Cyber security is protection for computer systems and other information technologies. Think of it as security in general terms, but more geared towards protecting technological information and other components such as hardware, data, and software.
What is threat modeling in Cyber Security? Threat modeling methods are used to find potential vulnerabilities, exploits and weaknesses. Generally threat modeling is done at the beginning of a project, allowing time for remediation and cyber security measures to be put in place to provide protection against potential cyber threats and attacks.
There are different threat modeling methods used in cyber security, with each one requiring a minimum number of steps. STRIDE Threat Modeling, the most popular has 6 main steps, PASTA Threat Modeling has 7 steps, Hybrid Threat Modeling Method (hTMM) has 5 steps, and OCTAVE Threat Modeling has 3 steps. All four methods provide 21 steps in total and focus on various aspects of the threat modeling process in cyber security.
In cyber security, there are several processes by which potential threats can be scoped out and identified before becoming an issue. One particular process is known as threat modeling. Within threat modeling, there are several different methods by which potential threats can be identified, analyzed, and mitigated.
What Are Some Threats to Cyber security?
So, with addressing threat modeling and how it can help to identify potential threats, it’s no surprise that many people, including myself, are unaware of the potential threats that need to be addressed in the first place.
When we think of an example of a threat, one of the first things that may come to mind is a physical or emotional threat towards something that could potentially, not definitively, harm us. The same concept applies to information technology or cyber security.
“A threat refers to any method that unapproved parties can use to gain access to sensitive information, networks, and applications.” 
Threats can come in all forms, shapes, and sizes from a number of sources, many that are unfortunately untraceable. They include viruses, phishing scams, and cyber-attacks and can be the result of a hacker or electronic source. Even worse, someone with granted access, a legitimate user, can also be a perceived threat.
As well as threats, there are also vulnerabilities and weaknesses. Vulnerabilities and weaknesses act as soft spots for threats and attacks to be easily carried out by hackers and viruses.
In adopting the threat modeling process, you can identify any vulnerabilities and weaknesses and thus further secure a system. In fact, threats and attacks most frequently gain access to valuable information through vulnerabilities and weaknesses. This is why finding the source of the issue before it even becomes relevant is important.
Threat Modeling Process in Cyber security
Because cyber security is spread far wide now more than ever, many people fail to realize that they use cyber security as well as threat modeling in their daily lives. In this case, threat modeling doesn’t necessarily refer to cyber security but rather the way in which we perceive potential mishaps or threats to ourselves and our daily routines.
For instance, before we even venture out for our daily commutes to work and school, we think of the possible threats to our commutes like traffic, car accidents, packed subway cars, etc. The same concept applies to the threat modeling process in cyber security.
“Threat modeling helps to define valuable assets and the possible attacks that they are likely to face. The purpose of threat modeling is to determine where the most effort should be applied to keep a system secured.” 
To simplify, threat modeling in cyber security consists of three main elements:
Addressing all three of these main elements will ensure that the system at hand is protected and secured. In addition to the three methods of the threat modeling process addressed in this blog post, there are about 8 to 12 methods that can also be used for threat modeling.
What is STRIDE in cyber security? STRIDE is a threat modeling technique created in 1999 and later adopted in 2002 by the well-known software company, Microsoft. The STRIDE method is the most widely used and oldest of its kind. Each letter of the STRIDE name, a mnemonic device, stands for a step by which threat can be identified: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.
STRIDE is currently no longer sustained through Microsoft; however, it is part of the company’s Microsoft Security Development Lifecycle. Let’s take a detailed look at each of the aspects of the STRIDE threat model below.
The purpose of spoofing attacks is to fool a person or a system into believing the person or system trying to get access is who they say they are, when they are really someone else.
The spoofing is the impersonating part of the attack, so armed with some information about the victim, like their date of birth, place of birth, maiden name to the name of their favorite band or the name of their pet. The spoofer tries to use the information they have about the victim to get access to the victims account.
Spoofing can include pretending to be from a different IP address than the real IP address they are coming from, so systems that have been set up to accept requests from a particular IP address, could end up believing the connection is from the trusted IP address when it is in fact from a spoofed IP address made to look like the trusted IP address.
Another area is DNS spoofing (also known as DNS cached poisoning) where the address translation from website name to the IP address used to find the web server where the website is hosted, is manipulated on the DNS server that provides the mapping between the website name and it’s corresponding IP address. So any connections go to a different IP address instead of the correct IP address associated with the website name.
As the DNS server entries have been amended to spoof to a different address, making it look like the intended website but it’s actually a different website altogether, with the same name, website name but with a different IP address.
This can be dangerous if the DNS server is spoofed to send someone to a website that looks like their bank website as they will end up entering their sensitive details like their credentials into the rogue website.
Tampering involves violating the integrity of a system or the information it contains, so the information is unknowingly modified or deleted, or new information added without anyone’s or any systems knowledge.
Take the example of an employee who manages to get access to confidential information on a system that they are not authorized to access. The employee knows the system keeps an audit trail in a log of all the people who access the system and the information they’ve accessed. They know this log is regularly analyzed and could easily give away what they are doing with the confidential information.
The employee manages to access the audit logs and deletes all the instances of themselves (their user account id) listed in the logs, so it looks like they have never accessed the system they have just accessed.
The integrity of the audit logs has been put into question because the employee tampered with the information. Thereby any checks on who has accessed the secret information will not flag up the unauthorized access by the employee, because there are no details of them accessing the system, even though they did.
Likewise a bank employee who manages to get access to a banking system and changes the amount of money in their bank account is another form of tampering and if they also change the audit logs of them doing this, then again, it’s tampering to hide and delete any evidence of their actions.
Repudiation involves trying to dispute and disprove an action took place or that the owner of the action was someone else instead of the person or system accused of undertaking the action.
As an example, an employee is accused of sending a malicious email to another employee using the company email system and denies they sent the email from their email account and that someone else must have sent it, when they were away from their desk as they’d forgot to lock their computer screen. The employee is repudiating the claim they did something, and they are not the person who sent the malicious email from their email account.
Non-repudiation is proving an action took place by a particular person or a particular system and as such they own the action as they did it. So, if the CCTV is checked and the employee is seen sat at their computer when the malicious email was sent, then it’s difficult to disprove they did send it. This could satisfy non-repudiation, proving the email sent the malicious email.
Digital signatures are good examples of non-repudiation at work, whereby by signing messages using a digital signature, it becomes difficult to prove someone else may have signed the message instead of the owner of the digital signature. It’s like saying the check you signed paying someone, wasn’t signed by you, but the signature exactly matches your signature, so it’s difficult to prove someone else did it.
The confidentiality of information is a vital tenet of Information Security along with Integrity and Availability, commonly abbreviated to CIA (see detailed article on CIA here). If the confidentiality of the information is compromised, then the repercussions can be quite extensive. For example, if the online medical records of a famous person are stolen by hackers and put into the public domain, then not only is it personally embarrassing for that person, but their confidential health records are no longer confidential, as they are now available for all to see.
Information like company secrets and plans are all confidential information that only a select number of individuals are authorized to view. If this information is disclosed through a data breach and leak into the public domain, then people who are not authorized to see the information get to see it, with potentially devastating consequences for the company involved.
Connecting to a website insecurely or sending confidential information using email can lead to information disclosure, as the insecure website connection will allow anyone with the right tools to intercept and see the information being sent. Likewise with email, as the email travels to it’s destination, it passes through multiple hops between mail server and the next, with some of the connections not using encryption.
Thereby making it possible for someone with the right tools to be able to see the confidential information being sent. If the website connection is made using a secure encrypted connection using TSL/SSL and likewise the information in the email is encrypted, then the likelihood of information disclosure is minimized.
Information Disclosure is an important threat to mitigate by ensuring only authorized individuals or systems have access to the information in question and all unauthorized access is strictly prohibited.
Denial of Service
Denial of Service (DoS) involves exhausting systems of the resources they need to provide their services. Take a website that takes bookings for restaurants, if the website doesn’t have the computing resources to deal with a large influx of visitors, the website will slow down dramatically and make it difficult to make bookings. As there is a denial of service, with the service not working as expected.
The computing resources could be increased to deal with demand but let’s assume the demand isn’t real, it’s malicious instead, designed solely to drain the computing resources behind the website. In essence this is exactly what the denial of service attacks do, they stop legitimate access to services by draining the resources required to deal with the legitimate access.
Hackers can simply use an army of computing bots to attack a website from many different locations using a Distributed Denial of Service (DDoS) attack. DDoS tries to open as many connections to the website as possible, to starve systems of resources to deal with legitimate requests.
Elevation of Privilege (EoP)
When someone is able to do something they’re not authorized to do, this is known as an elevation of privilege, as additional access and permissions give the person additional rights to do something they shouldn’t be doing.
For example an employee uses a special system to enter the hours they work but they notice there’s a bug in the system that allows them to approve the hours they work without having to get their manager to approve. They decide to increase the hours they say they’ve been working and approve the timesheet themselves without their managers approval.
By effectively increasing the level of privileges they have, they end up doing more than they are allowed to, such as approving their own timesheets. This is an elevation of privilege as they are not authorized to do approvals but because of a bug they can do it.
Hackers try to elevate the privilege of their access to ensure with additional permissions and rights they can do a lot more when they have successfully managed to infiltrate a company or their online systems. If they can obtain administrator level privileges through a successful elevation privilege attack, then they can do a lot of damage, by not only deleting and destroying data and online systems, but they can also steal confidential information.
STRIDE Threat Model examples
The following steps highlight the steps used in the STRIDE Threat model along with some examples of how the STRIDE steps can be done. Each of the steps requires extensive checking of the people, process and technology involved, to limit the opportunity to spoof, tamper, repudiate, disclose information, cause denial of service as well as elevate privileges.
1. Check systems, processes for spoofing
I look for areas in systems and the processes used, to see how I could spoof them, by thinking like a hacker. So, a new postal service system where you can collect undelivered packages, I would look at how I could get a package not belonging to me. I would look at how the system checks to see who I am and verify I am the rightful owner of the package.
2. Look at areas where tampering could occur
I always look at transaction histories and logs where audit and activity information is kept to see how well it has been designed to deal with tampering. Versioning controls and strict access controls are some of the controls I look for being in place.
3. How could repudiation affect the service?
When money is withdrawn from the bank system and fraud is suspected, the bank needs to prove the customer took the money first before it looks to see if anyone else took it in a fraudulent transaction. As part of threat modeling in bank systems, the controls in place to prove non-repudiation of transactions is vital and finding areas where these can be compromised must be assessed as part of the threat model.
4. How could information disclosure occur?
SQL Injection is one of the easiest ways to get information out a system when inadequate validation of the information entered into the system are not in place. By entering certain words into the forms used by websites to capture information, the hacker can end up obtaining more information than they should be able to legitimately if there are not protections against SQL Injection.
I look at how the developers are using validation to limit SQL injection and how they are formatting their SQL queries to ensure correct parameterization removes the risk of SQL injections.
5. Opportunities for the denial of service
I look at the resources used by a service or system to see how they are managed and what mitigations are in place to ensure the system can remain operations, dealing with legitimate requests when demand increases. I then look at what measures are in place to ensure illegitimate requests are prohibited.
So anywhere where there’s limited control to control the information being ingested by the system is one area, like data storage. Where a lack of check on the origin of the data leads to superfluous data ending up clogging up storage space to a point where storage space runs out.
6. Potential for elevation of privilege
Vulnerabilities tend to be the one of the most common ways to elevate privileges, as something not fixed or out of date could end up leaving a security hole. As part of the threat modeling I would look at all the services and systems that could potentially have vulnerabilities and then look at how these vulnerabilities could be managed.
If an organization uses Docker containers to deploy it’s application on, I would look at how the vulnerabilities in the Docker containers are determined and what the processes are involved when vulnerabilities are found. Especially as Docker containers are immutable (they can’t be updated), so I would expect there to be a process to rebuild the Docker containers with up to date components as part of the build pipeline using Continuous Integration and Continuous Deployment (CI/CD).
PASTA does not refer to the lovely staple dish you would find in your kitchen. It, in fact, refers to one of the most common methods of the threat modeling process. PASTA stands for the Process for Attack Simulation and Threat Analysis.
“PASTA aims to bring business objectives and technical requirements together. It uses a variety of design and elicitation tools in different stages. This method elevates the threat-modeling process to a strategic level by involving key decision-makers and requiring security input from operations, governance, architecture, and development.” 
Developed in 2012, PASTA contains seven steps in its threat modeling process. Each step involves several actions to address and identify business objectives as well as technical priorities.
1. Identify and Define Security Objectives
This step involves identifying and defining business objectives, security objectives, and analyzing potential business impact. Additionally, this step is important for addressing security requirements necessary for meeting the intended business objectives while still maintaining standard security measures.
2. Define Technical Scopes
Defining the technical scope, more or less, involves defining the boundaries of the technical environment you wish to protect. This is important because you can’t protect what you don’t know needs protecting.
“Define the technical scope/boundaries of threat modeling as they depend on the various technologies, software, and hardware, components, and services used by the application.” 
This step also involves categorizing infrastructure and other technological components whose purpose will be to provide security.
3. Application Decomposition
Now that technological boundaries have been identified as well as the organization of the infrastructure, essential application components can be broken down or decomposed and analyzed. Essential components include assets, users, and servers.
This is also where the application components and data should be studied and understood. They can also be an analysis of potential threats where an attack simulation can be performed from either side of the threat or the defender.
4. Analysis of Threats
After potential threats have been identified through various scenarios and simulations, they can be further analyzed. The key component of this step is to analyze the threats that are most likely to occur. These threats need to undergo an attack simulation once more before finalizing the next steps.
5. Identify Potential Vulnerabilities and Weaknesses
This step involves identifying any vulnerabilities and weaknesses within the proposal of the application.
“The main goal of this stage of the methodology is to map vulnerabilities identified for different assets that include the application as well as the application infrastructure to the threats and the attack scenarios previously identified in the previous threat analysis stage.” 
Furthermore, through the use of threat trees, a formal method of tracing threats, vulnerabilities that can be used for attack simulation can be identified. The vulnerabilities will then be scored and enumerated.
6. Attack Simulation or Modeling
The identified vulnerabilities and weaknesses can be used for attack simulation and exploited. In this simulation, all aspects of the application will be analyzed for how they can be potentially attacked once the identified vulnerabilities and weaknesses have been exploited. Through emulating attacks, threat viability can also be identified.
7. Risk and Impact Analysis
Once all the prerequisite steps, 1 through 6, have been completed and evaluated, all vulnerabilities and weaknesses can be resolved or at least revised, if applicable.
Also, the business impacted prior to being analyzed can be edited to conform to the new results of the most recent analysis, such as the technical boundary, application components, and vulnerabilities.
The Hybrid Threat Modeling Method
The hTMM, or Hybrid Threat Modeling Method, is concerned with identifying the system that needs to be threat modeled. Through the next five steps, come up with a formal risk assessment method to identify and eliminate steps previously accounted for.
“The targeted characteristics of the method include no false positives, no overlooked threats, a consistent result regardless of who is doing the threat modeling, and cost-effectiveness.” 
This method for the threat modeling process in cyber security is desirable because of its cost-effectiveness and ability to be performed thoroughly without wasting too much time. Its ability to provide consistent results with each use also makes it a great candidate. The hybrid threat modeling method was developed in 2018 by SEI.
1. Identify the System That Needs to Be Threat Modelled
In order to successfully execute this step, all three actions of the SQUARE method or similar method must be completed. The SQUARE method or Security Quality Requirements Engineering Method is used for enumerating the required security measures for cyber security and other technology systems and applications.
Three steps of the SQUARE method are:
- Agree on definitions
- Identify a security or business goal for the system identified
- Collect potential artifacts and scenarios to support required security measures
2. Apply Security Cards
Based on developer suggestions, security cards should be distributed. These can be distributed prior to or during when the method is taking place. Security cards are useful for identifying complex attacks and are more of an informal approach to concluding who or what may attack, what can be attacked, and the reason for attacking.
Security cards are presented in the form of a deck of 42 cards, each with one of the four threat identification activities on it:
- Human Impact
- Adversary’s Motivations
- Adversary Resources
- Adversary’s Methods
After looking through each card, depending upon which activity is on the card, the participants or team analysts can identify the who, what, and why of attacks, assets, and such.
“Include representatives of at least the three following groups of stakeholders:
- System users/purchasers
- System engineers/developers
- Cyber security experts” 
The security card step of this method can be revised or approached in different ways, depending on the intended outcome of the threat modeling process. This is a step where lots of brainstorming occurs.
Once distributed to the participants, the cards should be looked over, and the potential threats or attack to the system identified should be weighed. The ways in which the system could be attacked should be evaluated as well, including who or what could potentially threaten the system and the purpose of that threat.
3. Get Rid of Unlikely PnGs
Following the previous step in which security cards were analyzed, attack vectors identified, and possible PnGs as well, you can get rid of unnecessary PnGs. PnGs or portable network graphics are image files that are used in web design by providing a transparent background in place of an image with a patent holder.
The PnGs can be removed if no realistic attack vectors have been identified. The remaining attack vectors should have their misuse cases itemized to identify how they would take place.
4. Summarize Results from Previous Steps by Using Tool Support
After any PnGs have been removed and the remaining attack vectors have had their misuse cases itemized, the results taken from all previous steps should be summarized using tool support.
“Since software processes can become very complex, both process engineers and project teams need suitable tool support for developing, managing, and enacting these processes.
For example, a tool to support process modeling might be a simpler editor, or it might include various consistency checks, generate different views of the process as needed for different roles, and perhaps even generate some support for enacting the process.” 
In tool support for the threat modeling processes in cyber security, there are a series of steps to follow before the results can be fully summarized thoroughly. They are as follows:
- Result of action
- Type of threat
Within each step, there are several questions that should be addressed before continuing with the next one. For example, in the first step, who or what is responsible for any potential attacks should be identified once more. Furthermore, in the second step, the purpose of the who or what identified in the actor step should be defined.
The purpose of this stage is to help the participants obtain fully conclusive results in following the method. The last of the support tool steps identifies the type of threat that will then be used in the formal risk assessment in the very last step of the hTMM.
5. Formal Risk Assessment
A formal risk assessment involves reviewing any evidence systematically through a process and, more specifically, reviewing evidence for potential risks. Using the results from the previous steps as well as the steps of the SQUARE method, potential risks or hazards that come with these results should be assessed.
Once any risks or hazards within the results have been identified and assessed through the formal risk assessment method, revisions can be made to the previous steps of the threat modeling process.
The first step in which the system needing threat modeling is identified, and the second step involving the security card, should first be revised before continuing with the rest of the hTMM method. These steps can easily be tailored or fully eliminated if found unnecessary in the revision process.
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation and is a method in which planning and risk-based assessing for cyber security are evaluated. OCTAVE was established in 2003 by SEI, and in 2005, it was further refined.
This method is concerned with addressing organizational risks more so than technological risks.
“For an organization looking to understand its information security needs, OCTAVE is a risk-based strategic assessment and planning technique for security.
Unlike the typical technology-focused assessment, which is targeted at technological risk and focused on tactical issues, OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues.” 
This method is also useful for organizations that wish to understand and refine their needs for information security. The great thing about the OCTAVE method is that it can be easily tailored to meet the needs and ideals of the organization utilizing it for their threat modeling.
The OCTAVE method consists of three steps, which are also more commonly referred to as phases. Each step or phase will aid the organization using it in establishing their cyber security needs as well as evaluating potential operational risks.
1. Establish Asset-Based Threat Profiles
This step is also known as the organizational phase and evaluation. In this step, it’s important for the organization to clearly identify and determine their assets and how they are being protected at the time. The next actions of this step should revolve around the organization determining which of their assets are of priority and why.
These assets are known as critical assets.
Once the critical assets and their importance have been established, the cyber security needs of each of those assets, as well as their threats, should be addressed. Through this evaluation, a threat profile for each asset can be created.
2. Identify Vulnerabilities Within the Infrastructure
Through an analysis of components within each critical asset identified, vulnerabilities within the cyberinfrastructure can be further evaluated. This evaluation occurs through the organization’s analysis team responsible for overseeing network paths as well.
After examining network access paths, the team can then decide which components of each critical asset are most resistant to attacks occurring on the network paths. The result of this step is the potential vulnerability or vulnerabilities within the infrastructure.
3. Develop A Plan and Strategy
Now that vulnerabilities and potential risks have been identified in the previous steps, it’s important to develop a plan and strategy for how to fix them. To do so, the team can create a protection strategy, a mitigation plan, or another form of strategic planning.
“During this part of the evaluation, the analysis team identifies risks to the organization’s critical assets and decides what to do about them.” 
Last but not least, this last step can be followed by an additional phase, commonly referred to as phase zero. This exploratory phase is mostly used in higher education organizations; however, other organizations are welcomes to use this phase to further narrow down the objectives used to identify their critical assets.
In this phase, the criteria that the organization uses to conduct the method is determined.
The Benefits of The Threat Modeling Process in Cyber security
If you’re thinking after reading through the different methods that adopting a threat modeling process could be beneficial to your cyber security needs, then you’ve indeed thought correctly! Threat modeling is great for protecting components of cyber security in the long run, but it also comes with many benefits.
Previously we discussed how threat modeling is like estimating how long you’ll have to sit in early morning traffic for your commute to work. Threat modeling works the same way except, it helps to detect, identify, analyze, and assess the potential risks, threats, and attacks hazardous to securing electronic data and software.
“The purpose of threat modeling is to identify, communicate, and understand threats and mitigation to the organization’s stakeholders as early as possible. Documentation from this process provides system analysts and defenders with a complete analysis of probable attackers profile, the most likely attack vectors, and the assets most desired by the attacker.” 
Having your cyber data hacked or attacked can result in it being lost, stolen, or even worse, damaged beyond repair. This is why personal, organizational, and corporational adoption of the threat modeling process is beneficial and important for maintaining a secure system.
Although the threat modeling process is indeed an iterative one, it is vital for upkeeping cyber components and software, especially ones that contain a large amount of data and other valuable assets. It is an iterative process because it involves many repetitions to get the desired result as applications and data are upgraded, removed, and added.
Nevertheless, as technology advances and hackers and other potential threats find creative ways to access private data, it is more important now than ever for threat modeling to play a role in the development of applications and cyber security.
Additional Threat Modeling Methods
Although there were only three main methods covered in this blog post, once again, there are numerous methods that can be used towards the threat modeling process.
Depending on what aspects of cyber security you or the organization you belong to is most concerned with, utilizing a threat modeling method can provide various results and address multiple cyber security concerns as well.
Each method of threat modeling can be more comprehensive than another, concerned with maintaining privacy instead of identifying risks, simplified or more abstract in methodology, and etc. They also target different areas as well as from different sources.
It’s also important to know that not all methods may address the same steps of the threat modeling process.
Some additional threat modeling methods include, but are not limited to:
- DREAD—also a method developed under Microsoft, DREAD’s name doubles as a mnemonic device that helps to rate the risk of potential security threats. Although DREAD is no longer utilized by Microsoft since 2008, it is still currently used by many other big corporations and organizations.
- Trike—this method is geared towards managing and identifying risks such as potential threats as well as attacks. Similar to the hybrid threat modeling method, Trike’s first concern to identify the system that needs to be threat modeled. Unlike the three methods previously listed, Trike requires the use of a data flow diagram to specifically identify assets and threats.
- VAST—the VAST method, also known as the Visual, Agile, and Simple Threat method, is quite unique in that it is utilized through an automated threat modeling platform. This unique aspect makes it easily accessible by many and fully reliable as well. VAST is mostly used by a variety of stakeholders, including those in cyber security and application developers. Through the use of this method, stakeholders can receive outputs for their cyber security needs.
- LINDDUN—LINDDUN stands for Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, and Noncompliance. This method is most concerned with maintaining the privacy and data security. Instead of first identifying a system that needs threat modeling, the system that defines data flow and other system processes are first assessed.
- CVSS—CVSS stands for Common Vulnerability Scoring System. Much like several threat modeling methods whose concern is to identify a vulnerability, this method dives deeper by seeking to understand the characteristics of vulnerability as well as its severity. The characteristics are scored on a scale of 0 to 10, with 0 being the least severe and ten being the most severe. This score can then be labeled as critical, low, high, or medium.
Threat modeling is not only limited to methods already developed and established, but one can also create a threat model from scratch. For a step-by-step guide to building a threat modeling process for cyber security, visit the threat modeler website.