An Introductory Guide to Threat Modeling from Nova Leah 

What is Threat Modeling?  

Threat modeling is a method used for identifying security objectives, risks, and vulnerabilities across a system, and then defining countermeasures to prevent, or mitigate the effects of, threats to a system throughout its lifecycle.  

A threat model is a structured representation of all the information that impacts the security of an application. In essence, a threat model is a view of an application and its environment through the lens of security. Threat modeling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes. 

As part of the risk assessment, FDA recommends that threat modeling be performed throughout the design process and be inclusive of all system elements. To achieve maximum benefit, a high-level threat model should be defined in the planning phase, and then refined throughout the product life cycle.  

As more details are added to the system, new attack vectors are created and exposed. The ongoing threat modeling process should thus examine, diagnose, and processes should be put in place to mitigate these threats. In this way threat modeling provides a blueprint to strengthen security throughout the product life cycle, thereby ensuring the safety and effectiveness of medical devices. 

MITRE’s Playbook for Threat Modeling Medical Devices

For years, FDA has recognized the value of threat modeling as an approach to strengthen the cybersecurity and safety of medical devices. To increase knowledge and understanding of threat modeling throughout the medical device ecosystem, FDA engaged with MITRE, the Medical Device Innovation Consortium (MDIC), and Adam Shostack to conduct a series of threat modeling bootcamps and develop a playbook based on the learnings from those bootcamps. 

The resulting playbook discusses best practice for applying modern threat modeling techniques within the medical industry. The playbook can be viewed in full here.  

A Simple 4 Question Framework for Implementing Threat Modeling  

Threat modeling is intended to be a systematic and repeatable method of identifying cybersecurity threats and identifying processes for mitigating those threats. The threat modeling process can be broken down into four key questions. This Four Question Framework was developed by Adam Shostack as part of the MITRE Playbook and is intended to add structure to the threat modeling process. This framework is detailed in full within the MITRE Playbook.   

The four questions run as follows, with extracts provided from the MITRE Playbook itself: 
 

1. What are we working on? 

“To help answer the first question, this section focuses on structured brainstorming and modeling techniques for diagramming medical devices that are being threat modeled. While unstructured brainstorming can certainly be productive, using a more structured approach can help identify gaps in an understanding of the system that might not be apparent with a more ad-hoc approach. More importantly, using a structured methodology can make it easier to share results with others who are also familiar with these techniques.” 
 

2. What can go wrong? 

 In the MITRE Playbook, “the techniques and approaches highlighted are intended to help organizations avoid common pitfalls that occur during the threat modeling process. The Playbook focuses on structured threat modeling techniques and will minimize asking threat modeling teams to “think like an attacker.” Thinking like an attacker is a loaded phrase that often comes up in threat modeling discussions and revolves around the idea of defenders trying to get inside the mind of attackers and predicting what strategies those attackers are going to follow.” 

3. What are we going to do about it? 

“At this point in the threat modeling process, the question of “what are we going to do about it?” is better understood as “how do we manage the risk from the threats we have identified?”. It is tempting to focus on defensive techniques. For example, if there is a threat “X”, then apply solution “Y” to mitigate it. But threats are continuously evolving, and the systems being developed all have their unique features. Therefore, this Playbook will instead focus on the broader problem that frequently pops up in threat modeling: the silent acceptance and transferral of risk. Overall, there are four main strategies for addressing threats; eliminate, mitigate, accept, transfer.” 
 

4. Did we do a good job?  

“The question “Did we do a good job?” serves two purposes. The most immediate impact of this question is to ask, “Is the current threat modeling task complete?” While threat modeling is a continuous process and is most effective when updated and refined over the lifetime of a product, there is a time to finalize documentation. The second, longer term goal of this question is to ask if a threat modeling process is working as desired, or whether there can be improvements made. The challenge involves identifying where and how to receive feedback on the effectiveness of threat modeling processes.