Threat modeling enables you to perform a proactive threats assessment. Security teams use threat modeling insights to evaluate risks and prioritize mitigation. You can design your own threat modeling process or you can use ready-made threat modeling software.

A typical threat modeling process includes five components—threat intelligence, asset identification, mitigation capabilities, risk assessment, and threat mapping. Each of these processes provides different insights and visibility into your security perimeter.

There are six main methodologies you can use while threat modeling—STRIDE, PASTA, CVSS, attack trees, Security Cards, and hTMM. Each of these methodologies provides a different way to assess the threats facing your IT assets.

In this article you will learn:

What is Threat Modeling?

Threat modeling is a proactive strategy for evaluating risks. It involves identifying potential threats, and developing tests or procedures to detect and respond to those threats. This involves understanding how threats may impact systems, classifying threats and applying the appropriate countermeasures.

Why is Threat Modeling Important?
Threat modeling can help security teams prioritize threats, ensuring that resources and attention are distributed effectively. This prioritization can be applied during planning, design, and implementation of security to ensure that solutions are as effective as possible.

When done routinely, threat modeling can also help security teams ensure that protections are in line with evolving threats. If not, new threats may remain undefended leaving systems and data vulnerable.

Threat modeling is also important when adopting new software or creating software. It helps teams understand how tools and applications may be vulnerable in comparison to what protections are offered.

When adopting tools, threat modeling helps teams understand where security is lacking. This allows you to make an informed decision about whether a component is worth adopting.

Threat modeling can also help development teams prioritize fixes to existing software, according to the severity and impact of anticipated threats.

Components of a Threat Modeling Process

When performing threat modeling, several processes and aspects should be included. Failing to include one of these components can lead to incomplete models and can prevent threats from being properly addressed.

Threat intelligence
This area includes information about types of threats, affected systems, detection mechanisms, tools and processes used to exploit vulnerabilities, and motivations of attackers.

Threat intelligence information is often collected by security researchers and made accessible through public databases, proprietary solutions, or security communications outlets. It is used to enrich the understanding of possible threats and to inform responses.

Asset identification
Teams need a real-time inventory of components and data in use, where those assets are located and what security measures are in use. This inventory helps security teams track assets with known vulnerabilities.

A real-time inventory enables security teams to gain visibility into asset changes. For example, getting alerts when assets are added with or without authorized permission, which can potentially signal a threat.

Mitigation capabilities

Mitigation capabilities generally refer to technology to protect, detect and respond to a certain type of threat, but can also refer to an organization’s security expertise and abilities, and their processes. Assessing your existing capabilities will help you determine whether you need to add additional resources to mitigate a threat.

For example, if you have enterprise-grade antivirus, you have an initial level of protection against traditional malware threats. You can then determine if you should invest further, for example, to correlate your existing AV signals with other detection capabilities.

Risk assessment
Risk assessments correlate threat intelligence with asset inventories. These tools are necessary for teams to understand the current status of their systems and to develop a plan for addressing vulnerabilities.

Risk assessments can also involve active testing of systems and solutions. For example, penetration testing to verify security measures are effective.

Threat mapping

Threat mapping is a process that follows the potential path of threats through your systems. It is used to model how attackers might move from resource to resource and helps teams anticipate where defenses can be more effectively layered or applied.

Threat Modeling Methodologies

When performing threat modeling, there are multiple methodologies you can use. The right model for your needs depends on what types of threats you are trying to model and for what purpose.

STRIDE threat modeling
STRIDE is a threat model, created by Microsoft engineers, which is meant to guide the discovery of threats in a system. It is used along with a model of the target system. This makes it most effective for evaluating individual systems.

STRIDE is an acronym for the types of threats it covers, which are:

  • Spoofing—a user or program pretends to be another
  • Tampering—attackers modify components or code
  • Repudiation—threat events are not logged or monitored
  • Information disclosure—data is leaked or expose
  • Denial of service (DoS)—services or components are overloaded with traffic to prevent legitimate use
  • Privilege escalation—attackers grant themselves additional privileges to gain greater control over a system

Process for Attack Simulation and Threat Analysis (PASTA)
PASTA is an attacker-centric methodology with seven steps. It is designed to correlate business objectives with technical requirements. PASTA’s steps guide teams to dynamically identify, count, and prioritize threats.

The steps of a PASTA threat model are:

  1. Define business objectives
  2. Define the technical scope of assets and components
  3. Application decomposition and identify application controls
  4. Threat analysis based on threat intelligence
  5. Vulnerability detection
  6. Attack enumeration and modeling
  7. Risk analysis and development of countermeasures

Common Vulnerability Scoring System (CVSS)
CVSS is a standardized threat scoring system used for known vulnerabilities. It was developed by the National Institute of Standards and Technology (NIST) and maintained by the Forum of Incident Response and Security Teams (FIRST).

This system is designed to help security teams access threats, identify impacts, and identify existing countermeasures. It also helps security professionals assess and apply threat intelligence developed by others in a reliable way.

CVSS accounts for the inherent properties of a threat and the impacts of the risk factor due to time since the vulnerability was first discovered. It also includes measures that allow security teams to specifically modify risk scores based on individual system configurations.

Attack trees
Attack trees are charts that display the paths that attacks can take in a system. These charts display attack goals as a root with possible paths as branches. When creating trees for threat modeling, multiple trees are created for a single system, one for each attacker goal.

This is one of the oldest and most widely used threat modeling techniques. While once used alone, it is now frequently combined with other methodologies, including PASTA, CVSS, and STRIDE.

Security Cards
Security Cards is a methodology based on brainstorming and creative thinking rather than structured threat modeling approaches. It is designed to help security teams account for less common or novel attacks. This methodology is also a good way for security teams to increase knowledge about threats and threat modeling practices.

The methodology uses a set of 42 cards, which help analysts answer questions about future attacks, such as who might attack, what their motivation could be, which systems they might attack, and how they would implement an attack. Analysts can deal the cards in a type of table-top game, to simulate possible attacks and consider how the organization might respond.

Hybrid Threat Modeling Method (hTMM)
hTMM is a methodology developed by Security Equipment Inc. (SEI) that combines two other methodologies:

  • Security Quality Requirements Engineering (SQUARE)—a methodology designed to elicit, categorize and prioritize security requirements.
  • Persona non Grata (PnG)—a methodology that focuses on uncovering ways a system can be abused to meet an attacker’s goals.

hTMM is designed to enable threat modeling which accounts for all possible threats, produces zero false positives, provides consistent results, and is cost effective.

It works by applying Security Cards, eliminating unlikely PnGs, summarizing results, and formally assessing risk using SQUARE.

Threat Modeling With Exabeam’s Next generation SIEM Platform

Threat modeling is a complex process that requires real-time data collection and analysis, as well as a quick (if not real-time) response.

Next generation SIEM platforms, like Exabeam’s Security Management Platform, can help you effectively create, manage, maintain, and automate the threat modeling process of your choice.

Exabeam offers the following modules that you can use to perform threat modeling:

  • Advanced analytics—using behavioral analytics to identify anomalous behavior that might indicate an attack, and correlating with threat analytics data to identify the type and source of the attack.
  • Smart forensic analysis—collecting all relevant information about a security incident, across multiple users, IP addresses and IT systems, combining it with threat intelligence data, and laying it out on an incident timeline.
  • Incident response automation—gathering data from hundreds of tools, automatically identifying incidents, referencing them with threat intelligence data, and even automatically orchestrating containment and mitigation steps.
  • Threat hunting—using threat intelligence data, combined with free exploration of internal security data, to identify new and unknown threats that might be affecting your organization.

Exabeam Threat Hunter is especially helpful during the threat modeling process. It helps analysts outsmart attackers by simplifying threat detection. Here’s what you can do with Exabeam Threat Hunter:

  • Easy to use interface—point-and-click interface makes it simple to query data.
  • Context-aware data—enables complex searches
  • Automatic incident timelines—automation makes gathering evidence simpler and faster than maintaining logs.
  • Provides visual aid—represents relationships, revealing hidden correlations between data.

In addition to these tools, Exabeam also offers a Threat Intelligence Service, which provides a cloud-based solution with proprietary threat intelligence technology. This system collects and analyzes threat indicators from multiple feeds.

The Threat Intelligence Service service is free for Exabeam customers as part of the Exabeam Security Management Platform and can also integrate with TIP vendors for a broader source of IOCs.

Learn more about the Exabeam Security Management Platform.

Further reading

Product Marketing Manager

Cynthia Gonzalez is a Product Marketing Manager at Exabeam. An advocate for customers, she’s focused on their use of technology to enable and simplify work. She is at her best when bridging the gap between sophisticated software products and the benefits customers can expect. Cynthia is always on the hunt for her next meal and known for her dad jokes –“I’d share my joke about paper, but it’s tearable.

Follow on Linkedin

More like this

If you’d like to see more content like this, subscribe to the Exabeam Blog

Subscribe