AWS re:Invent 2025 - Threat-Modeling-As-Code - Transforming Your Threat Statements into Attack Trees


Threat Modeling as Code: Transforming Threat Statements into Attack Trees

Overview

  • Presenters: Danny, a principal security specialist, and Christian, a data scientist, from AWS
  • Discussed threat modeling as a framework to identify, analyze, and mitigate security risks in applications
  • Introduced an open-source tool called "Threat Forest" that automates the process of generating attack trees from threat statements

The Threat Modeling Framework

  • Consists of 4 key questions:
    1. What are we working on?
    2. What can go wrong?
    3. What are we going to do about it?
    4. Did we do a good enough job?
  • Performed early in the design phase to identify threats and implement appropriate controls
  • Helps align business, development, and security teams to understand and address risks

Threat Statements

  • Structured format to describe threats: "A threat source with some prerequisites can do something that leads to some impact, which results in the reduction of a required property or goal of an asset."
  • Provides a consistent way to analyze threats, including categorizing by severity, actor type, and impacted assets
  • Can be expanded into attack steps, which describe the detailed attack paths an adversary could take

Attack Trees

  • Graphical representation of the different ways an asset can be attacked
  • Builds on the threat statement structure to map out the various attack steps and their relationships
  • Provides a comprehensive view of potential attack vectors and their likelihood/impact

Threat Forest Tool

  • Open-source CLI tool developed by AWS to automate the generation of attack trees
  • Supports multi-modal input (code, docs, diagrams) to extract context about the application
  • Uses a prompt optimization technique (DSPy) to generate high-quality attack trees
  • Maps attack steps to the MITRE ATT&CK framework for alignment with known threats and mitigations

Key Features and Benefits

  • Reduces security review time by 22-23% when used as part of the application security process
  • Helps developers and security teams collaborate on threat modeling early in the development lifecycle
  • Enables proactive identification of threats and implementation of appropriate controls
  • Can be used to scope penetration testing and validate defensive capabilities

Technical Details

  • Uses an agent-based architecture with specialized agents for parsing input, extracting context, and generating attack trees
  • Leverages sentence embedding models (e.g., ATTACK-BERT) to map attack steps to MITRE ATT&CK techniques
  • Stores the generated attack trees in a local graph database for efficient querying and analysis
  • Supports multiple LLM providers (Bedrock, Anthropic, Hugging Face) and allows bring-your-own-model
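Added example, not code from the talk or from the Threat Forest project: a threat statement in the grammar described under "Threat Statements" is expanded into an AND/OR attack tree, each leaf step is mapped to an ATT&CK technique, and the "Did we do a good enough job?" question is answered by checking whether any path stays open once controls are in place. The statement, the tree and the catalog keywords are constructed for illustration; the keyword-overlap lookup is a stand-in for the sentence-embedding mapping the talk describes, and the technique IDs are real ATT&CK IDs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed threat statement in the talk's grammar (sample data, not from the talk).
THREAT = {"source": "an internet-based actor", "prerequisites": "who can see device traffic",
          "action": "can replay captured telemetry", "impact": "which leads to false vehicle state",
          "property": "integrity", "asset": "vehicle telemetry"}

def render(t: Dict[str, str]) -> str:
    """Flatten the structured statement into its one-sentence form."""
    return (f"{t['source'].capitalize()} {t['prerequisites']} {t['action']}, "
            f"{t['impact']}, reducing {t['property']} of {t['asset']}.")

@dataclass
class Node:
    """Attack-tree node: leaves are attack steps, inner nodes are AND/OR gates."""
    name: str
    gate: str = "OR"
    children: List["Node"] = field(default_factory=list)

# Constructed stand-in for the embedding lookup: keyword overlap against real ATT&CK IDs.
CATALOG = {"T1040": ("Network Sniffing", {"sniff", "capture", "captured", "observe", "traffic"}),
           "T1078": ("Valid Accounts", {"credential", "account", "token", "leaked"}),
           "T1557": ("Adversary-in-the-Middle", {"intercept", "tamper", "in-transit"})}

def map_to_attack(step: str) -> Optional[str]:
    """Return the best-matching technique ID, or None when no keyword overlaps."""
    words = set(step.lower().replace(",", "").split())
    best = max(CATALOG, key=lambda tid: len(words & CATALOG[tid][1]))
    return best if words & CATALOG[best][1] else None

def build_tree() -> Node:
    """Expand the threat statement into an attack tree (constructed sample)."""
    return Node("Falsify vehicle state", "OR", [
        Node("Replay captured telemetry", "AND", [
            Node("Observe telemetry traffic on the network"),
            Node("Resend a message the ingest API accepts as fresh")]),
        Node("Post forged telemetry with a leaked device credential")])

def reachable(n: Node, mitigated: Set[str]) -> bool:
    """'Did we do a good enough job?': a leaf stays open unless it is mitigated;
    an AND gate needs every child open, an OR gate needs any child open."""
    if not n.children:
        return n.name not in mitigated
    hits = [reachable(c, mitigated) for c in n.children]
    return all(hits) if n.gate == "AND" else any(hits)

def leaves(n: Node) -> List[str]:
    """List every attack step so each can be mapped and reviewed for a control."""
    return [n.name] if not n.children else [s for c in n.children for s in leaves(c)]
```

Mitigating only the sniffing leaf (for example with transport encryption) closes the AND branch but the root stays reachable through the credential leaf; the root is closed only when a control covers every OR branch.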

Business Impact

  • Empowers developers to proactively identify and mitigate security risks in their applications
  • Facilitates collaboration between business, development, and security teams to align on risk appetite and controls
  • Enables organizations to adopt new technologies (e.g., generative AI) more securely by understanding the associated threats
  • Can be used to stress-test defensive capabilities and improve security operations

Example Use Case

  • Demonstrated the Threat Forest tool on a connected vehicle solution, generating attack trees for 11 high-priority threats
  • Mapped the attack steps to the MITRE ATT&CK framework, providing insights into potential attack vectors and recommended mitigations
  • Highlighted the ability to visualize the attack paths and understand the relationships between different attack steps
