SEC01-BP07: Identify threats and prioritize mitigations using a threat model

Use a threat model to identify and maintain a list of security threats. Prioritize your threats and adjust your security controls to prevent, detect, and respond. Revisit and reprioritize regularly.

Implementation guidance

Threat modeling is a structured approach to identifying, quantifying, and addressing security threats to your workload. By creating a threat model, you can systematically identify potential threats, assess their impact, and prioritize mitigation efforts based on risk.

Key steps for implementing this best practice:

  1. Establish a threat modeling process:
    • Select a threat modeling methodology (e.g., STRIDE, PASTA, OCTAVE)
    • Define the scope of your threat modeling activities
    • Identify key stakeholders and their responsibilities
    • Establish a regular cadence for threat modeling activities
  2. Identify potential threats:
    • Document your system architecture and data flows
    • Identify trust boundaries within your system
    • Brainstorm potential threats using your chosen methodology
    • Consider both internal and external threat actors
    • Review industry-specific threat intelligence
  3. Assess and prioritize threats:
    • Evaluate the likelihood of each threat
    • Assess the potential impact of each threat
    • Calculate risk scores based on likelihood and impact
    • Prioritize threats based on risk scores
    • Consider business context when prioritizing
  4. Develop mitigation strategies:
    • Identify security controls to address each threat
    • Categorize controls as preventive, detective, or responsive
    • Evaluate the effectiveness of existing controls
    • Identify gaps in your security controls
    • Develop a plan to implement additional controls
  5. Implement and validate controls:
    • Deploy security controls according to your prioritization
    • Test the effectiveness of implemented controls
    • Conduct regular security assessments and penetration tests
    • Update your threat model based on testing results
  6. Continuously review and update:
    • Regularly revisit your threat model
    • Update the model as your system evolves
    • Incorporate new threat intelligence
    • Adjust priorities based on changing business needs
    • Refine your security controls based on new information

Threat modeling methodologies

STRIDE

STRIDE is a threat modeling methodology developed by Microsoft that categorizes threats into six types:

  • Spoofing: Impersonating something or someone else
  • Tampering: Modifying data or code
  • Repudiation: Denying having performed an action, which succeeds when there is no trustworthy record of it
  • Information disclosure: Exposing information to unauthorized individuals
  • Denial of service: Denying or degrading service to users
  • Elevation of privilege: Gaining capabilities without proper authorization

PASTA (Process for Attack Simulation and Threat Analysis)

PASTA is a risk-centric threat modeling methodology with seven stages:

  1. Define objectives
  2. Define technical scope
  3. Application decomposition
  4. Threat analysis
  5. Vulnerability analysis
  6. Attack analysis
  7. Risk and impact analysis

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

OCTAVE is a risk-based strategic assessment and planning technique for security that focuses on:

  • Identifying critical assets
  • Identifying threats to those assets
  • Identifying vulnerabilities
  • Developing security strategies

Threat modeling tools

OWASP Threat Dragon

OWASP Threat Dragon is a free, open-source threat modeling tool developed by the OWASP community that provides:

  • Visual threat modeling: Draw data-flow diagrams (actors, processes, data stores, flows, trust boundaries) and attach threats to each element
  • Methodology support: Built-in STRIDE categorization, with LINDDUN and CIA also available
  • Collaboration and versioning: Models are plain JSON files, so they can live in the application's repository and go through the same review as code
  • Multiple deployment options: Available as a web application or as a desktop application
  • Sample models: Example models ship with the tool as starting points
  • Export capabilities: Generate a PDF report from a model

Microsoft Threat Modeling Tool

Microsoft's free threat modeling tool, a Windows desktop application, that provides:

  • STRIDE-based threat identification
  • Built-in threat and mitigation knowledge base
  • Automated threat generation from the data-flow diagram, using built-in or custom templates
  • Reports that list generated threats and their mitigation status for review

Commercial Tools

Various commercial threat modeling tools offer advanced features:

  • IriusRisk: Enterprise threat modeling platform with automation capabilities
  • ThreatModeler: Collaborative threat modeling with compliance frameworks
  • SD Elements: Security requirements and threat modeling platform

Implementation examples

Example 1: Threat modeling for an API-based web application

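The threat model for the API-based web application, worked as an added example rather than a snippet from the original page. It carries steps 2 to 4 of the process above in code: decompose the system into data-flow-diagram elements and trust zones, generate candidate threats with Microsoft's STRIDE-per-element heuristic, rate likelihood and impact, rank by risk, and list high-risk threats that lack a preventive or detective control. The architecture, element names, ratings and control inventory are constructed for illustration and are not from any real workload.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# STRIDE-per-element: which categories apply to each kind of data-flow-diagram element
# (external entity: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation", "I": "Information disclosure",
            "D": "Denial of service", "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # external | process | store | flow
    zone: str  # trust zone; for a flow, "from->to", so a boundary crossing is visible

@dataclass
class Threat:
    tid: str
    element: str
    category: str        # one STRIDE letter
    likelihood: int = 0  # 1..5; 0 until the team has assessed it
    impact: int = 0      # 1..5; 0 until the team has assessed it
    controls: Dict[str, List[str]] = field(
        default_factory=lambda: {"preventive": [], "detective": [], "responsive": []})

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact  # 0 means not yet assessed

# Constructed architecture (hypothetical names): a public client calling a backend service
# through an API gateway, with the database in its own trust zone.
ELEMENTS = [
    Element("Client", "external", "internet"),
    Element("API Gateway", "process", "edge"),
    Element("Order service", "process", "app"),
    Element("Orders DB", "store", "data"),
    Element("Client->API Gateway", "flow", "internet->edge"),
    Element("API Gateway->Order service", "flow", "edge->app"),
    Element("Order service->Orders DB", "flow", "app->data"),
]

# Constructed assessment, (element, STRIDE letter) -> (likelihood, impact), each 1..5.
# Anything not listed stays unassessed and is reported as work still to do.
RATINGS = {
    ("Client", "S"): (4, 4), ("Orders DB", "I"): (3, 5), ("API Gateway", "D"): (4, 3),
    ("Order service", "E"): (2, 5), ("Orders DB", "T"): (2, 5), ("Client->API Gateway", "I"): (1, 4),
}

# Constructed inventory of controls already in place, keyed the same way.
CONTROLS = {
    ("Client", "S"): {"preventive": ["OAuth 2.0 bearer tokens, 15 minute lifetime", "MFA on admin accounts"],
                      "detective": ["alarm on authentication-failure rate per client"]},
    ("Orders DB", "I"): {"preventive": ["encryption at rest", "per-service database role, least privilege"]},
    ("API Gateway", "D"): {"preventive": ["per-client rate limiting", "edge WAF rules"],
                           "detective": ["alarm on throttled-request and 5xx rates"]},
    ("Order service", "E"): {"preventive": ["schema validation of every request body",
                                            "service role scoped to its own table"]},
    ("Orders DB", "T"): {"detective": ["database audit log shipped to the SIEM"]},
    ("Client->API Gateway", "I"): {"preventive": ["TLS 1.2 or later only"], "detective": ["TLS policy check"]},
}

def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Step 2: one candidate threat per applicable STRIDE category per element."""
    threats: List[Threat] = []
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append(Threat(f"T-{len(threats) + 1:03d}", el.name, letter))
    return threats

def assess(threats: List[Threat], ratings, controls) -> List[Threat]:
    """Steps 3 and 4: attach likelihood, impact and the known controls to each threat."""
    for t in threats:
        key = (t.element, t.category)
        if key in ratings:
            t.likelihood, t.impact = ratings[key]
        for kind, names in controls.get(key, {}).items():
            t.controls[kind].extend(names)
    return threats

def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest risk first; impact breaks ties so a rare but catastrophic threat outranks
    a frequent nuisance with the same score. Unassessed threats (risk 0) sort last."""
    return sorted(threats, key=lambda t: (-t.risk, -t.impact, t.tid))

def control_gaps(threats: List[Threat], min_risk: int = 10) -> List[Tuple[Threat, List[str]]]:
    """Threats at or above the threshold that lack a preventive or a detective control."""
    gaps = []
    for t in threats:
        if t.risk >= min_risk:
            missing = [k for k in ("preventive", "detective") if not t.controls[k]]
            if missing:
                gaps.append((t, missing))
    return gaps

def build_model() -> List[Threat]:
    return assess(enumerate_threats(ELEMENTS), RATINGS, CONTROLS)

if __name__ == "__main__":
    model = build_model()
    for t in prioritize(model)[:6]:
        print(f"{t.tid} {t.element:28} {CATEGORY[t.category]:24} L={t.likelihood} I={t.impact} risk={t.risk}")
    for t, missing in control_gaps(model):
        print(f"GAP {t.tid} {t.element} / {CATEGORY[t.category]} risk={t.risk}: no {' or '.join(missing)} control")
    print(f"{sum(t.risk == 0 for t in model)} of {len(model)} candidate threats still unassessed")
```

The heuristic deliberately over-generates: 27 candidates for seven elements, of which the team has rated six. That is the intended shape of the work; the unassessed count is the backlog for the next session, and the gap list is what goes into the mitigation plan. The threshold in `control_gaps` is the place to encode the business context from step 3.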

Example 2: AWS-specific threat model documentation

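The AWS-specific threat model document, as an added example not drawn from the original page: the model is kept as a JSON file beside the workload's infrastructure code, with a validator meant to run in CI and a Markdown renderer for the runbook. It maps each threat to controls built on the services listed in the next section (GuardDuty, Security Hub, Config, CloudTrail, WAF). The workload name, dates, control descriptions and the inventory of deployed services are constructed; in practice the inventory would be read from the account rather than hard-coded.

```python
import json
from datetime import date, timedelta

STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"}
CONTROL_TYPES = {"preventive", "detective", "responsive"}
REQUIRED = {"id", "title", "category", "asset", "likelihood", "impact", "controls"}

# Constructed threat model document for a hypothetical API workload on AWS.
THREAT_MODEL_JSON = """
{
  "workload": "orders-api",
  "owner": "payments-platform",
  "methodology": "STRIDE",
  "last_reviewed": "2024-03-01",
  "review_cadence_days": 90,
  "threats": [
    {"id": "TM-1", "title": "Stolen IAM credentials used from outside the organization",
     "category": "Spoofing", "asset": "AWS account", "likelihood": 3, "impact": 5,
     "controls": [
       {"type": "preventive", "service": "IAM", "description": "MFA enforced; no long-lived access keys"},
       {"type": "detective", "service": "Amazon GuardDuty", "description": "UnauthorizedAccess finding types"},
       {"type": "responsive", "service": "AWS Security Hub", "description": "findings routed to on-call"}]},
    {"id": "TM-2", "title": "Injection against the public API",
     "category": "Tampering", "asset": "orders API", "likelihood": 4, "impact": 4,
     "controls": [
       {"type": "preventive", "service": "AWS WAF", "description": "managed rule group for SQL injection"},
       {"type": "detective", "service": "AWS WAF", "description": "blocked-request metrics and sampled logs"}]},
    {"id": "TM-3", "title": "Security group on the database opened to 0.0.0.0/0",
     "category": "Information disclosure", "asset": "orders database", "likelihood": 2, "impact": 5,
     "controls": [
       {"type": "detective", "service": "AWS Config", "description": "restricted-common-ports rule"}]},
    {"id": "TM-4", "title": "Operator denies deleting customer records",
     "category": "Repudiation", "asset": "orders database", "likelihood": 2, "impact": 3,
     "controls": [
       {"type": "detective", "service": "AWS CloudTrail", "description": "data events on the table; log file validation on"}]}
  ]
}
"""

# Constructed inventory of what is enabled in the account (assumption for the example).
DEPLOYED_SERVICES = {"IAM", "Amazon GuardDuty", "AWS Security Hub", "AWS WAF",
                     "AWS CloudTrail", "AWS Config"}

def load_model(text: str = THREAT_MODEL_JSON) -> dict:
    return json.loads(text)

def validate(model: dict, deployed: set, today: date, high_risk: int = 10) -> list:
    """Return a list of findings; an empty list means the document passes the CI gate."""
    findings = []
    reviewed = date.fromisoformat(model["last_reviewed"])
    if today - reviewed > timedelta(days=model["review_cadence_days"]):
        findings.append(f"model last reviewed {reviewed}, older than cadence of "
                        f"{model['review_cadence_days']} days")
    seen = set()
    for t in model["threats"]:
        missing = REQUIRED - set(t)
        if missing:
            findings.append(f"{t.get('id', '?')}: missing fields {sorted(missing)}")
            continue
        if t["id"] in seen:
            findings.append(f"{t['id']}: duplicate id")
        seen.add(t["id"])
        if t["category"] not in STRIDE:
            findings.append(f"{t['id']}: unknown STRIDE category {t['category']!r}")
        if not (1 <= t["likelihood"] <= 5 and 1 <= t["impact"] <= 5):
            findings.append(f"{t['id']}: likelihood and impact must be 1..5")
        types = set()
        for c in t["controls"]:
            if c["type"] not in CONTROL_TYPES:
                findings.append(f"{t['id']}: unknown control type {c['type']!r}")
            if c["service"] not in deployed:
                findings.append(f"{t['id']}: control relies on {c['service']}, which is not deployed")
            types.add(c["type"])
        # A documented mitigation that only detects is not enough for a high-risk threat.
        if t["likelihood"] * t["impact"] >= high_risk and not types >= {"preventive", "detective"}:
            findings.append(f"{t['id']}: high-risk threat without both preventive and detective controls")
    return findings

def to_markdown(model: dict) -> str:
    """Render the register, highest risk first, as the table that goes into the runbook."""
    rows = ["| ID | Threat | STRIDE | Risk | Controls |", "|---|---|---|---|---|"]
    for t in sorted(model["threats"], key=lambda t: -(t["likelihood"] * t["impact"])):
        ctl = "; ".join(f"{c['type']}: {c['service']}" for c in t["controls"])
        rows.append(f"| {t['id']} | {t['title']} | {t['category']} | {t['likelihood'] * t['impact']} | {ctl} |")
    return "\n".join(rows)

if __name__ == "__main__":
    m = load_model()
    for f in validate(m, DEPLOYED_SERVICES, date(2024, 7, 1)):
        print("FAIL:", f)
    print(to_markdown(m))
```

Run on 1 July 2024 the validator fails twice: the document is past its 90 day review cadence, and TM-3 scores 10 with only a detective control. Both are the kinds of drift this best practice asks you to catch by revisiting the model regularly rather than discovering it during an incident.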

AWS services to consider

The services below are mostly detective and investigative controls. The threat model decides which threats each one is mapped to, and which preventive controls (IAM policies, network boundaries, input validation) sit in front of them, so that a finding from these services corresponds to a threat you have already assessed.

Amazon GuardDuty

Provides intelligent threat detection for your AWS accounts and workloads. Continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.

AWS Security Hub

Provides a comprehensive view of your security state in AWS and helps you check your compliance with security standards and best practices. Aggregates, organizes, and prioritizes security alerts from multiple AWS services.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Helps you maintain compliance with security standards and best practices through continuous monitoring.

Amazon Detective

Makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Automatically collects log data from your AWS resources and uses machine learning to create a unified view.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

AWS WAF

Helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. Gives you control over how traffic reaches your applications.

Benefits of threat modeling

  • Proactive security: Identifies and addresses threats before they can be exploited
  • Risk-based approach: Focuses security efforts on the most significant risks
  • Efficient resource allocation: Prioritizes security investments based on risk
  • Improved security awareness: Builds security knowledge across the organization
  • Better architectural decisions: Influences system design to address security concerns early
  • Regulatory compliance: Helps meet compliance requirements for risk assessment