When delivering a service you need to understand how robust it will be when faced with cyber attack techniques which could be used to exploit vulnerabilities.
Threat modelling is a highly technical security activity and should be conducted by cyber security specialists with input from your delivery team. Engage with your organisation’s risk management team to determine what support they can provide for your service.
Threat modelling is the follow-up activity to a threat assessment. Once you have gathered information on the motivation, intent and capability of threat actors, you should explore possible vulnerabilities and issues that might apply to your service. This will allow you to:
Threat modelling should take place during the service design and build phase as a precursor to carrying out a risk assessment. It should be repeated during the delivery lifecycle whenever there are design changes that have security implications, or when new threats that can potentially compromise your service are identified.
This is an activity performed by cyber security specialists either within your delivery team, from your organisation, or through an external consultancy.
The work of treat modelling experts should be facilitated by your Senior Responsible Officer (SRO), service owner and programme manager with input from technical and security professionals within your project.
The following steps are a description of the process that cyber security professionals will go through when performing threat modelling. This will change depending on the nature of your service and the setup of your organisation.
A series of physical or digital workshops will help you uncover the answers to two important questions; what are we working on, and what could go wrong?
These should be interactive sessions and involve the people with knowledge of the hardware, software, data assets and architecture of your service. The main areas to cover are:
Map out the service architecture using sticky notes, a digital whiteboard, or specialist threat modelling tools (such as OWASP’s Threat Dragon or Microsoft’s Threat Modeling Tool). To ensure each area is given sufficient attention, focus on subsets of components in separate workshops rather than tackling the whole architecture at once.
Highlight areas that may cause a potential security issue, considering:
- MITRE ATT&CK, MITRE D3FEND and MITRE CAPEC - used to explore possible vulnerabilities and issues that might apply to your service
- STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) - a model for exploring different threat categories
- Attack Trees - for representing the paths adversaries may use to attack your service so you can design solutions to prevent them
Once the threats have been identified, the focus of your workshops should turn to the topic of what you are going to do about them.
Your threat response will usually come in the form of security controls or measures that could be used to reduce or eliminate risks. Go through your architecture and consider:
These do not need to be complete or definitive solutions, but should include enough detail to be used when carrying out a risk assessment for your service.
For example, to partially mitigate against distributed denial-of-service (DDoS) attacks you could integrate a tool into your service that prevents likely malicious traffic from reaching your web servers. The effort to enable this control is negligible and the cost will already be included within your content delivery network (CDN). The drawbacks may be some legitimate users temporarily prevented from accessing the service, for example if they’re using a virtual private network (VPN). However this is unlikely and an acceptable consequence to guard against the security risk.
If the information from your workshops has been gathered using sticky notes or a digital whiteboard, consider the best way to convert this to an accessible format that can be distributed and used by the service delivery team who are responsible for system and security design.
You will also want to share your threat model with:
Once your service has been designed and the security controls outlined in your threat model have been included or deployed, it’s essential to revisit the outputs of this exercise to ensure that the solutions meet the identified issues.
It’s good practice to get feedback from others who were not involved in the workshops. Security professionals from other teams, other departments or the National Cyber Security Centre (NCSC) will be able to provide an unbiased view on the effectiveness and comprehensiveness of your security measures.
This should be routinely reviewed whenever there is a significant change in the service or the threat assessment. The controls identified in your initial threat model are unlikely to work forever and you should be prepared to make regular patches and fixes to operating systems and applications.
This activity is part of the ‘Manage cyber security risks’ stage of Secure by Design, which also includes:
The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.
Last update: 31 January 2024