Engineer your security architecture – using threat modeling & cyber-attack simulations


Managing IT, especially risk and security, is difficult and costly. There is a constant struggle and the main solution seems to be to throw more manpower on the problem. However, there are two issues with this solution; 1) finding and keeping competent people is not easy, and 2) the IT problems today are often too large and complex for any person, even the most skilled one, to handle without computerized help. Plus, is pumping water out of a leaking ship really the best use for your highly skilled staff?

Thus, it is time to be the engineers we are trained to be, also when it comes to IT and security. With the right engineering tools we can analyze our current security posture and design future architectures that meet our security requirements.


In mature engineering disciplines it is a golden standard to use tools when making decisions, designing new products, and making changes.

When constructing a bridge, manufacturing a new car or an airplane, blueprints are being used instead of designing these based on gut feeling. These design specifications and blueprints are often created and tested using Computer Aided Design (CAD) tools. Besides just presenting a description these tools can often also simulate and analyze important aspects of the product under design.

Another aspect related to design is that in most disciplines, it is easier to design something that is way too strong or way too weak. The trick is to find a balance and related to IT security, it is the balance between security and usability that needs to be handled.

It is about time that IT and IT security start following the same principle when implementing and changing the IT landscape with new systems and features incl. security countermeasures such as firewalls and encryption. That is, an architectural description acting as a blueprint that different stakeholders have agreed upon implemented in a CAD tool so that security and risk analysis can be automated (quantitative and data driven).
This is how you do it?

In securiCAD, a model of the existing or planned architecture is created. The model is usually created manually, similar to drawing an architecture in VISIO. The model can be enriched with existing data sources, such as vulnerability scanners or logs, but it is usually not important to have all the details in place in the model before the first simulation is run.

Once the model is created, an attacker is placed somewhere in the model. Where the attacker is placed depends on what kind of attacker the user wishes to study. It could be, e.g. an external attacker coming from the Internet, or a disgruntled employee with legitimate access to the internal network and a laptop.

Depending on where the attacker is in the model, it will have different opportunities of collecting credentials, making use of missing security patches, listening to and making use of legitimate communication and access as well as finding security flaws in web applications, just to mention some of them. Then, when the attacker has achieved some of these operations, other operations might become available and then the attacker will take a new look around in its new position.

In securiCAD, we can follow this attacker’s whereabouts in our model to see what our weak spots are most likely to be. To be more specific, we will see what methods the attacker is expected to use, how much effort/time it is expected to take and what assets in the model the attacker is expected to make most use of.

Based on the results, the user can explore the effects of potential mitigations and design suggestions in the model and run the simulation over again.


Being responsible for a ship, you don’t want your crew to run around searching for and fixing leaks, if they are not busy pumping water, that is. And you don’t want them to go around hammering different parts of the construction (the parts they can easily hammer on), to see if it will break. What you would really like to do instead is to let your staff use tools to foresee where problems will occur next, how bad they will be and in what way they are related, based on the ship’s design and the quality of the material used. That is what threat modeling with attack simulation is all about.

Article by: Robert Lagerström, Joar Jacobsson, and Jacob Henricson, foreseeti