This article can also be found in the Premium Editorial Download "Information Security magazine: Weight lifter: Appliances that lighten your security load."
Download it now to read this article plus other related content.
Threat modeling is the logical and systematic evaluation of every avenue of approach. You can then prioritize each avenue's relative "threat level" based on factors such as the value of the target asset, likelihood of success and cost of attack.
Threat modeling is the "show me" side of security derived from increasing C-suite skepticism regarding threats brought about by the overly restrictive recommendations of paranoid security pros. It forces auditors and architects to define more specifically what it would take to compromise a system.
Threat modeling has its roots in concepts like Bruce Schneier's attack trees, Peter Tippett's synergistic controls, Marcus Ranum's zones of risk and every strategic military defensive exercise for the past 5,000 years. These are logical approaches to identifying unique attack points to understand where the risk is and how to defend against it. A handful of solutions aim to harness the threat modeling process.
Amenaza's SecurITree uses an attack tree methodology to create attack scenarios using attacker methods and evaluating their probable success based on cost (time and resources), the required technical ability and the likelihood of catching the intruder.
Black Dragon Software's proVizor SRM calculates time-to-defeat measurements for networks, hosts and services. TTD is calculated for each of the five "A's"--authentication, authorization, accuracy, availability and audit--based on input from scanners, VA tools and Black Dragon's own body of knowledge.
Skybox Security's View uses a four-step process to identify exposures. It models the environment, simulates attacks, calculates risk and plans remediation. For example, View will determine the likelihood of a successful attack based on router ACLs, known vulnerabilities and the security measures between an attacker and target.
To be successful in today's security world, you have to get in front of the risk problem. The beauty of threat modeling is that it can help you perform "what if" scenarios, allowing you to compare and contrast defense strategies as diverse as patching systems and segmenting networks.
Threat modeling provides the means to identify the strengths and weaknesses of your defenses so you can allocate security resources in ways that make sense before an attack occurs.
About the author:
Pete Lindstrom, CISSP, is research director at Spire Security.
This was first published in August 2004