Uploaded on Apr 14, 2023
What is Threat Modeling?
www.infosectrain.com | [email protected]
As technology advances, cyber attackers use the latest tricks and techniques to
gain unauthorized access to data and perform malicious activities in an organization's
systems or networks. Unfortunately, this is made possible by the many security
vulnerabilities that go undetected and together form the attack surface.
Table of Contents
What is threat modeling?
How does threat modeling work?
Threat modeling methods
Advantages of threat modeling
Because of the impact of security vulnerabilities, cybersecurity professionals
deploy countermeasures to safeguard systems, networks, and data. Threat modeling
emerged for exactly this purpose: to identify the vulnerabilities that remain
undetected even after traditional security testing methods have been performed.
What is threat modeling?
Threat modeling is a process used by cybersecurity professionals to identify
security vulnerabilities in an application, system, network, or business process
and to develop effective measures to prevent or mitigate threats. It is a
structured process with three objectives: identify security threats and potential
vulnerabilities, define how critical each threat and vulnerability is, and
prioritize remediation methods.
How does threat modeling work?
Threat modeling works by identifying the various types of threats that can affect
an application or system. As part of the exercise, organizations analyze the
software architecture, the business context, and other artifacts. In general,
organizations perform threat modeling during the design stage of an application
so that developers can identify security vulnerabilities in their design, code, or
deployment.
Threat modeling methods
Various threat modeling methods are used to protect against cyber threats. They
are as follows:
Attack tree: The attack tree is one of the oldest and most widely used threat
modeling methodologies. It produces a conceptual diagram showing how an asset or
target can be attacked: the root node is the attacker's goal, the child nodes are
the sub-goals or steps that achieve it, and the leaves are the individual actions.
This methodology is often combined with other threat modeling methods such as
PASTA or STRIDE.
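As an added example that is not part of the original slides, the following Python code evaluates a small attack tree: OR nodes take the cheapest child, AND nodes add up their children's costs, and marking a leaf as mitigated shows which branch becomes the attacker's next-cheapest path, which is how a defender decides which control to fund next. The tree, the step names and the cost values are all constructed for illustration.

```python
from dataclasses import dataclass, field
from math import inf

@dataclass
class Node:
    """One node of an attack tree. Leaves carry an estimated attacker cost;
    inner nodes combine children with AND (all required) or OR (any suffices)."""
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    cost: float = 0.0             # leaves only: relative attacker effort (constructed)
    mitigated: bool = False       # leaves only: an existing control blocks this step
    children: list["Node"] = field(default_factory=list)

def cheapest(node: Node) -> tuple[float, list[str]]:
    """Return (minimum attacker cost, leaf steps on that path) for reaching `node`.
    A mitigated leaf costs infinity, so a control prunes every path through it."""
    if node.kind == "LEAF":
        return (inf if node.mitigated else node.cost), [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "AND":        # the attacker must complete every child
        return sum(c for c, _ in results), [s for _, steps in results for s in steps]
    if node.kind == "OR":         # the attacker takes the cheapest child
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")

def build_tree() -> Node:
    """Constructed sample tree for a hypothetical customer-records service."""
    return Node("Read customer records", "OR", children=[
        Node("Use stolen DB credentials", "AND", children=[
            Node("Phish DBA password", cost=3),
            Node("Bypass MFA on DB console", cost=8),
        ]),
        Node("Call unauthenticated export endpoint", cost=2),
        Node("Read an unencrypted backup", "AND", children=[
            Node("Obtain backup file", cost=5),
            Node("Mount backup", cost=1),
        ]),
    ])

def apply_mitigation(tree: Node, leaf_name: str) -> None:
    """Mark one leaf as blocked by a control, e.g. after adding auth to an endpoint."""
    if tree.kind == "LEAF":
        tree.mitigated = tree.mitigated or tree.name == leaf_name
        return
    for c in tree.children:
        apply_mitigation(c, leaf_name)
```

Calling `cheapest(build_tree())` before and after each `apply_mitigation` shows the remaining cheapest path, so the tree doubles as a prioritized list of controls.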
Common Vulnerability Scoring System (CVSS): CVSS is a standard threat modeling
method used to help security teams assess threats, identify their impact, and
develop countermeasures. It helps organizations assess and prioritize their
vulnerability management processes.
DREAD: DREAD was also developed by Microsoft, which dropped it in 2008 because of a
lack of consistent ratings. Many other organizations still use the DREAD method to
rank and assess security threats:
• Damage potential: Ranks the severity of the threat
• Reproducibility: Ranks how easily the attack can be reproduced
• Exploitability: Rates the effort required to launch the attack
• Affected users: Estimates the number of users affected if the attack becomes widely
available
• Discoverability: Rates how easy the threat is to discover
OCTAVE: The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
threat modeling methodology is a risk-based strategic assessment and planning
method. It aims at assessing organizational risks in three phases:
• Creating asset-based threat profiles
• Identifying vulnerabilities
• Developing and planning a security strategy
PASTA: The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric
methodology that provides threat identification, enumeration, and scoring. Because its
framework is static, it is easy to implement and makes the application's risks easy to
understand.
STRIDE: STRIDE is a well-known threat modeling methodology developed by Microsoft that
provides a mnemonic for identifying security threats in six categories:
• Spoofing: An attacker pretends to be another user, component, or system feature, for
example to steal data from the system.
• Tampering: Altering data in the system to achieve a malicious goal.
• Repudiation: Because evidence is lacking, an attacker can deny the malicious
activities performed in the system.
• Information disclosure: Making protected data accessible to unauthorized users.
• Denial of Service: An attacker uses illegitimate methods to exhaust the resources
required to serve users.
• Elevation of Privilege: An attacker gains capabilities beyond those they were granted.
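As an added example that is not part of the original slides, the code below applies STRIDE per element to a constructed data flow diagram: each element type receives only the STRIDE categories that apply to it, and flows that cross a trust boundary are placed first in the resulting worklist. The element names and the DFD are hypothetical.

```python
from dataclasses import dataclass

# STRIDE-per-element: which STRIDE categories apply to each kind of DFD element
# (the standard mapping from Microsoft's STRIDE practice).
STRIDE_BY_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                     "data_store": "TRID", "data_flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # a key of STRIDE_BY_ELEMENT
    crosses_boundary: bool = False     # data flows only: crosses a trust boundary

@dataclass(frozen=True)
class Threat:
    element: str
    category: str                      # one STRIDE letter
    description: str
    high_priority: bool                # trust-boundary crossings are reviewed first

def enumerate_threats(dfd: list[Element]) -> list[Threat]:
    """Expand a DFD into a STRIDE worklist with one entry per (element, category),
    ordered so that elements on a trust boundary come first."""
    threats = []
    for el in dfd:
        for letter in STRIDE_BY_ELEMENT[el.kind]:
            threats.append(Threat(el.name, letter,
                                  f"{STRIDE_NAMES[letter]} against {el.kind} '{el.name}'",
                                  el.crosses_boundary))
    return sorted(threats, key=lambda t: (not t.high_priority, t.element))

def sample_dfd() -> list[Element]:
    """Constructed DFD for a hypothetical web shop: browser -> web app -> database."""
    return [
        Element("Browser", "external_entity"),
        Element("Web app", "process"),
        Element("Orders DB", "data_store"),
        Element("Browser->Web app (HTTPS)", "data_flow", crosses_boundary=True),
        Element("Web app->Orders DB (SQL)", "data_flow"),
    ]
```

Each `Threat` in the returned list is a review item to be either mitigated, accepted with a recorded reason, or rejected as not applicable.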
TRIKE: TRIKE is a unique, open source threat modeling method that approaches
security auditing from a cyber risk management perspective. It offers a
risk-based approach with its own risk modelling process. A Data Flow Diagram
(DFD) is generated from the requirements to understand how the system stores
and manipulates data; mitigation controls are then implemented to prioritize
the threats, and a risk model is developed based on the actions, roles, assets,
and threats.
VAST: Visual, Agile, Simple Threat Modeling (VAST) is an automated threat
modeling method that distinguishes between application and operational threat
models. It is designed to integrate into the workflows of stakeholders such as
developers, application architects, and cybersecurity professionals.
Threat Hunting Professional training with InfosecTrain
InfosecTrain is one of the leading security and technology training providers,
offering a wide range of IT security training and Information Security (IS)
consulting services. It conducts a Threat Hunting Professional online training
course that gives participants a complete understanding of threat hunting
methodologies and frameworks.
About InfosecTrain
• Established in 2016, we are one of the finest Security and Technology Training and Consulting companies
• Wide range of professional training programs, certifications & consulting services in the IT and Cyber Security domain
• High-quality technical services, certifications or customized training programs curated with professionals of over 15 years of combined experience in the domain
Our Endorsements
Why InfosecTrain Global Learning Partners
• Certified and Experienced Instructors
• Flexible modes of Training
• Access to the recorded sessions
• Post training completion
• Tailor Made Training
Our Trusted Clients
Contact us
Get your workforce reskilled
by our certified and
experienced instructors!
IND: 1800-843-7890 (Toll Free) / US: +1 657-221-1127 / UK: +44 7451 208413
[email protected]
www.infosectrain.com