Guide to Cyber Threat Modelling by CSA Singapure

Importance of Threat Modelling
Due to finite resources of the system owner, it is difficult to mitigate every vulnerability within
a system. Therefore, system owners must prioritise risks and treat them accordingly. A key step
in determining risk is identifying threat events, which contribute to the likelihood and impact
of risk. A threat event refers to any event during which a threat actor1 , by means of threat vector2
, acts against an asset in a manner that has the potential to cause harm. In the context
of cybersecurity, threat events can be characterised by the tactics, techniques and procedures
(TTP) employed by threat actors.
Threat modelling helps owners comprehensively identify threat events that are relevant to the
system, so that owners can focus on implementing effective control measures to protect key
components within the system. This makes it harder for the adversary to compromise key
components by establishing a foothold, pivoting and moving laterally within the system.
Consequently, system owners can stem and curtail the kill-chain before the adversary reaches
the crown jewels. With a threat model, system owners can also avoid blind spots in identifying
threat events.

Purpose of Document
CSA issued the Guide to Conducting Cybersecurity Risk Assessment for Critical Information
Infrastructure in December 2019 (subsequently revised in Feb 2021). The document provided
guidance to Critical Information Infrastructure Owners (CIIOs) on performing a proper
cybersecurity risk assessment, and briefly covered steps for threat modelling as part of the risk
This document supplements the aforementioned document by elaborating on threat
modelling, and aims to provide a practical and systematic way to identify threat events that
can be used in a cybersecurity risk assessment. It will introduce various approaches and
methods of threat modelling, and provide a suggested framework, coupled with practical
examples, for individuals and groups to adopt to derive a robust system threat model and
relevant threat events. System owners can then incorporate these threat events into their
cybersecurity risk assessment to develop and prioritise effective controls.
Ultimately, this exercise aims to cultivate a customised threat perspective in system owners
that goes beyond meeting minimum generic standards.

This document is for individuals or groups who would like to build a threat model for their system(s). They can use the results of the threat model as inputs to other assessments, such as cybersecurity risk assessments, to prioritise risk controls. Individuals and groups using this guidance (subsequently collectively termed as Users) may include, but are not limited to, the following:
• Internal stakeholders e.g. system owners, business unit heads, Chief Information Security Officers, and personnel involved in IT risk assessment and management within any organisation, including Critical Information Infrastructure Owners;
• External consultants or service providers engaged to conduct threat modelling on behalf of system owners; and
• Red team members, blue team defenders, and purple team members.
The guidance set out in this document focuses on the key areas of technical scoping, system
decomposition, threat identification and attack modelling. Other areas such as cyber threat
intelligence monitoring and studying geo-political threats, which are under the wider domain
of threat monitoring and analysis, are beyond the scope of this document

Leave a Reply

Your email address will not be published.