Threat Modeling Methodologies: STRIDE, PASTA, DREAD and More

Last Updated On: September 26, 2024

Threat modeling is a cornerstone of effective cybersecurity strategy. As a CCSP and CISSP candidate, you'll need to master the art of systematically identifying and prioritizing potential threats to your organization's assets.

This guide introduces four key threat modeling methodologies: STRIDE, DREAD, PASTA, and ATASM. While the CISSP exam doesn't require in-depth expertise in each, understanding their core principles is crucial for robust risk management.

We'll explore how these methodologies can enhance your cybersecurity approach and strengthen your organization's defenses. Let's dive into the world of threat modeling and its practical applications in information security.

Purpose of Threat Modeling

In order to perform proper risk management, it is important to identify the threats and vulnerabilities associated with each asset. Threat modeling methodologies aid in systematically identifying threats and their severity, which in turn makes risk management more accurate and effective.

Identifying all the threats to a complex asset, like a mobile phone, server, application, network, architecture, function, or process, can be a daunting task. So many possible threats exist, and it can be difficult to decide where to start and how to proceed to ensure a systematic identification and prioritization of threats. This is where threat modeling methodologies can help. They enable the systematic identification, enumeration, and prioritization of threats related to an asset.

Numerous threat modeling methodologies exist, and the primary goal of most is to provide a systematic and deliberate means of identifying and categorizing threats to a given asset. Three of the major threat modeling methodologies you need to know about for the exam are STRIDE, PASTA, DREAD and ATASM (for CCSP).

Major Threat Modeling Methodologies

Threat modeling methodologies provide structured approaches to identifying and assessing potential security risks. Each methodology offers a unique perspective on how to analyze and prioritize threats. Let's examine four key methodologies widely used in cybersecurity.

The STRIDE Model

The STRIDE model was developed by Microsoft in the late nineties to help secure its products for the company’s customers. It is intended to identify the types of threats a product is susceptible to during the design process. Once the threats and vulnerabilities have been identified, security controls can be implemented to mitigate them.

The STRIDE model includes six major threat categories:

| Threat | Violation | Definition |
|---|---|---|
| Spoofing | Authentication | Spoofing of user identity involves an attacker circumventing authentication by leveraging a user’s personal information or replaying steps of the authentication process. It can allow an attacker to gain unauthorized access to systems and data. Examples can include man-in-the-middle attackers spoofing packets, or attackers eavesdropping on sensitive communications and using the information to impersonate the victim. |
| Tampering | Integrity | Tampering with data involves making unauthorized changes to user or system data. It compromises the integrity of data. Lack of access controls and malware infections can both lead to data being tampered with. |
| Repudiation | Non-repudiation | Repudiation refers to the ability to deny something. If a system is designed with adequate non-repudiation controls a user cannot take an action and then plausibly deny their activity later on. Logging and auditing are important for being able to detect malicious activity and determine who is responsible. |
| Information disclosure | Confidentiality | Information disclosure involves exposing information to unauthorized parties. It can occur for many reasons, including if insufficient access controls are in place, or if data isn’t encrypted properly. |
| Denial of service | Availability | Denial of service involves making a system unusable or unavailable. One common example is a DDoS attack. We must design our critical systems to have a high level of resiliency and availability if we want to be able to stay online during serious incidents. |
| Elevation of privilege | Authorization | Elevation of privilege is where someone escalates their privileges to access systems and resources that they are unauthorized to access. One example involves a user gaining admin privileges and compromising critical systems. |

The PASTA Model

Process for Attack Simulation and Threat Analysis (PASTA), contrary to STRIDE, is an attacker-focused, risk-centric methodology. It is much more detailed than STRIDE and performs threat analysis from a strategic perspective that includes input from governance, operations, architecture, and development. This is done from both business and technical viewpoints.

PASTA is a seven-stage threat modeling methodology, and each stage focuses on a specific set of goals and deliverables that must be achieved:

1. Define Objectives—This considers the inherent application risk profile and addresses other business impact considerations early.

2. Define Technical Scope—The philosophy behind this stage is that you can’t protect what you don’t know. It’s intended to decompose the technology stack that supports the application components that realize the business objectives identified from Stage 1.

3. Application Decomposition—This stage focuses on understanding the data flows among application components and services in the application threat model.

4. Threat Analysis—Reviews threat assertions from data within the environment as well as industry threat intelligence that is relevant to service, data, and deployment model.

5. Vulnerability and Weakness Analysis—Identifies the vulnerabilities and weaknesses within the application design and code and correlates them to see whether they support the threat assertions from the prior stage.

6. Attack Modeling—This stage focuses on emulating attacks that could exploit identified weaknesses/vulnerabilities from the prior stage. It also helps to determine the threat viability via attack patterns.

7. Risk and Impact Analysis—This stage centers around remediating vulnerabilities or weaknesses in code or design that can facilitate threats and underlying attack patterns. It may warrant some risk acceptance by broader application owners or development managers.


The DREAD Model

DREAD is a threat model primarily used to measure and rank the severity of threats. DREAD is often used in combination with the STRIDE model, where STRIDE identifies the threats, and DREAD is then used to rank the severity of threats. This model gives you a numerical rating which you can then use to prioritize threats and the relevant mitigation strategies:

  • Damage potential: The maximum amount of damage that the threat could pose. As an example, a 10 indicates an extreme amount of damage, such as granting attackers the ability to bypass all security controls and act as they please.
  • Reproducibility: This measures how reliably an attack can be reproduced. If an exploit works every time, it would be considered a 10. If it only works occasionally, or only when specific conditions are met, the rating is lower.
  • Exploitability: This is a measure of how much skill, energy and resources are required for the attack. If an 11-year-old script kiddie can do it, it’s a 10. If only a nation-state has the ability, it ranks much lower.
  • Affected users: This is the portion of users that would be affected. 0-10% would be considered a 1, 11-20% a 2, 21-30% a 3, all the way up to 91-100% indicating a 10.
  • Discoverability: This metric is an estimation of the likelihood of an attacker discovering the threat. A 10 represents near-certainty, while a 1 indicates low likelihood.

To use the DREAD model, you should analyze each threat according to each of the five metrics and give each one a rating between 1 and 10. Add these numbers together and then divide them by 5 to give yourself a rough average of the overall importance of each threat.
Once you have been through this process for each threat, you can rank them all in descending order. This gives you a system that you can use to prioritize each threat and the appropriate mitigation strategies. While it is by no means a perfect system, it does give you a rough guide to work with.

Here’s an example of the DREAD model in action:

  • Damage potential: 5
  • Reproducibility: 3
  • Exploitability: 7
  • Affected users: 9
  • Discoverability: 2
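The scoring and ranking procedure described above, as an added example that is not code from the original page. It goes slightly beyond the single example by ranking several threats and deriving the affected-users rating from a percentage; the threat names, their STRIDE categories and the second and third sets of ratings are constructed for illustration.

```python
import math
from dataclasses import dataclass

def affected_users_rating(percent: float) -> int:
    """Bands from the text: 0-10% -> 1, 11-20% -> 2, ... 91-100% -> 10."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    return max(1, math.ceil(percent / 10))

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str  # STRIDE category used to identify the threat
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> float:
        ratings = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        for r in ratings:
            if not isinstance(r, int) or not 1 <= r <= 10:
                raise ValueError(f"{self.name}: rating {r!r} is not an integer 1-10")
        return sum(ratings) / 5  # add the five ratings, then divide by 5

def rank(threats):
    """Highest DREAD score first, so mitigation work starts at the top."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)

# Constructed sample threats. The first reuses the ratings from the example
# above; its name and STRIDE category, and the other two threats, are made up.
THREATS = [
    Threat("ratings from the page example", "Information disclosure", 5, 3, 7, 9, 2),
    Threat("replayed admin session", "Spoofing", 8, 6, 5, affected_users_rating(35), 4),
    Threat("operator deletes audit log", "Repudiation", 4, 9, 3, affected_users_rating(5), 2),
]

if __name__ == "__main__":
    for t in rank(THREATS):
        print(f"{t.score():.1f}  {t.stride:<22}  {t.name}")
```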

The ATASM Model

The ATASM model was introduced by Brook Schoenfield in his book Securing Systems. The ATASM model is a high-level process for threat modeling. This model is covered in the CCSP exam, so it's important for candidates to understand its key components. The ATASM model consists of the following steps:

Architecture

This step involves understanding:

  • Both the logical and component architecture of the system.
  • All communication flows and the locations of all data, both in storage and in transit.

Threats

The threats step involves:

  • Listing each of the possible threat agents for the system.
  • Writing down all of the possible goals of these threat agents.
  • Listing the typical attack methods of the threat agents.
  • Writing down the system level objectives of the threat agents for each of these attack methods.

Attack Surfaces

Attack surfaces provide both the A and S of the acronym. This stage of the process involves:

  • Decomposing the architecture to expose every attack surface.
  • Applying the attack methods identified in the prior step to each attack surface.
  • Filtering out threat agents if there are no attack surfaces for their usual attack methods.

Mitigations

The mitigations step involves:

  • Writing down all existing security controls for each attack surface.
  • Filtering out attack surfaces that are already protected appropriately.
  • Adding security controls to mitigate the remaining security issues.
  • Establishing defense in depth.
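The two filtering steps of ATASM (dropping threat agents with no matching attack surface, then dropping surfaces that existing controls already cover) can be expressed as set operations. This is an added sketch, not code from the original page or from Securing Systems; every surface, agent, attack method and control name below is constructed for illustration.

```python
# Architecture, decomposed: each attack surface and the attack methods it is exposed to.
SURFACES = {
    "public login form": {"credential stuffing", "sql injection"},
    "admin api": {"credential stuffing", "stolen api key"},
    "backup bucket": {"stolen api key"},
}
# Threats: each threat agent and its typical attack methods.
AGENTS = {
    "opportunistic criminal": {"credential stuffing", "sql injection"},
    "malicious insider": {"stolen api key"},
    "hardware thief": {"device theft"},
}
# Mitigations: existing controls, keyed by (surface, attack method) they cover.
CONTROLS = {
    ("public login form", "sql injection"): "parameterized queries",
    ("admin api", "credential stuffing"): "multi-factor authentication",
    ("backup bucket", "stolen api key"): "short-lived credentials",
}

def atasm(surfaces, agents, controls):
    """Run the Attack Surfaces and Mitigations filters over constructed inputs."""
    # Attack Surfaces: apply each agent's attack methods to every surface.
    exposures = [(agent, surface, method)
                 for agent, methods in sorted(agents.items())
                 for surface, exposed in sorted(surfaces.items())
                 for method in sorted(methods & exposed)]
    # Filter out agents whose usual methods reach no surface at all.
    dropped_agents = sorted(set(agents) - {a for a, _, _ in exposures})
    # Mitigations: an exposure is residual if no existing control covers it.
    residual = [e for e in exposures if (e[1], e[2]) not in controls]
    # Surfaces with no residual exposure are filtered out of further work.
    protected = sorted(set(surfaces) - {s for _, s, _ in residual})
    return {"dropped_agents": dropped_agents,
            "protected_surfaces": protected,
            "needs_controls": residual}

if __name__ == "__main__":
    result = atasm(SURFACES, AGENTS, CONTROLS)
    print("agents filtered out:", result["dropped_agents"])
    print("surfaces already protected:", result["protected_surfaces"])
    for agent, surface, method in result["needs_controls"]:
        print(f"add a control: {surface} vs {method} ({agent})")
```

The entries left in `needs_controls` are where new security controls go; adding a second, independent control for an already covered exposure is how the defense-in-depth step would be recorded.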


FAQs

What is the threat modeling process?

The threat modeling process involves systematically identifying, enumerating, and prioritizing the threats that relate to an asset. It allows us to assess the risk to a given asset by understanding potential threats, their likelihood, and their potential impact.

What is threat modeling and why is it important?

Threat modeling is a structured approach to identifying and categorizing potential security threats to a system or organization. It's important because it helps cybersecurity professionals and organizations to systematically identify and prioritize potential threats, make risk management more accurate and effective, allocate resources efficiently towards mitigating the most critical threats and improve overall security posture by addressing vulnerabilities proactively.

What is the main reason why we do threat modeling?

The main reason for conducting threat modeling is to perform proper risk management. By identifying threats and vulnerabilities associated with each asset, organizations can make more informed decisions about security controls and mitigation strategies. Threat modeling helps in systematically identifying threats and their severity, which in turn makes risk management more accurate and effective, especially for complex assets like mobile phones, servers, applications, networks, or processes.

Learn Threat Modeling Methodologies at Destination Certification

Mastering threat modeling methodologies is crucial for both CISSP and CCSP candidates. While you don't need to be an expert in every approach, understanding STRIDE, DREAD, PASTA, and ATASM will sharpen your ability to identify and prioritize security risks effectively.

At Destination Certification, we recognize the challenge of balancing depth with practicality. Our CISSP and CCSP MasterClasses are tailored to provide you with the essential knowledge of threat modeling, ensuring you're well-equipped for your exams and real-world scenarios. We focus on helping you grasp how these methodologies fit into the overall security landscape, preparing you to think critically about risk assessment strategies. This holistic approach will serve you well not only in your exams but also in your future career as a security professional.

Ready to enhance your understanding of security concepts? Join our CISSP and CCSP MasterClasses and gain valuable insights into threat modeling and its role in comprehensive security strategies. With Destination Certification, you'll be prepared to approach security challenges with a well-rounded perspective.


Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.
