Top 8 Threat Modeling Methodologies and Techniques
Learn how to use threat modeling to improve identification of cybersecurity threats, prioritize them, and perform effective risk mitigation.
What is threat modeling?
Threat modeling is a proactive strategy for evaluating cybersecurity threats. It involves identifying potential threats, and developing tests or procedures to detect and respond to those threats. This involves understanding how threats may impact systems, classifying threats and applying the appropriate countermeasures.
A typical threat modeling process includes five steps: threat intelligence, asset identification, mitigation capabilities, risk assessment, and threat mapping. Each of these provides different insights and visibility into your security posture.
There are eight main methodologies you can use while threat modeling: STRIDE, PASTA, VAST, Trike, CVSS, Attack Trees, Security Cards, and hTMM. Each of these methodologies provides a different way to assess the threats facing your IT assets.
In this article:
- Advantages of threat modeling
- What are the main steps in the threat modeling process?
- Top threat modeling methodologies and techniques
- Hybrid Threat Modeling Method (hTMM)
Advantages of threat modeling
Threat modeling has the following key advantages:
- Helps prioritize threats, ensuring that resources and attention are distributed effectively. This prioritization can be applied during planning, design, and implementation of security to ensure that solutions are as effective as possible.
- Ensures defenses are in line with evolving threats. If not, new threats may remain undefended, leaving systems and data vulnerable.
- Helps teams adopt or develop new tools or create software. It helps teams understand how tools and applications may be vulnerable in comparison to what protections are offered.
- Helps development teams prioritize fixes to existing software, according to the severity and impact of anticipated threats.
What are the five main steps in the threat modeling process?
When performing threat modeling, several processes and aspects should be included. Failing to include one of these components can lead to incomplete models and can prevent threats from being properly addressed.
1. Apply threat intelligence
This area includes information about types of threats, affected systems, detection mechanisms, tools and processes used to exploit vulnerabilities, and motivations of attackers.
Threat intelligence information is often collected by security researchers and made accessible through public databases, proprietary solutions, or security communications outlets. It is used to enrich the understanding of possible threats and to inform responses.
2. Identify assets
Teams need a real-time inventory of components, credentials, and data in use, where those assets are located, and what security measures are in use. This inventory helps security teams track assets with known vulnerabilities.
A real-time inventory enables security teams to gain visibility into asset changes. For example, getting alerts when assets are added with or without authorized permission, which can potentially signal a threat.
3. Identify mitigation capabilities
Mitigation capabilities generally refer to technology to protect, detect, and respond to a certain type of threat, but can also refer to an organization’s security expertise and abilities, and their processes. Assessing your existing capabilities will help you determine whether you need to add additional resources to mitigate a threat.
For example, if you have enterprise-grade antivirus, you have an initial level of protection against traditional malware threats. You can then determine if you should invest further, for example, to correlate your existing AV signals with other detection capabilities.
4. Assess risks
Risk assessments correlate threat intelligence with asset inventories and current vulnerability profiles. These tools are necessary for teams to understand the current status of their systems and to develop a plan for addressing vulnerabilities.
Risk assessments can also involve active testing of systems and solutions. For example, penetration testing to verify security measures and patching levels are effective.
5. Perform threat mapping
Threat mapping is a process that follows the potential path of threats through your systems. It is used to model how attackers might move from resource to resource and helps teams anticipate where defenses can be more effectively layered or applied.
Top threat modeling methodologies and techniques
When performing threat modeling, there are multiple methodologies you can use. The right model for your needs depends on what types of threats you are trying to model and for what purpose.
STRIDE threat modeling
STRIDE is a threat model, created by Microsoft engineers, which is meant to guide the discovery of threats in a system. It is used along with a model of the target system. This makes it most effective for evaluating individual systems.
STRIDE is an acronym for the types of threats it covers, which are:
- Spoofing — a user or program pretends to be another
- Tampering — attackers modify components or code
- Repudiation — threat events are not logged or monitored
- Information disclosure — data is leaked or exposed
- Denial of service (DoS) — services or components are overloaded with traffic to prevent legitimate use
- Elevation of Privilege — attackers grant themselves additional privileges to gain greater control over a system
Process for Attack Simulation and Threat Analysis (PASTA)
PASTA is an attacker-centric methodology with seven steps. It is designed to correlate business objectives with technical requirements. PASTA’s steps guide teams to dynamically identify, count, and prioritize threats.
The steps of a PASTA threat model are:
- Define business objectives
- Define the technical scope of assets and components
- Application decomposition and identify application controls
- Threat analysis based on threat intelligence
- Vulnerability detection
- Attack enumeration and modeling
- Risk analysis and development of countermeasures
Common Vulnerability Scoring System (CVSS)
CVSS is a standardized threat scoring system used for known vulnerabilities. It was developed by the National Institute of Standards and Technology (NIST) and maintained by the Forum of Incident Response and Security Teams (FIRST).
This system is designed to help security teams assess threats, identify impacts, and identify existing countermeasures. It also helps security professionals assess and apply threat intelligence developed by others in a reliable way.
CVSS accounts for the inherent properties of a threat and the impacts of the risk factor due to time since the vulnerability was first discovered. It also includes measures that allow security teams to specifically modify risk scores based on individual system configurations.
Visual, Agile, and Simple Threat (VAST)
Visual, Agile, and Simple Threat (VAST) is an automated threat modeling method built on the ThreatModeler platform. Large enterprises implement VAST across their entire infrastructure to generate reliable, actionable results and maintain scalability.
VAST can integrate into the DevOps lifecycle and help teams identify various infrastructural and operational concerns. Implementing VAST requires the creation of two types of threat models:
- Application threat model — uses a process-flow diagram to represent the architectural aspect of the threat
- Operational threat model — uses a data-flow diagram to represent the threat from the attacker’s perspective
Trike is a security audit framework for managing risk and defense through threat modeling techniques. Trike defines a system, and an analyst enumerates the system’s assets, actors, rules, and actions to build a requirement model. Trike generates a step matrix with columns representing the assets and rows representing the actors. Every matrix cell has four parts to match possible actions (create, read, update, and delete) and a rule tree — the analyst specifies whether an action is allowed, disallowed, or allowed with rules.
Trike builds a data-flow diagram mapping each element to the appropriate assets and actors with the requirements defined. The analyst uses the diagram to identify denial of service (DoS) and privilege escalation threats.
Trike assesses attack risks using a five-point probability scale for each CRUD action and actor. It also evaluates actors based on their permission level for each action (always, sometimes, or never).
Attack trees are charts that display the paths that attacks can take in a system. These charts display attack goals as a root with possible paths as branches. When creating trees for threat modeling, multiple trees are created for a single system, one for each attacker goal.
This is one of the oldest and most widely used threat modeling techniques. While once used alone, it is now frequently combined with other methodologies, including PASTA, CVSS, and STRIDE.
The Security Cards methodology is based on brainstorming and creative thinking rather than structured threat modeling approaches. It is designed to help security teams account for less common or novel attacks. This methodology is also a good way for security teams to increase knowledge about threats and threat modeling practices.
The methodology uses a set of 42 cards, which help analysts answer questions about future attacks, such as who might attack, what their motivation could be, which systems they might attack, and how they would implement an attack. Analysts can deal the cards in a type of table-top game, to simulate possible attacks and consider how the organization might respond.
Hybrid Threat Modeling Method (hTMM)
hTMM is a methodology developed by Security Equipment Inc. (SEI) that combines two other methodologies:
- Security Quality Requirements Engineering (SQUARE) — a methodology designed to elicit, categorize and prioritize security requirements
- Persona non Grata (PnG) — a methodology that focuses on uncovering ways a system can be abused to meet an attacker’s goals
hTMM is designed to enable threat modeling which accounts for all possible threats, produces zero false positives, provides consistent results, and is cost-effective.
It works by applying Security Cards, eliminating unlikely PnGs, summarizing results, and formally assessing risk using SQUARE.
Threat modeling with Exabeam’s Next-generation SIEM platform
Threat modeling is a complex process that requires real-time data collection and analysis, as well as a quick (if not real-time) response.
Next-generation SIEM platforms, like Exabeam’s Security Management Platform, can help you effectively create, manage, maintain, and automate the threat modeling process of your choice.
Exabeam offers the following modules that you can use to perform threat modeling:
- Advanced analytics — using behavioral analytics to identify anomalous behavior that might indicate an attack, and correlating with threat analytics data to identify the type and source of the attack
- Smart forensic analysis — collecting all relevant information about a security incident, across multiple users, IP addresses, and IT systems, combining it with threat intelligence data, and laying it out on an incident timeline
- Incident response automation — gathering data from hundreds of tools, automatically identifying incidents, referencing them with threat intelligence data, and even automatically orchestrating containment and mitigation steps
- Threat hunting — using threat intelligence data, combined with free exploration of internal security data, to identify new and unknown threats that might be affecting your organization
Exabeam Threat Hunter is especially helpful during the threat modeling process. It helps analysts outsmart attackers by simplifying threat detection. Here’s what you can do with Exabeam Threat Hunter:
- Easy to use interface — Point-and-click interface makes it simple to query data.
- Context-aware data — enables complex searches
- Automatic incident timelines — Automation makes gathering evidence simpler and faster than maintaining logs.
- Provides visual aid — represents relationships, revealing hidden correlations between data
In addition to these tools, Exabeam also offers a Threat Intelligence Service, which provides a cloud-based solution with proprietary threat intelligence technology. This system collects and analyzes threat indicators from multiple feeds.
The Threat Intelligence Service is free for Exabeam customers as part of the Exabeam Security Management Platform, and can also integrate with TIP vendors for a broader source of IOCs.
Learn more about the Exabeam Security Management Platform.
Learn more about Threat Modeling
- Information Security: Goals, Types, and Applications
- The 8 Elements of an Information Security Policy
- What is MITRE ATT&CK: An Explainer
- MITRE Publishes Domain Generation Algorithm T1483 in the ATT&CK Framework
36 InfoSec Resources You Might Have Missed in October
Overview of Exabeam SIEM and Security Analytics Product Innovations
Exabeam News Wrap-up – November 1, 2022
Understanding UEBA: From Raw Events to Scored Events
Exabeam Alert Triage with Dynamic Alert Prioritization Now Available in Exabeam Fusion and Exabeam Security Investigation
Building a UEBA Risk Engine
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!