Threat Modeling – Trust Boundaries and DFD (Data Flow Diagrams)

Threat modeling is a structured approach that aims to identify and prioritize potential threats and vulnerabilities in software applications and systems.

The steps involved are:

  1. Identifying potential attackers, their motivations, and the methods they might use to exploit vulnerabilities in a system.
  2. Creating an abstraction of the system, which includes profiles of potential attackers and a catalog of threats that could arise.
  3. Analyzing the software architecture, business context, and other artifacts to understand important aspects of the system.
  4. Building a Data Flow Diagram (DFD) or similar representation to visualize the components, interactions, and data flows within the system.
  5. Identifying security risks early in the software development life cycle (SDLC) so they can be addressed before software is deployed.

The goal of threat modeling is to document security threats to an application and make rational decisions about how to address them. It helps detect problems early, spot design flaws, evaluate new forms of attack, and maximize testing budgets by targeting testing and code review efforts.

It’s a proactive measure that enhances the security posture of an application or system by thinking about threats beyond standard attacks and considering security issues unique to the specific application or system being developed.

Attack Modeling

Attack modeling is a process used to approximate and simulate adversarial threats against a computer system or network. It involves creating cyber attack models that identify potential adversary techniques and attack paths. By modeling these attacks, defenders can better understand the behavior, tactics, and objectives of adversaries. This enables them to identify vulnerabilities within their environments and take steps to remediate them.

In the broader context of cybersecurity, attack modeling can be part of a comprehensive threat modeling process. It helps in visualizing potential attack vectors and understanding how an attacker might exploit system weaknesses.

For example, the MITRE ATT&CK® framework provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It’s used as a foundation for the development of specific threat models and methodologies in both the private and public sectors.

Attack modeling can also involve the use of attack trees, which provide a structured and visual representation of potential attack paths, vulnerabilities, and goals an attacker may pursue. Attack trees help organizations proactively identify and assess potential risks, prioritize security efforts, and plan robust defensive measures.

Common Cyber Attacks to consider

When conducting threat modeling, it’s important to consider a variety of common cyber attacks. Some of these include:

Additionally, the STRIDE model is often used in threat modeling to categorize threats. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

Understanding these common types of cyber attacks can help in creating more effective threat models and improving the security posture of systems and applications.

Trust Boundaries

In threat modeling, trust boundaries are a critical concept. They represent the points in a system where the level of trust or the security context changes.

For example, a trust boundary might exist between a public network and an internal network, or between two different privilege levels within an application. Identifying trust boundaries helps to understand where to apply security controls to protect sensitive data and functions from unauthorized access.

How to prepare a Threat Modeling Doc

There are several resources on the internet where you can find sample threat modeling documents and templates. Here are a few:

These resources should provide you with a solid foundation for learning about threat modeling and creating your own documents.

Data Flow Diagrams (DFD)

Threat modeling often involves creating a diagram, specifically a Data Flow Diagram (DFD). These diagrams help visualize the components of a system, how they interact, and where data flows between them.

DFDs are particularly useful for identifying potential security vulnerabilities and for understanding the overall architecture of a system from a security perspective.

By mapping out the data flow, entry points, exit points, and trust boundaries, teams can better identify where threats might occur and how to mitigate them.
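As an added example (not code from the original post), the Python sketch below ties together the trust-boundary, STRIDE, and DFD sections: it represents DFD elements and data flows, finds the flows that cross a trust boundary, and applies a STRIDE-per-element mapping so that boundary-crossing flows surface at the top of the threat list. The element-to-category mapping and the sample browser/web app/database DFD are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element: threat categories that apply to each DFD element kind
# (assumed mapping, following the usual STRIDE-per-element convention).
STRIDE_PER_ELEMENT = {
    "external": "SR", "process": "STRIDE", "datastore": "TRID", "dataflow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone the element sits in (e.g. internet, dmz, internal)

@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str

def boundary_crossings(elements, flows):
    """Flows whose endpoints are in different trust zones, i.e. cross a trust boundary."""
    zone = {e.name: e.zone for e in elements}
    return [f.name for f in flows if zone[f.src] != zone[f.dst]]

def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element; boundary-crossing flows are listed first."""
    crossing = set(boundary_crossings(elements, flows))
    rows = [(e.name, STRIDE_NAMES[c], False)
            for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    rows += [(f.name, STRIDE_NAMES[c], f.name in crossing)
             for f in flows for c in STRIDE_PER_ELEMENT["dataflow"]]
    return sorted(rows, key=lambda r: not r[2])  # stable sort: crossings first

# Constructed sample DFD: browser -> web app -> user database, plus a session
# cache that stays inside the web tier. Two of the three flows cross a boundary.
ELEMENTS = [Element("Browser", "external", "internet"),
            Element("WebApp", "process", "dmz"),
            Element("SessionCache", "datastore", "dmz"),
            Element("UserDB", "datastore", "internal")]
FLOWS = [Flow("login_request", "Browser", "WebApp"),
         Flow("session_write", "WebApp", "SessionCache"),
         Flow("user_lookup", "WebApp", "UserDB")]

if __name__ == "__main__":
    for element, threat, crosses in enumerate_threats(ELEMENTS, FLOWS):
        print(("[BOUNDARY] " if crosses else "           ") + f"{element}: {threat}")
```

Each row is a candidate threat to record in the threat model document; the boundary-crossing flows are the natural places to start looking for missing controls.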
