Threat Modeling


Threat modeling involves identifying and communicating information about the threats that may impact a particular system or network. Security threat modeling enables an IT team to understand the nature of threats, as well as how they may impact the network. In addition, threat modeling can be used to analyze the dangers threats pose to applications, taking into account their potential vulnerabilities. In this article, the threat modeling process and its terminology are explained.

What are some threat modeling examples?

Some examples of threat models include STRIDE, DREAD, PASTA, VAST, OCTAVE, and NIST.

Threat Modeling Terminology

You should be familiar with the following terms, which are used throughout this article.

A threat agent is an individual or group that is capable of carrying out a particular threat. It is fundamental to identify who would want to exploit the assets of a company, how they might use them against the company, and if they would be capable of doing so. Some threats require more expertise or resources, and thus raise the level of threat actors needed. For example, if a threat requires hundreds of thousands of dollars of computing power to implement, it is likely that only organized corporate, criminal, or government actors would be valid threat actors for such a threat. However, with the rise of cloud computing and the prevalence of attack software on the internet, other threats may be easy to implement with relatively little skill and few resources.

Impact is a measure of the potential damage caused by a particular threat. Impact and damage can take a variety of forms. A threat may result in damage to physical assets, or may result in obvious financial loss. Indirect loss may also result from an attack, and needs to be considered as part of the impact. For example, if your company's website were defaced this could cause damage to your company's reputation, which may in turn cause a loss of business because of the loss of confidence by your users. Depending on the business you are in, attacks that expose user information could potentially result in a physical threat of harm or loss of life to your users, greatly raising the impact of threats that would allow such exposure.

Likelihood is a measure of the possibility of a threat being carried out. A variety of factors can impact the likelihood of a threat being carried out, including how difficult the implementation of the threat is, and how rewarding it would be to the attacker. For example, if a threat required a skilled threat actor with tens of thousands of dollars of computing resources to implement, and the only reward was that they were able to gain access to information that is already public in some other form, the likelihood is low. However, if the threat is relatively easy to accomplish, or if the attacker were to gain valuable information from which they could profit, the likelihood may be higher.

Controls are safeguards or countermeasures that you put in place in order to avoid, detect, counteract, or minimize potential threats against your information, systems, or other assets.

Preventions are controls that may completely prevent a particular attack from being possible. For example, if you identify a threat that your users' personal information may be identified by certain application logging, and you decide to completely remove that logging, you have prevented that particular threat.

Mitigations are controls that are put in place to reduce either the likelihood or the impact of a threat, while not necessarily completely preventing it. For example, if you store your users' passwords as hashes in a database, two users who have the same password will have the same hash. Thus, if an attacker has access to the hashed passwords and is able to determine the password associated with one hash, he is easily able to find all the other users who share the same password simply by looking for the same hash. However, if you add salts to each user's password, the cost of this particular attack is greatly increased, as the attacker must crack each password individually. An increase in cost reduces the likelihood, and thus has mitigated the attack.
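The salting mitigation described above, as an added example that is not part of the original article: it checks a credential table for accounts whose stored digests are identical, first without salts and then with a per-user salt. The account names and passwords are constructed, and PBKDF2-HMAC-SHA256 with the iteration count shown is an assumption chosen for the demonstration; the article only speaks of hashes and salts.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption, not from the article)

# Constructed sample accounts: alice and carol chose the same password.
USERS = {"alice": "correct horse", "bob": "tr0ub4dor&3", "carol": "correct horse"}

def unsalted_store(users):
    """Weak scheme from the text: a plain hash with no salt, stored as (salt, digest)."""
    return {u: (b"", hashlib.sha256(p.encode()).digest()) for u, p in users.items()}

def salted_store(users):
    """Mitigated scheme: a fresh random 16-byte salt per user feeds a slow hash."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        store[user] = (salt, digest)
    return store

def shared_password_groups(store):
    """Accounts whose stored digests are identical, as visible to anyone holding the table."""
    groups = defaultdict(list)
    for user, (_salt, digest) in store.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def verify(store, user, password):
    """Recompute the digest with the user's own salt and compare in constant time."""
    salt, digest = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("unsalted:", shared_password_groups(unsalted_store(USERS)))
    salted = salted_store(USERS)
    print("salted:  ", shared_password_groups(salted))
    print("alice verifies:", verify(salted, "alice", "correct horse"))
```

Running `shared_password_groups` against a real credential table is a quick audit: any non-empty result means identical passwords are producing identical stored values.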

A data flow diagram is a depiction of how information flows through your system. It shows each place that data is input into or output from each process or subsystem. It includes anywhere that data is stored in the system, either temporarily or long-term.

A trust boundary (in the context of threat modeling) is a location on the data flow diagram where data changes its level of trust. Any place where data is passed between two processes is typically a trust boundary. If your application reads a file from disk, there's a trust boundary between the application and the file because outside processes and users can modify the data in the file. If your application makes a call to a remote process, or a remote process makes calls to your application, that's a trust boundary. If you read data from a database, there's typically a trust boundary because other processes can modify the data in the database. Any place you accept user input in any form is always a trust boundary.
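The trust-boundary definitions above, applied to a small data flow diagram as an added example that is not part of the original article. The `Element` and `Flow` types, the element kinds, and the sample system are all assumptions made for illustration; the rules encode only the cases the paragraph names, so a flow it does not cover (such as a process writing to a file) is left unflagged.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of: "user", "process", "file", "database" (hypothetical labels)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

def boundary_reason(flow):
    """Return why this flow crosses a trust boundary under the definitions above, else None."""
    src, dst = flow.src.kind, flow.dst.kind
    if src == "user":
        return "user input is always a trust boundary"
    if src == "process" and dst == "process":
        return "data passed between two processes"
    if src == "file" and dst == "process":
        return "outside processes and users can modify the file"
    if src == "database" and dst == "process":
        return "other processes can modify the database"
    return None

def trust_boundaries(flows):
    """List (source, destination, data, reason) for every boundary-crossing flow."""
    found = []
    for flow in flows:
        reason = boundary_reason(flow)
        if reason:
            found.append((flow.src.name, flow.dst.name, flow.data, reason))
    return found

# Constructed sample system for the example.
user = Element("browser user", "user")
web = Element("web app", "process")
auth = Element("auth service", "process")
config = Element("config file", "file")
audit = Element("audit log", "file")
userdb = Element("user database", "database")

FLOWS = [
    Flow(user, web, "login form"),
    Flow(web, auth, "credential check (remote call)"),
    Flow(config, web, "settings read at startup"),
    Flow(web, audit, "log write"),
    Flow(userdb, auth, "stored password record"),
]

if __name__ == "__main__":
    for src, dst, data, reason in trust_boundaries(FLOWS):
        print(f"{src} -> {dst} [{data}]: {reason}")
```

Each flagged flow is a point where the receiving process should validate what it receives before acting on it.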

How do you make a threat model?

The threat modeling process depends on a sequential series of actions. Executing them together provides a comprehensive view of the threat situation. The steps tend to include:

  1. Outline the concern you have as it pertains to a specific system, application, or process.
  2. Document how data flows through the system or application to identify where it might be attacked.
  3. List the assumptions regarding the threat, which need to be verified as conditions change.
  4. Document as many potential threats to the system as possible.
  5. Document security controls that may be put in place to reduce the likelihood or impact of a potential threat.
  6. Establish a way to make sure the methods of dealing with the threats are successful and still valid as the threat landscape changes.

What are the 4 steps of making a threat model?

  1. Examining the systems that could be impacted
  2. Assessing the things that could go wrong
  3. Understanding what the organization or IT team is doing to reduce the risk
  4. After steps have been taken, assessing their success or failure

How can Sicura help?

Sicura is a security and compliance platform that enforces and remediates technical security controls, bridges the gap between security and engineering teams, and puts a stop to manual fixes of misconfigurations. 

Security hardening and system and application misconfigurations are the most common attack vectors, second only to malware, within the cyber security landscape. Automating this process aids in continuous monitoring of assets and improves an organization's overall security posture. For more information contact us at