Understand Threat Modeling Concepts and How to Apply its Methodologies.

When you perform threat modeling for your organization, you document potential threats and prioritize those threats (often by putting yourself in an attacker’s mindset). There are four well-known methods. STRIDE, introduced at Microsoft in 1999, focuses on spoofing of user identity, tampering, repudiation, information disclosure, denial of service and elevation of privilege. PASTA (process for attack simulation and threat analysis) provides dynamic threat identification, enumeration and scoring. Trike uses threat models based on a requirements model. VAST (visual, agile and simple threat modeling) applies across IT infrastructure and software development without requiring security experts.

Threat Modeling Methodologies.

Part of the job of the security team is to identify threats. You can identify threats using different methods:

A Focus on Attackers.

This is a useful method in specific situations. For example, suppose that a developer’s employment is terminated. After extracting data from the developer’s computer, you determine that the person was disgruntled and angry at the management team. You now know this person is a threat and can focus on what he or she might want to achieve. However, outside of specific situations like this, organizations are usually not familiar with their attackers.

What is Assets.

Your organization’s most valuable assets are likely to be targeted by attackers. For example, if you have a large number of databases, the database with the HR and employee information might be the most sought after.

Focus on Software.

Many organizations develop applications in house, either for their own use or for customer use. You can look at your software as part of your threat identification efforts. The goal isn’t to identify every possible attack, but instead to focus on the big picture, such as whether the applications are susceptible to DoS or information disclosure attacks.

The Concepts (Threat Modeling).

If you understand the threats to your organization, then you are ready to document the potential attack vectors. You can use diagramming to list the various technologies under threat. For example, suppose you have a SharePoint server that stores confidential information and is therefore a potential target. You can diagram the environment integrating with SharePoint. You might list the edge firewalls, the reverse proxy in the perimeter network, the SharePoint servers in the farm and the database servers. Separately, you might have a diagram showing SharePoint’s integration with Active Directory and other applications. You can use these diagrams to identify attack vectors against the various technologies.

27 thoughts on “Understand Threat Modeling Concepts and How to Apply its Methodologies.”

  1. This article provides clear idea designed for the new users of blogging,
    that genuinely how to do blogging and site-building.

  2. Silvia- Squirrel Trap

    My family members always say that I am wasting my time here at web, however I know I am getting familiarity all the time by reading such fastidious posts.|

  3. I’m very pleased to uncover this site. I wanted to thank you for your time just for this fantastic read!! I definitely enjoyed every bit of it and I have you book marked to see new things on your site.

  4. Felix- Ultrasonic Repeller

    Thank you for sharing superb informations. Your web-site is so cool. I am impressed by the details that you’ve on this blog. It reveals how nicely you understand this subject. Bookmarked this website page, will come back for more articles. You, my pal, ROCK! I found simply the information I already searched all over the place and just couldn’t come across. What a great web site.

  5. Its like you learn my mind! You seem to grasp so much approximately this, such as you wrote the e book in it or something. I think that you can do with some p.c. to drive the message house a little bit, but instead of that, this is excellent blog. A fantastic read. I’ll certainly be back.

  6. I needed to thank you for this excellent read!! I absolutely enjoyed every bit of it. I have you bookmarked to look at new stuff you post…

  7. I and also my guys have already been examining the excellent items from your website and all of a sudden I had a horrible suspicion I had not expressed respect to the web site owner for them. My young boys came consequently passionate to read through them and now have quite simply been using them. Appreciate your simply being so kind and for picking this form of fantastic things millions of individuals are really eager to discover. Our own honest regret for not saying thanks to earlier.

  8. Gaynell Chiropractic

    Your style is really unique compared to other folks I have read stuff from. Thank you for posting when you have the opportunity, Guess I will just book mark this page.

  9. Shakia Chiropractic

    Please allow me to know if you’re looking for an writer for your internet site. You have some fantastic posts, and I believe I might be a great asset. In case you at any time would like to get many of the load off, I’d like to jot down some product for your personal web site in Trade for the url back again to mine. Be sure to shoot me an email if interested. Thanks.

  10. I have been exploring for a little bit for any high-quality
    articles or blog posts on this kind of space . Exploring in Yahoo I at last
    stumbled upon this website. Studying this information So i am glad to
    exhibit that I’ve a very just right uncanny
    feeling I discovered exactly what I needed. I so much indubitably will make sure
    to do not forget this website and provides it a glance

  11. Hey there. I found your blog by way of Google while looking for a similar subject, your web site came up. It seems to be great. I have bookmarked it in my google bookmarks to visit then.

  12. veta työntekijä

    Terveisiä! Erittäin hyödyllinen neuvo tässä artikkelissa! Pienet muutokset tekevät suurimmat muutokset. Kiitos paljon jakamisesta!

  13. kaksitoistavuotiaalta miinus

    Vau se oli outoa. Kirjoitin juuri pitkän kommentin, mutta kun klikkasin Lähetä kommenttini ei ilmestynyt. Grrrr… no en kirjoita kaikkea uudestaan. Joka tapauksessa, halusin vain sanoa, että mahtava blogi!

  14. kastanjanpaahtaja albert

    huh tämä blogi on ihana, tykkään lukea artikkeleitasi. Jatka hyvää työtä! Tiedät, että monet ihmiset etsivät tätä tietoa, voit auttaa heitä suuresti.

  15. Thank you, I’ve recently been looking for info approximately this topic for a while and yours is the greatest I’ve discovered till now.
    But, what in regards to the bottom line? Are you sure concerning the supply?

Leave a Comment

Your email address will not be published. Required fields are marked *

error: Content is protected !!