Knowledge

Threat model

(DFD). DFDs were developed in the 1970s as a tool for system engineers to communicate, at a high level, how an application caused data to flow, be stored, and be manipulated by the infrastructure upon which the application runs. Traditionally, DFDs utilize only four unique symbols: data flows, data stores, processes, and interactors. In the early 2000s, an additional symbol, the trust boundary, was added to improve the usefulness of DFDs for threat modeling.
dynamic threat identification, enumeration, and scoring process. Once the threat model is completed, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.
highest semantic levels of the DML model. This is followed by the TTP (Tactics, Techniques and Procedures) which represent intermediate semantic levels. The lowest semantic levels of the DML model are the tools used by the attacker, host and observed network artifacts such as packets and payloads, and finally atomic indicators such as IP addresses at the lowest semantic level. Current
In this context, threats to security and privacy like information about the inhabitant's movement profiles, working times, and health situations are modeled as well as physical or network-based attacks. The latter could make use of more and more available smart building features, i.e., sensors (e.g., to spy on the inhabitant) and actuators (e.g., to unlock doors).
and enumerate potential threats. Further analysis of the model regarding risks associated with identified threats, prioritization of threats, and enumeration of the appropriate mitigating controls depends on the methodological basis for the threat model process being utilized. Threat modeling approaches can focus on the system in use, attackers, or assets.
is a Pythonic framework for threat modeling and the first Threat-Model-as-Code tool: The system is first defined in Python using the elements and properties described in the pytm framework. Based on this definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and most important of
The focus of the Trike methodology is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level
is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the
is a software security requirements management platform that includes automated threat modeling capabilities. A set of threats is generated by filling out a short questionnaire on the application's technical details and compliance factors. Countermeasures are included in the form of actionable tasks
to security engineer, including technician. securiCAD performs automated attack simulations on current and future IT architectures, identifies and quantifies risks globally, including structural vulnerabilities, and provides decision support based on results. securiCAD is available in commercial and
The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology. It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a
should be expressed with different semantic levels, and proposed the DML (Detection Maturity Level) model. An attack is an instantiation of a threat scenario which is caused by a specific attacker with a specific goal in mind and a strategy for reaching that goal. The goal and strategy represent the
published his analysis of cyber risks utilizing attack trees in his paper entitled "Toward a Secure System Engineering Methodology". The paper proved to be a seminal contribution in the evolution of threat modeling for IT-systems. In Schneier's analysis, the attacker's goal is represented as a "root
All IT-related threat modeling processes start with creating a visual representation of the application, infrastructure or both being analyzed. The application or infrastructure is decomposed into various elements to aid in the analysis. Once completed, the visual representation is used to identify
Once the application-infrastructure system is decomposed into its five elements, security experts consider each identified threat entry point against all known threat categories. Once the potential threats are identified, mitigating security controls can be enumerated or additional analysis can be
The Visual, Agile and Simple Threat (VAST) methodology is based on ThreatModeler, a commercial automated threat-modeling platform. VAST requires creating two types of models: application threat models and operational threat models. Application threat models use process-flow diagrams, representing
was created in 1999 at Microsoft as a mnemonic for developers to find 'threats to our products'. STRIDE can be used as a simple prompt or checklist, or in more structured approaches such as STRIDE per element. STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling
or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's
Conceptually, most people incorporate some form of threat modeling in their daily life and don't even realize it. Commuters use threat modeling to consider what might go wrong during the morning journey to work and to take preemptive action to avoid possible accidents. Children engage in threat
Conceptually, a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Typically, threat modeling has been implemented using one of five approaches independently: asset-centric, attacker-centric, software-centric, value and
threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application. Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.
In 1994, Edward Amoroso put forth the concept of a "threat tree" in his book, "Fundamentals of Computer Security Technology." The concept of a threat tree was based on decision tree diagrams. Threat trees graphically represent how a potential threat to an IT system can be exploited.
Shortly after shared computing made its debut in the early 1960s, individuals began seeking ways to exploit security vulnerabilities for personal gain. As a result, engineers and computer scientists soon began developing threat modeling concepts for information technology systems.
of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.
for: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege) The resultant mnemonic helps security professionals systematically determine how a potential attacker could utilize any threat included in STRIDE.
node," with the potential means of reaching the goal represented as "leaf nodes." Utilizing the attack tree in this way allowed cybersecurity professionals to systematically consider multiple attack vectors against any defined target.
the architectural point of view. Operational threat models are created from an attacker point of view based on DFDs. This approach allows for the integration of VAST into the organization's development and DevOps lifecycles.
(Security Information and Event Management) tools typically only provide indicators at the lowest semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.
modeling when determining the best path toward an intended goal while avoiding the playground bully. In a more formal sense, threat modeling has been used to prioritize military defensive preparations since antiquity.
(formerly SDL Threat Modeling Tool), also uses the Microsoft threat modeling methodology, is based on DFD and identifies threats based on the STRIDE threat classification system. It is mainly intended for general use.
In 2024 the same group of authors followed up the Manifesto with a Threat Modeling Capabilities document, which "...provides a catalog of capabilities to help you cultivate value from your Threat Modeling practice".
Researchers created this method to combine the positive elements of different methodologies. This methodology combines different methodologies, including SQUARE and the Security Cards and Personae Non Gratae.
In 2003, the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, an operations-centric threat modeling methodology, was introduced with a focus on organizational risk management.
The threat modeling manifesto is a document published in 2020 by threat modeling authorities in order to clearly state the core values and principles that every threat modeler should know and follow.
It drives the process using fully customizable questionnaires and risk model libraries, and connects to several other different tools (OWASP ZAP, BDD-Security, Threadfix) to enable automation.
is a threat modeling and risk management tool from the Scandinavian company foreseeti. It is intended for enterprise cybersecurity management, from
provides both a community and a commercial version of the tool. This tool focuses on creating and maintaining a living threat model throughout the
on a structured graphical representation of how specific attacks against IT-systems could be executed. The resulting representation was called "
wrote "Threat Modeling," published by Microsoft press. In it they developed the concept of using threat models to create secure applications.
stakeholder-centric, and hybrid. Based on the volume of published online content, the methodologies discussed below are the most well known.
approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE and Data Flow Diagrams.
Early technology-centered threat modeling methodologies were based on the concept of architectural patterns first presented by
profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like
and Praerit Garg developed a model for considering attacks relevant to the Microsoft Windows development environment. (
in 1977. In 1988 Robert Barnard developed and successfully applied the first profile for an IT-system attacker.
Threat modeling is being applied not only to IT but also to other areas such as vehicle,
for developers that can be tracked and managed across the SDLC.
"What do I need to do to safeguard against these threats?"
Generally accepted technology threat modeling processes
Process of identifying structural vulnerabilities
Threat modeling is a process by which potential threats, such as structural vulnerabilities
"Where am I most vulnerable to attack?"
"What are the most relevant threats?"
Evolution of technology-centric threat modeling
Independently, similar work was conducted by the NSA and DARPA
attack trees." In 1998 Bruce Schneier
In 1999, Microsoft cybersecurity professionals Loren Kohnfelder
STRIDE is an acrostic
In 2004, Frank Swiderski and Window Snyder
In 2014, Ryan Stillions expressed the idea that cyber threats
Threat Modeling Manifesto
Threat modeling frameworks
STRIDE
The STRIDE
PASTA
Trike
VAST
'The Hybrid' Threat Modeling Method
Visual representations based on data flow diagrams
Most threat modeling approaches use data flow diagrams
performed.
Threat modeling tools
Microsoft's free Threat Modeling Tool
IriusRisk
securiCAD
community editions.
SD Elements by Security Compass
OWASP Threat Dragon
OWASP pytm
all, threats to the system.
Further fields of application
building and home automation


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
