Why Threat Model

Your Software is insecure

If this is the first time you’ve heard this, or you believe otherwise, you’re honestly in the wrong field. Software as good as it is, as useful as it is, as wonderfully inventive as it is, is still flawed. It’s flawed because it’s written by people, and people are prone to mistakes. Any company that runs or writes software for others to use is prone to security vulnerabilities, their software is prone to those vulnerabilities, given enough time, those security vulnerabilities will be found and that company will be exploited or customers of that company will be exploited.

There are only two types of companies: those that have been hacked and those that will be hacked

- R. Mueller, FBI Director

Mueller, said it just a couple of years ago, while at an RSA conference. Since that time we’ve seen large & small software companies get attacked. Just last week it was reported that the National Research Council in Canada operated by the federal government was the victim of a cyber attack from China.

Now I am a pretty smart guy and work in a huge tech centre, I love math, I get out and network with other IT professionals as often as I can. I hear about what this start up is doing or that start up, I hear about the great analysis model they’ve developed or how their model is going to revolutionize a particular space or way of thinking; I think to myself that’s fantastic. I then follow up my question with a question about a model of my own, I often ask: “What does your threat model look like?”. 9 Times out of 10 I am either met with a dear in the headlights look or “Our what?”.

I reminded of what George Box once said,

All Models are wrong, some models are useful.

- George Box

I bring this up, not to shoot start up, or large companies models of problems or spaces they’re trying to think & improve in, no not at all, rather I bring it up because I think the Threat Model is a useful model that is wrong. Furthermore if a threat model doesn’t play into your software model, then unquestionably your software model is wrong.

If the Threat Model is Wrong, why bother?

Just like software has it’s flaws and is going to be wrong and have bugs, so too will our models, and our threat models. However the threat model, is one of the more useful models your software & development strategies can use.

The threat model is an advanced intelligence gathering tool that, like all intelligence is fluid over the life cycle of the product/project. However that intelligence and the way developers/engineers, managers choose to use and respond to that intelligence will be vital in determining, how often, when & where your application gets attacked and what your loses are going to be. If we have to accept that eventually our software will be breached, and our organization will be breached as Mr. Mueller would say – and I believe him, the next question is what can we do about it?

I’ve never worked at an organization that didn’t have a back up disaster recovery plan of some kind, sometimes at the start up organizations I worked for it was a pretty weak one, like the Sr. Developer taking a portable hard drive home, and swapping them in the morning. As some of the larger organizations, they’ve spent millions to have 2, 3 maybe even 4 separate discreet data centres, in different parts of the country, with redundant power supplies and fast fail overs, furthermore they spend thousands of dollars every year testing these systems. The question is why, depending on who you ask, you’ll get long drawn out answers, however it boils down to one simple answer These companies have accepted that eventually they will be faced with a catastrophic disaster requiring them to employee their recovery systems. – They are acknowledging an minimizing the risk and loss

If you believe Mr. Mueller that your organization will be eventually be attack through cyber space and the code that it writes, – and I do, but your organization, doesn’t have a threat model, this begs the question why is your organization being so cavalier? I would almost be willing to be that your organization has a data back up and disaster recover mechanism of some kind if store. Similarly your organization or group probably has, a software model that’s well defined or evolving, a business plan, of some kind, to know where the business or the group is going in the future, but you probably can’t tell me much about where you’re vulnerabilities are, and if you can’t why not?

If a threat model hasn’t been developed to understand where the vulnerabilities in your software are, how do you know which are the most severe vulnerabilities? the easiest to find? the easiest to exploit? the most damaging? Organizations and business units invest a lot of money in understanding what can go wrong, form a catastrophic failure of a network connection, a data server blowing up, a fire, in a data centre. However data & disaster recovery cannot be your plan to respond to a cyber attack. Yes if that cyber attack destroys a server, records etc. Results in data theft, yes your data recovery plan may be able to recover some of that stolen data for you, but what are the thieves now doing with the stolen data? How do you know that your recovery plan is going to deal with an advanced persistent threat that’s been left behind? As good as your recovery plan might be it will never be able to retrieve stolen data back for you, furthermore it will never recover reputation, business stock, financial loss, lawsuit damages.

The only way to protect to protect the business, from a software hack is to accept that it’s going to happen, just like the business accepts that a disaster might occur. Once this acceptance has been determined, by developing a threat model of where all the threats are to the application or applications the devs, qa, managers, owners, security folks can all have a meaningful discussion on what is most at risk, what needs to be secured most, what posses the biggest loss to company if exploited, and a threat model will help you understand all this information.

Imagine if you were a general commanding an army and you knew the enemy was going to attack. Now imagine for example an intelligence agent was able to analyze your positions, tell you what was most critical what you could and could not afford to loose where you’re most vulnerable, what would you do? You’d probably shift your troops around to protect the most vital areas, perhaps your command post or your hq, you might be willing to sacrifice a position of little importance to protect a more critical position. You might stop sending a supply convey’s into risky areas, or you might determine that supply convey is critical to the the success of the operation, so you’d secure it more. You might figure out what your weakest links in your defense and attempt to better fortify them or stop defending that area. You know that you can’t defend everything, all at once against a massive attack, so you focus your efforts, most critical, most vulnerable, biggest loss. That way when the attack comes yes the attackers might get a little bit, they might be able to capture a hill, that you really don’t care about that much, you care but not as much as you care about protecting your HQ. What have you done, you’ve focused on the biggest risks, and the biggest assets you need to protect and you focused you’re efforts on protecting them. Yes, given infinite money, resources, troops you’d have liked to protect everything but you managed your risk.

Developing an effective threat model is no different, given the fluid nature of software development there are always going to be new risks, new vulnerabilities against your application(s). However an effective threat model is like receiving information from that intelligence agent. As a general, and we’re all generals of some degree in software development it focuses the efforts, on what needs to be done and where to secure the application. When the application is attacked, if all an attacker is able to do is, provide a reflective XSS attack against my website, that defaces it a little bit, I am okay with that, because they weren’t able to initiate a ddos attack, steal some information or penetrate my network through software. I’ve managed the risk, yes there was still an exploit that was vulnerable and given infinite resources, I would have fixed that too, but the best they were able to do is cause some information to pop up and they weren’t even able to cause a stored xss attack. I would call that successful, would I have been able to do that without a threat model? perhaps, but at that point it’s just guess work.

An effective threat model is also vital, because if you work at an organization like mine, which attempts to find defects early and fix them, a threat model allows security defects to be found and addressed before they even become security defects, fixing defects before they even become defects? WOW how much earlier does it get then that?

Threat models, also allow the development teams to become stronger in security, if development teams can find & identify patterns and ideas in past development that led to insecure code or items showing up in the threat model, it’s entirely possible these development teams can learn from those and address the situation differently in the future as a good forward position.

Is a threat model, a silver bullet that’s going to make your code secure? No, not at all it all depends on how everyone responds to the intelligence in the threat model. Is a vital first step to securing your code? Yes absolutely it is. Is it ever finished? No, it’s iterative just as the software it’s modeling is iterative and fluid. New features get added into the threat model, perhaps vulnerable features get removed.