Top threat modeling tools, plus features to look for
Automated threat modeling tools make identifying threats simpler, but the tools themselves can be fairly complex. Understanding where risks exist is only one part of the process.
Threat modeling ranges from simple data flow diagrams to highly complex mathematical algorithms and frameworks. Manually combing through this information is inefficient and time-consuming. Automated tools speed up the process and generate recommendations and reports designed to combat prospective threats.
Automated threat modeling tools come in many different forms, from no-cost open source applications to powerful cloud-based and on-site ones that can cost hundreds or thousands of dollars.
Let's examine what to look for when selecting threat modeling software and assess products on the market.
How to select a threat modeling tool
Before laying out a foundation for threat modeling, involve top managers from both the business side and technology side. Business managers should identify the assets considered most important. IT staffers should discuss the technology needed to support those assets, highlighting the most critical risks, threats and vulnerabilities.
Key criteria underpinning the evaluation and selection process should include identifying the following:
- The business requirements, goals and operational objectives to protect from security threats.
- The desired results and outputs from the threat modeling tools, for example, reports, analyses, assessments, visual diagrams and recommendations.
- Situations where risks, threats and vulnerabilities are present and need protection from malicious attacks.
- How to address and define appropriate countermeasures to mitigate identified threats and vulnerabilities.
- How to test and validate the performance of the selected application.
- How to integrate the selected system into other threat initiatives within the organization.
- Licensing, pricing, training and maintenance options to make fair and accurate comparisons.
- Actions to take now that increase protection from future threats.
One tactic is to use a model, such as the software development lifecycle (SDLC), to help select a threat modeling tool. In many cases, the tool deployed protects a specific application or system. SDLC components -- planning, requirements, design, development, testing, deployment and maintenance -- can serve as an important framework. Ideally, the software should support each SDLC process.
How to implement a threat modeling tool
The process of using a threat modeling tool is straightforward. Once the tool has been obtained, unpacked and installed, review the instructions for getting started, then perform the following steps:
- Gather threat data from prior risk analyses, historical data and operational experience.
- Create a model of the system architecture and security infrastructure using models available from the tool.
- Use the tool to identify potential threats and vulnerabilities based on the model used.
- Identify actions that can respond to and mitigate the impact of identified threats. Also identify ways to address vulnerabilities and make changes to the overall security infrastructure.
- Document the recommendations and generate reports for subsequent review by security teams and senior management.
- Use the tool to perform ongoing design changes and modifications to the security infrastructure based on the tool's recommendations.
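The model-then-identify-then-report steps above, as an added example that is not from the article or from any tool it reviews: a minimal STRIDE-per-element rules engine in Python run over a constructed DFD. The element types, trust boundaries, rule table, control names and sample system are assumptions for illustration; the tools the article covers apply far larger rule sets.

```python
from dataclasses import dataclass, field

@dataclass
class Element:
    name: str
    kind: str                 # "external", "process", "store" or "flow"
    boundary: str = ""        # trust boundary (not used for flows)
    src: str = ""             # flows only: source element name
    dst: str = ""             # flows only: destination element name
    controls: set = field(default_factory=set)

# STRIDE-per-element: which categories a DFD element type is exposed to (assumed table).
STRIDE_RULES = {
    "external": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "store": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
    "flow": ["Tampering", "Information disclosure", "Denial of service"],
}
# A control recorded on an element counts as mitigating the matching category.
MITIGATIONS = {
    "Spoofing": "authentication", "Tampering": "integrity", "Repudiation": "logging",
    "Information disclosure": "encryption", "Denial of service": "rate_limiting",
    "Elevation of privilege": "authorization",
}

def identify_threats(model):
    """Step 3 of the procedure: rows of (element, category, severity, mitigated)."""
    by_name = {e.name: e for e in model}
    rows = []
    for e in model:
        # Flows that cross a trust boundary are where most real findings sit.
        crosses = e.kind == "flow" and by_name[e.src].boundary != by_name[e.dst].boundary
        for cat in STRIDE_RULES[e.kind]:
            rows.append((e.name, cat, "high" if crosses else "medium",
                         MITIGATIONS[cat] in e.controls))
    return rows

def open_threats(model):
    """Steps 4 and 5: unmitigated findings, highest severity first, for the report."""
    rows = [r for r in identify_threats(model) if not r[3]]
    return sorted(rows, key=lambda r: (r[2] != "high", r[0], r[1]))

# Constructed sample DFD: a browser calling an API that reads a user database.
SAMPLE_MODEL = [
    Element("Browser", "external", "internet"),
    Element("API", "process", "dmz", controls={"authentication", "logging"}),
    Element("UserDB", "store", "internal", controls={"encryption"}),
    Element("Browser->API", "flow", src="Browser", dst="API", controls={"encryption"}),
    Element("API->UserDB", "flow", src="API", dst="UserDB"),
]
```

Running `open_threats(SAMPLE_MODEL)` lists the 14 unmitigated findings, with the two boundary-crossing flows at the top; adding a control to an element's `controls` set drops the matching category from the next run.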
Features to look for in threat modeling tools
Consider the following important features and benefits that any threat modeling tool should offer.
Ease of data input
Depending on the system analyzed, consider how data is entered into the tool. Attributes should include system design, architecture, input/output characteristics and security features, as well as compliance factors if the system is subject to one or more regulations. The ability to upload visuals, such as data flow diagrams (DFDs), is a plus. Data input could also be in the form of questionnaires.
Asset identification
This feature gathers all available data and organizes it for subsequent analysis and threat model development.
Available threat intelligence in the system
Verify whether sources of threat intelligence, such as MITRE's ATT&CK and Common Attack Pattern Enumeration and Classification (CAPEC) repositories of threat actor data and techniques, can be embedded in the tool.
Threat identification
Using data contained in the product as well as external threat data, this function identifies potential asset threats, including malware, phishing and ransomware attacks.
Vulnerability identification and assessments
This function analyzes available infrastructure data to identify potential system and network vulnerabilities.
Identification of potential attack surfaces
An important output of vulnerability analyses is the identification of the overall attack surface and the areas of the infrastructure most likely to experience unauthorized access attempts and cyberattacks.
Comprehensive operational threat dashboard
Look for a dashboard that provides a highly detailed and interactive view of the system's activities and tracks all available threat information.
Mitigation and countermeasures dashboard
Ensure the tool can display mitigation and countermeasure recommendations, for example, security modifications, code changes or other actions. This capability should interact dynamically with the threat dashboard.
System engine embedded with various rules
If adherence to various standards and regulations is required, determine if the system can map security actions with the appropriate compliance requirements.
Scalability
The ability to expand or contract capabilities is an important consideration. The tool should be able to deliver additional processing power for complex analyses.
Linkages and integration with existing production environments
Connections between threat modeling tools and associated production elements enable security teams to tap real-time modeling capabilities using active performance data. Linkages to operational support tools, such as Jenkins and Jira, ensure threat model outputs are based on real data.
Reporting
The presentation of actionable information -- whether on a dashboard or printed report -- is essential. Senior management and other interested recipients, such as business unit leaders, should be able to easily read the results and understand how threats are addressed.
Maintenance and support
Choose a tool that's easy to manage and maintain and that supports embedded system performance and status readouts that keep administrators informed. In the event of a malfunction, administrators should be able to receive information about the issue and implement remedial measures. Security teams should also be able to periodically test the product and patch it as needed.
Important threat modeling tools to evaluate
Following are tools organizations might consider when selecting a threat modeling tool.
CAIRIS
CAIRIS, short for Computer Aided Integration of Requirements and Information Security, is a comprehensive open source threat modeling tool available since 2012.
- System: Web-based tool that operates in a variety of environments, including Ubuntu, Mac, Windows and Linux. It also works as a Docker container.
- Features: Creates attacker personas that detail potential threat actors. Its 12 system views represent both risk and architectural perspectives. It identifies attack patterns and provides insights into attack mitigations. Threat models can be presented as DFDs.
- Performance: Highly efficient overall, though there are reports that entering system information is slow.
- Support: Online documentation, demos and tutorials.
- Pricing: Free.
Cisco Vulnerability Management
Formerly Kenna.VM, Cisco Vulnerability Management reports on an application's risk status using a variety of metrics.
- System: SaaS tool that is available in two plans: Advantage and Premier.
- Features: Examines data to generate real-time threat intelligence and recommended actions from a risk perspective. The tool integrates with numerous platforms, including Pliant, Snyk, NorthStar Navigator and Axonius.
- Performance: Uses a proprietary algorithm in its calculations, gathers data from more than 19 threat intelligence feeds, has rigorous data entry requirements and provides a variety of reports.
- Support: Basic and expanded support available.
- Pricing: Subscription is based on usage. A free trial is available.
IriusRisk
IriusRisk uses AI to perform risk analyses and create threat models of a software application during the design phase.
- System: SaaS and on-premises deployments available.
- Features: Uses a questionnaire to collect data and generates a threat list using a rules engine that links with tools such as Jira and Azure DevOps Services. Files from Microsoft Threat Modeling Tool can be imported into IriusRisk. It supports OCTAVE, PASTA, TRIKE and STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) approaches.
- Performance: Easy to use.
- Support: Via email and a ticket system.
- Pricing: Free Community and license-based Enterprise subscriptions available.
Microsoft Threat Modeling Tool
Microsoft Threat Modeling Tool is open source software built on the STRIDE methodology. It is a component of the Microsoft Security Development Lifecycle.
- System: Windows-based desktop or laptop application.
- Features: Creates threat models using DFDs; supports systems running under Windows and Microsoft Azure cloud services; generates a variety of reports. It integrates with IriusRisk and Black Duck Seeker.
- Performance: Provides a cost-effective starting point for launching a threat modeling initiative.
- Support: Via Microsoft, various user forums and documentation available.
- Pricing: Free.
OWASP Threat Dragon
The open source, cross-platform Threat Dragon threat modeling tool was developed in 2016 by OWASP.
- System: Web-based and desktop application.
- Features: Creates DFDs that feed into a rules engine that delivers threat lists, recommendations and other reports. It supports STRIDE and LINDDUN (linking, identifying, nonrepudiation, detecting, data disclosure, unawareness, noncompliance) models. The product integrates with several platforms, including Kiuwan Code Security; Jit DevSecOps; Amazon Q Developer, formerly CodeWhisperer; and EthicalCheck.
- Performance: Easy to use with a variety of features.
- Support: Documentation, plus an active user community for troubleshooting.
- Pricing: Free.
SD Elements
SD Elements from Security Compass offers a smooth translation of policy into procedure through a variety of threat modeling features and resources that automate the identification of threats and countermeasures.
- System: SaaS or on-premises deployments available.
- Features: Uses surveys to gather data and identify vulnerabilities and mitigations. Extensive reporting and testing capabilities. Supports important standards, including ISO 27001, OWASP and NIST Special Publications 800-53 and 800-30.
- Performance: Efficient, once the learning curve is completed.
- Support: Via Security Compass; support spans all phases of a project, from installation to training and management.
- Pricing: Based on usage.
Splunk Enterprise Security and Splunk Security Essentials
Splunk Enterprise Security is a threat detection, investigation and response platform that uses a broad range of tools and resources, including AI and machine learning, to provide a risk-based assessment of an organization's technology architecture. It gathers performance data from across an organization, analyzes it from multiple perspectives, and identifies and visualizes potential threats and vulnerabilities. Splunk Security Essentials is the vendor's free tool, which offers limited dashboards, reports and features.
- System: Splunk Enterprise Security available in SaaS or on-premises options. Splunk Security Essentials is available as an app download in Splunkbase.
- Features: Splunk Security Essentials offers continuous monitoring, risk-based alerting, malware detection and root cause analysis. Splunk Security Essentials is mapped to the Kill Chain and Mitre ATT&CK frameworks.
- Performance: Easy-to-use interface and dashboards.
- Support: Learning and support services available, including Splunk University, videos and on-site training.
- Pricing: Splunk Enterprise Security has two versions, Essentials and Premier. The Premier platform requires a license and has workload-, entity- and ingest-based pricing. Splunk Security Essentials is free.
Threagile
Threagile is an open source, code-based threat modeling toolkit that functions in Agile environments.
- System: Integrated development environment-based tool that models a threat environment by assessing assets in an Agile fashion, using a YAML file for input.
- Features: Produces threat models as DFDs and detailed reports. The product integrates with Docker and generates reports in Excel, PDF and JSON formats.
- Performance: Efficient, enables easy threat modeling.
- Support: Documentation, plus an active user community for troubleshooting.
- Pricing: Free.
ThreatModeler
ThreatModeler is an automated threat modeling tool for DevOps.
- System: Web-based, designed primarily for large organizations with complex technology infrastructures.
- Features: Based on the VAST (visual, agile and simple threat) model. Offers an intelligent threat engine, report engine and integrated workflow approval. Supports many other systems and natively links with Jira, Jenkins, AWS, GitHub and Microsoft Azure.
- Performance: Easy navigation through various functions.
- Support: Various support options available via ThreatModeler.
- Pricing: Based on usage.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.