Designing Secure Architectures with Threat Modeling

Open Tech Community
6 min read · May 29, 2021

Prioritize system security in the early design process, to identify weaknesses before they are baked into the system.

Security is a key architecture facet and an important step in the system design process.

Cyber-security risk arises from vulnerabilities that are exploited by threats to achieve certain goals, such as stealing confidential data or installing malware.

A system contains assets, which include the functionality its users depend upon and the data accepted, stored, manipulated, or transmitted by the system. The system’s functionality may contain defects, which are also known as weaknesses.

  • If these weaknesses are exploitable, meaning if they are vulnerable to external influence, they are known as vulnerabilities, and exploitation of them may put the operations and data of the system at risk of exposure.

The attacker's goal is mainly to gain access to assets (functionality or data) that are confidential and valuable.

Key Security Terms and their Relationship

It is important to prioritize system security in the early design process, to identify weaknesses before they are baked into the system. This is where the threat modeling process comes to our aid.

Threat Modeling Goals

Threat modeling is the process of analyzing a system to look for weaknesses that come from less-desirable design choices.

Threat-modeling methods are used to create:

  • an abstraction of the system, to identify the interactions between components and the data flows between them
  • profiles of potential attackers, including their goals and methods
  • a catalog of potential threats that may arise

Goals of the threat modeling process are illustrated below

Goals of Threat Modeling

Threat Modeling in 5 steps

Threat modeling includes 5 steps illustrated below. We will go through the activities involved in each of these steps in the following sections.

STEP 1 : Define Scope and Requirements

In the physical world, when an architect designs a structure such as a bridge, they have to take into consideration factors like what the bridge will be used for and where it is located.

For example, a narrow bridge built over a short distance and used only by small vehicles will not need to bear the weight that a long bridge used by heavy vehicles must bear.

Similarly, security requirements depend on what is being defended (the system) and what it is being defended against (the threats).

Defining the scope is an important step. For example, a stock trading system will be more complex, with multiple modules. Scoping can be an iterative process.

Sources of data for defining scope include:

  1. Development and Release process : for example, an iterative or Agile process
  2. Components and Services : a monolithic application with tight coupling, or REST-based services
  3. Team/Organizational Boundaries
  4. Technology Considerations : legacy systems vs. modern web applications

STEP 2 : Threat Modeling Diagrams

Threat modeling diagrams provide a breakdown of your application to identify 3 important security aspects: trust boundaries, data flows, and entry and exit points.

Let us examine these 3 security aspects.

1. Trust Boundaries

Trust boundaries represent the change of trust levels as data flows through the application. They intersect data flows and indicate attack surfaces where an attacker can interject.

Some example trust boundaries are:

  • A perimeter firewall.
  • The boundary between the Web server and database server.

Once identified, trust boundaries can be mapped to access control, authentication, and authorization.

2. Data Flows

Data flows identify how data moves within the system and to external systems, and how the data is persisted.

Pay particular attention to:

  • Data flow across trust boundaries and how that data is validated at the trust boundary entry point.
  • Sensitive data and how it flows through your system, moves over the network, and how it is persisted in storage to ensure proper encryption at each stage.

3. Entry and Exit Points

Entry points include entries to the application, such as a front-end web application, as well as entries to internal system components. Exit points identify where the application sends data to external systems.

Types of Threat Modeling Diagrams

Threat modeling diagrams include flow diagrams, attacker trees, and fish-bone diagrams.

Flow Diagrams for Threat Modeling

Attacker Trees

Attacker trees define the attacker's goal as the root node and then divide it further, with the sub-goals as child nodes.

Process workflow for creating attacker trees can be visualized as below.

Creating Attacker Trees workflow

A sample scenario of an attacker attempting to tamper data can be created as below.
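An attacker tree for the tamper-data goal can also be written down as data and evaluated against a set of mitigations. This is an added example, not code from the original article; the sub-goals, the AND/OR gates and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    goal: str
    gate: str = "LEAF"      # "OR": any child suffices, "AND": all children needed
    children: list = field(default_factory=list)

def achievable(node, mitigated):
    """True if the goal at `node` is still reachable given the mitigated leaves."""
    if node.gate == "LEAF":
        return node.goal not in mitigated
    results = [achievable(c, mitigated) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)

def open_paths(node, mitigated):
    """List every remaining set of leaf sub-goals that still reaches `node`."""
    if node.gate == "LEAF":
        return [] if node.goal in mitigated else [[node.goal]]
    child_paths = [open_paths(c, mitigated) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    combined = [[]]         # AND: combine one open path from each child
    for paths in child_paths:
        combined = [a + b for a in combined for b in paths]
    return combined

# Constructed sample tree: the root is the attacker's goal, children are sub-goals.
TAMPER = Node("tamper with data", "OR", [
    Node("modify data in transit", "AND", [
        Node("attacker on network path"),
        Node("traffic lacks integrity protection"),
    ]),
    Node("modify data at rest", "OR", [
        Node("database write credentials exposed"),
        Node("input written to store without validation"),
    ]),
])

if __name__ == "__main__":
    done = {"traffic lacks integrity protection"}   # e.g. integrity-protected transport
    print("root goal still achievable:", achievable(TAMPER, done))
    for path in open_paths(TAMPER, done):
        print("open path:", " + ".join(path))
```

Mitigating one leaf under an AND gate closes that whole branch, while every leaf under an OR gate has to be closed before the parent goal is out of reach.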

Fish-bone diagram

A fish-bone diagram identifies the primary and secondary causes of threats.

STEP 3 : Identify Threats with Threat Modeling Frameworks

There are well-established threat modeling frameworks for identifying threats. In this article we examine 2 of the well-known ones: STRIDE and PASTA.

No particular methodology can be recommended across all applications. Some methodologies will work successfully for particular projects and teams, or for specific technologies or compliance requirements, and yet fail completely in others.

STRIDE and Associated Derivations

STRIDE was invented in 1999 and adopted by Microsoft in 2002. It has 2 variations: STRIDE-per-Element and STRIDE-per-Interaction.

STRIDE

The STRIDE framework and mnemonic were designed to help identify the types of attacks, summarized below.

STRIDE-per-Element

Certain threats are more prevalent with certain elements of a diagram. For example, a data store is unlikely to spoof another data store.
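STRIDE-per-Element can be applied mechanically to the elements of a flow diagram, with data flows that cross a trust boundary listed first for review. This is an added example, not code from the original article; the element-to-threat mapping is the commonly cited STRIDE-per-element chart, and the sample model, zone names and function names are constructed.

```python
from dataclasses import dataclass

# Commonly cited STRIDE-per-element chart: the STRIDE categories that
# usually apply to each type of element in a data flow diagram.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",    # plus R when the store holds audit logs
    "data_flow": "TID",
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str               # key of STRIDE_PER_ELEMENT
    zone: str = ""          # trust zone the element lives in
    src: str = ""           # data flows only: source element name
    dst: str = ""           # data flows only: destination element name
    holds_logs: bool = False

def enumerate_threats(elements):
    """Return (element, threat, crosses_boundary) rows to review."""
    zone_of = {e.name: e.zone for e in elements if e.kind != "data_flow"}
    rows = []
    for e in elements:
        cats = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.holds_logs:
            cats += "R"
        crosses = e.kind == "data_flow" and zone_of[e.src] != zone_of[e.dst]
        rows += [(e.name, NAMES[c], crosses) for c in cats]
    # Flows that cross a trust boundary are reviewed first.
    return sorted(rows, key=lambda r: not r[2])

# Constructed sample model: browser -> web server -> database, plus an audit log.
MODEL = [
    Element("browser", "external_entity", zone="internet"),
    Element("web_server", "process", zone="dmz"),
    Element("orders_db", "data_store", zone="internal"),
    Element("audit_log", "data_store", zone="internal", holds_logs=True),
    Element("http_request", "data_flow", src="browser", dst="web_server"),
    Element("sql_query", "data_flow", src="web_server", dst="orders_db"),
    Element("log_write", "data_flow", src="orders_db", dst="audit_log"),
]

if __name__ == "__main__":
    for name, threat, crosses in enumerate_threats(MODEL):
        print(f"{name:13} {threat:24} {'CROSSES BOUNDARY' if crosses else ''}")
```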

STRIDE-per-Interaction

In reality, threats don’t show up in a vacuum. They show up in the interactions of the system, an example is shown below.

PASTA

Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat-modeling framework containing 7 stages, each with multiple activities, illustrated below.

PASTA stages and activities

STEP 4 : Mitigate Threats

Suppose you have identified the threats using STRIDE. Let's see how we can find mitigation techniques for the threats under the first letter of the mnemonic, S, i.e. Spoofing.

Spoofing threats against code include faking the program on disk or in memory, squatting or splicing a port, or spoofing a remote machine.

Authentication techniques are used to mitigate spoofing threats. These include:

  1. Authenticating machines : methods like SSH, or HTTP Digest or Basic authentication
  2. Authenticating files or messages : digital signatures or hashes
  3. Authenticating people : methods like passwords or biometrics
  4. Maintaining authentication across connections using cookies

STEP 5 : Validate the Threat Model

This is done by testing and ensuring the threats identified are mitigated and the fixes work as expected. Test techniques like penetration testing are used.
