
Performing threat modelling

This activity must be performed during the following phases:

  • Alpha
  • Private beta

Threat modelling identifies potential attack routes on a system or service.

This is important as it allows delivery teams to:

  • address emerging threats
  • better understand and articulate the risk posed to their systems and services
  • determine appropriate security controls and measures to manage risks in line with business needs
  • verify the effectiveness and adequacy of existing security controls

This improves the resilience of digital projects, services and systems throughout their lifespan.

Who is involved in threat modelling?

Teams should appoint an appropriate person to lead the threat modelling activity.

Suitable leads include, but are not limited to, your:

  • Information Security Officer (ISO)
  • Solution / technical architect
  • Security architect
  • Penetration tester
  • Governance, risk and consultancy (GRC) specialist consultant
  • Security consultant with experience of threat modelling

Running a threat modelling workshop is the recommended way to conduct threat modelling. Teams should follow the DfE threat modelling process and playbook to guide these workshop activities. Guidance for this is currently in development.

You should involve as many stakeholders as possible in your threat modelling workshop. This includes:

  • your development / DevOps teams
  • technical and security architects
  • your Senior Responsible Owner (SRO) / service owner

You are encouraged to use the training and guidance provided by the Cyber and Information Security Division (CISD) Security Architecture (SecArch) team before conducting threat modelling.

When should I conduct threat modelling?

You must do threat modelling during the:

  • service design and build phase
  • alpha phase, and no later than private beta phase

You also need to review threat models:

  • when it makes sense for the digital project or service and business importance
  • after a security incident
  • when the threat landscape changes, including when a new DfE Threat Assessment is released
  • when significant system changes are planned

How is threat modelling conducted?

Threat modelling involves:

  1. Documenting your system end-to-end, focusing on key components and data flow.
  2. Understanding potential system failures, component vulnerabilities and exploitation risks.
  3. Using this knowledge to mitigate threats via a variety of treatment options. For example, system redesign, implementation of proportionate security controls, or ceasing high risk activities.

We encourage you to use a recommended threat modelling approach. This should reflect the scale, complexity and importance of your digital project or service, and the technologies used.

These approaches include:

  • the STRIDE-LM (Spoofing, Tampering, Non-Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege, Lateral Movement) threat taxonomy for identifying and understanding types of threats
  • the MITRE ATT&CK framework to explore attack modelling and vulnerabilities that may apply to your service
  • attack trees for modelling attack pathways
  • the Lockheed Martin Cyber Kill Chain to understand the cyber-attack lifecycle
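As an added illustration of applying the STRIDE-LM taxonomy listed above to step 1's documented components and data flows (example code written for this page, not DfE's own tooling or process): the script enumerates candidate threats per element of a small data-flow model using the common STRIDE-per-element table, flags flows that cross a trust boundary, and applies an assumed rule that a process with a flow to another process gets a Lateral Movement entry. The sample model, element kinds and priority labels are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# "STRIDE-per-element" table: which categories apply to each element kind.
# R is the repudiation threat (the property it violates is non-repudiation).
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "datastore": "TRID"}
FLOW = "TID"
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Escalation of Privilege", "L": "Lateral Movement"}

@dataclass
class Model:
    elements: Dict[str, str]            # element name -> kind
    flows: List[Tuple[str, str, bool]]  # (source, destination, crosses trust boundary)

def enumerate_threats(model: Model) -> List[dict]:
    """One record per (element, category) the taxonomy applies to it."""
    threats: List[dict] = []
    for name, kind in model.elements.items():
        if kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind for {name!r}: {kind}")
        threats += [{"element": name, "threat": NAMES[c], "priority": "normal"}
                    for c in PER_ELEMENT[kind]]
    pivots = set()
    for src, dst, crosses in model.flows:
        # Assumed LM rule: a process with a flow to another process becomes a
        # pivot point if compromised, so it gets a Lateral Movement entry.
        if model.elements[src] == "process" and model.elements[dst] == "process":
            pivots.add(src)
        # Flows crossing a trust boundary are flagged for attention first.
        threats += [{"element": f"{src}->{dst}", "threat": NAMES[c],
                     "priority": "high" if crosses else "normal"} for c in FLOW]
    threats += [{"element": p, "threat": NAMES["L"], "priority": "normal"}
                for p in sorted(pivots)]
    return threats

def high_priority(threats: List[dict]) -> List[dict]:
    return [t for t in threats if t["priority"] == "high"]

# Constructed sample: citizen-facing web app fronting an internal API and database.
SAMPLE = Model(
    elements={"Citizen": "external", "Web app": "process",
              "API": "process", "Database": "datastore"},
    flows=[("Citizen", "Web app", True), ("Web app", "API", False),
           ("API", "Database", False)],
)

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE):
        print(f"[{t['priority']:6}] {t['element']}: {t['threat']}")
```

The output is a starting list for step 2: each record still needs the team to judge likelihood, impact and existing controls before choosing a treatment option.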

You should analyse threats in enough detail to support informed, risk-based decision making.

Your team should validate threat models as part of its SbD continuous improvement.

This is to:

  • ensure alignment to SbD principles
  • check the robustness of the threat modelling approach
  • verify the correctness of the final output

Validation should be conducted by individuals not involved in creating the original threat model.

Further reading