What Is Threat Modeling?
Threat Modeling is a structured security process used to identify potential threats before they become real attacks. Think of it as security planning done before something goes wrong.
Identify Threats
Spot what could go wrong in a system - before attackers do.
Analyze Vulnerabilities
Understand how threats could exploit weaknesses in the system.
Determine Impact
Evaluate which assets are most valuable and how much damage could occur.
Define Controls
Design appropriate security countermeasures to reduce or eliminate risk.
Key Terminology
You must master these terms - they're the building blocks of every threat modeling question.
Exam Trick: Threat vs. Attack
Threat = potential event (hasn't happened). Attack = actual event (it happened). This distinction frequently appears in multiple choice questions.
A hacker (threat agent) identifies an unpatched SQL injection flaw (vulnerability) in a university portal. The hacker is a threat. When they actually run the SQL attack, it becomes an attack. The hacker exploits the vulnerability. The university must implement input validation (control) to prevent this. The asset is student grade records. The overall risk = likelihood the hacker will actually do this × how damaging it would be.
When Is Threat Modeling Performed?
✅ Proactive (Preferred)
Also called the Defensive Approach. Performed during system design and development - security is built in from the start. Predicts threats and designs defenses before deployment instead of relying on patches later.
This is the preferred and more effective approach - always select proactive over reactive when asked which is better.
⚠️ Reactive (Adversarial)
Also called the Adversarial Approach. Performed after deployment or after an incident. Based on observed attacks or failures. Useful but less ideal than proactive modeling.
Reactive doesn't mean bad - it means you're responding to real evidence. But it's slower and costlier to fix issues post-deployment.
Identifying Threats
Three primary steps to identify threats in any system:
Identify All Technologies Involved
Map out the entire system - hardware, software, networks, data flows, and external connections.
Identify Possible Attacks on Each Element
Consider ALL attack types: logical/technical (SQL injection, XSS), physical (theft, destruction), and social (phishing, impersonation).
Define Prevention Measures
For each identified attack, specify countermeasures - encryption, access controls, firewalls, training, etc.
There are three key approaches to identifying what to focus on:
🗃️ Asset-Focused
Start from what's valuable. Use asset valuation to prioritize protection. "What is worth protecting?" - data, systems, money, reputation, intellectual property.
👤 Attacker-Focused
Identify potential attackers first. "Who would attack us and why?" - hackers, insiders, competitors, nation-states, malware authors.
💻 Software-Focused
If you develop software, identify threats to the software itself - buffer overflows, injection attacks, insecure APIs, authentication flaws.
A university's online learning platform (assignments, quizzes, grades) was threat-modeled using the asset-focused approach:
| Asset | Threat Actor | Vulnerability | Threat Scenario |
|---|---|---|---|
| Student grades | Student | Weak authentication | Student changes their own grade |
| Exam content | Hacker | SQL injection | Hacker extracts upcoming exam questions |
| Faculty login | Hacker | Phishing, no MFA | Hacker accesses faculty account to manipulate data |
| Platform uptime | Insider | Misconfigured permissions | Staff deletes files causing downtime |
STRIDE Threat Model
STRIDE is a threat categorization scheme developed by Microsoft. It classifies threats by what security property they violate. While typically used for application threats, it applies to network and other threats too.
Memory Trick
Each letter violates a specific CIA+ property: Spoofing→Authentication, Tampering→Integrity, Repudiation→Non-repudiation, Info Disclosure→Confidentiality, DoS→Availability, Elevation→Authorization.
| STRIDE | Threat Scenario |
|---|---|
| S - Spoofing | Attacker logs in using stolen credentials |
| T - Tampering | User modifies form data to change prices |
| R - Repudiation | User performs a transaction and denies it later |
| I - Info Disclosure | Sensitive user data exposed via API |
| D - Denial of Service | Flooding the server with requests to crash it |
| E - Elevation of Privilege | Regular user exploits a bug to become admin |
| STRIDE | Threat Scenario |
|---|---|
| S - Spoofing | Attacker logs in using stolen credentials |
| T - Tampering | Modifying transfer amount in transit |
| R - Repudiation | Denying a fraudulent transfer was made |
| I - Info Disclosure | Account balances exposed via unsecured API |
| D - Denial of Service | Flood login page to prevent user access |
| E - Elevation of Privilege | Exploit bug to access admin panel |
A hospital's web portal allows patients to view test results, schedule appointments, and message doctors.
| STRIDE | Threat Scenario |
|---|---|
| S - Spoofing | Attacker impersonates a doctor using stolen credentials to access patient records |
| T - Tampering | Malicious insider modifies patient medication dosage in the database |
| R - Repudiation | Doctor denies changing a prescription; no audit log exists |
| I - Info Disclosure | Patient medical records sent over unencrypted HTTP connection |
| D - Denial of Service | Ransomware encrypts hospital systems, blocking access to critical patient data |
| E - Elevation of Privilege | Patient exploits bug to view and edit other patients' records |
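An added example (not part of the original page) showing how STRIDE can be applied systematically to a system like the hospital portal rather than brainstormed row by row. It goes beyond the table above by using the standard STRIDE-per-element chart; the element names, trust zones and flows are a constructed model.

```python
# STRIDE letter -> security property it violates (as listed on this page).
PROPERTY = {"S": "Authentication", "T": "Integrity", "R": "Non-repudiation",
            "I": "Confidentiality", "D": "Availability", "E": "Authorization"}

# STRIDE-per-element chart: categories that apply to each diagram element type.
APPLIES = {"external": "SR", "process": "STRIDE", "datastore": "TID", "flow": "TID"}

# Constructed model of the hospital portal: name -> (element type, trust zone).
ELEMENTS = {
    "Patient browser": ("external", "internet"),
    "Portal web app": ("process", "dmz"),
    "Scheduling service": ("process", "dmz"),
    "Records database": ("datastore", "internal"),
    "Audit log": ("datastore", "internal"),
}
FLOWS = [("Portal web app", "Scheduling service"),
         ("Patient browser", "Portal web app"),
         ("Portal web app", "Records database"),
         ("Portal web app", "Audit log")]
LOG_STORES = {"Audit log"}  # stores holding logs are also subject to Repudiation

def crosses_boundary(flow):
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    src, dst = flow
    return ELEMENTS[src][1] != ELEMENTS[dst][1]

def enumerate_threats():
    """Return (target, letter, property) rows to review, boundary-crossing flows first."""
    rows = []
    for flow in sorted(FLOWS, key=lambda f: not crosses_boundary(f)):
        label = f"{flow[0]} -> {flow[1]}"
        rows += [(label, letter, PROPERTY[letter]) for letter in APPLIES["flow"]]
    for name, (kind, _zone) in ELEMENTS.items():
        letters = APPLIES[kind] + ("R" if name in LOG_STORES else "")
        rows += [(name, letter, PROPERTY[letter]) for letter in letters]
    return rows

if __name__ == "__main__":
    for target, letter, prop in enumerate_threats():
        print(f"{letter}  {prop:<16} {target}")
```

Each row is a question to answer for that element, for example "R / Audit log": can a log entry be removed or altered so a prescription change can later be denied?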
Other Threat Models
Besides STRIDE, several other frameworks exist. Know what each one focuses on.
PASTA
Process for Attack Simulation and Threat Analysis. A risk-centric, 7-stage framework that simulates attacker perspectives and aligns threat modeling with business objectives and risk.
LINDDUN
Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance. Privacy-focused threat model - ideal for systems handling personal data.
CVSS
Common Vulnerability Scoring System. A numeric scoring system (0 to 10) that rates the severity of vulnerabilities. Used to prioritize which vulnerabilities to fix first. Critical = 9.0 to 10.0.
Attack Trees
Visual, hierarchical diagrams that model how an attacker can reach a goal. The root is the attack goal; branches show different paths or methods to achieve it. Great for systematic analysis.
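An added example (not from the original page) of the attack-tree structure described above, using the university platform scenario from this page. The AND/OR gates, node names and control-to-leaf mapping are assumptions chosen for illustration; the code lists the paths still open under a given set of controls and finds the smallest control sets that close the root goal.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Node:
    name: str
    gate: str = "LEAF"                   # "OR": any child suffices; "AND": all are needed
    children: tuple = ()
    blocked_by: frozenset = frozenset()  # controls that each stop this leaf

def open_paths(node, controls):
    """Return every remaining way to reach `node` as a tuple of leaf steps."""
    if node.gate == "LEAF":
        return [] if node.blocked_by & controls else [(node.name,)]
    child_paths = [open_paths(child, controls) for child in node.children]
    if node.gate == "OR":
        return [path for paths in child_paths for path in paths]
    # AND: pick one open path from every child; a closed child closes the branch.
    combos = [()]
    for paths in child_paths:
        combos = [done + step for done in combos for step in paths]
    return combos

def smallest_control_sets(root, candidates):
    """Smallest sets of controls that leave the root goal with no open path."""
    for size in range(len(candidates) + 1):
        hits = [set(combo) for combo in combinations(sorted(candidates), size)
                if not open_paths(root, frozenset(combo))]
        if hits:
            return hits
    return []

# Constructed tree, loosely based on the university platform example on this page.
TREE = Node("Change a grade record", "OR", (
    Node("Guess a weak student password", blocked_by=frozenset({"strong authentication"})),
    Node("SQL injection in the portal", blocked_by=frozenset({"input validation"})),
    Node("Take over a faculty account", "AND", (
        Node("Phish faculty credentials", blocked_by=frozenset({"training"})),
        Node("Log in with password only", blocked_by=frozenset({"MFA"})),
    )),
))
CONTROLS = {"strong authentication", "input validation", "training", "MFA"}

if __name__ == "__main__":
    for path in open_paths(TREE, frozenset()):
        print("open:", " + ".join(path))
    print("smallest control sets:", smallest_control_sets(TREE, CONTROLS))
```

Because the faculty branch is an AND node, blocking either of its leaves closes it, which is why two different three-control sets are reported.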
Persona non Grata
Focuses on identifying misuse patterns by defining the "anti-user" - someone who intentionally misuses the system. Creates negative personas to discover abuse cases.
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation. An organization-wide, self-directed approach that focuses on operational risk and organizational practices rather than just technical vulnerabilities.
Exam Tip: Model Selection
Know the name and core focus of each model. STRIDE = classify threats. CVSS = score severity. LINDDUN = privacy. PASTA = risk-centric simulation. OCTAVE = organizational risk. Attack Trees = visual attack paths.
Modern Threat Modeling Approaches
As systems evolve, so do threat modeling approaches. Modern systems require additional lenses beyond the classic models.
1. System / Architecture-Focused
Focuses on system components, interactions, and trust boundaries. Critical for distributed systems, microservices, and cloud architectures.
- Exposed internal APIs in a cloud app allow data exfiltration
- Misconfigured firewall rules between containers → lateral movement
- IoT devices on same network segment as critical servers
2. Data-Focused
Focuses on sensitive data - how it's stored, transmitted, or processed. Data breaches are the most common impact of modern cyber incidents.
- Customer PII stored unencrypted in a cloud database
- Logs containing PII sent over unsecured channels
- GDPR-regulated data processed by third-party SaaS without consent
3. Supply Chain / Third-Party Focused
Focuses on vendors, libraries, APIs, and external dependencies. Attackers increasingly exploit weak links outside the organization.
- Compromised third-party software update used in corporate software (SolarWinds-style attack)
- Malicious npm package injected into a widely-used open-source library
4. Environment / Deployment-Focused
Looks at where the system runs - cloud, on-premises, hybrid, containerized. Misconfigurations are a top attack vector in modern systems.
- S3 bucket left public exposing sensitive files
- Unpatched container image used in production
5. Emerging Technology Focus
Addresses AI-powered systems and IoT/OT environments - new attack surfaces that classic models don't cover.
- Agentic-AI automated decisions exploited by adversarial inputs
- IoT sensors attacked physically or via network to disrupt industrial control systems
Threat Modeling in the Supply Chain
🔗 What Is a Supply Chain?
A network between a company and its suppliers to produce and distribute a product. Most computers, devices, and systems are not built by a single entity - they rely on dozens of external vendors and components.
🔒 Secure Supply Chain
A supply chain where all vendors are reliable, trustworthy, reputable organizations that disclose their practices. The goal: finished product meets quality, performance, and security standards - with no counterfeiting or unauthorized manipulation at any link.
The cybersecurity team should inspect connected systems using these methods:
On-Site Assessment
Visit the supplier's physical location to interview personnel and observe their operating habits and security practices firsthand.
Document Exchange and Review
Investigate how datasets and documentation are exchanged. Review their formal assessment and review processes.
Process / Policy Review
Request copies of their security policies, procedures, and incident response documentation for evaluation.
Third-Party Audit
Engage an independent third-party auditor to objectively evaluate the supplier's security posture and practices.
Key Principle
Integrating security assessments when working with external entities is just as important as ensuring a product was designed with security in mind. Trust boundaries extend beyond internal systems.
Exam Tips & Tricks 🎯
Proactive = Always Better
If asked which approach is preferred, the answer is always proactive (defensive). It's better to design security in than to patch it later.
STRIDE Acronym Drill
Spoofing · Tampering · Repudiation · Info Disclosure · DoS · Elevation. Know the property each one violates.
Threat ≠ Attack
Threat = potential. Attack = actual. If a question says "an attacker sent a flood of packets," that's an attack, not a threat.
CVSS = Numbers
CVSS is the only model that produces a numeric score (0 - 10). If a question asks about scoring/rating vulnerabilities, think CVSS.
Repudiation = Non-repudiation Violated
Repudiation means someone can deny they did something. The fix is non-repudiation controls: digital signatures + logging.
Supply Chain = External Threats
If a question involves a third-party vendor, supplier, or library being compromised, think Supply Chain threat modeling.
Quick Reference - Everything at a Glance
| Topic | Key Point |
|---|---|
| Threat Modeling Purpose | Identify threats before they become real attacks; structured process |
| Proactive Approach | Defensive; during design; preferred and more effective |
| Reactive Approach | Adversarial; after deployment or incident; less effective |
| STRIDE Origin | Developed by Microsoft |
| S - Spoofing | Violates Authentication → fix with digital signatures, MFA |
| T - Tampering | Violates Integrity → fix with hashing, digital signatures |
| R - Repudiation | Violates Non-repudiation → fix with logging, digital signatures |
| I - Info Disclosure | Violates Confidentiality → fix with encryption, ACLs |
| D - Denial of Service | Violates Availability → fix with load balancers, rate limiting |
| E - Elevation of Privilege | Violates Authorization → fix with sandboxing, input validation |
| CVSS | Numeric severity scoring (0 - 10) for vulnerabilities |
| LINDDUN | Privacy-focused threat model |
| OCTAVE | Organizational/operational risk self-assessment |
| Supply Chain | Threats from external vendors; inspect via on-site, docs, audit |
| Risk Elements | Threat + Vulnerability + Asset + Damage |