Threat Modeling in Layers
OpenAI. (2024). ChatGPT (4) [Large language model]. https://chat.openai.com


Much like great dips, threat models come in layers and are best when shared with friends.

Threat modeling has been enabled by many different frameworks, which generally include scoping, a structured assessment of threats, a review of controls, and an assessment of effectiveness. A good example of this is Shostack's Four Question Frame for Threat Modeling. This method, in my opinion, is the most concise way to instruct new practitioners in the art of modeling threats. Recapping those four questions for those unfamiliar with this science provides the following:

Questions to guide us during threat modeling -

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

These questions are versatile and can be adapted to almost any situation. This adaptability makes them broadly relevant and engaging, as they align with our natural instincts and inquiries. Who hasn't seen the aggressive neighborhood dog and considered the possible scenarios? Who hasn't been hiking in the woods and confidently determined that they don't have to be the fastest runner, they just can't be the slowest in the event of a bear attack?

Frameworks like this are a valuable high-level process for guiding threat modeling but could use some supplementation in areas like system representation.

ENTER THE THREE LAYER THREAT MODEL!!!

Layer 1 - Environment

Answers the question - What environment is this application or service hosted in?

  • This layer represents the environment that the system is currently housed in. This is the fundamental layer in all threat models.

  • Environmental layers can make tremendous templates for scaling further threat modeling because they could be the backbone of each and every threat model, since all items exist in some environment.
  • It is possible that if an organization maintains several threat models, they could pursue a single environmental threat model and then only add incremental threats to infrastructure in future layers.
  • Example: Application is hosted in AWS, GCP, or Azure


Layer 2 - Infrastructure

Answers the question - What type of infrastructure is used within this environment?

  • Infrastructure layer includes components that provide the technical capability of the services or functions of this application or system.
  • Templates in this layer could include practical groupings or approved architectural representations for 3-tier web applications, container services, and microservices.
  • Examples: Firewall, Load Balancer, Microsoft Entra, S3 Bucket


Layer 3 - Functional

Answers the question - What function does this system provide?

  • The functional layer includes the key functions that differentiate this system from any other system of similar infrastructure and environment
  • Templates in this layer are more complex because the functions and functional requirements are very high
  • Examples: File Processing for new patients, processing of financial data, login process
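The layering and template reuse described above can be sketched in code. This is an added example, not code from the article or its GitHub repo; the template names and threat statements are constructed for illustration, and the functions `compose` and `outstanding` are hypothetical.

```python
from dataclasses import dataclass

LAYER_ORDER = ("environment", "infrastructure", "functional")

@dataclass(frozen=True)
class Layer:
    kind: str            # position in LAYER_ORDER
    template: str        # hypothetical template name
    threats: frozenset   # threat statements attached to this template

def compose(system, layers):
    """Stack the three layers bottom-up and return, per layer, only the
    threats that no lower layer has already recorded."""
    kinds = tuple(layer.kind for layer in layers)
    if kinds != LAYER_ORDER:
        raise ValueError(f"{system}: layers must be {LAYER_ORDER}, got {kinds}")
    seen, incremental = set(), {}
    for layer in layers:
        incremental[layer.kind] = sorted(layer.threats - seen)
        seen |= layer.threats
    return incremental

def outstanding(layers, reviewed_templates):
    """Threats still to assess when some templates were reviewed elsewhere."""
    covered = set()
    for layer in layers:
        if layer.template in reviewed_templates:
            covered |= layer.threats
    todo = set()
    for layer in layers:
        if layer.template not in reviewed_templates:
            todo |= layer.threats - covered
    return sorted(todo)

# Constructed sample data: template names and threat statements are illustrative.
AWS_ENV = Layer("environment", "aws-shared", frozenset({
    "cloud IAM credentials leaked", "overly permissive network boundary"}))
WEB_3TIER = Layer("infrastructure", "three-tier-web", frozenset({
    "S3 bucket publicly readable", "overly permissive network boundary",
    "load balancer accepts weak TLS"}))
PATIENT_INTAKE = Layer("functional", "patient-file-processing", frozenset({
    "uploaded file carries malware", "S3 bucket publicly readable"}))
LOGIN = Layer("functional", "login-process", frozenset({
    "credential stuffing against login"}))

if __name__ == "__main__":
    intake = [AWS_ENV, WEB_3TIER, PATIENT_INTAKE]
    for kind, threats in compose("patient-intake", intake).items():
        print(f"{kind:15} {threats}")
    # A second system reuses the reviewed environment and infrastructure templates.
    print(outstanding([AWS_ENV, WEB_3TIER, LOGIN], {"aws-shared", "three-tier-web"}))
```

A threat that appears in more than one template is reported only at the lowest layer that records it, so each higher layer lists just what it adds.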


Conclusion

This approach will not solve or meet the needs of all organizations, but it does help reduce the complexity, or activation energy, needed to kick off an effective system representation during threat modeling.


For more information about 3 Layer Threat Models, check out this GitHub repo - https://github.com/Jayarr03/3_Layer_Threat_Model
