Everyone knows information security is important: from tuning web application firewalls, to ensuring we have a disaster recovery plan, to deploying vulnerability scanning. But one thing technology leaders need to ask themselves is, “what are the threats we face?”
Threats can come from a variety of sources, both internal and external. The news is filled with tales of hackers breaking into financial institutions, DDoS attacks on credit card companies, and data breaches due to poor software configuration.
These days, it is imperative to understand your threat landscape. Who are the actors? What does your company’s threat surface look like?
At Modus, this is a question that often presents itself when architecting a client’s application solution or aiding in building out infrastructure and DevOps pipelines. After recognizing this need in many such engagements, the team knew that Modus needed to provide our customers with a comprehensive methodology for understanding risks and how to mitigate them. Modus Security was born. The product is our proprietary methodology for analyzing what tactical and strategic items exist that customers need to address and creating actionable execution plans for remediation.
A Multi-Phased Approach
The Modus threat modeling process uses several iterative steps that start with a discovery stage and end with a final presentation. You can see what this looks like in the following diagram:
Phase 1: Due Diligence and Discovery
Due diligence comes first but has its origins in other engagements Modus has conducted over the years.
This process will be familiar to many in technology. Platform migration and system re-architecting projects for customers typically begin with a discovery phase. During this stage, consultants discover what technologies are in play, how processes are implemented, and who is responsible for owning each of the platforms.
With this view of the current landscape, the engagement moves forward with recommendations on improvements, whether that be in Quality Assurance, microservice architectures, or DevOps CI/CD pipelines. This investigation often turns up security holes: for instance, static analysis missing from the CI process, or outdated NACL configuration left behind by unmaintained infrastructure scripts.
In this phase, we understand not just what tools and technologies are in place, but how a customer addresses security, threats, and risk. This phase then helps to drive our team of experienced engineers and DevOps personnel towards areas of a customer’s system that require deeper dives and threat modeling.
Phase 2: Threat Modeling
Due diligence directly feeds into the next step: modeling threats. A threat has two components: the threat actor (who poses a risk to you) and the threat itself (what types of attack can be expected). There are in fact many methodologies for understanding these two components, including:
- PASTA (Process for Attack Simulation and Threat Analysis)
- VAST (Visual, Agile, and Simple Threat modeling)
- STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of privilege)
- OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
Additionally, numerous tools, some free and open-source, others enterprise-grade, exist to aid in diagramming this process. These include OWASP Threat Dragon (https://owasp.org/www-project-threat-dragon/), a free tool, and ThreatModeler (https://threatmodeler.com/), an enterprise-grade application that implements the VAST methodology.
Modus helps the customer not only figure out which process meets their needs but also get started with the modeling itself. Our findings from this phase not only inform the deep dive investigations but also feed back into the due diligence documentation.
Phase 2: Application and Infrastructure Deep Dives
Conducted in parallel with threat modeling, application and infrastructure deep dives help uncover tactical issues in infrastructure and source code. Whether it be production passwords accidentally committed to source code repositories or out-of-date dependencies, the client can expect a comprehensive list of the threats and vulnerabilities found, which are then turned into an actionable backlog.
As this phase evolves, Modus consultants often find larger systemic or strategic issues. These are documented alongside the tactical items in order to provide suggestions for larger projects ranging from infrastructure upgrades to deploying new security tools.
Phase 3: Security Recommendations
In Phase 3, the strategic items identified in Phase 2 are compiled, along with context and recommendations for remediation. These items are ideally addressed as longer-term projects with dedicated teams. In many instances, addressing the larger problem can also fix the tactical items at the same time. After identifying the issues, Modus security engineers are uniquely positioned to help address those threats.
The documentation presented in this step will allow customers to consider where to direct resources both short term and long term.
Phase 4: Summary and Risk Assessment
At the end of a threat modeling process, our customers have an understanding of the threats they face, a backlog of items to address, and recommendations for addressing larger risk-related items. We’ll provide an executive summary with risk assessment and conduct a final presentation for the team to help close things out.
Armed with this knowledge, they can then plan next steps to address their threat surface as part of their software development lifecycle.
Modus Security aims to not only provide a high-level overview of where problems lie, but also provide an actionable backlog of tasks for our customers’ teams to work on. At the end of the engagement, every customer should be able to answer the question: “what’s your threat surface?”