Threat Modeling with the D3FEND Ontology & D3FEND CAD

A simple three-step process to model your system, threats, and design countermeasures.

Target Audience

Cyber Threat Intel Analysts, Incident Responders, Model-based Systems Engineers

Published: Dec 16, 2025, Last Modified: Dec 16, 2025

1.3.0


Background

There is no shortage of methodologies, mental models, frameworks, or tools to help model threats against systems. Some focus on physical threats, some on cyber threats. Additionally, we see significant diversity in the individuals analyzing threats against systems, each with their own somewhat unique approach.

We believe the D3FEND Ontology can unify these different contexts for threat modeling activities and normalize the elements represented in various models and tools. You cannot compare one threat model to another if none of their elements share a common ontological foundation. Our goal is that the D3FEND Ontology works with existing methodologies and tools to help unify the content being produced.

While our work toward interoperability continues, we see D3FEND CAD users building threat models for their systems in CAD. We therefore provide a simple methodology skeleton that walks you through basic threat modeling with D3FEND.

Thus, whether you are a security architect, systems engineer, IT security professional, or dedicated threat modeling professional, we hope you can see where your current methodology would plug into this simple process.

Basic Threat Modeling Process

We use a simple three-step process with the D3FEND Ontology to model a system, generate threat scenarios, and begin designing countermeasures.

In the diagram below, “link to” labels indicate where one modeled element (event, artifact, action, etc.) should be connected to another along a path in your D3FEND CAD graph.

Step 1. Model what is important

Model the important technology and associated processes in your system in the context of your organization’s mission (corresponding to Steps 1.1 and 1.2 in the diagram below).

Note: there are many different methods for identifying a starting point for which technology systems are important; we are not prescribing a particular process for that.

Step 2. Model the problems

Select and model an attacker prototype and their specific access to your system’s interfaces and connectivity to the artifacts identified in step one. Depending on your perspective, you might first sketch the attacker’s kill chain (Step 2.3) and then connect it to system artifacts (Step 2.2), or start from the artifacts and work toward a kill chain; the key is to link them along a realistic path.

Note: the goal here is to identify realistic attacker pathways through your system, and how they can connect to and potentially negatively affect the technology and processes modeled in Step 1.

Step 3. Improve your system design

Select and model security countermeasures which apply to the chain (information pathway) of artifacts identified in steps one and two, linking each countermeasure to the artifact it protects.

Note: finally, with realistic graphs of artifact chains, design and prioritize your countermeasures to defend your mission-critical processes and technologies from attack.
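The three steps above, carried through as a small graph in Python. This is an added example, not D3FEND CAD's own code or its file format, and the system, mission and attacker are constructed for illustration. The relation names (depends-on, initial-access, precedes, may-access, may-modify, may-create, hardens, filters) follow D3FEND's naming style but are assumptions here; the T-numbers are real ATT&CK technique IDs, and the D3-codes are D3FEND technique labels used for illustration and should be checked against the ontology before reuse. The payoff is the last method: given the mission's artifact chain and the attacker's kill chain, it reports every attack step whose target artifact has no countermeasure linked to it yet, mission-critical artifacts first.

```python
"""Three-step D3FEND-style threat model as a property graph (added example)."""

MISSION, ARTIFACT, ATTACKER, OFFENSIVE, DEFENSIVE = (
    "MissionProcess", "DigitalArtifact", "Attacker",
    "OffensiveTechnique", "DefensiveTechnique",
)
# Assumed relation names in D3FEND's style: technique -> artifact, countermeasure -> artifact.
ATTACK_RELS = {"may-access", "may-modify", "may-create"}
DEFEND_RELS = {"hardens", "filters", "analyzes", "isolates"}


class ThreatModel:
    """Nodes carry a kind; edges are (source, relation, target) triples."""

    def __init__(self):
        self.kind = {}
        self.edges = []

    def node(self, name, kind):
        self.kind[name] = kind

    def link(self, src, rel, dst):
        # Every element must be modeled before it is linked, so a typo in a
        # name fails here instead of silently creating an orphan node.
        for n in (src, dst):
            if n not in self.kind:
                raise KeyError(f"unmodeled element: {n!r}")
        self.edges.append((src, rel, dst))

    def targets(self, src, rels):
        return {d for s, r, d in self.edges if s == src and r in rels}

    def sources(self, dst, rels):
        return {s for s, r, d in self.edges if d == dst and r in rels}

    def mission_artifacts(self, mission):
        """Step 1 view: every artifact the mission depends on, transitively."""
        seen, stack = set(), [mission]
        while stack:
            for d in self.targets(stack.pop(), {"depends-on"}):
                if d not in seen:
                    seen.add(d)
                    stack.append(d)
        return seen

    def kill_chain(self, attacker):
        """Step 2 view: the attacker's techniques, walked in 'precedes' order."""
        chain, frontier = [], sorted(self.targets(attacker, {"initial-access"}))
        while frontier:
            step = frontier.pop(0)
            if step not in chain:
                chain.append(step)
                frontier.extend(sorted(self.targets(step, {"precedes"})))
        return chain

    def coverage_gaps(self, attacker, mission):
        """Step 3 input: (technique, artifact, mission_critical) for each artifact
        the kill chain touches that has no countermeasure linked to it."""
        critical = self.mission_artifacts(mission)
        gaps = []
        for step in self.kill_chain(attacker):
            for art in sorted(self.targets(step, ATTACK_RELS)):
                if not self.sources(art, DEFEND_RELS):
                    gaps.append((step, art, art in critical))
        return sorted(gaps, key=lambda g: not g[2])  # critical first, chain order kept


def build_model():
    """Constructed example: an order-fulfilment web app and an external attacker."""
    m = ThreatModel()
    # Step 1: model what is important.
    m.node("Fulfil customer orders", MISSION)
    for a in ("Order web app", "Orders database", "Web admin account",
              "Outbound network traffic"):
        m.node(a, ARTIFACT)
    m.link("Fulfil customer orders", "depends-on", "Order web app")
    m.link("Order web app", "depends-on", "Orders database")
    m.link("Order web app", "depends-on", "Web admin account")
    # Step 2: attacker prototype, its kill chain, and the artifacts each step touches.
    t1190, t1078, t1005, t1041 = (
        "T1190 Exploit Public-Facing Application", "T1078 Valid Accounts",
        "T1005 Data from Local System", "T1041 Exfiltration Over C2 Channel")
    m.node("External attacker", ATTACKER)
    for t in (t1190, t1078, t1005, t1041):
        m.node(t, OFFENSIVE)
    m.link("External attacker", "initial-access", t1190)
    m.link(t1190, "precedes", t1078)
    m.link(t1078, "precedes", t1005)
    m.link(t1005, "precedes", t1041)
    m.link(t1190, "may-modify", "Order web app")
    m.link(t1078, "may-access", "Web admin account")
    m.link(t1005, "may-access", "Orders database")
    m.link(t1041, "may-create", "Outbound network traffic")
    # Step 3: countermeasures modeled so far (deliberately incomplete).
    m.node("D3-MFA Multi-factor Authentication", DEFENSIVE)
    m.node("D3-OTF Outbound Traffic Filtering", DEFENSIVE)
    m.link("D3-MFA Multi-factor Authentication", "hardens", "Web admin account")
    m.link("D3-OTF Outbound Traffic Filtering", "filters", "Outbound network traffic")
    return m


if __name__ == "__main__":
    for step, art, crit in build_model().coverage_gaps("External attacker", "Fulfil customer orders"):
        print(f"{'CRITICAL' if crit else 'gap'}: {step} -> {art} has no countermeasure")
```

Run as-is, the model reports two uncovered, mission-critical artifacts: the web application reached by T1190 and the database reached by T1005; the admin account and the outbound traffic are already covered by the modeled MFA and outbound filtering. Adding a countermeasure edge to an artifact removes it from the report, which is the iteration loop the third step describes: extend the countermeasure set until the chain of artifacts your mission depends on has no uncovered links.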