What Is Your Ideal Threat Modeling Lifecycle?

General
1

So when I started learning about Threat Modeling, the threat modeling process seemed pretty straight-forward to me with Adam Shostack’s 4 question framework.

But the deeper I get into threat modeling, the more I realize that there is a lot more detail and nuance to the question of how to actually threat model.

So my question is this.

What is your ideal “Threat Modeling Lifecycle”?

Here’s what I currently think it looks like:

  1. Build system context - review PRD and if portions of the system are already up and running, understand the overall environment (Infrastructure as Code, existing codebase, existing controls etc.)
  2. Understand threat modeling scope - figure out what we’re currently threat modeling (don’t try to boil the ocean)
  3. Understand security requirements - Do you need to comply with HIPAA? PCI-DSS? Are there some organizational security requirements?
  4. Create preparatory artifacts for threat modeling - DFD, sequence diagrams, etc.
  5. Generate threats - Answer the question of “What can go wrong”? But this can be approached from many different directions.
    1. STRIDE
    2. Kill Chains (Mitre ATT&CK framework)
    3. Abuse Stories
    4. CAPEC
    5. Identify the crown jewels and start from there (ex: Rapid Threat Model Prototyping)
    6. Identify relevant CVE’s and threat intel affecting our system
  6. Generate mitigations - For the identified threats, generate mitigations or select from available controls with appropriate guidance to team members from resources like OWASP Top 10’s and OWASP cheat sheets
  7. Generate risk register - Once threats and mitigations have been generated create the list of risks by estimating likelihood and impact (or using some other methodology), rank the risks, and assign to risks to appropriate stakeholders.
  8. Generate reports - for use by compliance, CISO, pentesters and others.
  9. Generate tests - Write tests in Gherkin, Inspec or CinC to ensure that controls and mitigations suggested by the threat modeling exercise have been applied
  10. Review penetration test or breach reports - At some point the system will get tested either by penetration testers or may actually get breached. Review these reports to answer the question “Did we do a good job” and then update the threat model - possibly going back to Step 5 if new threat info has surfaced. If a new feature is being added, the process begins all over again.

So that’s what I think the threat modeling lifecycle looks like. What does yours look like? Where can I improve my understanding of the threat modeling lifecycle?