Threat Modeling
Threat Modeling is a structured approach used in cybersecurity and software development to identify, assess, and mitigate potential security threats. It involves understanding the system, identifying potential threats, determining their impact and likelihood, and implementing appropriate defenses.
1. Category
1.1. STRIDE
A threat classification model developed at Microsoft to identify and categorize potential threats to a system. Each letter names a threat category, and each category is the negation of a security property (authentication, integrity, non-repudiation, confidentiality, availability, authorization). It is usually applied per element of a data flow diagram (STRIDE-per-element), so that the relevant threat types are enumerated for each part of the system, enabling targeted security improvements.
Components and Features
Spoofing
Pretending to be another user, process, or system (violates authentication).
Tampering
Modifying data or code without authorization (violates integrity).
Repudiation
Denying having performed an action, in a system that cannot prove otherwise (violates non-repudiation).
Information Disclosure
Exposing information to individuals not authorized to see it (violates confidentiality).
Denial of Service (DoS)
Interrupting or degrading service availability (violates availability).
Elevation of Privilege
Gaining capabilities beyond what the caller is authorized for (violates authorization).
Tools and Frameworks
Microsoft Threat Modeling Tool
Purpose-built for STRIDE. User-friendly interface for creating data flow diagrams. Automated analysis to identify threats.
OWASP Threat Dragon
Open-source tool with support for STRIDE. Browser-based and desktop versions available. Integrates with development workflows.
ThreatModeler
Enterprise-level tool with STRIDE support. Offers integration with CI/CD pipelines. Provides visual modeling and collaborative features.
IriusRisk
Focuses on automated threat modeling. Supports STRIDE and integrates with various security tools. Generates detailed reports and mitigation suggestions.
PyTM
Python-based, code-centric threat modeling tool. Supports STRIDE and allows integration with other Python libraries. Suitable for developers familiar with Python scripting.
TMT (Threat Modeling Tool)
Supports both STRIDE and LINDDUN. Generates data flow diagrams and identifies potential threats. Community-driven with an emphasis on extensibility.
1.2. DREAD
A risk rating model, also from Microsoft, used to score threats once they have been identified (for example with STRIDE). Each of the five factors below is rated on a fixed scale (commonly 1-10) and the ratings are averaged or summed to rank threats. Microsoft later stopped recommending DREAD because the ratings are subjective and vary between raters, so it is best used for relative ranking within one team rather than as an absolute measure.
Components and Features
Damage potential
How severe the impact would be if the threat were realized.
Reproducibility
How reliably the attack can be reproduced.
Exploitability
How much effort and skill the attack requires.
Affected users
How many users (or how large a share of them) would be affected.
Discoverability
How easily an attacker can find the vulnerability.
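The following is an added example, not code from the page or from any of the tools it lists. It shows how the STRIDE section above and the DREAD factors just described fit together in practice: a small data flow diagram is enumerated with the STRIDE-per-element mapping (the Microsoft SDL table: external entities get S and R, processes get all six, data stores get T, R, I, D, flows get T, I, D), flows that cross a trust boundary are flagged, and the resulting threats are ranked by an averaged DREAD score. The DFD, the DREAD ratings, and the High/Medium/Low bands are constructed assumptions for this example.

```python
from dataclasses import dataclass

# STRIDE-per-element (Microsoft SDL): which categories apply to which DFD element kind.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R: a store holding audit logs can be a repudiation target
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # a key of STRIDE_PER_ELEMENT other than data_flow
    boundary: str    # trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass
class Threat:
    target: str
    category: str
    note: str = ""
    # (Damage, Reproducibility, Exploitability, Affected users, Discoverability), each 1-10
    dread: tuple = ()

    def score(self) -> float:
        # Classic DREAD: average of the five ratings; unrated threats score 0.
        return round(sum(self.dread) / len(self.dread), 1) if self.dread else 0.0


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every element and flow of the DFD."""
    threats = [Threat(e.name, STRIDE_NAMES[c])
               for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        note = "crosses trust boundary" if f.src.boundary != f.dst.boundary else ""
        threats += [Threat(f.name, STRIDE_NAMES[c], note)
                    for c in STRIDE_PER_ELEMENT["data_flow"]]
    return threats


def rank(threats, ratings):
    """Attach DREAD ratings keyed by (target, category); unrated threats sort last."""
    for t in threats:
        t.dread = ratings.get((t.target, t.category), ())
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def risk_band(score):
    # Bands are an assumption for this example; DREAD itself fixes no thresholds.
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def sample_model():
    # Constructed DFD: browser user -> web app in a DMZ -> user database on an internal network.
    user = Element("Browser user", "external_entity", "internet")
    web = Element("Web app", "process", "dmz")
    db = Element("User DB", "data_store", "internal")
    flows = [Flow("Login request", user, web), Flow("Credential lookup", web, db)]
    # Constructed ratings for three of the enumerated threats.
    ratings = {
        ("Login request", "Information Disclosure"): (8, 9, 7, 9, 8),  # e.g. credentials over plain HTTP
        ("Web app", "Elevation of Privilege"): (10, 6, 5, 9, 5),
        ("User DB", "Tampering"): (9, 4, 3, 9, 3),
    }
    return [user, web, db], flows, ratings


if __name__ == "__main__":
    elements, flows, ratings = sample_model()
    for t in rank(enumerate_threats(elements, flows), ratings):
        flag = f" [{t.note}]" if t.note else ""
        print(f"{t.score():4.1f} {risk_band(t.score()):6} {t.target}: {t.category}{flag}")
```

Unrated threats still appear in the output at the bottom of the list: the enumeration is what makes STRIDE systematic, and leaving a threat unrated should be a visible decision rather than an omission.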
Tools and Frameworks
OWASP Threat Dragon
Supports integration with DREAD scoring. Provides visual threat modeling with a focus on ease of use. Open-source and available for both desktop and browser.
ThreatModeler
Supports various threat modeling frameworks, including DREAD. Provides a user-friendly interface and collaborative features. Offers integration with development pipelines.
IriusRisk
Supports risk assessment methodologies, including DREAD. Automated threat modeling with a focus on ease of integration. Generates detailed risk reports and mitigation strategies.
TMT (Threat Modeling Tool)
Community-driven with customizable templates. Can incorporate DREAD scoring in threat analysis. Focuses on extensibility and flexibility.
SecuriCAD
Provides simulation-based threat modeling. Can use DREAD for risk scoring and analysis. Offers a model-based approach to security analysis.
1.3. PASTA
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage methodology that focuses on aligning business objectives with technical requirements and threats. It involves defining objectives, scoping, decomposing the application, analyzing threats, identifying vulnerabilities, modeling attacks, and managing risks. This process aims to provide a comprehensive risk-centric view of the application.
Components and Features
Stage 1
Definition of the Objectives (DO) for the analysis.
Stage 2
Definition of the Technical Scope (DTS).
Stage 3
Application Decomposition and Analysis (ADA).
Stage 4
Threat Analysis (TA).
Stage 5
Weakness and Vulnerability Analysis (WVA).
Stage 6
Attack Modeling and Simulation (AMS).
Stage 7
Risk Analysis and Management (RAM).
Tools and Frameworks
IriusRisk
Supports PASTA stages. Automates threat modeling and risk assessment. Integrates with various security tools and CI/CD pipelines.
ThreatModeler
Offers features for PASTA. Provides visual threat modeling and risk analysis. Collaborative environment for teams.
CAIRIS
Open-source tool that supports PASTA. Focuses on risk assessment and security requirements. Suitable for complex projects with detailed modeling needs.
SecuriCAD
Simulation-based threat modeling tool. Supports the attack simulation aspect of PASTA. Provides insights into potential attack paths and mitigations.
1.4. LINDDUN
A privacy threat modeling framework developed at KU Leuven that mirrors STRIDE for privacy: each letter names a category of privacy threat, and the categories are applied to the elements of a data flow diagram to find where personal data can be misused.
Components and Features
Linkability
Being able to tell that two items of interest (records, requests, sessions) belong to the same person, even without knowing who that person is.
Identifiability
Being able to pinpoint the identity of a data subject from a set of items of interest.
Non-repudiation
A data subject being unable to deny an action (loss of plausible deniability); in privacy terms this is a threat, the opposite of the security property of the same name.
Detectability
Being able to tell that an item of interest exists (for example that a record about a person is present in a database) without necessarily reading it.
Disclosure of information
Personal data being exposed to parties not authorized to see it.
Unawareness
Data subjects not knowing what data is collected about them or how it is processed, and lacking control over it.
Non-compliance
Processing that violates legal, regulatory, or organizational obligations or the system's own stated privacy policy.
Tools and Frameworks
OWASP Threat Dragon
Open-source tool with support for LINDDUN. Browser-based and desktop options. Provides visual modeling for privacy threats.
IriusRisk
Supports LINDDUN for privacy risk assessment. Automated threat modeling with detailed reports. Integrates well with development pipelines.
CAIRIS
Open-source tool that supports privacy threat modeling, including LINDDUN. Focuses on security and usability requirements. Suitable for complex systems and detailed analysis.
PrivD
A specific tool for LINDDUN, designed for privacy threat modeling. Helps identify privacy threats and suggest mitigations. User-friendly interface for privacy-focused modeling.
1.5. Attack Tree
An Attack Tree, popularized by Bruce Schneier, is a hierarchical diagram that represents potential attack paths on a system. The root node represents the attacker's goal, while the branches and leaves detail the alternative methods and steps to achieve that goal. Leaves can be annotated with attributes such as cost, probability, or required skill, which are then propagated up the tree to compare paths and to see which mitigations actually raise the attacker's cost.
Components and Features
Root Node
Represents the ultimate goal of the attack.
Child Nodes
Subgoals or methods that contribute to achieving the parent node.
Leaf Nodes
Atomic attacker actions or preconditions that are not decomposed further; usually where cost or likelihood values are attached.
Branches
Connections between nodes, showing which subgoals contribute to which goal.
AND Nodes
All child nodes must be achieved for the parent to succeed; the attacker's cost is the sum of the children.
OR Nodes
Any one child node suffices for the parent to succeed; the attacker's cost is that of the cheapest child. OR nodes therefore represent alternative paths, and a mitigation on one branch only helps if the remaining branches are at least as expensive.
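An added example (not from the page or any of the tools below) of evaluating the AND/OR semantics just described: each leaf carries a constructed cost, OR nodes take the cheapest feasible child, AND nodes sum all their children and become infeasible if any child is, and a mitigation is modeled by raising a leaf's cost so the tree shows which path the attacker falls back to. The tree, the costs, and the "physical access" constraint are illustrative assumptions.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    name: str
    op: str = "LEAF"            # "AND", "OR", or "LEAF"
    cost: int = 0               # attacker effort for a leaf, in constructed units
    physical: bool = False      # leaf requires physical presence
    children: List["Node"] = field(default_factory=list)


def cheapest(node, remote_only=False):
    """Return (cost, [leaf names]) of the cheapest feasible path to `node`, or None.

    OR nodes take the minimum over feasible children; AND nodes sum all children
    and are infeasible if any child is infeasible. With remote_only=True, leaves
    that need physical presence are treated as infeasible.
    """
    if node.op == "LEAF":
        if remote_only and node.physical:
            return None
        return node.cost, [node.name]
    results = [cheapest(c, remote_only) for c in node.children]
    if node.op == "AND":
        if any(r is None for r in results):
            return None
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    if node.op == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    raise ValueError(f"unknown node op {node.op!r}")


def raise_cost(root, leaf_name, new_cost):
    """Model a mitigation by raising a leaf's cost; returns True if the leaf was found."""
    if root.op == "LEAF":
        if root.name == leaf_name:
            root.cost = new_cost
            return True
        return False
    return any([raise_cost(c, leaf_name, new_cost) for c in root.children])


def build_tree():
    # Constructed example tree; costs are illustrative, not measured values.
    return Node("Read customer records", "OR", children=[
        Node("Steal DB credentials", "AND", children=[
            Node("Phish an administrator", cost=20),
            Node("Defeat MFA (push fatigue)", cost=30),
        ]),
        Node("Exploit SQL injection in search endpoint", cost=15),
        Node("Read backup tapes", "AND", children=[
            Node("Enter data center", cost=40, physical=True),
            Node("Read unencrypted tape", cost=15),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("before mitigation:  ", cheapest(tree))
    raise_cost(tree, "Exploit SQL injection in search endpoint", 500)
    print("after fixing SQLi:  ", cheapest(tree))
    print("remote attacker only:", cheapest(tree, remote_only=True))
```

Fixing the SQL injection moves the cheapest path to the credential-theft branch at a cost of 50, which is the number to compare against the next candidate mitigation; a fix on the tape branch would not change the attacker's cheapest option at all.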
Tools and Frameworks
AttackTree
User-friendly tool specifically for attack tree modeling. Supports drag-and-drop interface. Allows detailed analysis and visualization of attack scenarios.
SeaMonster
Open-source tool for attack tree analysis. Focuses on system security and resilience. Offers simulation and risk assessment capabilities.
ADTool
Designed for attack-defense trees. Supports quantitative analysis of security scenarios. Allows modeling of both attacks and defenses.
CAIRIS
Supports attack tree modeling alongside other security analysis. Open-source with a focus on requirements and risk management. Useful for complex projects requiring detailed threat analysis.
SecurITree
Commercial tool for constructing and analyzing attack trees. Provides quantitative risk analysis and detailed reporting. Suitable for enterprise-level security assessments.
1.6. MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive framework for understanding cyber adversary behavior. It provides detailed information about the tactics and techniques used by attackers throughout different stages of an attack lifecycle.
Components and Features
Adversarial Tactics
High-level objectives that attackers aim to achieve during an attack; the columns of the ATT&CK matrix. Tactics represent the "why" of an action, such as Initial Access, Persistence, Credential Access, or Exfiltration.
Techniques
Specific methods used by attackers to achieve a tactical objective, identified by IDs such as T1059 (Command and Scripting Interpreter); finer-grained sub-techniques carry a suffix, such as T1059.001 (PowerShell). Techniques represent the "how" of an attack, and one technique can appear under several tactics.
Common Knowledge
The documented body of observed adversary behavior attached to each technique: procedure examples from real intrusions, the threat groups and software known to use it, mitigations, and the data sources and detection notes defenders can use. Together these are the tactics, techniques, and procedures (TTPs) that let defenders map their own detections and controls to adversary behavior.
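A common use of ATT&CK in threat modeling is to map existing detections onto the matrix and look for gaps. The following added example (not from MITRE or any of the tools below) takes a constructed inventory of detection rules, scores each technique by how many rules cover it, emits an ATT&CK Navigator layer file, and lists priority techniques that no rule covers. The technique IDs are real ATT&CK Enterprise IDs; the rules, their mappings, the priority list, and the version numbers in the layer header are assumptions for this example.

```python
import json
from collections import defaultdict

# Constructed detection inventory: each rule names the technique(s) it is mapped to.
RULES = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"name": "Office app spawning a shell", "techniques": ["T1566.001", "T1059.001"]},
    {"name": "Handle opened on lsass.exe", "techniques": ["T1003.001"]},
    {"name": "VPN login from new country", "techniques": ["T1078"]},
]


def coverage(rules):
    """Map technique ID -> names of the rules that detect it."""
    cov = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            cov[tid].append(rule["name"])
    return dict(cov)


def build_layer(rules, name="Detection coverage"):
    """Produce an ATT&CK Navigator layer dict scoring each technique by rule count."""
    cov = coverage(rules)
    max_score = max((len(v) for v in cov.values()), default=1)
    return {
        "name": name,
        # Assumed ATT&CK/Navigator/layer-format versions; adjust to the Navigator you run.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "score = number of detection rules mapped to the technique",
        "techniques": [
            {"techniqueID": tid, "score": len(names), "comment": "; ".join(names)}
            for tid, names in sorted(cov.items())
        ],
        "gradient": {"colors": ["#ffffff", "#2e7d32"], "minValue": 0, "maxValue": max_score},
    }


def coverage_gaps(rules, priority_ids):
    """Priority techniques (e.g. from a threat report on a relevant group) with no rule."""
    covered = coverage(rules)
    return sorted(tid for tid in priority_ids if tid not in covered)


def to_json(layer):
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    # Constructed priority list: techniques a threat report says matter for this environment.
    priority = ["T1059.001", "T1003.001", "T1021.001", "T1486"]
    print("uncovered priority techniques:", coverage_gaps(RULES, priority))
    print(to_json(build_layer(RULES)))
```

The printed JSON can be loaded into ATT&CK Navigator through its "Open Existing Layer" option to colour the matrix by coverage; the gap list is the input to the next round of detection engineering.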
Tools and Frameworks
ATT&CK Navigator
Web-based tool for visualizing and customizing the ATT&CK matrix. Allows mapping of techniques and tactics to specific use cases. Supports annotations and layer customization.
CALDERA
Automated adversary emulation platform. Uses the ATT&CK framework for testing defenses. Supports modular plugins for various attack scenarios.
MITRE ATT&CK Workbench
Open-source tool for managing and customizing ATT&CK data. Enables collaboration and sharing of custom matrices. Useful for internal threat modeling and analysis.
Atomic Red Team
Open-source library of tests mapped to ATT&CK techniques. Allows security teams to simulate real-world attacks. Facilitates testing and validating defensive measures.
Prelude Operator
Security automation platform using ATT&CK for red teaming. Provides a user-friendly interface for attack simulations. Emphasizes continuous testing and improvement.
ATT&CK Evaluations
Assessments conducted by MITRE to evaluate products against ATT&CK techniques. Helps organizations understand security tool effectiveness. Useful for benchmarking and improving security posture.
1.7. CVSS
CVSS (Common Vulnerability Scoring System) is a standardized framework, maintained by FIRST, for rating the severity of security vulnerabilities on a 0.0-10.0 scale. Versions 3.0 and 3.1 group the metrics into Base, Temporal, and Environmental metric groups; a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H records the individual metric values alongside the score. CVSS v4.0 (2023) replaced the Temporal group with a Threat group and added Supplemental metrics. Note that CVSS rates severity, not risk: it does not say whether a vulnerability is actually being exploited or how exposed a particular deployment is, which is why it is combined with Environmental metrics or exploitation data (such as EPSS) for prioritization.
Components and Features
Base Metrics
Base metrics represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments, and they produce the score usually published with an advisory. They are divided into Exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction), Impact metrics (Confidentiality, Integrity, Availability), and Scope, which records whether the vulnerability affects resources beyond the vulnerable component.
Temporal Metrics
Temporal metrics reflect characteristics that change over time but not across environments: Exploit Code Maturity, Remediation Level, and Report Confidence. Their multipliers are at most 1, so they can only lower the Base score.
Environmental Metrics
Environmental metrics let an organization adjust the score for its own deployment: the Confidentiality, Integrity, and Availability Requirements of the affected asset, and modified Base metrics that reflect compensating controls in that environment.
Tools and Frameworks
NVD CVSS Calculator
Official calculator from the National Vulnerability Database. Allows calculation of CVSS scores using base, temporal, and environmental metrics.
FIRST CVSS Calculator
Reference calculators hosted by the Forum of Incident Response and Security Teams (FIRST), which maintains the specification. User-friendly interface for calculating CVSS v2, v3.x, and v4.0 scores.
CVSS Calculator (CVSSv3)
Web-based tool for calculating CVSS v3 scores. Provides an intuitive interface with real-time score updates.
OpenVAS
Open-source vulnerability scanner with integrated CVSS scoring. Automatically calculates CVSS scores for identified vulnerabilities.
Qualys Vulnerability Management
Commercial vulnerability management tool. Integrates CVSS scoring in vulnerability assessments.
Tenable.io
Cloud-based vulnerability management platform. Utilizes CVSS scoring for risk prioritization and management.
1.8. TRIKE
TRIKE provides a structured, stakeholder-driven approach to threat modeling, focusing on risk management and quantitative analysis. It helps organizations identify security requirements, analyze threats, and implement effective controls to mitigate risks.
Components and Features
Risk-Based Methodology
Uses a risk management approach to prioritize threats based on potential impact.
Stakeholder Involvement
Involves various stakeholders to ensure comprehensive threat identification and assessment.
Requirement Models
Defines security requirements based on stakeholder needs and identified risks. Built from actors, assets, and the actions each actor is allowed to perform on each asset (create, read, update, delete), recorded in an actor-asset matrix that becomes the baseline for what counts as a threat.
Threat Models
Analyzes the requirement model to identify threats as deviations from the intended actions: an allowed action being prevented (denial of service) or an actor performing an action that is not allowed (elevation of privilege). Includes attacker profiles, goals, and potential attack vectors.
Implementation Models
Maps and aligns the security requirements with the system architecture, ensuring that requirements are effectively integrated into the system design.
Role-Based Analysis
Considers the different user roles and their interactions with the system, identifying threats from the permissions and actions each role has.
Quantitative Risk Assessment
Uses quantitative metrics to assess risk levels, providing a clear basis for prioritizing security efforts.
Attack Graphs
Visualizes potential attack paths through the system to help identify and address security gaps.
Tools and Frameworks
TRIKE
Official GitHub Repository with documentation and examples. Provides templates and guidelines for using TRIKE.
IriusRisk
Supports various threat modeling frameworks, including TRIKE. Automated risk assessment and mitigation suggestions.
1.9. VAST
VAST (Visual, Agile, and Simple Threat modeling) is a methodology, associated with the ThreatModeler tool, designed for simplicity and scalability across large organizations. It uses two submodels: the Application Threat Model, which covers the application's design and technical attack surface, and the Operational Threat Model, which covers the infrastructure and operational environment. VAST is intended to fit into agile development practices so that threat models are maintained as part of normal delivery rather than as a one-off exercise.
Components and Features
Visual
Uses diagrams (process flow diagrams for applications, infrastructure diagrams for operations) so that developers, operations staff, and other stakeholders share one intuitive model of the threats.
Agile
Designed to fit into Agile and DevOps workflows: threat models are updated iteratively as part of regular development cycles rather than produced once up front.
Simple Threat
Simplifies the threat modeling process so that non-security experts can contribute without a security specialist driving every session.
Application Threat Model
Identifies and analyzes threats specific to a software application, based on its use cases, user interactions, and process flows.
Operational Threat Model
Addresses threats to the IT infrastructure and operational environment, taking a holistic view of networks, servers, and other infrastructure components as part of the threat landscape.
Tools and Frameworks
ThreatModeler
Comprehensive tool designed for VAST. Provides visual threat modeling and integrates with Agile workflows. Supports large-scale enterprise applications.
IriusRisk
Supports VAST methodology. Offers automated threat modeling with detailed risk assessments. Integrates with CI/CD pipelines and Agile practices.
1.10. OCTAVE
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based strategic assessment and planning methodology developed by the CERT Program at Carnegie Mellon University's Software Engineering Institute (SEI). It focuses on organizational risk management rather than on a single application, emphasizing the identification and protection of critical assets through a systematic evaluation of threats, vulnerabilities, and risks, and it is driven by the organization's own staff rather than by external assessors.
Components and Features
Operationally Critical
Focuses on risks that are critical to the organization's operations. Prioritizes assets and processes essential for business continuity.
Threat
Identifies potential threats to critical assets. Considers internal and external threat sources. Analyzes how these threats could impact the organization.
Asset
Emphasizes the protection of key information assets. Includes data, systems, and processes vital to the organization. Involves stakeholders in identifying and valuing these assets.
Vulnerability
Assesses weaknesses in systems and processes. Identifies potential exploit points that threats could target. Evaluates the effectiveness of existing controls.
Tools and Frameworks
OCTAVE Allegro
Streamlined variant of the OCTAVE method published by the SEI, focused on information assets and the containers (systems, people, physical media) in which they are stored, transported, and processed. Its published worksheets and templates give a structured analysis without requiring a large assessment team.
RiskWatch
Comprehensive risk management platform. Supports OCTAVE methodology for risk assessment. Facilitates asset identification, threat analysis, and risk prioritization.
RiskLens
Focuses on quantitative risk assessment. Compatible with OCTAVE for integrating threat and vulnerability data. Provides risk analysis and reporting features.
RSA Archer
Integrated risk management tool that can support OCTAVE. Offers modules for threat management and vulnerability assessment. Customizable workflows for risk analysis.
Xacta
Risk management tool with support for OCTAVE principles. Facilitates compliance and vulnerability assessments. Provides risk scoring and reporting capabilities.
2. Best Practice
Applying Best Practice helps ensure a structured, effective approach to identifying and mitigating security threats, ultimately enhancing the overall security posture of the system.
Identify Assets
Focus on what needs protection, such as data, systems, and user privacy.
Understand the Architecture
Create detailed diagrams or models to visualize system components and data flows.
Identify Threats
Use Threat Modeling frameworks like STRIDE to systematically identify potential security threats.
Determine and Prioritize Risks
Assess the likelihood and impact of each identified threat to prioritize mitigation efforts. For threats that map to known vulnerabilities, exploitation likelihood estimates such as EPSS (Exploit Prediction Scoring System) can inform the likelihood side of the assessment.
Mitigation Strategies
Develop and implement controls to address identified threats, such as encryption, authentication, and access controls.
Iterative Process
Continuously review and update the threat model as the system evolves, incorporating feedback and lessons learned.
Assume an Attacker’s Perspective
Consider potential threats from the viewpoint of an adversary to uncover vulnerabilities.
Integration into Development Lifecycle
Shift threat modeling left: incorporate it throughout the Secure Software Development Lifecycle (SSDLC), starting at design time, so that risks are identified before they are built into the system.
Collaboration
Engage Cross-Functional Teams, including developers, security experts, and stakeholders, to ensure comprehensive threat identification and mitigation.
Document and Communicate
Clearly document the threat model, the identified risks, and the chosen mitigations, for example in Architectural Decision Records (ADRs), and ensure effective communication across the team.
3. Terminology
Asset
Anything valuable that needs protection, such as data, systems, or intellectual property.
Threat
A potential cause of an unwanted incident, which may result in harm to a system or organization.
Vulnerability
A weakness in a system or process that can be exploited by a threat to cause harm.
Attack Vector
The path or means by which an attacker can gain access to a system.
Risk
The potential for loss or damage when a threat exploits a vulnerability.
Mitigation
Measures taken to reduce the likelihood or impact of a threat exploiting a vulnerability.
Threat Actor
An individual or group posing a threat to a system.
Threat Scenario
A specific instance of a threat exploiting a vulnerability, describing the steps an attacker might take.
Attack Surface
The sum of all the points where an attacker could try to enter or extract data from a system.
Threat Model
A structured representation of potential threats to a system and the measures taken to counter them.
Impact
The potential damage or adverse effect resulting from a successful threat exploitation.
Likelihood
The probability of a threat exploiting a vulnerability.
Security Control
Safeguards or countermeasures implemented to protect assets and reduce risk.
Data Flow Diagram (DFD)
A graphical representation of data flow within a system, used to identify potential threats.
Security Requirement
Specific criteria or constraints that must be met to ensure the security of a system.
Abuse Case
A scenario that describes how a system can be misused by a threat actor.
Residual Risk
The remaining risk after security controls have been applied.