Threat modeling is a cornerstone of effective cybersecurity strategy. As a CCSP and CISSP candidate, you'll need to master the art of systematically identifying and prioritizing potential threats to your organization's assets.
This guide introduces four key threat modeling methodologies: STRIDE, DREAD, PASTA, and ATASM. While the CISSP exam doesn't require in-depth expertise in each, understanding their core principles is crucial for robust risk management.
We'll explore how these methodologies can enhance your cybersecurity approach and strengthen your organization's defenses. Let's dive into the world of threat modeling and its practical applications in information security.
Purpose of Threat Modeling
In order to perform proper risk management, it is important to identify the threats and vulnerabilities associated with each asset. Threat modeling methodologies aid in systematically identifying threats and their severity, which in turn makes risk management more accurate and effective.
Identifying all the threats to a complex asset, like a mobile phone, server, application, network, architecture, function, or process, can be a daunting task. So many possible threats exist, and it can be difficult to decide where to start and how to proceed to ensure a systematic identification and prioritization of threats. This is where threat modeling methodologies can help. They enable the systematic identification, enumeration, and prioritization of threats related to an asset.
Numerous threat modeling methodologies exist, and the primary goal of most is to provide a systematic and deliberate means of identifying and categorizing threats to a given asset. The major threat modeling methodologies you need to know about for the exam are STRIDE, PASTA, and DREAD, plus ATASM (for CCSP).
Major Threat Modeling Methodologies
Threat modeling methodologies provide structured approaches to identifying and assessing potential security risks. Each methodology offers a unique perspective on how to analyze and prioritize threats. Let's examine four key methodologies widely used in cybersecurity.
The STRIDE Model
The STRIDE model was developed by Microsoft in the late nineties to help secure its products for the company’s customers. It is intended to identify the types of threats a product is susceptible to during the design process. Once the threats and vulnerabilities have been identified, security controls can be implemented to mitigate them.
The STRIDE model includes six major threat categories:
Threat | Violation | Definition |
---|---|---|
Spoofing | Authentication | Spoofing of user identity involves an attacker circumventing authentication by leveraging a user’s personal information or replaying steps of the authentication process. It can allow an attacker to gain unauthorized access to systems and data. Examples can include man-in-the-middle attackers spoofing packets, or attackers eavesdropping on sensitive communications and using the information to impersonate the victim. |
Tampering | Integrity | Tampering with data involves making unauthorized changes to user or system data. It compromises the integrity of data. Lack of access controls and malware infections can both lead to data being tampered with. |
Repudiation | Non-repudiation | Repudiation refers to the ability to deny something. If a system is designed with adequate non-repudiation controls, a user cannot take an action and then plausibly deny their activity later on. Logging and auditing are important for being able to detect malicious activity and determine who is responsible. |
Information disclosure | Confidentiality | Information disclosure involves exposing information to unauthorized parties. It can occur for many reasons, including if insufficient access controls are in place, or if data isn’t encrypted properly. |
Denial of service | Availability | Denial of service involves making a system unusable or unavailable. One common example is a DDoS attack. We must design our critical systems to have a high level of resiliency and availability if we want to be able to stay online during serious incidents. |
Elevation of privilege | Authorization | Elevation of privilege is where someone escalates their privileges to access systems and resources that they are unauthorized to access. One example involves a user gaining admin privileges and compromising critical systems. |
The PASTA Model
Process for Attack Simulation and Threat Analysis (PASTA), in contrast to STRIDE, is an attacker-focused, risk-centric methodology. It is much more detailed than STRIDE and performs threat analysis from a strategic perspective that includes input from governance, operations, architecture, and development. This is done from both business and technical viewpoints.
PASTA is a seven-stage threat modeling methodology, and each stage focuses on a specific set of goals and deliverables that must be achieved:
Stage | Description |
---|---|
1 | Define Objectives—This considers the inherent application risk profile and addresses other business impact considerations early. |
2 | Define Technical Scope—The philosophy behind this stage is that you can’t protect what you don’t know. It’s intended to decompose the technology stack that supports the application components that realize the business objectives identified from Stage 1. |
3 | Application Decomposition—This stage focuses on understanding the data flows among application components and services in the application threat model. |
4 | Threat Analysis—Reviews threat assertions from data within the environment as well as industry threat intelligence that is relevant to the service, data, and deployment model. |
5 | Vulnerability and Weakness Analysis—Identifies the vulnerabilities and weaknesses within the application design and code and correlates them to see whether they support the threat assertions from the prior stage. |
6 | Attack Modeling—This stage focuses on emulating attacks that could exploit identified weaknesses/vulnerabilities from the prior stage. It also helps to determine threat viability via attack patterns. |
7 | Risk and Impact Analysis—This stage centers around remediating vulnerabilities or weaknesses in code or design that can facilitate threats and underlying attack patterns. It may warrant some risk acceptance by broader application owners or development managers. |
The DREAD Model
DREAD is a threat model primarily used to measure and rank the severity of threats. DREAD is often used in combination with the STRIDE model, where STRIDE identifies the threats, and DREAD is then used to rank the severity of threats. This model gives you a numerical rating which you can then use to prioritize threats and the relevant mitigation strategies:
Metric | Description |
---|---|
Damage potential | The maximum amount of damage that the threat could pose. As an example, a 10 indicates an extreme amount of damage, such as granting attackers the ability to bypass all security controls and act as they please. |
Reproducibility | This measures how difficult an attack is to reproduce. If an exploit works every time, it would be considered a 10. If it only works occasionally, or only when specific conditions are met, the rating is lower. |
Exploitability | This is a measure of how much skill, energy, and resources are required for the attack. If an 11-year-old script kiddie can do it, it’s a 10. If only a nation-state has the ability, it ranks much lower. |
Affected users | This is the portion of users that would be affected. 0-10% would be considered a 1, 11-20% a 2, 21-30% a 3, all the way up to 91-100% indicating a 10. |
Discoverability | This metric is an estimation of the likelihood of an attacker discovering the threat. A 10 represents near-certainty, while a 1 indicates low likelihood. |
To use the DREAD model, you should analyze each threat according to each of the five metrics and give each one a rating between 1 and 10. Add these numbers together and then divide them by 5 to give yourself a rough average of the overall importance of each threat.
Once you have been through this process for each threat, you can rank them all in descending order. This gives you a system that you can use to prioritize each threat and the appropriate mitigation strategies. While it is by no means a perfect system, it does give you a rough guide to work with.
Here’s an example of the DREAD model in action:
Metric | Rating |
---|---|
Damage potential | 5 |
Reproducibility | 3 |
Exploitability | 7 |
Affected users | 9 |
Discoverability | 2 |
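As an added example (not code from the article), the Python helper below ties the STRIDE table to the DREAD scoring described above: each threat carries its STRIDE category (and therefore the security property it violates), five DREAD ratings that are validated to the 1-10 range, the affected-users percentage-to-rating mapping from the table, and the average-then-rank procedure. The sample threats, the hypothetical web application they describe, and the STRIDE category assigned to the article's 5/3/7/9/2 example are all constructed for illustration; the article itself gives no category for that example.

```python
"""Added example (not from the original article): a small STRIDE + DREAD helper.

STRIDE supplies the threat categories and the security property each violates;
DREAD supplies the 1-10 ratings that are averaged to rank the threats.
All threats and ratings below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from math import ceil


class Stride(Enum):
    """The six STRIDE categories, each mapped to the property it violates."""
    SPOOFING = "Authentication"
    TAMPERING = "Integrity"
    REPUDIATION = "Non-repudiation"
    INFORMATION_DISCLOSURE = "Confidentiality"
    DENIAL_OF_SERVICE = "Availability"
    ELEVATION_OF_PRIVILEGE = "Authorization"


DREAD_METRICS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def affected_users_rating(percent_affected: float) -> int:
    """Map a percentage of affected users to the DREAD rating the article
    describes: 0-10% -> 1, 11-20% -> 2, ..., 91-100% -> 10."""
    if not 0 <= percent_affected <= 100:
        raise ValueError("percentage must be between 0 and 100")
    return max(1, ceil(percent_affected / 10))


@dataclass
class Threat:
    name: str
    category: Stride
    ratings: dict  # metric name -> integer rating in 1..10

    def __post_init__(self):
        # Reject incomplete or out-of-range ratings before they skew the ranking.
        missing = set(DREAD_METRICS) - set(self.ratings)
        if missing:
            raise ValueError(f"missing DREAD metrics: {sorted(missing)}")
        for metric, value in self.ratings.items():
            if metric not in DREAD_METRICS or not 1 <= value <= 10:
                raise ValueError(f"bad rating {metric}={value}; use 1-10")

    @property
    def violated_property(self) -> str:
        """The security property this STRIDE category violates."""
        return self.category.value

    def dread_score(self) -> float:
        """Sum the five ratings and divide by 5, as the article describes."""
        return sum(self.ratings[m] for m in DREAD_METRICS) / len(DREAD_METRICS)


def rank_threats(threats):
    """Threats ordered by DREAD score, highest first (ties broken by name)."""
    return sorted(threats, key=lambda t: (-t.dread_score(), t.name))


# The article's worked example: ratings 5, 3, 7, 9, 2 (category is assumed).
ARTICLE_EXAMPLE = Threat(
    name="Article example",
    category=Stride.INFORMATION_DISCLOSURE,
    ratings={"damage": 5, "reproducibility": 3, "exploitability": 7,
             "affected_users": 9, "discoverability": 2},
)

# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = [
    ARTICLE_EXAMPLE,
    Threat("Session token replayed by an eavesdropper", Stride.SPOOFING,
           {"damage": 8, "reproducibility": 8, "exploitability": 6,
            "affected_users": affected_users_rating(35), "discoverability": 5}),
    Threat("Audit log writable by the application account", Stride.REPUDIATION,
           {"damage": 6, "reproducibility": 10, "exploitability": 4,
            "affected_users": affected_users_rating(100), "discoverability": 3}),
    Threat("Login endpoint has no rate limiting", Stride.DENIAL_OF_SERVICE,
           {"damage": 4, "reproducibility": 10, "exploitability": 9,
            "affected_users": affected_users_rating(100), "discoverability": 8}),
]


def ranked_report(threats=SAMPLE_THREATS):
    """One line per threat in priority order: score, category, property, name."""
    return [f"{t.dread_score():.1f}  {t.category.name:<24} "
            f"({t.violated_property}) {t.name}"
            for t in rank_threats(threats)]


if __name__ == "__main__":
    print("\n".join(ranked_report()))
```

Running the block prints the constructed threats in descending DREAD order; the article's example averages to 5.2 and lands at the bottom of this particular list. Validation in `__post_init__` is deliberate: a threat with a missing or out-of-range metric would otherwise be silently ranked, which is the easiest way for a DREAD table to become misleading.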
The ATASM model
The ATASM model was introduced by Brook Schoenfield in his book Securing Systems. The ATASM model is a high-level process for threat modeling. This model is covered in the CCSP exam, so it's important for candidates to understand its key components. The ATASM model consists of the following steps:
Step | Description |
---|---|
Architecture | This step involves understanding: |
Threats | The threats step involves: |
Attack Surfaces | Attack surfaces provide both the A and S of the acronym. This stage of the process involves: |
Mitigations | The mitigations step involves: |
FAQs
The threat modeling process involves systematically identifying, enumerating, and prioritizing the threats that relate to an asset. It allows us to assess the risk to a given asset by understanding potential threats, their likelihood, and their potential impact.
Threat modeling is a structured approach to identifying and categorizing potential security threats to a system or organization. It's important because it helps cybersecurity professionals and organizations to systematically identify and prioritize potential threats, make risk management more accurate and effective, allocate resources efficiently towards mitigating the most critical threats and improve overall security posture by addressing vulnerabilities proactively.
The main reason for conducting threat modeling is to perform proper risk management. By identifying threats and vulnerabilities associated with each asset, organizations can make more informed decisions about security controls and mitigation strategies. Threat modeling helps in systematically identifying threats and their severity, which in turn makes risk management more accurate and effective, especially for complex assets like mobile phones, servers, applications, networks, or processes.
Learn Threat Modeling Methodologies at Destination Certification
Mastering threat modeling methodologies is crucial for both CISSP and CCSP candidates. While you don't need to be an expert in every approach, understanding STRIDE, DREAD, PASTA, and ATASM will sharpen your ability to identify and prioritize security risks effectively.
At Destination Certification, we recognize the challenge of balancing depth with practicality. Our CISSP and CCSP MasterClasses are tailored to provide you with the essential knowledge of threat modeling, ensuring you're well-equipped for your exams and real-world scenarios. We focus on helping you grasp how these methodologies fit into the overall security landscape, preparing you to think critically about risk assessment strategies. This holistic approach will serve you well not only in your exams but also in your future career as a security professional.
Ready to enhance your understanding of security concepts? Join our CISSP and CCSP MasterClasses and gain valuable insights into threat modeling and its role in comprehensive security strategies. With Destination Certification, you'll be prepared to approach security challenges with a well-rounded perspective.
Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.