This post is to collect Internet resources regarding threat modeling. There are some other similar posts regarding Threat Intelligence and Threat hunting. Search my blog you will find more.




Threat Modeling Methodologies for IT Purposes
Conceptually a threat modeling practice flows from a methodology. Numerous threat modeling methodologies are available for implementation. Based on volume of published online content, the four methodologies discussed below are the most well known.

STRIDE Methodology

The  STRIDE approach to threat modeling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find ‘threats to our products’ . STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to “the” Microsoft methodology commonly mean STRIDE.

P.A.S.T.A.

The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology. [10] It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process. Once the threat model is completed security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Trike

The focus of the Trike methodology [11] is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a “requirements model.” The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure.

VAST

VAST is an acronym for Visual, Agile, and Simple Threat modeling. [12] The underlying principle of this methodology is the necessity of scaling the threat modeling process across the infrastructure and entire SDLC, and integrating it seamlessly into an Agile software development methodology. The methodology seeks to provide actionable outputs for the unique needs of various stakeholders: application architects and developers, cybersecurity personnel, and senior executives. The methodology provides a unique application and infrastructure visualization scheme such that the creation and use of threat models do not require specific security subject matter expertise.

Threat Modeling Tools

There are currently five tools available for organizational threat modeling:
  • Microsoft’s free threat modeling tool – the Threat Modeling Tool (formerly SDL Threat Modeling Tool). This tool also utilizes the Microsoft threat modeling methodology, is DFD-based, and identifies threats based on the STRIDE threat classification scheme. It is intended primarily for general use.
  • MyAppSecurity offers the first commercially available threat modeling tool – ThreatModeler It utilizes the VAST methodology, is PFD-based, and identifies threats based on a customizable comprehensive threat library.It is intended for collaborative use across all organizational stakeholders.
  • IriusRisk offers both a community and a commercial version of the tool. This tool focus on the creation and maintenance of a live Threat Model through the entire SDLC. It drives the process by using fully customizable questionnaires and Risk Pattern Libraries, and connects with other several different tools (OWASP ZAP, BDD-Security, Threadfix…) to empower automation.
  • securiCAD is a threat modelling and risk management tool by the Scandinavian company foreseeti. It is intended for company cyber security management, from CISO, to security engineer, to technician. securiCAD conducts automated attack simulations to current and future IT architectures, identifies and quantifies risks holistically including structural vulnerabilities, and provides decision support based on the findings. securiCAD is offered in both commercial and community editions. 
  • SD Elements by Security Compass is a software security requirements management platform that includes automated threat modeling capabilities. A set of threats is generated by completing a short questionnaire about the technical details and compliance drivers of the application. Countermeasures are included in the form of actionable tasks for developers that can be tracked and managed throughout the entire SDLC.
Attack tree modeling software
Several commercial
packages and open source products are available.

Open Source
ADTool from
University of Luxembourg

Ent

SeaMonster

Commercial
AttackTree+ from
Isograph

SecurITree from Amenaza
Technologies

Threat Modeling vs Threat Intelligence

Some Other Terms:

  • Tactics, Techniques and Procedures (TTPs) : TTPs are the “patterns of activities or methods associated with a specific threat actor or group of threat actors,”
  • Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
  • Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models.

References:

  • Threat Modeling: What, Why, and How?
  • Tactics, Techniques and Procedures (TTPs) Within Cyber Threat Intelligence