What is Threat Modeling? | Guardsquare

Last year, global cyberattacks increased by 38% when compared to 2021. As the threat landscape grows, we’re also seeing an evolution in threat actors. Overall, actors are more agile and sophisticated, exploiting vulnerable mobile applications across nearly every industry. A mobile application and its endpoints are a critical and vulnerable aspect of an organization’s entire system. To protect applications and their larger infrastructures from these threats, it’s important to implement threat modeling.

What is threat modeling?

Threat modeling is based on the fundamental concept that you cannot defend or protect against what you don’t understand. Threat modeling enables you to properly understand the overall threat landscape your systems are facing, not just mobile threats, but how these threats could impact your API endpoints and backend infrastructure. Leveraging this understanding can help you develop the appropriate mitigation strategy. Companies use threat modeling to optimize a mobile application’s security by identifying security objectives and vulnerabilities and mitigating their effects. In other words, threat modeling helps you think like an attacker and gain a better understanding of how malicious threat actors can take advantage of your app’s vulnerabilities and exploit them. While the purpose of building a threat model is clear (better understanding of the threat landscape and the specific ways it can affect your app) there are many ways to approach the process of threat modeling.

What happens if I don’t create a threat model for my app?

It’s difficult to properly secure your app without an in-depth understanding of potential threats and how they’ll interact with your mobile application. Failing to practice threat modeling can expose your application (and organization) to greater cyberattack risk, loss of revenue, and negatively impact your brand reputation. In fact, between 2021 and 2022, the median cost of a single attack (e.g., breach, malware, ransomware attack, etc.) rose more than 29%. Additionally, the Hiscox Cyber Readiness Report from 2022 also states that 47% of all U.S. businesses suffered a cyberattack in some form or another during the past year. Mobile app security should be a priority for every developer and their teams, and threat modeling is a perfect foundation for building your app’s security strategy.

With a better idea of what you stand to lose without threat modeling, let’s take a deeper look at its benefits, the basics of building a threat model, and how to choose the right one for your mobile app.

Benefits of threat modeling

We know what happens if you fail to implement threat modeling, but what are the benefits? Planning a security strategy based on an in-depth understanding of the threat landscape and how it affects your app offers the following:

Compliance

It’s nearly impossible to comply with internal and external requirements without evaluating and mitigating threats. Compliance is particularly important in highly regulated industries like healthcare and financial services, but mobile applications across every industry can benefit from internal regulations that help prevent misconfigurations and other vulnerabilities that lead to serious security issues.

Planned vs. retrofitted security

Imagine you’re building a home and want to properly secure it. Analyzing potential threats to your home (e.g., flood, fire, earthquake, etc.) before you begin to build can help you construct a more secure home from the ground up. Applying security measures to your home after it’s built is more difficult — like trying to reinforce a foundation after the home is complete. In the same way, threat modeling lays out a plan for securing your app before it’s built, allowing you ample opportunity to build in security features as you develop, instead of when the app is complete, which can take considerable time and money.

Reduction of attack surface

Threat modeling helps reduce your app’s attack surface. Considering how potential threats can affect your mobile app prior to development can help you identify the components of your app that need to be protected and those that do not. To revisit our home metaphor, threat modeling tells you that you need to fortify your front door, while a second story window doesn’t require as much protection.

How to build a threat model

Threat models are meant to catch both malicious events (like tampering or reverse engineering) and incidental (like an unsecured SDK). Implementing threat modeling at the beginning of the development process is a great example of how shifting left can help lower cybersecurity costs.

OWASP Four Question Framework

The Open Worldwide Application Security Project (OWASP) recommends beginning the threat modeling process with a Four Question Framework:

• Question 1: What are we working on?
• Question 2: What can go wrong?
• Question 3: What are we going to do about it?
• Question 4: Did we do a good job?

How you and your team answer these questions can help guide you to a suitable threat modeling method. Regardless of the method you choose, OWASP recommends that your threat model include the following three components: documentation of data flows, documentation of potential system threats, and documentation of security controls.

Popular threat models

Once you’ve considered the framework questions, looking at popular threat models and considering how effectively they help you answer the framework questions can help you decide which model is best for your app. Here are some of the more popular threat modeling frameworks.

• STRIDE: STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The model’s categorization of threats makes it easier for users to approach mobile app security systematically and ensure that major security vulnerabilities are covered.
• Trike: Trike is a threat model that operates from a risk management perspective and focuses on security auditing.
• VAST: VAST stands for Visual, Agile, and Simple Threat. This model covers security threats across the entire software development lifecycle in three key areas: automation, integration, and collaboration.
• Attack Trees: Attack trees are one of the oldest threat models. Attack trees are diagrams that show system attacks in the form of a tree. In this tree, the root is the goal of the attack (e.g. stealing user data) and the leaves are the ways an attacker can achieve that goal.
• CVSS: CVSS stands for Common Vulnerability Scoring System. Developers using this threat model document the principal characteristics of a vulnerability and score them based on severity. Those scores are translated into a level of risk (low, medium, and high) which helps them prioritize their security strategies.
• PASTA: PASTA stands for Process for Attack Simulation and Threat Analysis. This threat model is also focused on risk and is broken down into seven stages which not only helps you analyze threats, but also contextualize them in terms of how they affect the overall organization.

How do I choose the right threat model for my app?

Choosing the right threat model for your app can be a confusing process. Even after you answer the OWASP framework questions, or consider the models that can help you answer the questions best, it still may not be clear which model you should pursue. It’s helpful to remember that you don’t need to choose just one model. Attack trees for example, are often used in concert with other threat models because they offer a simple way to visualize threats.

Choosing a threat model by focus areas

In addition to using more than one threat model at once and answering the framework questions, you should also consider the focus of each threat model. Threat models usually fall into one of three buckets: asset-centric, attack-centric, or software-centric.

• Asset-centric: A threat model that focuses on the system’s assets. For example, Trike ensures the assigned level of risk for each asset is acceptable to stakeholders.
• Attack-centric: A threat model that focuses on attackers. This refers to models like VAST, which provide operation and application teams insight into how attackers view your system.
• Software-centric: A threat model that focuses on systems or software. STRIDE is a great example of a software-centric threat model. It focuses on producing a full breakdown of processes, data stores, data flows, and trust boundaries in a system.

Choosing a threat model by mobile app industry

After evaluating threat modeling focus areas, you may want to consider each methodology’s ability to scale, its report-generating capacity, your gauge of effectiveness, and the desired outcome. Factoring in the biggest vulnerabilities in your mobile app’s industry can also help you choose the right threat model.

• Ex. 1 Gaming apps: gaming apps are often susceptible to piracy and cheating. STRIDE, then, could be a good threat modeling option as it deals with tampering (where attackers modify components of your code) and elevation of privilege (where attackers grant themselves additional privileges).

  Attack Trees could also be effective as they could help your team visualize the paths that attackers would follow in your app. For example, if they’re looking to reverse engineer your app, you’d build a “tree” with that particular attack goal as a root and the possible paths as branches.

• Ex. 2 Financial services apps: Financial services apps are susceptible to application repackaging, cloning attacks, weak encryption, and insecure data storage. STRIDE would be an effective model here as well, as it deals with information disclosure.

  PASTA would also work. It leverages threat data to support prior threat patterns and has a focus on probability of attack and impact of compromise, which is key when dealing with PII.

• Ex. 3 Healthcare: mHealth apps often have unencrypted communication methods, sending personal data through unsecured communication channels to the server. For these types of apps, the STRIDE framework is actually recommended by the FDA, which requires regulatory approval for some mHealth apps.

Threat modeling and tools

Once you’ve selected a threat model and identified the threats most pressing to your mobile application, you’ll want to choose security solutions that can help resolve and remediate the potential threats facing your app. Your chosen tools should: offer scalability, automate your selected framework’s security suggestions (e.g., STRIDE, VAST, PASTA, Trike, etc.), and layer your app’s security. After all, the threat landscape is broad (and it’s growing); you’ll want to ensure that your app has every possible advantage to protect against attackers.

Moving forward with threat modeling

Threat modeling is a crucial part of developing mobile applications. It positions you to think as an attacker, which helps protect your app against current risks. An effective threat model also establishes processes to identify patterns/trends to help you protect against future threats.

Perhaps the most important benefit is planned security. Building a threat model at the beginning of the development process can save time, protect your app during and after the development process, and help you avoid penalties, fines, and other negative consequences of cyberattacks or exploited vulnerabilities.

Executive Summary (TL;DR)

• Threat modeling is crucial for mobile apps as it helps developers and security specialists identify objectives and vulnerabilities and then define countermeasures to prevent or mitigate the effects of threats to the system.
• There are multiple threat models to choose from, and selecting the right model depends on your security/risk focus (attacks-centric, software-centric, asset-centric) and other factors like your app’s industry.
• Implementing an effective threat model can protect your app against current risks, future threats, and ensure that your app remains compliant, internally and externally.