Threat Modeling: Definition, Methodologies, and Guide
Threat Modeling
Threat modeling is a structured approach to identifying, categorizing, and prioritizing potential threats to a system or application. By systematically analyzing how an attacker might compromise a system, organizations can design and implement targeted security controls before vulnerabilities are exploited. It shifts security thinking from reactive to proactive.
Common Methodologies
- STRIDE — Developed by Microsoft, categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Widely used for application threat modeling.
- PASTA — Process for Attack Simulation and Threat Analysis. A seven-stage risk-centric methodology that aligns technical threats with business objectives.
- DREAD — Rates threats based on Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. Useful for risk scoring.
- LINDDUN — Focused specifically on privacy threats: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, and Non-compliance.
The Threat Modeling Process
- Define the scope — Identify the system, application, or process to be analyzed
- Create a model — Develop data flow diagrams showing components, data stores, external entities, and trust boundaries
- Identify threats — Use a methodology to systematically identify potential threats at each component and interaction
- Assess risk — Evaluate the likelihood and impact of each identified threat
- Define mitigations — Determine controls or design changes to address each threat
- Validate — Verify that mitigations are effective and update the model as the system evolves
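The steps above, applied to a small data-flow model, as an added example that is not part of the original page: it encodes Microsoft's STRIDE-per-element mapping, treats only boundary-crossing flows as threat targets, scores with DREAD, and reports what is still unmitigated. The three-zone model, element names and ratings are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element (Microsoft's mapping): S=Spoofing, T=Tampering, R=Repudiation,
# I=Information disclosure, D=Denial of service, E=Elevation of privilege.
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # a key of STRIDE_PER_ELEMENT
    zone: str   # trust zone the element lives in

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    def crosses_boundary(self) -> bool:  # src and dst in different trust zones
        return self.src.zone != self.dst.zone

def enumerate_threats(elements, flows):
    """Step 3: (target, category) pairs; flows count only when they cross a boundary."""
    threats = [(e.name, c) for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    threats += [(f.name, c) for f in flows if f.crosses_boundary()
                for c in STRIDE_PER_ELEMENT["data_flow"]]
    return threats

def dread_score(damage, reproducibility, exploitability, affected, discoverability):
    """Step 4: mean of the five DREAD ratings, each on a 1-10 scale."""
    ratings = (damage, reproducibility, exploitability, affected, discoverability)
    if not all(1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD ratings must be between 1 and 10")
    return sum(ratings) / 5

def prioritize(threats, ratings):
    """Rank by DREAD score, highest first; unrated threats score 0 and sort last."""
    scored = [(t, dread_score(*ratings[t]) if t in ratings else 0.0) for t in threats]
    return sorted(scored, key=lambda ts: ts[1], reverse=True)

def unmitigated(threats, mitigations):
    """Steps 5-6: threats with no recorded mitigation, i.e. the open items to validate."""
    return [t for t in threats if t not in mitigations]

# Constructed sample model: a browser calling an API in a DMZ that reads an internal DB
browser = Element("Browser", "external_entity", "internet")
api = Element("API server", "process", "dmz")
db = Element("User DB", "data_store", "internal")
ELEMENTS = [browser, api, db]
FLOWS = [Flow("login request", browser, api), Flow("user lookup", api, db)]
```

Re-running `enumerate_threats` after a design change and diffing against the recorded mitigations is the cheap way to keep the model current as the system evolves.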
Why It Matters for Compliance
While no framework mandates threat modeling by name, the practice supports multiple compliance requirements. NIST CSF's Identify function includes understanding threats to organizational assets. ISO 27001 requires identification of threats and vulnerabilities as part of risk assessment. SOC 2 evaluates whether the organization identifies and assesses threats that could affect system security.
Threat modeling is particularly valuable for organizations developing software products. It provides systematic evidence that security was considered during design — a principle auditors increasingly evaluate.
When to Threat Model
Perform threat modeling during the design phase of new systems, before major architectural changes, and periodically for existing critical systems. Integrating threat modeling into the software development lifecycle catches security issues when they are cheapest to fix.