Building a Secure Cloud: An Introduction to Threat Modelling

An annoying fact about the bad things in life is that they tend to come when you least expect them and in a form that you didn’t even know existed. In life, this is often just a way to rationalize the unpredictability of fate but what about when it comes to security breaches in cloud computer systems?

Complex online systems that contain valuable data and resources are a juicy target for malicious attackers across the globe, who will work around the clock to find weaknesses in your security — or at least that’s how it feels when you’re trying to keep it secure. The chances are that any such vulnerabilities hackers discover will exist precisely in those least expected places, and that’s because it’s the gaps in your thinking that cause the vulnerabilities.

As you can probably guess, this is where Threat Modelling comes in.

Where did Threat modelling come from?

Threat modelling emerged in the late 1990s and early 2000s as a response to the increasing complexity of software systems that had made it challenging to identify and address security risks. As cyber-attacks became more sophisticated and frequent, it became clear that a reactive approach to security was not enough. Proactive measures were needed to identify and mitigate potential security risks before they could be exploited.

Additionally, the adoption of agile development methodologies also posed challenges for traditional security approaches, with their emphasis on rapid iteration and continuous delivery. Threat modelling offered a flexible and iterative solution that could be integrated into the agile development process.

Lastly, the rise of security standards and data protection legislation (such as GDPR and CCPA) also made it even more important for organizations to adopt more rigorous and proactive approaches to security and meant that a systematic approach was a necessity rather than just something to be aimed for.

How does Threat Modelling Work?

The secret of good threat modelling is to be comprehensive and to involve all stakeholders.

Scot Raney, Senior Security Architect, AWS

Obviously, the theory is great — but how does it work in reality? Whilst there are subtle variations in approach, most teams use the following general steps:

1. Review your system
   Identify assets, actors, entry points, components, use cases, and trust levels. If you have an Architecture Diagram for your system it will be very useful here and, if you don’t have one, make one. Analyse your system's architecture, data flows, and components to understand its attack surface.
2. Identify potential threats and vulnerabilities
   With your analysis complete, you can start to identify potential threats, such as unauthorized access, data breaches, or denial of service attacks.
3. Rank the threats
   The next step involves ranking these threats based on their potential impact and likelihood, either by a points system or simply shuffling a list.
4. Design countermeasures
   Once the threats are prioritized, countermeasures and security controls are designed and implemented to address them effectively. These countermeasures can include access controls, encryption, intrusion detection systems, and robust authentication mechanisms.
5. Regular reviews
   Regular reviews and updates to the threat model are essential to account for evolving threats and changes in the system.

A nice, little list of Use Case scenarios

To have a meaningful affect, each of these steps must be integrated into your regular practice, such as the core processes of Agile software development. In everyday life, threat modelling can manifest itself in several ways and some specific problems it solves include:

• New Project or Feature: When starting a new project or developing a new feature, threat modelling can help identify potential security risks early on. It ensures that security concerns are considered from the beginning and integrated into the development process.
• Legacy System Assessment: Threat modelling is beneficial when working with legacy systems that might lack proper security measures. It helps identify vulnerabilities and provides insights into areas that need improvement, allowing teams to prioritize security enhancements.
• Compliance and Regulatory Requirements: Many industries have strict compliance and regulatory requirements related to security. Agile threat modelling assists in identifying and addressing security gaps to meet these requirements, avoiding potential legal and financial consequences.
• Third-Party Integrations: When integrating third-party components, APIs, or services, threat modelling helps assess the security risks associated with these integrations. It ensures that potential vulnerabilities or weaknesses in the third-party systems are identified, and appropriate security measures are taken.
• DevOps and Continuous Deployment: Agile threat modelling fits well within DevOps practices and continuous deployment environments. It helps teams incorporate security measures into their automated pipelines, ensuring that security is considered throughout the software delivery process.
• Security Education and Awareness: Threat modelling serves as an educational tool for development teams. It helps them understand different attack vectors, security best practices, and the impact of various vulnerabilities. This increased security awareness fosters a proactive security mindset within the team.

Problems to watch out for with Threat Modelling

Threat modelling is not a silver bullet. It can help you identify potential threats, but it cannot guarantee that your system will be secure. You still need to implement appropriate security controls.

Michael Howard, Principal Security Architect, Microsoft

1. Time and resources: Threat modelling requires significant time and resources to conduct a thorough analysis of the system, identify potential threats, and design appropriate countermeasures. This can be challenging, particularly in agile development environments with tight timelines.
2. Too big a task: The initial stages can be intimidating at first, especially for less experienced teams. It’s easy to imagine enemies that have almost magical hacking powers and limitless resources and not know where to begin.
3. False sense of security: To the other extreme, more seasoned groups might become overconfident that all bases have been covered just because they have a nice long list of threats in front of them.
4. Analysis and insights go out of date: Likewise, productive modelling sessions in the early stages of a project might serve to breed a sense of complacency that ignores emergent dangers, or vulnerabilities that arise from changes to the system.

Tips and Solutions for better threat modelling

Break it into chunks

Breaking the workload down into features rather than attacking the whole lot with a single model makes the process much less intimidating and, according to the AWS Security Blog, it has a few benefits:

1. More granular tracking of progress
2. More detailed threat models
3. Threat model can be used as a dependency for other features with same component
4. Single threats maybe have multiple mitigations
5. Unmitigated threats block the feature but not the workload

Do evil brainstorming.

In his piece on “Agile Threat Modelling”, Jim Gumbley talks about Evil brainstorming which, as you probably guess, is just like regular brainstorming but involves adopting an “evil” persona and imagining ways that hackers might exploit weaknesses in your system. And then you write them on sticky notes, which real hackers often forget to do. This “devil’s advocate” approach helps to achieve the vital shift to thinking like an attacker rather than as a defender, and hopefully it can be great fun along the way.

Reflect and keep improving

"Don't be afraid to iterate on your threat model. As your system changes, so too will the threats that it faces... Threat modelling is an ongoing process. It's important to revisit your threat model on a regular basis to ensure that it is still accurate." - AWS Security Blog

All the best texts on Threat Modelling stress the importance of one thing above everything else that is the secret to great Threat Modelling: Review, keep reviewing and keep improving. Alongside the very basic advice of “Better to do it badly than not at all”, the experts are unanimous in the belief that learning and adapting are the most fundamental and important skills in keeping your system secure.

Build it into your processes

By extension, the best way to make sure of improving your security is to build it into your processes and to turn Threat Modelling into a regular habit. All fixes identified in your meetings and your individual work should be added to your backlog so that nothing slips through the net, and “Little and often” is a good maxim that ensures that your attitude to security will be thorough and robust.

Further Reading

1. How to approach threat modelling, AWS Security Blog
2. A Guide to Threat Modelling for Developers, Jim Gumbley