IT Security Threat Modeling

Threat modeling is the process of identifying, analyzing and categorizing threats.

List of Cybersecurity Threat Models

Cybersecurity Threat Models featured on this post:

  • MITRE ATT&CK
  • STRIDE
  • PASTA
  • DREAD
  • VAST
  • Diamond Model of Intrusion Attack

The most popular is MITTRE ATT&CK.

MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Matrix is both a threat model to classify the nature of threat and a knowledge base, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.

It can help to integrate both internally created intelligence and external threat feed data.

The Cyber Killer Chain consists of these steps:

  1. Recon
  2. Weaponize
  3. Deliver
  4. Exploit
  5. Execute
  6. Control
  7. Maintain

In addition to the model, it is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

It is broadly accepted by threat modeling and threat intelligence organizations and is used as default model in many software packages and tools.

MITRE ATT&CK official website

STRIDE

STRIDE is a threat model to classify the nature of threat.

It is developed by American company Microsoft.

STRIDE is an acronym that stands for the different threat categories it considers:

  1. Spoofing
  2. Tampering
  3. Repudiation
  4. Information Disclosure
  5. Denial of Service (DoS)
  6. Escalation of Privilege

STRIDE official website

STRIDE 2009 website

Applying STRIDE 2009 webiste

Microsoft Threat Modeling Tool official website

PASTA

Process for Attack Simulation and Threat Analysis (PASTA) is designed to help with countermeasure selection in relation to the assets to be protected.

It was created by Tony Uceda Vélez and Marco M. Morana from American company VerSprite.

PASTA stages:

  1. Define of objectives (DO) for the analysis of risks
  2. Definition of the technical scope (TS)
  3. Application decomposition and analysis (ADA)
  4. Threat analysis (TA)
  5. Weakness and Vulnerability analysis (WVA)
  6. Attack modeling & simulation (AMS)
  7. Risk analysis & management (RAM)

PASTA official website

DREAD

DREAD is developed by Microsoft, but it is now abandoned in favor of STRIDE. Nevertheless, DREAD defines the name of threat attributes while STRIDE offers simple threat categories.

DREAD’s categories of risk:

  1. Damage
  2. Reproducibility
  3. Exploitability
  4. Affected Users
  5. Discoverability

It is featured in the CCSP exam version designed in 2021.

ATASM

ATASM stands for Architecture, Threat, Attack Surfaces, and Mitigations.

ATASM steps:

  1. Seek to understand the architecture
  2. List all threat agents, their goals, methods, and objectives
  3. Look at your architecture’s potential attack surfaces and look at how the attack methods and objectives already identified would interact with the attack surface being assessed
  4. Review security controls and the attack surfaces, removing any attack surfaces that are sufficiently secured by existing controls

It seems to have been modeled by Brook Schoefield.

ATASM website

VAST

Visual, Agile, and Simple Thread (VAST) integrates threat and risk management into an Agile programming environment on a scalable basis.

Diamond Model of Intrusion Attack

Diamond model of intrusion attack addresses how to think about intrusions, without addressing broader threats.

You can read more about it on this external link.

You might also be interested in…

External References

  • STRIPE
    • M. Chapple et al; “CISSP Study Guide Ninth Edition”, chapter 1 “Security governance through principles and policies”, section “Threat Modeling”, p. 27; Wiley, 2021
    • M. Chapple, D. Seidl; “CCSP Study Guide Third Edition”, p. 173; Wiley, 2021
  • PASTA
    • M. Chapple et al; “CISSP Study Guide Ninth Edition”, chapter 1 “Security governance through principles and policies”, section “Threat Modeling”, p. 27-28; Wiley, 2021
    • Tony Uceda Velez, Marco M. Morana; “Threat MOdeling: Process for Attack Simulation and Threat Analysis”; Wiley 2015
    • M. Chapple, D. Seidl; “CCSP Study Guide Third Edition”, p. 1743; Wiley, 2021
  • DREAD
  • ATASM
  • VAST
    • M. Chapple et al; “CISSP Study Guide Ninth Edition”, chapter 1 “Security governance through principles and policies”, section “Threat Modeling”, p. 28; Wiley, 2021

Leave a Reply

Your email address will not be published. Required fields are marked *