Threat Modeling¶

• STRIDE
• DREAD
• Diagrams

Threat modeling is identifying what could go wrong before it does
Instead of reacting to breaches you systematically analyze a system to find vulnerabilities , prioritize risks , and implement mitigations before attackers exploit them

Why Threat Model

• Proactive security (find issues during design not after deployment)
• Cost-effective (fixing design flaws is cheaper than patching production)
• Structured approach (methodology replaces panic)
• Communication tool (get stakeholders on same page about risks)
• Compliance requirement (many standards require threat modeling)

The Threat Modeling Process

1. Define Scope - What system are we analyzing?
2. Decompose System - Identify components, data flows, trust boundaries
3. Identify Threats - What can go wrong at each component?
4. Prioritize Risks - Which threats matter most?
5. Define Mitigations - How do we address each threat?
6. Document - Record findings for audit and iteration

Key Concepts

• Asset - Something of value (data, system, reputation)
• Threat - Potential danger to an asset
• Vulnerability - Weakness that can be exploited
• Risk - Likelihood * Impact of threat exploiting vulnerability
• Control - Mitigation that reduces risk
• Trust Boundary - Where trust levels change (crossing is risky)

Common Threat Modeling Frameworks

• STRIDE - Microsoft's threat categorization (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation)
• PASTA - Process for Attack Simulation and Threat Analysis (7 stages)
• LINDDUN - Privacy-focused threat modeling
• Trike - Risk-based methodology
• Attack Trees - Graphical threat analysis

When to Threat Model

Threat Modeling Mindset

• Think like an attacker (what would you do to break this?)
• Question assumptions (is this trust boundary real?)
• Follow the data (where does sensitive data go?)
• Check the edges (interfaces between components are risky)
• Prioritize ruthlessly (not all threats are equal)