Threat Modeling Fails In Practice
Would be interested in readers thoughts on Ian G’s post here:
Shostack + Friends Blog Archive
8 comments on "Threat Modeling Fails In Practice"
Comments are closed.
Would be interested in readers thoughts on Ian G’s post here:
Comments are closed.
I completely agree with the premise of the article. I’m skeptical that threat modeling provides any real value, especially given the effort. I would state the argument against threat modeling more directly: threat modeling describes possibilities, not probabilities. The threat modeling approach tries to predict what the enemy will do, and even experts are only slightly better than random chance at predicting the future. (http://www.freakonomics.com/2011/09/14/new-freakonomics-radio-podcast-the-folly-of-prediction/) Humans are hardwired to imagine and invent new threats, so given an opportunity to do so, they do. Threat modeling fails because we end up fighting an imaginary threat.
If we actually modeled the threats, their motivations, and their current techniques; what is likely, rather than playing the “what if” guessing game, threat modeling might be useful. Although such a change would make threat modeling reactive, the evidence we have suggests that’s the best we can do.
I however do not agree with what is being said about threat models in the article (and previous commentator). To me it seems as if it’s assumed(or suggested) that we constantly have to come up with new threats, that is not the case.
To me threat modelling fills a valid purpose if used correctly, namely to deal with known and established threats. There are a plethora of possible threats depending on what type of system, or process you are analyzing, implementing or developing.
Assuming you have a pre-established database of threats it can be a most excellent way of ensuring that you’ve appropriately dealt with these potential issues when developing a new system, or implementing a new process.
The use of a threat database can “force” developers, and management alike, to address problems that occur in real life and that really should be avoided. It’s a way of ensuring that you’ve covered common pitfalls for your particular type of system, or process.
The threat modelling does not, and should not, deal with probabilities, those are dealt with in the risk analysis when you attempt to factor in things such as vulnerabilities, threat-agents (motivation, resources etc). The threat model’s purpose is to ensure you’ve erected a solid foundation.
That’s part of the reason of why I don’t agree with the article. I also think the author is careless with the usage of the various words involved giving rise to even more confusion as to what we are actually talking about.
If the author had spent a few sentences on defining the terminology it would have helped; I still think his basic argument is incorrect.
@John,
Sounds reasonable, but: how often do we really know probabilities in information security, how often do we know them beforehand, and how often do our design decisions change probabilities in a perfectly predictable way? My answer – which I would be happy to see corrected with sufficient evidence – to these questions is: almost never. If we are honest with ourselves, more often than not we have not the slightest idea whether applying a security mechanism/control/measure will make us more secure in the end or not. Add password authentication to a service – congratulations, you just increased the risk of your users losing their “web password” in a breach.
I’d love to see more risk modeling, but I firmly believe that we are incapable of doing it with a rather small number of exceptions.
Also want to add that I find it somewhat humorous that a site named financialcryptography presents an invalid certificate for identification. Is that intentionally?
@ Christopher
yes, it is intentional. The certificate is valid, your browser however does not recognise the certification authority which is called CAcert. If you add CAcert’s roots into your browser you’ll find your browser now reports it as valid.
The “intentional” point is that there is a big difference between what your browser says is “valid” and other things that are discussed on this blog and others… But yeah, it’s a sisyphean point of little value.
@ Christoffer:
I agree that threat modeling *may* be useful if you have a pre-established database of threats, based on real-world threat intelligence. I haven’t seen threat modeling done this way; I think it’s more typical for developers or infosec to invent threats based on speculation or guesswork.
I disagree that threat modeling should not deal with probable threats, as setting aside likelihood forces you to address ALL possible threats (impossible), or some subset of possible threats. If we shouldn’t choose which possible threats based on likelihood, or better yet, risk, then how do we choose? Furthermore, I don’t think threat modeling is the right way to define a secure foundation – that should be done with well-defined security requirements.
@ Sven:
Historically, we haven’t know probabilities, due to the lack of data you cite. However, I think we are starting to see data that can help, including the threat intelligence programs at Verizon, Microsoft, and Symantec. I do think we’re starting to get enough useful data to start building libraries that include methodologies that could be used for threat modeling, but as you say, that may be a ways off.
John,
Not to myopically focus too much on one aspect of your reply but I’d offer that “not knowing probabilities” is more of a result of a Fisher (frequentist) view of statistical methods being the only tool many know, and, the model vs. data mini-paradox/catch-22 we find ourselves in that prevents all but the most basic analysis.