Have you ever wondered how easy your Threat Modelling job would be with the right tools?
This article provides threat modelling tools to help you threat model efficiently. Tooling can help threat modelling in several ways: it can help you create better models, or create models more fluidly. The right tools can remind you to engage in the various steps and assist you in performing them. Tools can also help you create a clearer, or even beautiful, threat model document.
In some cases, tools can also act as a constraint. You may find yourself stymied by usability issues, such as fields you are unsure how to fill out correctly, or you might find that a tool cramps your style. Some trade-offs are unavoidable as tools are created.
This article starts by describing some generally useful tools and how to apply them to threat modelling. I will then explore the open-source tools that are available, followed by commercial tools.
Generally Useful Tools
In this section, I discuss tools that are not specialised for threat modelling but can be tremendously useful. It covers a few of the more valuable ones, to encourage you to think about the tools you already use and are familiar with.
1. Whiteboards
I cannot imagine threat modelling without a whiteboard. There is no technology I have ever used that has the immediacy, flexibility, and usability for a group that a whiteboard has when iteratively drawing system architecture. Whiteboards also have the advantage of transience: drawing on paper isn't the same. On a whiteboard, no one tries to correct details such as a line not being connected properly, so the discussion can be focused on how the
For geographically dispersed teams, a webcam focused on a whiteboard may work, or you may have “virtual whiteboard” technologies that work well for you. Either way, a whiteboard is an indispensable tool for threat modelling.
2. Office Suites
Microsoft Office contains several tools that are very useful in threat modelling. Word is an excellent tool for recording threats in free form; what to file depends on the approach you have chosen. Excel can be used for issue tracking and status. Visio is excellent for turning whiteboard drawings into more precise documents. Of course, Office is one of several suites with word processing, spreadsheet, and drawing functionality. The only caveats would be the limitations of the tools. The document tool should be more than just text: a feature such as embedded images is extremely useful. Similarly, use a vector drawing tool that lets you move symbols as symbols. Automatic connector management is also beneficial, and of course this feature is not confined to Visio alone.
To state the obvious, Microsoft Word, Excel, and Visio are commercially licensed tools.
Whatever bug-tracking system you use should also be used to track threats. A good bug from threat modelling can take many forms. The form you use will influence how you title and discuss bugs, and there is no universally right way to approach it. (Remember, the right way is the way that works best for you and your organisation.) The title could express any of the following:
- The threat itself: Here the bug title is of a form such as "an attacker can threaten the component" or "the component is vulnerable to threat." For example, "the front end is vulnerable to spoofing because we use reusable passwords."
- The mitigation: Here the bug title is of a form such as "the component needs mitigation." For example, "the front end needs to run only over SSH." In the text of the bug, you should also explain the threat being mitigated.
- The need to test a mitigation: This is how you can title a bug if someone on your team says, "the front end isn't vulnerable to that." Rather than spend meeting time discussing or checking the threat, file a bug such as "Test front-end vulnerability to threat" and ensure that there are functional tests for it.
- The need to validate an assumption: These bugs are recorded to ensure that someone follows up on an assumption you discover while threat modelling and on which a security property depends. The bug should have a title such as "security depends on assumption A" or "security property X of component Y depends on assumption Z." For example, "Security depends on the assumption that no one would ever find the key in the fake rock that looks exactly like the rocks around our last house."
- Other tracking items: Treat the categories above as suggestions, not as a form into which every bug must fit. If you find something worth tracking, file a bug.
When tracking security bugs from threat modelling, there are a few fields that can make running queries and analysis more reliable. These include whether the bug is a security bug, whether it is a "stop ship," and how the bug was found (for example, threat modelling, fuzzing, code review, or customer report).
The right fields to use for bug filing will depend in large part on the queries you want to run, which of course depend on the questions you want to ask. Some questions you might want to ask include the following:
- Do we have any open security bugs?
- Do we have any open threat modelling bugs?
- Do we have any high-severity threat modelling bugs left to fix?
- How many risks are we transferring to end users in the security operations guide or via warning dialogues?
- Which department head has signed off on the most significant business risk? Which department head has signed off on the most risks?
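The fields and questions above, worked through as an added example that is not part of the original article: a small SQLite bug table carrying the suggested fields (security flag, how found, stop-ship, severity, risk transfer, sign-off), loaded with constructed sample bugs, and one query per question in the list.

```python
import sqlite3

# Constructed sample bugs (not from the article): title, is_security, found_by,
# severity, stop_ship, status, risk_transferred_to, signed_off_by
SAMPLE_BUGS = [
    ("Front end is vulnerable to spoofing (reusable passwords)", 1, "threat modelling", "high", 1, "open", None, None),
    ("Front end needs to run only over SSH", 1, "threat modelling", "medium", 0, "open", None, None),
    ("Test front-end vulnerability to tampering", 1, "threat modelling", "low", 0, "fixed", None, None),
    ("Security depends on the key in the fake rock staying hidden", 1, "threat modelling", "high", 0, "open", None, None),
    ("Parser crash on malformed header", 1, "fuzzing", "high", 1, "open", None, None),
    ("Typo in settings dialog", 0, "customer report", "low", 0, "open", None, None),
    ("Users must rotate API keys themselves", 1, "threat modelling", "medium", 0, "wont-fix", "ops guide", "Alice"),
    ("Warn before opening unsigned plug-ins", 1, "code review", "medium", 0, "wont-fix", "warning dialogue", "Alice"),
    ("Accept shared admin account in the lab", 1, "threat modelling", "high", 0, "wont-fix", None, "Bob"),
]

SCHEMA = """
CREATE TABLE bugs (
    id INTEGER PRIMARY KEY,
    title TEXT NOT NULL,
    is_security INTEGER NOT NULL,   -- 1 if this is a security bug
    found_by TEXT NOT NULL,         -- threat modelling / fuzzing / code review / customer report
    severity TEXT NOT NULL,         -- low / medium / high
    stop_ship INTEGER NOT NULL,     -- 1 if the bug blocks release
    status TEXT NOT NULL,           -- open / fixed / wont-fix
    risk_transferred_to TEXT,       -- ops guide / warning dialogue when the risk is pushed to users
    signed_off_by TEXT              -- department head who accepted the risk
);"""

# One query per question in the article's list
QUERIES = {
    "open_security": "SELECT COUNT(*) FROM bugs WHERE is_security=1 AND status='open'",
    "open_tm": "SELECT COUNT(*) FROM bugs WHERE found_by='threat modelling' AND status='open'",
    "high_tm_left": "SELECT COUNT(*) FROM bugs WHERE found_by='threat modelling' AND severity='high' AND status='open'",
    "risks_to_users": "SELECT COUNT(*) FROM bugs WHERE risk_transferred_to IS NOT NULL",
    "most_risks_signed": "SELECT signed_off_by, COUNT(*) AS n FROM bugs WHERE signed_off_by IS NOT NULL "
                         "GROUP BY signed_off_by ORDER BY n DESC LIMIT 1",
    "biggest_risk_signed": "SELECT signed_off_by FROM bugs WHERE signed_off_by IS NOT NULL ORDER BY "
                           "CASE severity WHEN 'high' THEN 3 WHEN 'medium' THEN 2 ELSE 1 END DESC LIMIT 1",
}

def build_db() -> sqlite3.Connection:
    """Create an in-memory tracker with the suggested fields and load the sample bugs."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO bugs (title, is_security, found_by, severity, stop_ship, status, "
                    "risk_transferred_to, signed_off_by) VALUES (?,?,?,?,?,?,?,?)", SAMPLE_BUGS)
    return con

def answer(con: sqlite3.Connection, question: str):
    """Run the named query; scalar results come back as a value, multi-column rows as a tuple."""
    row = con.execute(QUERIES[question]).fetchone()
    return row[0] if len(row) == 1 else tuple(row)

if __name__ == "__main__":
    db = build_db()
    for q in QUERIES:
        print(f"{q}: {answer(db, q)}")
```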
There are a variety of open-source tools for threat modelling available. These open-source tools illustrate some of the challenges in creating a high-quality threat modelling tool.
There are two tools named TRIKE. The first was a desktop tool, developed in Smalltalk. That tool is no longer being actively maintained, and TRIKE is now implemented in a spreadsheet. According to the documentation, it works best in Excel 2011 for Macintosh (TRIKE, 2013). TRIKE is sometimes referred to as "OctoTrike."
TRIKE does not fit cleanly into the four-stage framework for threat modelling. The TRIKE spreadsheet contains 19 pages, grouped as follows: one overview; seven main threat pages (actors, data model, intended actions, connections, protocols, threats, and security objectives); four record-keeping pages (use case index, use case details, document index, and development team); and seven reference sheets (actor types, data types, action, network layers, meaningful threats, intended response, and guide words). As of the writing of this article, the help spreadsheet appears to be a reference document, not an introduction to the system.
SeaMonster is an Eclipse-based attack tree and misuse case tool that was developed by students at the Norwegian University of Science and Technology. It appears to have been abandoned since 2010 (SeaMonster, 2013). However, the code is still available.
5. Elevation of Privilege
Elevation of Privilege (the game) is designed to be an easy way to get started with threat modelling. This tool works by inviting individuals to participate in a game. The game consists of 74 physical playing cards in six suits, named for the STRIDE threats, with most suits having cards 2 through Ace. Two suits have fewer cards to avoid redundant threats, as it was challenging to find broadly applicable threat instances that were easily explained on a card. Each card has a specific example of a STRIDE threat. For example, the 6 of Tampering reads "An attacker can write to a data store your code relies on."
The Elevation of Privilege files can be downloaded from http://www.microsoft.com/sdl/adopt/eop.aspx. Before starting Elevation of Privilege, participants or the game organiser create a diagram of the system being modelled. Players then come together for a game. The game organiser explains the rules of the game, and may ask players to "put their scepticism on hold." The game starts by dealing out the deck and is then structured into turns. Once play has gone once around the table, the hand ends. The player who played the highest card wins the hand. The highest card is the highest card in the suit that was led, unless a card from the Elevation of Privilege suit was played, in which case the highest Elevation of Privilege card played wins the hand. (Elevation of Privilege threat cards rank above whatever suit was led, and only Elevation of Privilege cards can win a hand when someone leads in another suit.) Players get a point for connecting the threat on their card to the diagram with a "buggable threat," and a point for winning the hand by playing the highest card, either in the suit that was led or in EoP. Any EoP card trumps the suit that was led. To encourage creativity, the Ace of each suit reads "You have invented a new threat," while the other threats are enumerated on the cards included in the pack. The game ends either when the allocated time has elapsed or when all the cards have been played; the winner of the game is the player with the most points.
A buggable threat is one a team identifies and is willing to file a bug for. It is a simple and implicit element of most software development. Some teams may find it more helpful to ask, "would we add that to the backlog?" However you want to approach it (in the context of the game), you want an understandable and shared bar to test threats against, so you focus on finding the good ones. Games are less threatening than "serious" work, and they provide structure and hints to the beginner, enabling new players to find a threat based on the cards in their hand. The game is also intended to help players find a flow state.
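The hand and scoring rules described above, encoded as an added example that is not part of the original article or of the Elevation of Privilege materials: the highest card in the suit led wins unless an EoP card was played, and a player scores a point per buggable threat plus a point for winning the hand. The player names and hands are constructed.

```python
from dataclasses import dataclass

EOP = "Elevation of Privilege"
SUITS = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
         "Denial of Service", EOP)
# Card ranks run 2 through Ace; the Ace is the "You have invented a new threat" card
RANKS = {str(n): n for n in range(2, 11)}
RANKS.update({"J": 11, "Q": 12, "K": 13, "A": 14})

@dataclass(frozen=True)
class Play:
    player: str
    suit: str
    rank: str
    buggable: bool  # the player connected the card's threat to the diagram and a bug will be filed

def hand_winner(plays: list[Play]) -> str:
    """Highest EoP card wins if any EoP card was played; otherwise the highest card in the suit led."""
    led = plays[0].suit
    eop_cards = [p for p in plays if p.suit == EOP]
    pool = eop_cards or [p for p in plays if p.suit == led]
    return max(pool, key=lambda p: RANKS[p.rank]).player

def score_game(hands: list[list[Play]]) -> dict[str, int]:
    """One point per buggable threat, plus one point to the winner of each hand."""
    points: dict[str, int] = {}
    for plays in hands:
        for p in plays:
            points[p.player] = points.get(p.player, 0) + int(p.buggable)
        winner = hand_winner(plays)
        points[winner] = points.get(winner, 0) + 1
    return points

# Constructed two-hand game: Carol's 3 of EoP trumps the Tampering lead in hand 1
SAMPLE_HANDS = [
    [Play("Alice", "Tampering", "6", True), Play("Bob", "Tampering", "9", False),
     Play("Carol", EOP, "3", True)],
    [Play("Bob", "Spoofing", "10", True), Play("Carol", "Spoofing", "K", True),
     Play("Alice", "Repudiation", "A", False)],  # off-suit Ace cannot win the hand
]

if __name__ == "__main__":
    print(score_game(SAMPLE_HANDS))
```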
Microsoft makes the files (source and PDF) available under a Creative Commons BY 3.0 licence, allowing you to take it, modify it, create derivative works, and even sell it if you want.
Here are a few commercially available threat modelling tools. I have mentioned a few commercial tools as examples, but caveat emptor.
ThreatModeler from MyAppSecurity.com is a defence-oriented tool based on data elements, roles, and components. It uses a set of attack libraries, including the MITRE CAPEC, the WASC threat classification, and others. The tool generates attack trees with the component as the root, requirements that can be violated as the first level of subnodes, and then threats and attacks as the remaining layers. According to the documentation, ThreatModeler is intended to be used by architects, developers, security professionals, QA professionals, or senior executives. ThreatModeler requires Windows.
Corporate Threat Modeler from SensePost is a tool built to support a methodology designed after an analysis of the strengths and weaknesses of some threat modelling approaches. Those approaches included threat trees and OCTAVE, a US-CERT-originated system for threat modelling a business (White, 2010). The analysis also looks at Microsoft's SDL Threat Modelling Tool v3 and the Microsoft "IT Infrastructure Threat Modelling Guide" (McRee, 2009), which shows how to use STRIDE-per-element to threat model IT infrastructure.
The Corporate Threat Modeler was explicitly designed for consultants. Insofar as it was developed with an explicitly stated target user (not "everyone"), it is one of the most exciting tools on the market. The approach starts with an architectural overview and then applies a somewhat complex risk equation. The tool is free to download if you want to test-drive it; visit http://www.threatmodeler.com
SecurITree is threat risk software from Amenaza Technologies, which was launched in 2007 to positive reviews (SC Magazine, 2007). The product seems well thought through for constructing, managing, and interpreting threat trees. It contains not only the ability to maintain trees but a set of ways to filter those trees. Each node in the tree has behavioural/capability indicators: a cost to execute, noticeability, and technical ability. It also has impact/attacker-benefit indicators of attacker gain and victim loss, along with stored notes for a node or subtree. You can filter the tree based on a given attacker ability. SecurITree comes with a library of threat trees, which is likely to help its customers get to the exciting part of the threat modelling work faster. SecurITree also includes some excellent screencast-delivered training (Ingoldsby, 2009). The tool runs on Windows, Mac, and Linux. You can download the tool here: https://www.amenaza.com/
If you are using threat trees at a research institution, the Little-JIL software may be helpful. “Little-JIL is a graphical language for defining processes that coordinate the activities of autonomous agents and their use of resources during the performance of a task.” It has been used for creating an elections process model and a set of fault trees for that model (Simidchieva, 2010). The full fault trees are available as a graphical model. The software used to create and process the models may be freely used at research institutions (Laser, undated). You can read more about Little-JIL process definition language here: https://bit.ly/2SwZpp5
10. Microsoft SDL Threat Modelling Tool
To date, Microsoft has shipped at least four families of threat modelling tools. They are the Elevation of Privilege card game, the SDL Threat Modelling Tool v3, the Threat Analysis and Modelling Tool, and the Threat Modelling Tool v1 and v2. I was the project lead for Elevation of Privilege and the SDL Threat Modelling Tool v3 and 3.1. The currently available SDL Threat Modelling Tool is (or has been) available free from Microsoft.
The SDL Threat Modelling Tool v3 was designed in reaction to the complexities and usability issues encountered when engineers who were not threat modelling experts tried to use the older tools. It was the first tool designed around the four-stage framework. The tool has four primary screens, designed around the tasks that naturally fit together: Draw Diagrams, Analyse Model, Describe Environment, and Generate Reports. The Draw Diagrams screen, shown in Figure 1-1, includes both the capability to draw diagrams with a constrained Visio stencil set and a diagram validation section with heuristics. The Analyse Model screen, shown in Figure 11-3, is automatically filled out with threats according to STRIDE-per-element.
Each threat instance contains a set of guiding questions to help engineers think through the threat, and an area to record the threat and its mitigation, to track whether work on the threat is complete, and to file a bug. The Describe Environment screen is something of a catch-all for assumptions, external notes, and the context of the threat model. The Reports screen includes an all-up report, an open-issues report, a list of bugs, and a diagrams-only report intended to facilitate printing. The tool also contains a manual, a sample threat model (for the tool itself), and a getting-started guide, all accessible via the Help menu.
The default diagram is present in the tool because human factors testing has shown that a blank screen sometimes stymies less experienced threat modellers. Providing that group with a starting diagram serves two purposes. One, it demonstrates what is expected in that space. Two, rather than needing to create a diagram, a novice can modify what's already there, which is an easier task.
One feature worth mentioning from Figure 1-1 is the Help menu. Generally, help is a menu option that software engineers ignore because they believe they are too smart to need to read what they expect will be a poorly written help file.
The Analyse Model screen shown in Figure 1-2 has two panes. The upper pane is a list of model elements and the threats associated with them; the bottom pane is populated with the threat properties of the selected element.
There is also a command link to "Certify that there are no threats of this type." The last element on the screen is where the threat modeller describes the threat impact and how it will be mitigated. Most of that is done in two large text entry boxes, but there is also a finished check box, a "file bug" command link, and a completion bar. There is also an Add Threat command link in case someone discovers an additional tampering threat against the results data flow.
The bug filing is intentionally abstracted into an API, and the tool ships with sample code to connect to a variety of bug tracking systems or to allow you to connect to whatever you use.
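As an added illustration (not the tool's own code) of what the Analyse Model screen automates: the standard STRIDE-per-element chart applied to a constructed data-flow diagram, plus the "certify that there are no threats of this type" action and a per-threat record with mitigation text, a finished flag and a bug id, mirroring the fields described above. The element names and the bug-filing callback are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Standard STRIDE-per-element chart: which threat types apply to each DFD element kind.
# Repudiation on data stores applies mainly to stores that hold logs.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
THREAT_NAME = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
               "I": "Information disclosure", "D": "Denial of service",
               "E": "Elevation of privilege"}

@dataclass
class ThreatRecord:
    element: str
    threat: str
    description: str = ""
    mitigation: str = ""
    finished: bool = False
    bug_id: Optional[int] = None
    certified_none: bool = False

@dataclass
class Model:
    elements: list[tuple[str, str]]          # (element name, element kind)
    threats: list[ThreatRecord] = field(default_factory=list)

    def analyse(self) -> list[ThreatRecord]:
        """Auto-fill the threat list the way the Analyse Model screen does."""
        self.threats = [ThreatRecord(name, THREAT_NAME[code])
                        for name, kind in self.elements
                        for code in "STRIDE" if code in STRIDE_PER_ELEMENT[kind]]
        return self.threats

    def open_threats(self) -> list[ThreatRecord]:
        return [t for t in self.threats if not t.finished and not t.certified_none]

    def certify_none(self, element: str, threat: str) -> None:
        """'Certify that there are no threats of this type' for one element."""
        for t in self.threats:
            if (t.element, t.threat) == (element, threat):
                t.certified_none = True

    def file_bug(self, element: str, threat: str, filer: Callable[[str], int]) -> int:
        """Hand the threat to whatever tracker the caller wires in (the tool's bug API is abstracted)."""
        for t in self.threats:
            if (t.element, t.threat) == (element, threat):
                t.bug_id = filer(f"{element}: {threat}: {t.description}")
                return t.bug_id
        raise KeyError((element, threat))

# Constructed sample diagram
SAMPLE_MODEL = Model([("Browser", "external_entity"), ("Web app", "process"),
                      ("Results DB", "data_store"), ("Results data flow", "data_flow")])
```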
The SDL TM Tool v3.1 series is a free download from Microsoft at www.microsoft.com/security/sdl/adopt/threatmodelling.aspx, and it requires Visio 2007 or 2010 to work. The tool is compatible with the Visio 2010 evaluation version. A newer version of this tool may become available; please check the Microsoft website for further information.
There are a wide variety of tools available for threat modelling. General-purpose tools such as whiteboards and bug-tracking systems can be beneficial, and tools such as word processors, spreadsheets, and diagramming tools can be used to help you threat model. Also available are a variety of specialised threat modelling tools. Microsoft has shipped several of these free, including Elevation of Privilege and the SDL Threat Modelling Tool, and you can find other commercial and open-source tools that may aid your efforts. There is also demand for tools that can automate model creation or threat identification, although such tools may come at a high price if they appear to find threats while missing new ones, or are used too late in the development process.