Threat Modeling: what is it and how does it work?

threat modeling

Threat Modeling: what is it and how does it work?

  Cyvatar | 03/27/2023

Threat modeling is a proactive way to improve the security of applications, systems, or business processes. It does this by identifying goals and weaknesses and then coming up with ways to stop or lessen the effects of system threats.

In the threat modeling approach, the parts of an application or system are taken apart to find the assets that need to be protected and the possible risks that need to be reduced.

Using a threat modeling methodology, users and businesses may break down a complex process into more minor activities, making it easier to identify and correct flaws.

Why Threat Modeling?

During the 1990s, the emergence of threat and attacker profiles helped popularize IT-based threat modeling. When Microsoft first released its STRIDE (Spoofing, Tampering, Rejection, Information Disclosure, Denial of Service, and Elevation of Privilege) threat modeling technique, it was a game-changer. Many other options are now available to users.

Threat modeling assists in determining the security requirements of a system or process– anything that is mission-critical, sensitive, or contains valuable data.

It is a systematic and structured process to identify potential threats and vulnerabilities to reduce the risk to IT resources. It also helps IT managers understand how threats affect their systems, measure the severity of these threats, and put controls in place.

When it comes to software security, threat modeling is the most critical aspect of the software design and development lifecycles.

Security teams can do threat modeling at any time during development, but it’s best to do it at the start of the project. This way, threats can be found and dealt with before they become a problem.

Questions you should ask yourself

  • Is there a certain kind of threat model that needs to be implemented?

You need to look at data flow transitions, architecture diagrams, and data classifications to get a virtual model of the network you want to protect.

  • What could go wrong?

The main threats to your network and apps are found here.

  • What should be done to get back to normal after a cyberattack?

You’ve already found out what’s wrong, so now it’s time to figure out how to fix it.

  • Did it actually work?

This step is a follow-up. You do a retrospective to check the project’s quality, feasibility, planning, and progress.

Threat Modeling Process

Threat modeling is defining an organization’s assets, figuring out what each application does in the big picture, and putting together a security profile for each application.

The process moves on to figuring out and prioritizing possible threats, then recording both the harmful events and the steps that need to be taken to fix them.

Or, to put it another way, threat modeling is the process of looking at your organization’s digital and network assets to figure out where they are weak, what threats there are, and how to protect or recover from them, among other things.

In some industries, security isn’t given as much attention as it should be. In this world, some people use the word “password” as their password, and others leave their phones unattended.

In that light, it’s not surprising that many businesses and organizations haven’t even thought about the idea of threat modeling at all.

Threat modeling is effective because it is built based on the point of view of a potential attacker instead of a defensive approach.

For this reason, the threat modeling process and threat modeling tools need to be incorporated into your cybersecurity system.

The threat modeling process can be broken down into three essential steps. Let’s take a brief look below:

Step 1: Breaking down the Application

The first stage in the process of threat modeling is to get an understanding of the application and its interactions with external entities. This entails:

  • Developing use cases to better understand how the program is used.
  • Identifying entry points to the application to determine how a possible attacker could interact with it.
  • Identifying assets, i.e., assets or points of interest that would be the focus of a hacker or an attacker.
  • Defining trust levels that correspond to the access rights granted by the application to external entities.

This information is then captured in a threat model document. Additionally, it is used to generate application-specific data flow diagrams (DFDs).

The DFDs illustrate the many routes through the system, emphasizing the privilege boundaries.

Step 2: Rank and Determine Threats/ Attackers

Utilizing a threat classification methodology is critical for threat identification. A threat classification methodology such as Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of service and Elevation of privileges (STRIDE) or the Application Security Framework (ASF) can set up threat categories like auditing and logging, authentication and authorization, configuration management, data protection in storage and in transit, data validation, and exception management.

The goal of threat classification is to help find threats both from an attacker’s (STRIDE) and a defender’s (ASF) point of view.

The DFDs created in step 1 assist in identifying potential targets from the attacker’s perspective, such as data sources, processes, data flows, and user interactions.

These attacks can be further categorized as the roots of threat trees; each threat target has its own tree. From a defensive standpoint, ASF categorization enables the identification of dangers and the shortcomings of security mechanisms designed to protect against such threats.

Common threat lists accompanied by examples can assist in identifying such threats.

Cases of use and abuse can demonstrate how current protective measures might be circumvented or where such protection is lacking.

The security risk associated with any threat can be determined using a value-based risk model such as Damage, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD) on generic risk criteria.

Step 3: Countermeasures and Mitigation

The third and final step in the threat modeling process is about mitigation and establishing countermeasures.

By implementing a countermeasure, a vulnerability can be minimized. Threat-countermeasure mapping lists can be used to identify such countermeasures.

After assigning a risk rating to the risks in step 2, it is necessary to prioritize mitigation actions by sorting threats from highest to lowest risk.

Risk mitigation strategies may include assessing these dangers in terms of the business impact they represent.

Once the potential impact has been determined, the following approaches for mitigating the risk are available:

  • Accept: Determine that the economic damage is tolerable
  • Eliminate: Eliminate components that contribute to the vulnerability’s existence
  • Mitigate: Incorporate safeguards or controls that lessen the risk’s impact or likelihood of occurrence

Threat Modeling Approaches

We have already discussed Microsoft’s STRIDE, one of the initial threat modeling approaches that gave way to many more ways for cybersecurity teams to tackle threats and bolster cybersecurity threat modeling and security threat modeling.

Here are some of the most prominently used threat modeling approaches and  methodologies used today:


STRIDE is the most advanced threat modeling tool currently available. It was invented in 1999 and adopted by Microsoft in 2002.

Over time, it has expanded to include new threat-specific tables and variants such as STRIDE-per-Element and STRIDE-per-Interaction.

STRIDE assesses the detailed design of the system. It is a simulation of the in-place system. It is used to recognize system entities, events, and the system’s boundaries by creating data-flow diagrams (DFDs).

It determines a broad range of known hazards based on its mnemonic moniker.

Spoofing: An imposter posing as another user, component, or other system feature containing an identity.

Tampering: The modification of data within a system to achieve a malicious goal.

Repudiation: The ability of an intruder to deny that they performed some malicious activity, due to lack of proof or evidence.

Information Disclosure: Exposing private data to a user that isn’t authorized to view it.

Denial of Service: An adversary uses illegitimate means to exhaust services needed to provide service to users.

Elevation of Privilege: Allowing an intruder to execute commands and functions that they should not have access to.


This application threat model stands for Process for Attack Simulation and Threat Analysis (PASTA), a risk-centric seven-step process.

It provides a dynamic approach for identifying, enumerating, and assessing threats. After specialists do a thorough investigation of identified threats, developers can construct an asset-centric mitigation approach by examining the application from an attacker’s perspective.

The threat modeling framework of PASTA is as follows:

threat modeling PASTA framework explained
  • Attack Trees

The attack tree is a conceptual representation of how an asset, or target, could be attacked. It is composed of a root node, leaves, and child nodes. A child node represents requirements that must be satisfied in order for the direct parent node to be true.

Each node’s requirements are met solely by its direct child nodes. Additionally, it has “AND” and “OR” alternatives, which reflect alternative paths toward these objectives.

Attack trees are one of the most extensively used methodologies for modeling threats to cyber-only systems, cyber-physical systems, and purely physical systems. Initially used as a stand-alone technique, attack trees have been coupled with various techniques and frameworks.

Attack trees are tree-like visualizations that describe attacks on a system. The attack’s objective is the tree root, and the leaves are a means to that end. Each objective is represented by a distinct tree.

Thus, the threat analysis of the system generates a set of attack trees.

Below is a visual representation of the Attack Tree Threat Modeling Framework:


Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a risk-based strategic assessment and planning approach.

OCTAVE is a risk assessment tool that focuses exclusively on organizational hazards and therefore does not address technical issues.

It is divided into three phases:

  • Creating threat profiles based on assets (Evaluation of an organization).
  • Vulnerabilities in infrastructure identification (Evaluation of information infrastructure).
  • Creating and strategizing a security strategy (Risk assessment and decision-making around the company’s vital assets).


Linkability, Identifiability, Nonrepudiation, Detectability, Disclosure of information, Unawareness, and Noncompliance (LINDDUN) is a privacy-focused data security threat model.

It is a six-step process that enables a systematic approach to privacy evaluation.

It begins by defining the system’s data flows, storage, processes, and external entities using a DFD.

By iteratively examining all model aspects from the perspective of threat categories, the users may determine a threat’s applicability to the system and construct threat trees.

Below is an example of a LINDDUN Threat Model Framework:

  • CVSS

The Common Vulnerability Scoring System (CVSS) method allows for the capturing of a vulnerability’s primary characteristics and the assignment of a number score (ranging from 0 to 10, with 10 being the most severe) indicating the vulnerability’s severity. After that, the score is converted to a qualitative representation (e.g., Low, Medium, High, and Critical).

This representation enables organizations to efficiently and effectively prioritize their own vulnerability management methods efficiently and effectively. Also, CVSS method consists of three metric groups namely Base, Temporal and Environmental.

CVSS method is frequently used in conjunction with other threat modeling techniques. A CVSS score is calculated using analyst-assigned values for each indicator.


The TRIKE methodology focuses on using threat models as more of a risk management tool. Threat models, which are based on requirement models, determine the “acceptable” amount of risk allotted to each asset class by stakeholders.

The analysis of the requirements model generates a threat model in which threats are detected and assigned risk levels. After completing the threat model, it is utilized to construct a risk model, which incorporates activities, assets, roles, and calculated risk exposure.

Mitigate cybersecurity risks with Cyvatar

The whole purpose of threat modeling is to proactively mitigate security risks. Cyvatar’s outcome-based service is designed to deliver proactive security to your assets and resources.

Get started with our freemium plan or get in touch with our cybersecurity experts to get customized services.

Circa Las Vegas

Thurs. Aug 5th

Cybersecurity Reunion Pool Party at BlackHat 2021