Introducing Enhanced Threat Modeling at ACTIVECYBER

Threat Modeling is used to identify threats to a system within its environment, evaluate the risks of those threats, and find mitigations for those threats. It is a process that involves modeling the system visually, enumerating and rating the applicable threats, finding mitigations, and applying and testing those mitigations.

The Threat Modeling Process

The threat modeling process typically follows a simple set of steps:

1. Model System Visually
2. Enumerate Applicable Threats
3. Propose and Discuss Mitigations
4. Repeat steps 1-3 to revise
5. Rate the Threats
6. Apply and Test Mitigations

Creating a Visual Model

The threat modeling process typically begins by creating a Data Flow Diagram (DFD). True to its name, a DFD shows how data flows through the system. This diagram is used to illustrate where threats may be located, but a DFD does not actually show the threats themselves.

Here is a simple example of a DFD:

In our example DFD, we show a restaurant’s mobile application sending a review for the NYC location to an API, which then inserts the data into a database. Details about the review are returned as an indicator of success.

Enumerating Threats

The most common methodology used for threat modeling is called STRIDE. STRIDE is an acronym that stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. These are six categories of threats that are used to create the threat model.

Spoofing

To spoof is to imitate the identity of another. Spoofing threats are any type of threat that exists when a system does not properly verify the identity of an entity that it communicates with, such as a person, application, or service. 

Using our example application of a restaurant app that allows users to post reviews, a spoofing threat may exist if the application does not properly authenticate users. If, for example, there is a single API key and no user auth token presented to the API from the mobile application, then any user would be able to post a review as any other user. Mitigating this threat involves ensuring that users are properly authenticated with every API call.

Tampering

To tamper with something is to alter it in a way that interferes with the intended function of that thing. Tampering threats occur when it’s possible for a user to change something, such as data being input or a binary, and take advantage of the fact that the application is not built to expect that change.

Using our example application, a tampering threat may exist if user input is concatenated into a SQL insert statement, allowing for a SQL injection attack. A mitigation for this would be to use parameterized queries instead of concatenating user input into an insert string.
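To make the tampering threat and its mitigation concrete, here is an added Python example written for this article (not code from the page or from ACTIVECYBER): the review API’s INSERT built by string concatenation beside the same insert as a parameterized query, run against an in-memory SQLite database. The table schema, the user names and the review text are constructed for the demo.

```python
import sqlite3

# Constructed schema for the example restaurant-review API; not the page's own code.
SCHEMA = """
CREATE TABLE reviews (
    id       INTEGER PRIMARY KEY,
    user     TEXT    NOT NULL,
    location TEXT    NOT NULL,
    body     TEXT    NOT NULL,
    rating   INTEGER NOT NULL
)
"""


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_review_vulnerable(conn, user, location, body, rating):
    """Tampering threat: client-controlled text is spliced into the SQL itself,
    so the client can change the statement's structure, not just its data."""
    sql = (
        "INSERT INTO reviews (user, location, body, rating) "
        f"VALUES ('{user}', '{location}', '{body}', {rating})"
    )
    conn.execute(sql)
    conn.commit()


def insert_review_safe(conn, user, location, body, rating):
    """Mitigation: parameterized query. The SQL text is fixed; values travel
    separately and are always treated as data, quotes included."""
    conn.execute(
        "INSERT INTO reviews (user, location, body, rating) VALUES (?, ?, ?, ?)",
        (user, location, body, int(rating)),
    )
    conn.commit()


def review_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM reviews").fetchone()[0]


def demo() -> dict:
    results = {}
    # Constructed honest input that happens to contain an apostrophe.
    honest = "Best slice in NYC, O'Brien approved"
    # Constructed malicious input: closes the VALUES tuple early and appends a
    # second row attributed to another user, all inside one INSERT statement.
    crafted = "Great food', 5), ('mallory', 'NYC', 'fake review"

    conn = new_db()
    try:
        insert_review_vulnerable(conn, "alice", "NYC", honest, 5)
        results["vulnerable_breaks_on_apostrophe"] = False
    except sqlite3.OperationalError:
        # The stray quote turns honest input into a syntax error: an availability
        # bug with the same root cause as the injection below.
        results["vulnerable_breaks_on_apostrophe"] = True
    insert_review_vulnerable(conn, "alice", "NYC", crafted, 5)
    results["vulnerable_rows_from_one_call"] = review_count(conn)

    conn = new_db()
    insert_review_safe(conn, "alice", "NYC", honest, 5)
    insert_review_safe(conn, "alice", "NYC", crafted, 5)
    results["safe_rows_from_two_calls"] = review_count(conn)
    stored = conn.execute("SELECT body FROM reviews WHERE id = 2").fetchone()[0]
    results["safe_stores_payload_verbatim"] = stored == crafted
    return results


if __name__ == "__main__":
    print(demo())
```

Calling demo() shows both failure modes of the concatenated version: an honest review containing an apostrophe raises a syntax error, and a crafted review body makes a single API call insert a second row attributed to another user. The parameterized version stores either string verbatim, because the database driver never interprets parameter values as SQL.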

Repudiation

Repudiation is the ability to deny something. A repudiation threat exists when it is possible to leave an application unable to establish whether something occurred, for example through an attack that prevents logging.

Using our example application, a repudiation threat would be the lack of logging itself. If an attacker’s actions are not being logged, it may be difficult to determine what occurred. A mitigation for this is to ensure that proper logging is in place.

Information Disclosure

Information disclosure is when private information is released to those who should not be able to access it. An information disclosure threat exists when an application does not adequately protect data from users who are not meant to view it.

Using our example application, an information disclosure threat would exist if the API returned information needed for internal use but unnecessary for the mobile client to function, such as sensitive data about the user who wrote a review. Even if the mobile client did not display that data, a user could still see it by examining the traffic between the API and the mobile application, so it is still information disclosure. A mitigation for this example threat would be to ensure that the API does not return unnecessary sensitive data.

Denial of Service

A denial of service is when something is prevented from functioning. A denial-of-service threat exists when an application or information becomes inaccessible due to the actions of a threat actor.

Using our example application, a denial-of-service threat would exist if the API were unable to handle a large number of requests from many IPs. Distributed denial-of-service threats of this kind are mitigated by placing a service such as Cloudflare in front of the application.
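Edge services handle the volumetric case, but the API itself can also shed load. The following added Python example (written for this article, not the page’s or ACTIVECYBER’s code) is a token-bucket rate limiter with a per-client budget for one noisy IP and a global budget for the many-IPs case the text describes; it assumes the API can see a client address per request, and the rates, burst sizes and client addresses are constructed values. It also bounds its own memory, since a per-client table that grows without limit is itself a denial-of-service risk.

```python
import time


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.updated = float(burst), now

    def try_take(self, now, cost=1.0):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def refund(self, cost=1.0):
        self.tokens = min(self.burst, self.tokens + cost)


class RateLimiter:
    """Per-client bucket (one noisy IP) plus a global bucket (many IPs at once)."""

    def __init__(self, per_client, global_budget, clock=time.monotonic, max_clients=10_000):
        self.per_client = per_client          # (rate, burst) applied to each client IP
        self.global_bucket = TokenBucket(*global_budget, now=clock())
        self.clients, self.clock, self.max_clients = {}, clock, max_clients

    def allow(self, client_ip):
        now = self.clock()
        bucket = self.clients.get(client_ip)
        if bucket is None:
            self._evict_idle(now)
            bucket = self.clients[client_ip] = TokenBucket(*self.per_client, now=now)
        if not bucket.try_take(now):
            return False                      # this client alone is over its limit
        if not self.global_bucket.try_take(now):
            bucket.refund()                   # capacity exhausted overall; do not charge the client twice
            return False
        return True

    def _evict_idle(self, now):
        # An unbounded per-client table is itself an exhaustion risk: drop buckets that
        # have fully refilled, i.e. clients idle long enough to look like new ones.
        if len(self.clients) >= self.max_clients:
            self.clients = {ip: b for ip, b in self.clients.items()
                            if b.tokens + (now - b.updated) * b.rate < b.burst}


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    clock, results = FakeClock(), {}
    limiter = RateLimiter(per_client=(1.0, 5), global_budget=(10.0, 20), clock=clock)
    # One client bursts 8 requests at t=0: 5 pass, 3 are shed (constructed documentation IPs).
    results["single_ip_burst_allowed"] = sum(limiter.allow("198.51.100.7") for _ in range(8))
    # Three seconds later its bucket has refilled 3 tokens.
    clock.t = 3.0
    results["single_ip_after_3s"] = sum(limiter.allow("198.51.100.7") for _ in range(5))
    # Distributed case: 30 IPs, one request each. No per-IP limit trips; the global budget does.
    limiter = RateLimiter(per_client=(1.0, 5), global_budget=(10.0, 20), clock=clock)
    results["many_ips_allowed"] = sum(limiter.allow(f"203.0.113.{i}") for i in range(30))
    # Eviction keeps the client table bounded once idle buckets have refilled.
    small = RateLimiter(per_client=(1.0, 2), global_budget=(100.0, 100), clock=clock, max_clients=4)
    for i in range(4):
        small.allow(f"192.0.2.{i}")
    clock.t += 10.0                           # everyone idle long enough to refill fully
    small.allow("192.0.2.99")                 # triggers eviction before inserting the newcomer
    results["clients_tracked_after_eviction"] = len(small.clients)
    return results


if __name__ == "__main__":
    print(demo())
```

demo() drives the limiter with a fake clock: a single client bursting 8 requests gets 5 through and 3 more after a 3-second refill, while 30 distinct clients sending one request each exhaust the global budget after 20. The limiter alone cannot tell 30 legitimate users from a botnet, which is why an upstream service with a wider view of traffic remains the main mitigation for distributed attacks.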

Elevation of Privilege

Elevation of privilege is when someone or something can perform an action that would typically require a higher level of permissions. An elevation of privilege threat exists when an application fails to prevent unauthorized users from performing sensitive actions.

Using our example application, an elevation of privilege threat would exist if any user could delete a review, for example by changing the username in their request to admin. A mitigation for this threat would be to ensure that the caller’s authentication token is checked before any admin action is performed.
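The spoofing, repudiation, information disclosure and elevation of privilege examples above all come down to the same API decisions: where identity comes from, who may perform an action, what gets logged, and what leaves the server. The following added Python example (written for this article, not the page’s or ACTIVECYBER’s code) puts them side by side in one small in-memory review service. It assumes HMAC-signed tokens as a stand-in for real session tokens; the signing key, the shared mobile-app API key, the field names and the users are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed values for this example only; a real service loads keys from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
SHARED_API_KEY = "shared-mobile-app-key"
# Information-disclosure mitigation: allow-list of the fields the API may return.
PUBLIC_REVIEW_FIELDS = ("id", "user", "location", "body", "rating")

def issue_token(user, role):
    # Minimal HMAC-signed token, a stand-in for a real session token or JWT.
    payload = json.dumps({"sub": user, "role": role}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token):
    # Returns the claims if the signature verifies, otherwise None.
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(sig, expected) else None

class ApiError(Exception):
    """HTTP status code travels in args[0]."""

class ReviewService:
    def __init__(self):
        self.reviews, self.next_id = {}, 1
        self.audit_log = []  # in-memory stand-in for a real log pipeline

    def _audit(self, event, actor, **fields):
        # Repudiation mitigation: every security decision is recorded with the verified actor.
        self.audit_log.append({"event": event, "actor": actor, **fields})

    def _principal(self, request):
        # Spoofing mitigation: identity comes only from a verified token, never from the body.
        claims = verify_token(request.get("token") or "")
        if claims is None:
            self._audit("auth_failure", None)
            raise ApiError(401)
        return claims

    def _store(self, author, body):
        rid, self.next_id = self.next_id, self.next_id + 1
        self.reviews[rid] = {"id": rid, "user": author, "location": body["location"],
                             "body": body["body"], "rating": int(body["rating"]),
                             "reviewer_email": body.get("email", "")}  # internal-only field
        return self.reviews[rid]

    def post_review_vulnerable(self, request):
        # Spoofable: only the shared app key is checked, so the author is whatever the client claims.
        if request.get("api_key") != SHARED_API_KEY:
            raise ApiError(401)
        return self._store(request["body"]["username"], request["body"])

    def post_review(self, request):
        claims = self._principal(request)
        review = self._store(claims["sub"], request["body"])
        self._audit("review_created", claims["sub"], review_id=review["id"])
        return {k: review[k] for k in PUBLIC_REVIEW_FIELDS}

    def delete_review(self, request, review_id):
        claims = self._principal(request)
        # Elevation-of-privilege mitigation: the role in the signed token decides, not a body field.
        if claims.get("role") != "admin":
            self._audit("authz_denied", claims["sub"], action="delete_review", review_id=review_id)
            raise ApiError(403)
        self.reviews.pop(review_id, None)
        self._audit("review_deleted", claims["sub"], review_id=review_id)

def demo():
    svc, results = ReviewService(), {}
    alice = issue_token("alice", "user")
    body = {"username": "bob", "location": "NYC", "body": "Great slice", "rating": 5, "email": "alice@example.com"}
    # Spoofing: the vulnerable handler records whichever username the client claims.
    results["vulnerable_author"] = svc.post_review_vulnerable({"api_key": SHARED_API_KEY, "body": body})["user"]
    # Hardened: the body still claims "bob", but the verified token says alice; internal fields stay inside.
    view = svc.post_review({"token": alice, "body": body})
    results["hardened_author"], results["response_leaks_email"] = view["user"], "reviewer_email" in view
    # Elevation of privilege: a user token plus "admin" in the body is still refused.
    try:
        svc.delete_review({"token": alice, "body": {"username": "admin"}}, view["id"])
        results["user_could_delete"] = True
    except ApiError as err:
        results["user_could_delete"], results["delete_status"] = False, err.args[0]
    svc.delete_review({"token": issue_token("admin", "admin")}, view["id"])
    results["deleted_by_admin"] = view["id"] not in svc.reviews
    # A token whose payload is edited to role=admin fails signature verification.
    forged_payload = base64.urlsafe_b64encode(b'{"role": "admin", "sub": "alice"}').decode()
    results["forged_token_accepted"] = verify_token(forged_payload + "." + alice.split(".", 1)[1]) is not None
    results["audit_events"] = [e["event"] for e in svc.audit_log]
    return results
```

demo() posts a review through the key-only handler, which records whatever username the client claims, then through the hardened handler, which takes the author from the verified token and returns only the allow-listed fields. A user-level token cannot delete a review even when the body says admin, a token whose payload has been edited to admin fails signature verification, and every decision leaves an audit entry naming the verified actor.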

Rating Threats

Similar to how the STRIDE standard exists for enumerating threats, the DREAD standard exists for rating threats. The DREAD acronym stands for: Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability. Each threat is rated on a scale of 0 to 10 for each of these and then the final score is the mean of these scores.

Damage Potential: What is the potential for damage, both financially and to the company’s reputation?

Reproducibility: Can the threat be reproduced consistently?

Exploitability: Is the vulnerability easy to exploit, or are there tools available to do so?

Affected Users: What percentage of the userbase would be affected if the threat were to be taken advantage of?

Discoverability: How easy is it to discover the vulnerability?


While this approach is detailed and considers many factors, it is more time-consuming to use. Many companies prefer the simpler Bug Bar approach of rating a threat’s impact as Low, Medium, High, or Critical, since these categories fit neatly into their existing ticketing systems.

Mitigations

Selecting a mitigation for a threat is highly dependent on what the threat itself is. Generally, a good threat model will suggest some possible strategies for mitigating a threat. These mitigations tend to involve design changes to prevent a threat, changes allowing for better detection of the threat, and strategies for damage control in the case a threat is actualized.

How ACTIVECYBER Can Help

ACTIVECYBER’s Threat Modeling services empower organizations to proactively identify, evaluate, and mitigate potential risks within their systems. Using a structured approach rooted in proven frameworks like STRIDE and DREAD, we help your team uncover vulnerabilities and implement effective safeguards before they become critical issues.

What sets ACTIVECYBER apart:

  • Tailored Threat Modeling: Our experts work closely with your team to develop comprehensive threat models specific to your systems, using visual data flow diagrams and real-world scenarios.

  • Proactive Risk Mitigation: By identifying vulnerabilities early, we help prevent costly breaches, ensuring your organization remains secure and compliant.

  • Hands-On Guidance: From visual modeling to mitigation testing, ACTIVECYBER guides you through the entire process, offering actionable recommendations that align with your business objectives.

  • Scalable Solutions: Whether you’re a small team or a global enterprise, our Threat Modeling services scale to meet your needs, integrating seamlessly into your existing cybersecurity program.

By partnering with ACTIVECYBER, you gain access to a team of seasoned professionals dedicated to helping you build robust, threat-resistant systems. Let us help you transform your security posture, reduce vulnerabilities, and protect what matters most.

Contact us today to learn how our Threat Modeling services can strengthen your organization’s defenses.
