Threat Modeling

Objectives: By the end of this topic, you will be able to…

Understand and apply basic threat modeling methodologies

Use visual tools to represent threats

Formulate practical countermeasures for simulated scenarios

Justify security decisions in system design

What is threat modeling?

Threat modeling is the systematic process of:

Identifying which assets need to be protected
Determining who could attack them (threat actors)
Analyzing how they could do it (attack vectors)
Assessing vulnerabilities and their impact
Defining controls to mitigate those risks

Purpose: anticipate potential attacks, design more secure systems from the start, and prioritize security controls and resources.

Why is it important?

Threat modeling is applied mainly during the design phase of the Secure Software Development Lifecycle (SDLC), before implementing solutions, when:

Fixing vulnerabilities is cheaper
The architecture can be modified without major impacts

Benefits:

Improves communication between teams (security, development, product)
Helps understand the system from an attacker’s perspective
Prioritizes protection of the most critical assets

Threat modeling methodologies

STRIDE (Microsoft)

Each letter represents a threat category:

Threat Type	Description
Spoofing	Identity impersonation
Tampering	Data or code manipulation
Repudiation	Denial of actions without evidence
Information Disclosure	Leakage of sensitive information
Denial of Service	Service disruption
Elevation of Privilege	Gaining unauthorized permissions

Useful for mapping threats by component in a system.

DREAD (threat prioritization)

Used to rank and prioritize threats based on risk:

Criterion	Associated Question
Damage	How severe is the damage if it happens?
Reproducibility	How easily can the attack be repeated?
Exploitability	How easy is it to exploit the threat?
Affected Users	How many users are affected?
Discoverability	How easy is it to discover the threat?

Each criterion is scored from 1 to 10. The average gives an idea of the overall risk.

PASTA (Process for Attack Simulation and Threat Analysis)

A more comprehensive methodology oriented toward enterprise risk management, consisting of 7 stages: define business objectives, define attack surface, model threats, model vulnerabilities, analyze impact, model attacks, and plan mitigations. More widely used in complex or regulated corporate environments.

Data Flow Diagrams (DFDs)

DFDs visualize how information flows in a system and help identify critical points from a security perspective.

Element	Common Symbol	Example
External entity	Rectangle	User, external system
Process	Circle/Oval	Web service, business logic
Data store	Two lines	Database, files
Data flow	Arrow	Interaction between elements

Why use DFDs?

Identify where data enters/exits the system
Apply STRIDE to each component
Provide a clear communication tool for developers and analysts

Identifying threats, vectors, and mitigations

Example: User login web system

Asset	Threat (STRIDE)	Vector	Mitigation
User credentials	Spoofing, Disclosure	Brute force, MITM	Password hashing, HTTPS
Database	Tampering	SQL Injection	Input validation, WAF
System logs	Repudiation	Log deletion	Immutable logs, auditing
Internal API	Elevation of Privilege	Endpoint abuse	Access control, JWT validation

Key questions for threat analysis:

What attackers can access the system?
What assets are valuable to them?
What vectors could they use?
What vulnerabilities exist at entry/exit points?
What controls would reduce risk?

Hands-on lab

Requirements: Draw.io, Threat Dragon, or Lucidchart. Base case: Online Banking Web Application

Part 1: Case introduction and asset analysis

Review the base case: online banking web system
In pairs, identify critical assets and list entry points and actors
Create a basic Data Flow Diagram (DFD) with at least:
- 2 processes, 2 data stores, 2 external entities, 2 data flows with direction

Part 2: Applying STRIDE to the DFD

Analyze the DFD and review each component, applying STRIDE
Complete a table with at least one threat per component:

Element	STRIDE Type	Threat Description	Proposed Countermeasure
Login	Spoofing	Attacker impersonates a legitimate user	Multi-factor authentication, suspicious IP detection
DB	Tampering	Alteration of transaction records	Digital signatures, integrity control
API Email	Repudiation	User denies making a transfer	Audit logging with timestamp and session token

Part 3: Risk analysis with DREAD

Select 2-3 threats from the STRIDE analysis
Apply the DREAD formula:

(D + R + E + A + D) / 5 = Total Risk

Compare threats and discuss which should be mitigated first

Part 4: Documentation and export

Export the DFD diagram as .png or PDF
Export STRIDE and DREAD tables
Write a mini report containing: system description, DFD, threats table, DREAD scores, prioritized countermeasures

Submission

Data Flow Diagram (.png or .pdf)
STRIDE table with at least 5 different threats
DREAD table with scores and priorities
Document or presentation with findings

Key concepts

Term	Definition
STRIDE	Threat categorization model: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
DREAD	Threat prioritization model based on five risk criteria
DFD	Data flow diagram that visualizes how information flows through a system
PASTA	Threat modeling methodology oriented toward enterprise risk management

Test yourself

STRIDE: Given an e-commerce system with a shopping cart, payment gateway, and customer database, identify at least one threat for each STRIDE category.
DREAD: For a SQL injection vulnerability in a login form, assign DREAD scores (1-10) to each criterion and calculate the total risk. Justify your scores.
Design: Why is it more cost-effective to apply threat modeling during the design phase than to fix vulnerabilities in production?

Navigation: ← Previous | Home | Next →

Quartz 4

Explorer

04 - Threat Modeling