Threat Modeling
Objectives: By the end of this topic, you will be able to…
- Understand and apply basic threat modeling methodologies
- Use visual tools to represent threats
- Formulate practical countermeasures for simulated scenarios
- Justify security decisions in system design
What is threat modeling?
Threat modeling is the systematic process of identifying which assets need to be protected, determining who could attack them (threat actors), analyzing how they could do it (attack vectors), assessing vulnerabilities and their impact, and defining controls to mitigate those risks. Its purpose is to anticipate potential attacks, design more secure systems from the start, and prioritize security controls and resources.
Why is it important?
Threat modeling is applied mainly during the design phase of the Secure Software Development Lifecycle (SDLC), before implementing solutions — when fixing vulnerabilities is cheaper and the architecture can still be modified without major impact. Doing it early improves communication between security, development, and product teams; helps everyone understand the system from an attacker’s perspective; and ensures that protection effort is focused on the most critical assets first.
Threat modeling methodologies
STRIDE (Microsoft)
Each letter represents a threat category:
| Threat Type | Description |
|---|---|
| Spoofing | Identity impersonation |
| Tampering | Data or code manipulation |
| Repudiation | Denial of actions without evidence |
| Information Disclosure | Leakage of sensitive information |
| Denial of Service | Service disruption |
| Elevation of Privilege | Gaining unauthorized permissions |
Useful for mapping threats by component in a system.
DREAD (threat prioritization)
Used to rank and prioritize threats based on risk:
| Criterion | Associated Question |
|---|---|
| Damage | How severe is the damage if it happens? |
| Reproducibility | How easily can the attack be repeated? |
| Exploitability | How easy is it to exploit the threat? |
| Affected Users | How many users are affected? |
| Discoverability | How easy is it to discover the threat? |
Each criterion is scored from 1 to 10. The average gives an idea of the overall risk.
PASTA (Process for Attack Simulation and Threat Analysis)
A more comprehensive methodology oriented toward enterprise risk management, consisting of 7 stages: define business objectives, define attack surface, model threats, model vulnerabilities, analyze impact, model attacks, and plan mitigations. More widely used in complex or regulated corporate environments.
Data Flow Diagrams (DFDs)
DFDs visualize how information flows in a system and help identify critical points from a security perspective.
| Element | Common Symbol | Example |
|---|---|---|
| External entity | Rectangle | User, external system |
| Process | Circle/Oval | Web service, business logic |
| Data store | Two lines | Database, files |
| Data flow | Arrow | Interaction between elements |
DFDs are useful because they make it easy to identify where data enters and exits the system, apply STRIDE analysis to each component, and serve as a clear communication tool that both developers and security analysts can reason about together.
Here is a minimal DFD for a login system — the kind you will build in the lab:
[User] (Validate Credentials) =User DB=
│ │ │ │
│──── username + password ────►│ │◄──── user record ─────────│
│◄─── session token ───────────│ │──── lookup query ─────────►│
│
│──── write session ────► =Session Store=
Legend: [ ] external entity · ( ) process · = = data store · ───► data flow
Each arrow is a potential threat surface: the login request can be spoofed or intercepted (Spoofing, Information Disclosure), the DB query can be injected (Tampering), and the session write can be replayed (Elevation of Privilege). Drawing the diagram first makes these threats visible before writing a single line of code.
Identifying threats, vectors, and mitigations
Example: User login web system
| Asset | Threat (STRIDE) | Vector | Mitigation |
|---|---|---|---|
| User credentials | Spoofing, Disclosure | Brute force, MITM | Password hashing, HTTPS |
| Database | Tampering | SQL Injection | Input validation, WAF |
| System logs | Repudiation | Log deletion | Immutable logs, auditing |
| Internal API | Elevation of Privilege | Endpoint abuse | Access control, JWT validation |
When analyzing a system for threats, a useful mental checklist runs through five questions: who are the attackers that could realistically reach the system, what assets would be valuable to them, what vectors could they use to get there, what vulnerabilities exist at the entry and exit points they would traverse, and what controls would meaningfully reduce the risk of a successful attack.
Hands-on lab
Requirements: Draw.io, Threat Dragon, or Lucidchart. Base case: Online Banking Web Application
Part 1: Case introduction and asset analysis
- Review the base case: online banking web system
- In pairs, identify critical assets and list entry points and actors
- Create a basic Data Flow Diagram (DFD) with at least:
- 2 processes, 2 data stores, 2 external entities, 2 data flows with direction
? Which entry point in your DFD represents the highest risk, and why? What combination of threat actors and attack vectors makes it the most attractive target?
Part 2: Applying STRIDE to the DFD
- Analyze the DFD and review each component, applying STRIDE
- Complete a table with at least one threat per component:
| Element | STRIDE Type | Threat Description | Proposed Countermeasure |
|---|---|---|---|
| Login | Spoofing | Attacker impersonates a legitimate user | Multi-factor authentication, suspicious IP detection |
| DB | Tampering | Alteration of transaction records | Digital signatures, integrity control |
| API Email | Repudiation | User denies making a transfer | Audit logging with timestamp and session token |
? Looking at your completed STRIDE table, which category has the most threats in this system? What does this pattern reveal about its design weaknesses?
Part 3: Risk analysis with DREAD
- Select 2-3 threats from the STRIDE analysis
- Apply the DREAD formula:
(D + R + E + A + D) / 5 = Total Risk- Compare threats and discuss which should be mitigated first
? Did the DREAD scores change how you would prioritize threats compared to your initial intuition? Which criterion had the greatest influence on the final ranking?
Part 4: Documentation and export
- Export the DFD diagram as
.pngor PDF - Export STRIDE and DREAD tables
- Write a mini report containing: system description, DFD, threats table, DREAD scores, prioritized countermeasures
Submission
- Data Flow Diagram (
.pngor.pdf) - STRIDE table with at least 5 different threats
- DREAD table with scores and priorities
- Document or presentation with findings
Key concepts
| Term | Definition |
|---|---|
| STRIDE | Threat categorization model: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege |
| DREAD | Threat prioritization model based on five risk criteria |
| DFD | Data flow diagram that visualizes how information flows through a system |
| PASTA | Threat modeling methodology oriented toward enterprise risk management |