Threat Modeling
Threat modeling is the process of identifying potential security threats and vulnerabilities in a system during the design phase. This proactive approach helps teams build security into systems from the start rather than bolting it on afterward.
Why Threat Model?
STRIDE Methodology
STRIDE is Microsoft's threat modeling framework that categorizes threats into six categories. Each category maps to a specific security property that the threat violates.
| Threat | Description | Security Property | Example |
|---|---|---|---|
| Spoofing | Pretending to be something or someone else | Authentication | Attacker uses stolen credentials |
| Tampering | Modifying data or code without authorization | Integrity | SQL injection modifies database |
| Repudiation | Denying having performed an action | Non-repudiation | User denies making a transaction |
| Information Disclosure | Exposing information to unauthorized parties | Confidentiality | Sensitive data in error messages |
| Denial of Service | Denying or degrading service to users | Availability | Resource exhaustion attack |
| Elevation of Privilege | Gaining capabilities without authorization | Authorization | Local user gains admin rights |
STRIDE per Element
Apply STRIDE to each element in your Data Flow Diagram (DFD):
External Entities
Vulnerable to: S, R
Users, external systems, third-party APIs
Processes
Vulnerable to: S, T, R, I, D, E
Application logic, services, functions
Data Stores
Vulnerable to: T, R, I, D
Databases, files, caches, message queues
Data Flows
Vulnerable to: T, I, D
Network connections, API calls, IPC
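The per-element mapping above can be turned into a review checklist mechanically. The following is an added example, not code from the original page: the sample DFD, its element names and the `crosses_trust_boundary` flag are assumptions made for illustration.

```python
from dataclasses import dataclass

# Category letter -> (threat, security property violated), from the STRIDE table.
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# DFD element type -> applicable categories, as listed in this section.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    crosses_trust_boundary: bool = False  # assumption: used only to order the review

def enumerate_threats(elements):
    """Return one (element, threat, property, crosses_boundary) row per applicable category."""
    rows = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {el.kind!r}")
        for letter in APPLICABLE[el.kind]:
            threat, prop = STRIDE[letter]
            rows.append((el.name, threat, prop, el.crosses_trust_boundary))
    rows.sort(key=lambda r: not r[3])  # stable sort: trust-boundary elements first
    return rows

# Constructed sample DFD; element names are illustrative.
DFD = [
    Element("Browser user", "external_entity"),
    Element("Login API", "process"),
    Element("Credentials DB", "data_store"),
    Element("Browser -> Login API", "data_flow", crosses_trust_boundary=True),
]

if __name__ == "__main__":
    for name, threat, prop, boundary in enumerate_threats(DFD):
        print(f"{'*' if boundary else ' '} {name:22} {threat:24} violates {prop}")
```

Each row is a question to answer during review; rows marked `*` belong to an element that crosses a trust boundary and are listed first.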
PASTA Framework
Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage, risk-centric threat modeling methodology that aligns business objectives with technical requirements.
Define Objectives
Identify business objectives, security requirements, and compliance needs. What are we protecting and why?
Define Technical Scope
Document the technical environment: infrastructure, applications, dependencies, and data flows.
Application Decomposition
Create DFDs, identify trust boundaries, entry points, assets, and privilege levels.
Threat Analysis
Research attack patterns, threat intelligence, and relevant threat actors for your industry.
Vulnerability Analysis
Map vulnerabilities to threat scenarios. Use vulnerability databases and SAST/DAST results.
Attack Modeling
Build attack trees, simulate attacks, and determine attack probability and impact.
Risk & Impact Analysis
Quantify risk, prioritize mitigations, and develop countermeasures aligned with business impact.
DREAD Risk Rating
DREAD is a qualitative risk rating model used to prioritize threats. Each category is rated 1-10 and averaged to produce an overall risk score.
| Factor | Question | Low (1-3) | High (8-10) |
|---|---|---|---|
| Damage | How bad is the impact? | Minor data leakage | Complete system compromise |
| Reproducibility | How easy to reproduce? | Requires rare conditions | Always reproducible |
| Exploitability | How easy to exploit? | Requires expert skills | Script kiddie can do it |
| Affected Users | How many users affected? | Single user | All users |
| Discoverability | How easy to find? | Requires source code access | Obvious in UI/docs |
DREAD Score Calculation
Risk = (D + R + E + A + D) / 5
0-3: Low Risk | 4-6: Medium Risk | 7-10: High Risk
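The score calculation above, as an added example that is not part of the original page: it validates the 1-10 ratings, ranks several threats, and handles averages that fall between the stated bands. The ratings are constructed, and rounding half up before banding is an assumption, since the page defines the bands only for whole numbers.

```python
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

def dread_score(ratings):
    """Average the five DREAD factors; each must be an integer from 1 to 10."""
    if set(ratings) != set(FACTORS):
        raise ValueError(f"expected exactly these factors: {FACTORS}")
    for name in FACTORS:
        value = ratings[name]
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{name} must be an integer 1-10, got {value!r}")
    return sum(ratings[name] for name in FACTORS) / 5

def risk_band(score):
    """Map a score to the bands 0-3 Low, 4-6 Medium, 7-10 High.

    The bands are given for whole numbers, so an average such as 3.4 or 6.6
    falls between them. Assumption made here: round half up before banding.
    """
    nearest = int(score + 0.5)
    if nearest <= 3:
        return "Low"
    return "Medium" if nearest <= 6 else "High"

def rank(threats):
    """Return (name, score, band) tuples sorted from highest to lowest score."""
    scored = sorted(((dread_score(r), name) for name, r in threats.items()), reverse=True)
    return [(name, score, risk_band(score)) for score, name in scored]

def _r(d, r, e, a, di):
    # Helper: build a ratings dict in FACTORS order.
    return dict(zip(FACTORS, (d, r, e, a, di)))

# Constructed ratings for threats named in the STRIDE table's Example column.
THREATS = {
    "SQL injection on login form": _r(9, 9, 7, 10, 8),       # 8.6
    "Sensitive data in error messages": _r(4, 8, 6, 3, 7),   # 5.6
    "User denies making a transaction": _r(5, 3, 3, 3, 3),   # 3.4, between bands
    "Resource exhaustion attack": _r(7, 7, 7, 6, 6),         # 6.6, between bands
}

if __name__ == "__main__":
    for name, score, band in rank(THREATS):
        print(f"{score:4.1f}  {band:6}  {name}")
```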
LINDDUN (Privacy Threats)
LINDDUN is a privacy-focused threat modeling framework, essential for GDPR compliance and privacy-by-design requirements.
Linkability
Ability to link two or more items of interest about a data subject
Identifiability
Ability to identify a data subject within a set of subjects
Non-repudiation
Inability to deny a claim (can be privacy-negative)
Detectability
Ability to distinguish whether an item of interest exists
Disclosure of Information
Exposure of personal data to unauthorized parties
Unawareness
Data subject is unaware of data collection or processing
Non-compliance
Not complying with legislation, regulations, or corporate policies (GDPR, CCPA, HIPAA)
Attack Trees
Attack trees are hierarchical diagrams showing how a system might be attacked. The root node is the attacker's goal, and child nodes represent ways to achieve that goal.
Attack Tree Structure
Goal: Steal User Credentials
├── [OR] Phishing Attack
│   ├── [AND] Create convincing email
│   └── [AND] Set up credential harvesting site
├── [OR] Exploit Web Vulnerability
│   ├── SQL Injection on login form
│   └── XSS to steal session tokens
├── [OR] Credential Stuffing
│   ├── [AND] Obtain breached credentials
│   └── [AND] Automate login attempts
└── [OR] Social Engineering
    ├── Call helpdesk for password reset
    └── Impersonate IT support
OR Nodes
Any child node can achieve the parent goal. Attack succeeds if ANY path works.
AND Nodes
All child nodes must succeed for the parent goal. Attack requires ALL conditions.
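The AND/OR semantics above determine how much a single control buys you. The following added example (not part of the original page) evaluates the tree shown earlier. It assumes the four top-level branches are alternatives, that children marked [AND] are all required, and that unlabeled children are alternatives; `blocked` is a hypothetical set of leaf steps that a control has closed off.

```python
def OR(name, *children):
    return ("OR", name, children)

def AND(name, *children):
    return ("AND", name, children)

def leaf(name):
    return ("LEAF", name, ())

TREE = OR("Steal User Credentials",
    AND("Phishing Attack",
        leaf("Create convincing email"),
        leaf("Set up credential harvesting site")),
    OR("Exploit Web Vulnerability",
        leaf("SQL Injection on login form"),
        leaf("XSS to steal session tokens")),
    AND("Credential Stuffing",
        leaf("Obtain breached credentials"),
        leaf("Automate login attempts")),
    OR("Social Engineering",
        leaf("Call helpdesk for password reset"),
        leaf("Impersonate IT support")),
)

def achievable(node, blocked):
    """True if the node's goal can still be reached given the blocked leaves."""
    kind, name, children = node
    if kind == "LEAF":
        return name not in blocked
    results = [achievable(child, blocked) for child in children]
    return all(results) if kind == "AND" else any(results)

def open_paths(node, blocked):
    """Return the sets of leaf steps that still reach the node's goal."""
    kind, name, children = node
    if kind == "LEAF":
        return [] if name in blocked else [frozenset([name])]
    child_paths = [open_paths(child, blocked) for child in children]
    if kind == "OR":
        return [path for paths in child_paths for path in paths]
    combos = [frozenset()]  # AND: one path from every child, none if any child is closed
    for paths in child_paths:
        combos = [a | b for a in combos for b in paths]
    return combos

if __name__ == "__main__":
    blocked = {"Automate login attempts", "SQL Injection on login form"}
    for path in open_paths(TREE, blocked):
        print(" + ".join(sorted(path)))
```

Blocking one child closes an AND branch entirely, while an OR branch stays open until every child is blocked, which is why the sample run still lists the XSS path after SQL injection is blocked.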
Threat Modeling Process
Identify Assets
What are we trying to protect? Data, functionality, reputation, compliance status.
Create Architecture Diagrams
Build Data Flow Diagrams (DFDs) showing processes, data stores, data flows, and trust boundaries.
Identify Threats
Apply STRIDE to each element. Consider who might attack, their motivations, and capabilities.
Rate Threats
Use DREAD or CVSS to prioritize threats by risk. Focus on high-impact, high-likelihood threats first.
Determine Mitigations
For each threat: mitigate (reduce risk), eliminate (remove feature), transfer (insurance), or accept.
Validate & Iterate
Verify mitigations are implemented. Update threat model as architecture evolves.
Threat Modeling Tools
Microsoft Threat Modeling Tool
Free tool for creating DFDs and auto-generating STRIDE threats
Free • Windows
OWASP Threat Dragon
Open-source threat modeling tool with diagram editor
Free • Cross-platform
STRIDE Modeler Tool
Interactive STRIDE threat modeling tool built into Hacker's Manifest
Built-in • Interactive
Threagile
Agile threat modeling as code using YAML
Free • CLI