The Calculus of Threat Modeling

I recently came across this article called The Calculus of Threat Modeling (however it seems to be from 2018, so definitely isn’t new).

It’s worth a read, I think, because I like how it tries to be a bit more formal in it’s approach, which is basically:

  • Threat Modeling starts by identifying security principals
  • A principal is any active entity in a system with access privileges that are in any way distinct from some other component it talks to
  • All attack surfaces occur between distinct security principals
  • All threats occur on attack surfaces

It then describes how to determine the impact of different threats so they can be prioritised, and goes through a simple example.

Things I like about this approach:

  • It focuses on access control as the core of the model of the system. For me this needs to be the core of any threat modeling approach.
  • It describes a sensible (and I’m guessing repeatable) methodology to analyse the model in order to generate threats.
  • It acknowledges that on a first pass things will be missed and a strategy is required to catch the misses (although perhaps better strategies than the one suggested exist!)

Some aspects I’m less aligned with:

  • the method to determine severity involves determining the “aggregate importance” of accessible resources, which seems like it could involve a lot of work and isn’t elaborated on (which is fine, but comes with the standard set of problems i.e. incomparable, unrepeatable).
  • the process involves identifying parts of the system that are a shared security principal, but I’m not sure the effort to do this is worth just performing the analysis as if they were different.
  • The process has the measure of a good job as the result from a penetration test, but pen-tests looks for vulnerabilities, which can still exist in a system with a great design, so that doesn’t seem like a good measure (it might tell you if you did a bad job, but isn’t an indicator of doing a good job)

I think it’s blog posts like this that drive the art of threat modeling forward, as it allows us to compare and contrast with our own approaches, and this gives our own approaches the opportunity for growth (you can see my approach here).