Threat Modeling Methodologies

Threat Modeling Methodologies

Learn to apply threat modeling to enhance the identification of cybersecurity security threats, prioritize them and implement effective risk mitigation.

How do you define threat modeling?

It is a proactive approach to evaluate cybersecurity threats. It involves identifying possible threats, then formulating methods or tests to identify and counter the threats. This includes being aware of how threats could affect systems, identifying threats and implementing the correct countermeasures.

A typical process for threat modeling methodology comprises five steps including threat intelligence assets identification the ability to mitigate, risks assessment and mapping of threats. Each provides distinct perspectives and insight into your security capabilities.

There are eight primary methods you can apply to modeling threat: STRIDE PASTA VAST Trike and CVSS. They also include Attack Trees and Security Cards and hTMM. Each methodology offers an alternative method of assessing the risks that are posed to you and your IT assets.

The advantages of threat modeling

Threat modeling offers these advantages:

It helps prioritize threats, and ensures that attention and resources are efficiently distributed. This method of prioritization can be used in the design, planning and the implementation of security in order to ensure that security solutions are as effective as they can possibly be.
Make sure that defenses are aligned with changing threats. If there isn’t, new threats might remain unprotected, making systems and data at risk.
Team members can adopt new software or tools. It assists teams in understanding the ways that applications and tools could be vulnerable compared to the protections available.
Aids developers prioritize changes to their existing software depending on the impact and severity of threats that are anticipated.

Which are five most important steps of the process of threat modeling?

When performing threat modeling various processes and elements must be taken into consideration. Inadvertently omitting one of these elements could result in inaccurate models and may make it impossible for threats to be properly dealt with.

1. Utilize threat intelligence

This section contains information on the types of threats, the vulnerable systems, detection methods as well as tools and methods that are used to exploit vulnerabilities and the motives of attackers.

Information on threat intelligence is typically taken by security researchers, and then made available through public databases, private solutions, or security communication platforms. It’s used to improve the understanding of threats and inform the response.

2. Find assets

Teams require a live inventory of the components such as credentials, data, and other components used, including where the assets are, and the security measures being used. This inventory assists security teams to identify assets with known weaknesses.

An inventory that is real-time allows security personnel to gain insight of changes in assets. For instance, receiving alerts for the addition of assets or without authorization that could signal an imminent risk.

3. Identify mitigation capabilities

Mitigation capabilities generally mean technologies that protect, detect and deal with a particular type of threat however it could also be a reference to the security knowledge of an organization and capabilities, and also their procedures. Examining your capabilities can assist you in determining if you should add more resources to counter a security threat.

For instance, if you are using enterprise-grade antivirus, you’ve got a basic security level against the most common malware threats. It is then possible to determine whether you want to spend more in order to connect the AV you have in place with the other capabilities of detection.

4. Examine the risks

Risk assessments link information about threats with inventory of assets and the current vulnerability profiles. These tools are essential for teams to assess the present state of their systems as well as create a strategy for addressing weaknesses.

Risk assessments may also include active testing of solutions and systems. For instance, penetration testing to ensure the security procedures and patches are efficient.

5. Do threat mapping

It is the procedure which tracks the possible route of potential threats through your systems. It can be used to simulate the way attackers could shift from resource to resource and assists teams in determining which defenses will be effectively placed or used.

Top threat modeling techniques and methods

In the process of threat modeling there are many approaches that you can employ. The most appropriate model for your needs will depend on the kinds of threats you’re trying to model, and also for what need.

The threat modeling of STRIDE

The STRIDE threat model developed by Microsoft engineers. It is designed to aid in the detection of threats within an environment. It’s used in conjunction with an understanding of the system being targeted. This makes it the most efficient for evaluating the individual systems.

The acronym STRIDE refers to the kind of threat it addresses, and include:

Spoofing — where a user or program that pretends to be someone else
Tampering — attackers alter components or even code
Repudiation — threats aren’t recorded or recorded or
Data that is disclosed to the public is exposed or leaked
DoS – Denial of Service (DoS) means that components or services are overloaded with traffic in order to block legitimate usage
In the process, attackers are granted additional rights to gain control over the system

Process for Attack Simulation and Threat Analysis (PASTA)

PASTA is an attack-centric method that has seven steps. It was designed to align goals of the business with technical specifications. The steps of PASTA help teams rapidly identify, count prioritize threats.

The main steps of the PASTA threat model include:

Define the business goals
Define the technical definition of components and assets
Application decomposition and identification of application controls
Analysis of threats based on threat intelligence
Vulnerability detection
Modeling and enumeration of attacks
Analysis of risk and the creation of countermeasures

Common Vulnerability Scoring System (CVSS)

CVSS is a standard threat scoring system that is used to identify known security vulnerabilities. It was created through NIST. National Institute of Standards and Technology (NIST) and is maintained through NIST’s Forum of Incident Response and Security Teams (FIRST).

This system was created to help security professionals analyze threats, detect impacts and detect existing countermeasures. It also assists security professionals evaluate and apply threat information that others have developed with confidence.

CVSS takes into account the basic nature of threats and the impact on the risk factors in relation to the time that has passed after the flaw was identified. It also contains security measures that allow teams to modify risk scores according to individual system configurations.

Visual Simple, Agile, and Visual Threat (VAST)

Visual Simple Threat (VAST) is an automatized method of modeling threats that is based upon the ThreatModeler platform. Large companies employ VAST throughout their infrastructure to produce solid, actionable results while maintaining the ability to scale.

VAST can be integrated with the DevOps lifecycle to help teams determine the various operational and infrastructure problems. The implementation of VAST requires the creation of two kinds of threat models:

Application threat model utilizes a process flow diagram in order to depict the architectural component of the threat
Operational threat model utilizes a diagram of data flow to show the threat from an attackr’s perspective


Trike is an auditing framework for security that is designed to assist in managing risk and security using threat modeling methods. Trike creates a system and analysts enumerate its assets, actors rules and actions in order to construct an understanding model. Trike generates a step-by-step matrix that has columns representing assets and rows for the actors. Each matrix cell contains four components that correspond to the possible actions (create the action, read it update, delete, and create) and the rule tree, where the analyst defines whether an action is permitted or not allowed by rules.

Trike creates a data flow diagram that maps each element to the appropriate actors and assets according to the requirements set. The analyst can use the diagram to determine threats to denial of service (DoS) and the threat of privilege escalation.

Trike evaluates the risk of attacks with a five-point scale of probability for each CRUD event and the actor. The system also assesses actors on the basis of their level of permission for each specific action (always at times, occasionally, or never).

Attack Trees

Attack trees are graphs which show the possible paths attacks may take in an environment. They show the goals of attacks as a root, with potential paths being represented as branches. When making trees for threat modeling the trees are constructed in multiple ways to be used in a single system. one for each goal of an attacker.

This is among the most popular and oldest methods for modeling threats. Although it was initially used as a stand-alone method the technique is now often used in conjunction with other methods such as CVSS, PASTA and STRIDE.

Security Cards

Security Cards Security Cards methodology is based on brainstorming and creativity instead of structured methods for modeling threats. It is designed to aid security teams recognize new or unusual attacks that are not commonly encountered. This is also a useful approach for security professionals to improve their the knowledge of threats and modeling techniques.

The strategy employs 42 cards that aid analysts in answering questions regarding potential attacks, like who could be at risk and what their motives could be, what systems they may target and the best way to carry out an attack. Analysts can play the cards in a form of table-top game to simulate attacks and then consider how an business might respond.

Hybrid Threat Modeling Approach (hTMM)

The hTMM methodology was created by Security Equipment Inc. (SEI) that integrates two other methods:

Security Quality Requirements Engineering (SQUARE) is a process developed to collect the categorizing and prioritizing of security requirements
Persona non Grata (PnG) is a methodological approach which focuses on identifying ways that a system may be used to achieve the objectives of attackers.

The hTMM software is designed to facilitate threat modeling that takes into account every threat that could exist, generates Zero false negatives. It delivers the same results, and is cost-effective.

It operates by applying Security Cards, removing unlikely PnGs, analyzing the results, and then formally assessing the risk by with SQUARE.

Learn to apply threat modeling to enhance the identification of cybersecurity security threats, prioritize them and implement effective risk mitigation. How do you define threat modeling? It is a proactive approach to evaluate cybersecurity threats. It involves identifying possible threats, then formulating methods or tests to identify and counter the threats. This includes being aware…