One of the things we've discovered is that the terms Threat, and Attack are often used interchangeably, which most often leads to incorrect interpretation of their meanings. Security, and in particularly Threat Modeling are about Risk Management in their core. So they are often used in the same conversations.
The two terms that get mixed up most often are Threat and Attack. The traditional version of Threat Modeling, where you are performing data-flow tracing through your application, is actually more about Attack Modeling, than Threat Modeling. Let's define a couple terms at this point.
- A Threat is the possibility of something bad happening. (qualitative)
- A Risk is the quantifiable likelihood of loss due to a realised Threat (quantitative)
- An Attack is when a vulnerability is exploited to realise a Threat.
So by those definitions, you can not have an Attack, or a Risk without a Threat. If there is nothing to gain, or exploit, then there is nothing to attack and you have no risk. This is part of the view from traditional security approaches where you don't have a risk, or threat if there is no asset in danger. The traditional risk management approach identified assets, and values them in order to determine the potential damage of a realised threat. This results in a defined risk.
One of the points we need to make here is that when you try to model things from an adversarial viewpoint, you are Attack Modeling, not Threat Modeling. When you start with a vulnerability, and see what kind of damage you can do, you are modeling an attack. This is how traditional 'bug hunting' "threat modeling" operates. So technically, we haven't been threat modeling at all, we've been attack modeling.Examples:
- THREAT: Getting our customer data exposed to unauthorised individuals.
- RISK: The likelihood of getting our customer data exposed is medium and if realised would result in a $5,000,000 financial loss in addition to loss of customer loyalty.
- ATTACK: Exploiting an SQL Injection vulnerability resulting in the bad guy being able to download the customer database.
It is important to remember this distinction when you are performing your security evaluations, threat modelling, and penetration testing.
The current ACE Threat Modeling methodology is all about Threat Modeling. We start by defining the threats. We then see how these threats could be realised (potential vulnerabilities and associated attacks) which allows us to implement the mitigations. Traditional 'threat modeling' started with identifying assets, then looking for vulnerabilities that could be exploited to attack those assets. This is actually Attack Modeling.
It's not that there's anything wrong with attack modeling, but from a defender's perspective you actually want to be doing Threat Modeling. Knowing these terms and how they differ will help you get the right mindset for the tasks you are performing.