Introduction
As the sports saying goes, “The best defense is a good offense.” The idea is to gain a strategic advantage against an opponent by anticipating their move and forcing them into a defensive, reactive state. The same applies to cyber security. In the age of cloud, Agile SDLCs, and an ever-increasing attack surface, it has become imperative for businesses to embrace proactive security practices to effectively safeguard their assets and
systems. Two vital approaches, often practised in isolation, are Threat Modeling and Penetration Testing.
But by combining these two practices, organizations can create a powerful cycle that enhances their security
posture. In this article, we will explore the concepts of Threat Modeling and Penetration Testing and highlight
how they work in synergy together.
Threat Modeling
Threat modeling is a systematic approach to identifying and mitigating potential security threats to a system. The
process typically follows the well-known Shostack four-question model, which helps guide the analysis:
- What are we working on? | What is being built and how does it work?
- What can go wrong? | What are the potential opportunities for threats to be realized?
- What are we going to do about it? | Can suitable countermeasures be developed to mitigate the threats?
- Did we do a good enough job? | Regular evaluation and validation of the threat model to ensure that it
remains robust and effective over time.
The benefits of threat modeling are significant. It enables organizations to identify vulnerabilities early in the
development process, prioritize resources on critical or most at-risk assets, and implement targeted
security measures.
Penetration Testing
Penetration testing, often referred to as simply ‘pentesting’ or ethical hacking, is a controlled attempt to exploit
vulnerabilities within an organization's systems. It follows a well-defined methodology to simulate real-world
attacks and assess the effectiveness of defenses.
The penetration testing process typically includes the following steps:
- Planning and reconnaissance: Gathering information about the target systems and identifying potential entry points.
- Scanning and enumeration: Using specialized tools to scan for vulnerabilities and enumerate the exposed services.
- Exploitation and gaining access: Attempting to exploit the identified vulnerabilities and gain unauthorized access to the system.
- Post-exploitation and maintaining access: Once access is gained, testers explore the system further to assess the extent of potential damage (impact) and evaluate the system's resilience against attacks.
- Reporting and recommendations: Documenting the findings, including vulnerabilities, exploited entry points, and recommendations for remediation.
Penetration testing serves as a crucial validation mechanism for the effectiveness of the threat model. A pentest has inherent limitations, however:
- Time: Testers generally only have 1-2 business weeks to attempt as much as possible. Given there is no specific objective, they must first figure out what they’re working with systems-wise, identify the vulnerabilities to test, develop the exploits, and test them. This can include database, network pivot, IAM, cloud, web application, container, Active Directory, etc. So pentesters have a noticeably brief time in which to ‘throw the kitchen sink’ at a system to find as much as possible.
- Resources: Pentests can be costly and as a result generally only happen once annually, which is not an effective cadence for testing system changes. Additionally, there may be only 1-2 testers assigned to the engagement. That is a very limited number of resources to effectively test defense-in-depth.
- Findings: The goal of a pentest is to find as much as possible to maximize the number of possible remediations, but this can lead to anywhere from 30-80 findings in a single engagement. This can result in overload for remediation teams, who will never work their way through the backlog on top of their active alerts.
- Initial Access: Most pentests do not do white box or ‘assumed breach’ testing, in which testers are given audits, network diagrams or local user access to focus their efforts. Instead, they do black box testing, which means much of that precious two-week period is spent on getting past firewalls and EDR solutions. This tests the effectiveness of the first line of defense but does not qualitatively address second or tertiary defenses such as RBAC, privilege levels of access, database security, and so on.
- Scope: Scope is often limited for large environments. In organizations with more than 150 users and endpoints (not counting assets such as databases, servers, storage, warm and cold sites, gateways, etc.), the testers must pick and choose what they’re able to accomplish in their short engagement time. It is impossible for a single pentest to identify every possible vulnerability and remediation.
The Synergy of Threat Modeling and Penetration Testing
The true power lies in the combination of threat modeling and penetration testing in a continuous cycle. Some
benefits of this integrated approach include:
- Early identification of vulnerabilities: Threat modeling helps focus penetration testing efforts on critical assets, maximizing the efficiency of the testing process. The pentest, in turn, validates vulnerabilities identified through threat modeling alone and provides valuable insights into the system's overall security.
- Validation of mitigation strategies: Penetration testing also validates and verifies the effectiveness of mitigation strategies developed during the threat modeling phase, ensuring they hold up in real-world scenarios.
- Continuous improvement: The feedback loop created by penetration testing results informs and improves the threat model, allowing for ongoing enhancements to the organization's security posture.
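The cycle described above, as an added illustration that is not part of the original article: a small threat model ranks threats by risk so the limited pentest hours go to the highest-risk items first, and the pentest outcomes are written back into the model to answer "did we do a good enough job?". The risk scale, the hours-per-test figure and the sample threats are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Threat:
    """One row of the threat model: what can go wrong, and what we plan to do about it."""
    id: str
    asset: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (expected); constructed scale, not from the article
    impact: int      # 1 (minor) .. 5 (severe); constructed scale
    mitigation: str
    validated: Optional[bool] = None  # None = untested, True = held, False = bypassed

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def plan_pentest(model: List[Threat], hours: int, hours_per_test: int = 8) -> List[Threat]:
    """Scope the engagement from the model: highest-risk threats first, only as many as
    the time budget allows (hours_per_test is an assumed planning figure)."""
    ranked = sorted(model, key=lambda t: (-t.risk, t.id))
    return ranked[: hours // hours_per_test]


def apply_results(model: List[Threat], results: Dict[str, bool]) -> None:
    """Feed pentest outcomes back into the model: True if the mitigation held, False if bypassed."""
    for t in model:
        if t.id in results:
            t.validated = results[t.id]


def open_gaps(model: List[Threat]) -> List[str]:
    """Threats whose mitigation was bypassed: the next modeling cycle starts here."""
    return [t.id for t in model if t.validated is False]


# Constructed sample model for a small web application.
SAMPLE_MODEL = [
    Threat("T1", "customer DB", "SQL injection in search", 4, 5, "parameterized queries"),
    Threat("T2", "admin panel", "credential stuffing", 3, 4, "MFA plus rate limiting"),
    Threat("T3", "object store", "public bucket exposure", 2, 5, "deny public ACLs"),
    Threat("T4", "build server", "poisoned dependency", 2, 3, "lockfile plus signature check"),
]

if __name__ == "__main__":
    scoped = plan_pentest(SAMPLE_MODEL, hours=16)  # two test-days, focused by the model
    print([t.id for t in scoped])                  # ['T1', 'T2'] (risk 20 and 12)
    apply_results(SAMPLE_MODEL, {"T1": True, "T2": False})
    print(open_gaps(SAMPLE_MODEL))                 # ['T2']
```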
Integration and Collaboration
To fully leverage the combined power of threat modeling and penetration testing, collaboration between
threat modelers and penetration testers is essential.
A. Assumed breach and defense-in-depth:
Collaboration embraces the concept of "assumed breach," acknowledging that adversaries may already
be present within the system. This approach ensures that the organization's defensive strategies are not
solely focused on preventing initial access but also on detecting and mitigating threats beyond the
perimeter.
B. Effective communication and information sharing:
Close collaboration between threat modelers and penetration testers helps both teams influence secure
design decisions and validate proposed countermeasures. By sharing knowledge and insights,
both teams can enhance their understanding of the system and strengthen security measures.
C. Integration into the software development lifecycle:
By incorporating threat modeling and penetration testing into the software development lifecycle,
organizations can achieve several benefits. They can save costs by identifying vulnerabilities early, save
time by proactively addressing security concerns, and expedite remediations by focusing efforts on
specific areas rather than reviewing extensive code.
Conclusion
Combining threat modeling and penetration testing creates a powerful symbiosis that strengthens a system’s
overall security posture. By leveraging the insights gained from threat modeling and validating them through
penetration testing, organizations can identify vulnerabilities early, implement effective countermeasures, and
continuously improve their security defenses. Embracing collaboration between threat modelers and
penetration testers and integrating these practices into the software development lifecycle leads to more
robust and resilient systems.
About the author: Maril Vernon is a Senior Application Security Architect supporting the CMS Threat Modeling Team
Threat Modeling helps teams identify weaknesses and vulnerabilities before their Penetration Test