Threat Modeling: Thinking Like an Attacker

Threat modeling is a structured exercise for finding the ways your device could be attacked before an attacker does, then designing defenses for the ones that matter. For medical devices, the standard approach combines data flow diagrams, the STRIDE threat categories, and the four questions from the MITRE threat modeling playbook.

3.6.1 What Is Threat Modeling?

Threat modeling is a structured process to:

• Identify what could go wrong
• Understand how attacks might happen
• Prioritize based on risk
• Design appropriate defenses

Think of it as a "what if" exercise where you systematically explore how someone might compromise your device.

3.6.2 The Threat Modeling Process

The MITRE Playbook for Threat Modeling Medical Devices, developed with the Medical Device Innovation Consortium under FDA funding and published in 2021, outlines four key questions:

1. What are we working on? (System understanding)
2. What can go wrong? (Threat identification)
3. What are we going to do about it? (Mitigation planning)
4. Did we do a good job? (Validation)

3.6.3 Creating Data Flow Diagrams (DFDs)

DFDs are the foundation of threat modeling. They show:

• System components (processes, data stores)
• Data flows between components
• External entities
• Trust boundaries

DFD Elements

Processes (Circles):

• Software components
• Services
• Applications

Data Stores (Parallel lines):

• Databases
• Files
• Caches
• Logs

External Entities (Rectangles):

• Users
• Other systems
• Networks
• Attackers

Data Flows (Arrows):

• Communication paths
• Data movement
• Control signals

Trust Boundaries (Dashed boxes):

• Different privilege levels
• Network segments
• Physical boundaries

For a step-by-step walkthrough of building these diagrams, see Master data flow diagrams for medical devices.

3.6.4 Using STRIDE for Threat Identification

STRIDE is a systematic way to identify threats. It was created at Microsoft in 1999 by Loren Kohnfelder and Praerit Garg and still anchors Microsoft's SDL threat modeling practice today:

Spoofing - Pretending to be someone/something else

• Fake user credentials
• Impersonating a trusted system
• False sensor readings

Tampering - Modifying data or code

• Changing configuration
• Altering patient data
• Modifying software

Repudiation - Denying actions occurred

• Deleting audit logs
• Claiming false actions
• Avoiding accountability

Information Disclosure - Exposing confidential data

• Patient data leaks
• Credential theft
• System information exposure

Denial of Service - Making system unavailable

• Crashing the device
• Flooding with requests
• Resource exhaustion

Elevation of Privilege - Gaining unauthorized access

• User to admin escalation
• Escaping sandboxes
• Bypassing access controls

For medical device examples and defenses in each category, see STRIDE for medical devices: a complete threat modeling framework.

3.6.5 Threat Modeling in Practice

Let's walk through a simplified example:

System: Insulin pump with smartphone app

Step 1: Create DFD

Step 2: Identify Trust Boundaries

• Between phone and pump
• Between phone and cloud
• Between pump and sensor

Step 3: Apply STRIDE

Spoofing threats:

• Fake app pretending to be legitimate
• Rogue pump impersonating real device

Tampering threats:

• Modified commands changing insulin dose
• Altered glucose readings

Information Disclosure:

• Bluetooth sniffing revealing patient data
• Cloud breach exposing treatment history

Step 4: Prioritize Threats

• Tampering with dose: Critical (could kill patient)
• Information disclosure: High (privacy violation)
• Spoofing app: Medium (depends on implementation)