Security

Getting Started with Threat Modeling

January 7, 2024 5 min read By Anshul Dhull

Threat modeling is one of the most effective proactive security measures you can implement in your development lifecycle. It's about thinking like an attacker before they do—identifying potential threats, vulnerabilities, and attack vectors in your systems.

What is Threat Modeling?

Threat modeling is a structured approach to identifying and addressing potential security threats. It involves:

  • Understanding your system's architecture
  • Identifying potential threats and attack vectors
  • Prioritizing risks based on impact and likelihood
  • Implementing appropriate mitigations
"Threat modeling is the process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data."

The STRIDE Framework

Developed by Microsoft, STRIDE is a mnemonic for six categories of security threats:

S - Spoofing

Pretending to be something or someone you're not. This includes stealing credentials, session hijacking, or impersonating services.

T - Tampering

Modifying data or code maliciously. Examples include SQL injection, man-in-the-middle attacks, and unauthorized data modification.

R - Repudiation

Claiming you didn't do something when you actually did. This is why proper logging and audit trails are essential.

I - Information Disclosure

Exposing information to unauthorized parties. This includes data breaches, verbose error messages, and insecure data storage.

D - Denial of Service

Making a system unavailable. Think DDoS attacks, resource exhaustion, or crashing services through malformed inputs.

E - Elevation of Privilege

Gaining capabilities without proper authorization. This includes privilege escalation attacks and broken access control.

💡 Pro Tip

When analyzing a system, map each component and data flow to STRIDE categories. Ask yourself: "How could an attacker spoof, tamper, repudiate, disclose, deny service, or escalate privileges here?"

The DREAD Framework

DREAD is a risk rating framework to help prioritize threats. Each factor is rated on a scale of 1-10: 

Risk Rating = (D + R + E + A + D) / 5

Where:
D = Damage Potential    (How bad would an attack be?)
R = Reproducibility     (How easy is it to reproduce?)
E = Exploitability      (How easy is it to launch?)
A = Affected Users      (How many users impacted?)
D = Discoverability     (How easy to discover?)

Practical Steps to Start

  1. Draw your architecture - Create data flow diagrams showing components, trust boundaries, and data flows
  2. Identify threats - Use STRIDE on each component
  3. Rate risks - Apply DREAD to prioritize
  4. Plan mitigations - Address high-priority threats first
  5. Document everything - Keep your threat model updated

Conclusion

Threat modeling isn't a one-time activity—it's an ongoing practice. As your system evolves, so do the threats. Make threat modeling part of your development lifecycle, and you'll catch vulnerabilities before they become breaches.

In upcoming posts, I'll dive deeper into specific threat modeling techniques and share real-world examples from my experience at IBM and SEIA.