Threat Modeling

Threat modeling is an overall process and management approach for identifying possible threats, categorizing them, and analyzing and assessing both those categories and specific threats.

  • an analysis technique employed to identify the security needs of a system
  • the analysis sheds light on:
    • the nature and severity of the threat
    • the systems, assets, processes, or outcomes it endangers
    • ways to deter, detect, defeat, or degrade the effectiveness of the threat
  • a major component of ongoing systems security support
  • designed to identify the tactics, techniques, and procedures (TTPs) that a system may be subject to
    • evaluated from both an attacker’s and a defender’s perspective
  • for scenario-based threat situations, asks whether the defensive systems are sufficient to repel a given attack

“a technique to identify the attacks a system must resist and the defenses that will bring the system to a desired defensive state”

Brook Schoenfield

Objectives

  1. To improve the security architecture and design of a target system, organization, process, design, concept, or architecture.
  2. To identify significant attack scenarios and their potential impacts.
  3. To precede penetration testing as a guide to identify the most impactful areas for testing. [1]

Threat Modeling Approaches

Attacker-Centric

  • works well when organizations can characterize the type of attackers most likely to inflict the greatest damage
  • not well suited to dealing with broad/general attackers
  • useful to consider specific threats when used with other approaches
  • e.g.,
    • Process for Attack Simulation and Threat Analysis (PASTA)

Asset-Centric

Asset-centric threat modeling identifies the assets of value first.

  • the value of an asset may differ for the organization vs. the attacker
  • assets are evaluated by how an attacker might compromise them
  • many compliance regulations focus on protecting assets
    • e.g., HIPAA PHI, GDPR PII, PCI DSS primary account number
  • use tools to classify and categorize sensitive information
  • typically maintain an inventory or library process to identify asset values
  • e.g.,
    • NIST SP 800-154
    • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

System- or Software-Centric

System-centric threat modeling represents a system as a set of interconnected processes, which often reveals threat surfaces or trust boundaries that exist between groups of system components or elements.

  • often uses data flow diagrams (DFDs) as a key visualization and analysis tool
  • analysts identify channels that cross surfaces/boundaries and determine whether sufficient control and detection is in place to protect the crossing point
  • helps identify covert channels
    • channels that use system functions in ways unintended by their designers
  • often called systems-of-systems-centric when organizations must examine the threats to a combination of infrastructure, applications, platforms, and service elements
  • e.g.,
    • Microsoft’s Secure Development Lifecycle
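The boundary-crossing check described above, as an added worked example (not from the original notes or any of the methodologies named): each element of a small DFD is tagged with a trust zone, each flow lists the controls present on its channel, and flows that cross a zone boundary without an authentication, transport, and detection control are reported. The element names, zones, and control families are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample DFD: each element and the trust zone it runs in.
ELEMENT_ZONE = {
    "browser": "internet",
    "web-app": "dmz",
    "auth-service": "internal",
    "orders-db": "internal",
    "payments-gateway": "third-party",
}

# A boundary crossing needs at least one control from each family.
REQUIRED = {
    "authn": {"session-token", "mtls", "api-key"},
    "transport": {"tls"},
    "detection": {"access-log", "ids"},
}

@dataclass
class Flow:
    src: str
    dst: str
    data: str
    controls: set = field(default_factory=set)  # controls present on the channel

def crosses_boundary(flow: Flow) -> bool:
    """True when the flow's endpoints sit in different trust zones."""
    return ELEMENT_ZONE[flow.src] != ELEMENT_ZONE[flow.dst]

def missing_controls(flow: Flow) -> list:
    """Control families absent on a boundary-crossing flow (empty if none)."""
    if not crosses_boundary(flow):
        return []
    return [fam for fam, options in REQUIRED.items() if not (flow.controls & options)]

def review(flows: list) -> dict:
    """Map 'src->dst' to its gaps; only crossings with gaps are reported."""
    findings = {}
    for f in flows:
        gaps = missing_controls(f)
        if gaps:
            findings[f"{f.src}->{f.dst}"] = gaps
    return findings

# Constructed flows: one well-controlled crossing, two with gaps, one intra-zone.
SAMPLE_FLOWS = [
    Flow("browser", "web-app", "order form", {"tls", "session-token", "access-log"}),
    Flow("web-app", "orders-db", "order records", {"access-log"}),
    Flow("web-app", "payments-gateway", "card data", {"tls", "api-key"}),
    Flow("auth-service", "orders-db", "account lookup", set()),
]

if __name__ == "__main__":
    for channel, gaps in review(SAMPLE_FLOWS).items():
        print(f"{channel}: missing {', '.join(gaps)}")
```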

Others

  • Trike
    • open source threat modeling approach and tool
  • Construct a platform for Risk Analysis of Security Critical Systems (CORAS)
    • open source threat modeling approach that relies heavily on UML as the front end for visualizing threats
  • Visual, Agile, and Simple Threat Modeling (VAST)
    • proprietary approach that leverages Agile concepts

Threat Model Frameworks

Footnotes

  1. Brook Schoenfield’s threat modeling methods | brookschoenfield.com. (n.d.). Retrieved April 17, 2026, from https://brookschoenfield.com/?page_id=341