnG) capable of utilizing that vector?
3. After the data in Step 2 has been collected, you will have enough information to prune the listed attacks, removing those whose PnGs are unlikely and those for which no realistic attack vectors could be identified. Once this is done, for the remaining attacks:
   - Itemize their misuse cases. This expands on HOW the adversary attacks the system. The misuse cases provide the supporting detailed information on how the attack takes place.
4. Summarize the results from the above steps, utilizing tool support, as follows:
   - Actor (PnG): Who or what instigates the attack?
   - Purpose: What is the actor's goal or intent?
   - Target: What asset is the target?
   - Action: What action does the actor perform or attempt to perform? Here you should consider both the resources and the skills of the actor. You will also be describing HOW the actor might attack your system and its expansion into misuse cases.
   - Result of the action: What happens as a result of the action? What assets are compromised? What goal has the actor achieved?
   - Impact: What is the severity of the result (high, medium, or low)?
   - Threat type: (e.g., denial of service, spoofing)
5. After the preceding steps are done, you can continue with a formal risk assessment method, using these results and the additional steps of a security requirements method (such as SQUARE), perhaps tailoring the method to eliminate steps you have already accounted for in the threat modeling exercise.
Steps 1 and 5 are activities that precede and follow the bulk of the threat modeling work. We felt it was necessary to include these, to understand where hTMM fits into lifecycle activities, specifically security requirements engineering.
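The "tool support" of Step 4 is left open by the method; the following added example (not code from the SEI page or from the hTMM authors) shows one minimal shape it could take in Python: a record type carrying the Step 4 fields, the Step 2 check that every brainstormed attack vector has a PnG capable of using it, the Step 3 pruning of unlikely PnGs and vector-less attacks, and a summary ordered by impact that can feed the Step 5 risk assessment. The patient-portal system, the PnGs, the vectors and the threats are all constructed for illustration.

```python
# Added example (not from the SEI page): a minimal data model for the hTMM
# brainstorming output, the Step 3 pruning pass, and the Step 4 summary.
# All names, PnGs and threats below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass, field

IMPACT_LEVELS = ("high", "medium", "low")   # severity scale used in Step 4


@dataclass
class PnG:
    """A persona non grata recorded during the Security Cards session (Step 2)."""
    name: str
    goals: str
    resources: str
    skills: str
    realistic: bool = True      # set to False in Step 3 if the PnG is judged unlikely


@dataclass
class Threat:
    """One row of the Step 4 summary: actor, purpose, target, action, result, impact, type."""
    actor: PnG
    purpose: str
    target: str
    action: str
    result: str
    impact: str
    threat_type: str
    attack_vectors: list = field(default_factory=list)   # the "how" captured in Step 2
    misuse_cases: list = field(default_factory=list)     # expanded in Step 3

    def __post_init__(self):
        # Keep the impact on the method's three-level scale so the summary sorts cleanly.
        if self.impact not in IMPACT_LEVELS:
            raise ValueError(f"impact must be one of {IMPACT_LEVELS}, got {self.impact!r}")


def uncovered_vectors(brainstormed_vectors, threats):
    """Step 2 check: every recorded attack vector should have a PnG capable of using it."""
    covered = {v for t in threats for v in t.attack_vectors}
    return [v for v in brainstormed_vectors if v not in covered]


def prune(threats):
    """Step 3: keep only threats with a realistic PnG and at least one realistic vector."""
    return [t for t in threats if t.actor.realistic and t.attack_vectors]


def summarize(threats):
    """Step 4: summary rows ordered by impact (high first) and then by threat type."""
    ordered = sorted(threats, key=lambda t: (IMPACT_LEVELS.index(t.impact), t.threat_type))
    return [
        {
            "actor": t.actor.name,
            "purpose": t.purpose,
            "target": t.target,
            "action": t.action,
            "result": t.result,
            "impact": t.impact,
            "threat_type": t.threat_type,
            "misuse_cases": len(t.misuse_cases),
        }
        for t in ordered
    ]


def impact_counts(threats):
    """Tally by severity, a convenient input to the formal risk assessment of Step 5."""
    return dict(Counter(t.impact for t in threats))


def sample_session():
    """Constructed output of a Security Cards session for a hypothetical patient portal."""
    insider = PnG("Disgruntled help-desk contractor", "revenge, resale of records",
                  "valid support account", "basic SQL, knows the admin UI")
    hobbyist = PnG("Bored script kiddie", "bragging rights", "public scanners",
                   "runs tools, cannot write exploits")
    nation_state = PnG("Foreign intelligence service", "mass surveillance",
                       "unlimited budget", "custom tooling")
    nation_state.realistic = False   # Step 3 verdict: unlikely for a small regional clinic

    vectors = ["abuse of support account", "credential stuffing on login page",
               "physical theft of backup tapes"]
    threats = [
        Threat(insider, "exfiltrate patient records", "patient database",
               "query records via support tooling beyond assigned tickets",
               "records copied off-site; confidentiality lost", "high",
               "information disclosure", ["abuse of support account"],
               ["export tickets in bulk", "screenshot records during a call"]),
        Threat(hobbyist, "take the portal offline", "web front end",
               "flood the login endpoint", "portal unavailable to patients",
               "medium", "denial of service", ["credential stuffing on login page"]),
        Threat(nation_state, "long-term access", "all systems",
               "supply-chain implant", "full compromise", "high",
               "elevation of privilege", ["physical theft of backup tapes"]),
        Threat(hobbyist, "deface the site", "public web pages",
               "unknown", "embarrassment only", "low", "tampering", []),  # no vector found
    ]
    return vectors, threats
```

Running `prune` over the constructed session keeps two of the four threats (the unrealistic PnG and the vector-less defacement are dropped), and `uncovered_vectors` then flags "physical theft of backup tapes" as a brainstormed vector that no remaining PnG is recorded as able to use, which is exactly the prompt the method's final Step 2 question asks the team to revisit before moving on.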
In summary, the hybrid threat modeling method (hTMM) combines