Home » Blog » hTMM threat modeling method

hTMM threat modeling method

The Hybrid Threat Modeling Method (hTMM) was developed by the Software Engineering Institute (SEI). As the name suggests, it is a combination of several methods: SQUARE (Security Quality Requirements Engineering), designed to elicit, categorize and prioritize security requirements, Security Cards, STRIDE and PnG (Persona non Grata), which focuses on uncovering ways a system can be attacked. This combination helps to cover a wider range of threats, produces no false positives and it is cost-effective. It contains an inbuilt prioritization of threat mitigation and shows consistent results in repeated use.

hTMM emphasizes the importance of early security requirements specification because it can have a significant impact on the system’s security and its architecture in the future system lifecycle.

The authors of the method advise using tools to facilitate summarization and analytics of the threat findings. The usage of Security Cards and PnG is admittedly helpful, however, it is not something exclusive to the metrology.

PnG method

The Hybrid Threat Modeling Method includes PnG as one of its components.

PnG (Persona non Grata) focuses on motivations and skills of actual human hackers. It relates users to certain archetypes and helps analyzing teams to look at the system from an unintended-use point of view. It helps to visualize threats from the counterpart side, examining the potential attacker’s skills, motivations and goals, and understand the vulnerabilities of the system from the attacker’s point of view.

Steps of hTMM

An hTTM analysis is performed in five steps:

Target system identification. It is used to define the target system, security goals, assets and system artifacts. At this stage the SQUARE method is used.
Threat Generation. At this stage Security Cards are applied for brainstorming potential threats and attack vectors. It is conducted jointly with developers, system users and security staff.
Attack vector/scenario filtering. At this stage the output of the Security Cards analysis is studied to filter attack scenarios based on realistic persons, all unlikely PnGs and unrealistic attack vectors are removed from the list.
Summarizing the result. At this stage STRIDE is commonly used to analyze and summarize the findings for each identified threat with a list of attributes (actor, purpose, target, action, result of the action, impact and threat type).
Risk assessment modeling. At the final stage a formal risk assessment modeling is carried out.

previous post

February 19, 2023

Zero-knowledge proof in blockchain technology

Zero-knowledge proof (ZKP) is a type of math-based cryptography protocol or mechanism which allows to exchange data between parties without using passwords or any other contributory information. It is used by one of the parties involved in the transaction to verify the information is legit information without revealing anything else. Zero knowledge proof is considered one of the best and advanced solutions for achieving confidentiality ...

Read more
next post

February 22, 2023

Multi-party computation (MPC) and its role in secure transactions

Multi-party computation (MPC) is a cryptographic tool which allows multiple parties making calculations by means of using their combined data, without revealing their individual input or any sensitive information. It was invented by Andrew Yao from China. It may be used to replace individual private keys for transaction signatures. The method uses a complex encryption to distribute the computations process and contributes to the signing ...

Read more