Skip to content

Threat Modelling

Threat Model Summary

[!info] Threat Modeling — The Short Version
Threat Modeling is the structured practice of identifying and prioritizing potential threats and vulnerabilities, and the prioritization…
http://medium.com/dark-roast-security/threat-modeling-the-short-version-5b70ba96cea8?utm_source=pocket_shared

[!important] STRIDE Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of privilege (STRIDE) was developed by Microsoft with the goal to aid applications in meeting security standards based on the CIA triad principles: Confidentiality, Integrity, and Availability. STRIDE offers a six-category process to identify security threats, shown below.

[!important] VAST The Visual, Agile, and Simple Threat (VAST) Model is a method based on ThreatModeler which is an automated threat modeling platform. The VAST threat modeling focuses on covering the entire software development lifecycle (SDLC) across an organization.

[!important] OCTAVE The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process is a risk-based strategic assessment and planning method that focuses on assessing organizational risks with little to no focus on technological risks. OCTAVE has three phases: Build asset-based threat profiles.
Identify infrastructure vulnerability.
Develop a security strategy and plans.

[!important] PASTA The Process for Stack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling framework that aims to bring business objectives and technical requirements together. PASTA employs an attacker-centric perspective to produce an asset-focused output in the form of threat enumeration and scoring.

[!important] DREAD The DREAD methodology was proposed by Microsoft and published in 2008. It is currently used by many organizations to assess the probability of security risks within five categories:

[!important] TRIKE Trike, was created as a security audit framework — it focuses on using threat models as a risk management tool. By using the requirements model, each asset is assigned an acceptable risk level. The analysis of requirements models yields a threat model where potential threats are identified and given risk values. Lastly, the appropriate security controls are assigned to each asset until the risk that the threats posed to each asset is within the tolerable range that the requirement model outlines. The completed threat model is then used to build a risk model, factoring in actions, assets, roles, and calculated risk exposure.

[!important] MITRE ATT&CK MITRE ATT&CK is a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” This framework is used in the development of threat models by providing a detailed outline of common techniques used by cybercriminals to compromise businesses and organizations.

[!important] CVSS The Common Vulnerability Scoring System (CVSS) method was developed by NIST and captures a vulnerability’s main characteristics, then assigns a numerical score which is then translated to a severity score. This representation helps organizations effectively assess and prioritize the vulnerabilities that exist in their environment.