Frameworks of Defense: A Quick Look at Key Threat Modeling Frameworks



What are threat modeling frameworks?

They are structured methodologies we can use to help us identify, categorize, and mitigate security risks in:

·       Systems

·       Applications

·       Data flows

From these frameworks we can build test plans that force us to think like an attacker, so that we can design defenses against the attacks we find.

Key Frameworks

There are quite a few frameworks, but here are some key ones:

DFD = Data Flow Diagram

| Framework | Type / Focus | Key Idea | How It Works (Simplified) | Best Use Case |
|---|---|---|---|---|
| STRIDE | Threat identification model | Categorizes threats using a mnemonic | Six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege | Analyzing specific application components or features; commonly used with DFDs and tools like OWASP Juice Shop |
| PASTA (Process for Attack Simulation and Threat Analysis) | Risk-centric threat modeling framework | Connects technical threats to business impact | 7 stages: 1) Business objectives; 2) Technical scope; 3) App decomposition (DFDs); 4) Threat analysis; 5) Vulnerability analysis; 6) Attack simulation; 7) Risk/impact analysis | Enterprise assessments and communicating risk to executives or non-technical stakeholders |
| LINDDUN | Privacy threat modeling | STRIDE-like model, but focused on privacy risks | Categories: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance | Systems handling personal data, privacy engineering, GDPR-related applications |
| DREAD | Risk scoring model (not threat discovery) | Assigns numerical risk scores to threats | Rates threats on Damage, Reproducibility, Exploitability, Affected users, Discoverability | Prioritizing threats once identified; mostly seen in legacy Microsoft documentation |
| MITRE ATT&CK | Adversary behavior knowledge base | Maps real attacker tactics and techniques | Large matrix of tactics (e.g., Persistence, Privilege Escalation) and techniques observed in real attacks | Red teaming, SOC detection engineering, mapping tests to known adversary behavior |
| TRIKE | Risk-based threat modeling | Define defensive requirements first, then identify threats violating them | Builds a risk model tied to system assets and acceptable risk levels | Systems requiring strict risk management and compliance alignment |
| OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) | Organizational risk framework | Focuses on protecting critical organizational assets | Evaluates assets, threats, and vulnerabilities through structured organizational assessment | Enterprise security strategy and organizational risk management |
| Attack Trees | Visual threat modeling technique | Hierarchical representation of attack goals | Root = attacker goal; branches = methods to achieve it | Modeling specific attack scenarios and attacker paths |
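To make the Attack Trees row concrete, here is an added example (not code from the original post) of a small AND/OR attack tree for a hypothetical web shop, evaluated from the defender's side: it lists the attacker's minimal paths to the root goal and finds the fewest leaf mitigations that cut all of them. The tree, its node names and the helper functions are all constructed for this illustration.

```python
# Added example (constructed, not from the original post): an AND/OR attack tree for a
# hypothetical web shop, evaluated from the defender's side. Root = attacker goal;
# an OR node is reached via any one child, an AND node only via all of its children.
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class Node:
    name: str
    kind: str = "LEAF"              # "OR", "AND", or "LEAF" (a concrete weakness)
    children: list = field(default_factory=list)

# Constructed tree; leaf names are generic weaknesses, not findings from a real system.
TREE = Node("Read another customer's order history", "OR", [
    Node("Use a stolen session", "OR", [
        Node("Session token exposed in URL"),
        Node("Session cookie readable by injected script"),
    ]),
    Node("Request someone else's order directly", "AND", [
        Node("Order lookup skips ownership check"),
        Node("Order IDs are guessable"),
    ]),
])

def achievable(node, mitigated):
    """True if `node` is still reachable after the leaf weaknesses in `mitigated` are fixed."""
    if node.kind == "LEAF":
        return node.name not in mitigated
    outcomes = [achievable(c, mitigated) for c in node.children]
    return any(outcomes) if node.kind == "OR" else all(outcomes)

def attack_paths(node):
    """Minimal leaf sets that reach `node`: OR collects alternatives, AND combines them."""
    if node.kind == "LEAF":
        return [frozenset([node.name])]
    if node.kind == "OR":
        return [p for c in node.children for p in attack_paths(c)]
    paths = [frozenset()]
    for c in node.children:
        paths = [p | q for p in paths for q in attack_paths(c)]
    return paths

def smallest_fix_set(tree):
    """Fewest leaf mitigations that make the root unachievable (brute force; trees are small)."""
    names = sorted(set().union(*attack_paths(tree)))
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            if not achievable(tree, set(combo)):
                return set(combo)
    return set(names)
```

For this tree the OR branch forces both session weaknesses to be fixed, while the AND branch is broken by fixing either of its two leaves, so three mitigations are enough.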


How They Relate to Each Other

STRIDE → What threats exist at each component?
PASTA → What's the business risk of those threats?
DREAD → How do we prioritize which threats to fix first?
MITRE ATT&CK → How do real attackers actually execute those threats?
LINDDUN → Are we also protecting privacy, not just security?
Attack Trees → What attack paths exist?
TRIKE → What risks violate our security requirements?
OCTAVE → Which critical assets are at risk and how do organizational practices affect them?
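As an added example (not code from the original post), the STRIDE and DREAD questions above, and the corresponding rows of the table, can be chained: enumerate candidate threats per DFD element with STRIDE, then rank the ones an analyst has rated with DREAD. The DFD, the ratings and the function names are constructed; the STRIDE-per-element mapping (which categories apply to external entities, processes, data stores and data flows) is Microsoft's SDL convention and is an assumption, not something the post describes.

```python
# Added example (constructed, not from the original post): STRIDE-per-element over a
# tiny DFD, then DREAD scoring to rank the threats an analyst has rated.
# Per-element mapping is Microsoft's SDL convention (assumed, not stated on the page):
# external entity S,R; process all six; data store T,R,I,D; data flow T,I,D.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

# Constructed DFD for a small web shop: (element name, element type)
DFD = [("Browser", "external"), ("Web API", "process"),
       ("Orders DB", "store"), ("Browser->Web API", "flow")]

def stride_threats(dfd):
    """Candidate threats: one (element, category) pair per STRIDE letter that applies to the type."""
    return [(name, STRIDE[c]) for name, kind in dfd for c in PER_ELEMENT[kind]]

def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD: each factor rated 1-10 by the analyst; risk = average of the five (the common form)."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if not all(1 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be in 1..10")
    return sum(factors) / len(factors)

# Constructed analyst ratings (Damage, Reproducibility, Exploitability, Affected users,
# Discoverability) for a few of the enumerated threats; the rest stay unrated.
RATINGS = {
    ("Orders DB", "Information Disclosure"): (9, 8, 6, 9, 5),
    ("Browser->Web API", "Tampering"): (6, 9, 7, 6, 7),
    ("Web API", "Denial of Service"): (5, 7, 6, 8, 8),
    ("Browser", "Spoofing"): (7, 6, 5, 6, 6),
}

def prioritize(threats, ratings):
    """Rank rated threats by DREAD score, highest first; unrated threats trail with score 0.0."""
    scored = [(t, dread_score(*ratings[t]) if t in ratings else 0.0) for t in threats]
    return sorted(scored, key=lambda ts: ts[1], reverse=True)
```

Unrated threats trailing the list is the point of pairing the two models: STRIDE produces the candidate list, and nothing leaves it until a DREAD rating says where it belongs.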


For application security and pentesting, the most relevant are:

| Priority | Framework | Why It Matters |
|---|---|---|
| ⭐⭐⭐ | STRIDE | Most widely taught application threat modeling approach |
| ⭐⭐⭐ | MITRE ATT&CK | Industry standard for mapping attacker techniques |
| ⭐⭐ | Attack Trees | Useful for visualizing attacker paths |
| ⭐⭐ | PASTA | Good for risk-based enterprise modeling |
| | LINDDUN | Important if privacy/data protection is involved |


I wanted to give a quick overview of frameworks because I am trying to map my QA background to threat modeling. I will be covering this in my next blog post where I explore STRIDE.


Additional Threat Modeling Frameworks Worth Knowing

BONUS! Here are a few additional frameworks / methodologies professionals use. 

| Framework | Type / Focus | Key Idea | Best Use Case |
|---|---|---|---|
| VAST (Visual, Agile, and Simple Threat Modeling) | Scalable threat modeling for DevOps | Designed for large organizations and automated pipelines | Enterprises integrating threat modeling into Agile/DevSecOps workflows |
| CVSS (Common Vulnerability Scoring System) | Vulnerability scoring model | Standardized numerical score for vulnerability severity | Prioritizing vulnerability remediation; widely used in vulnerability management |
| NIST Risk Management Framework (RMF) | Government risk framework | Structured lifecycle for managing security risk | U.S. government and regulated industries |
| Kill Chain Model | Attack lifecycle model | Describes stages of a cyberattack from recon to exfiltration | Threat detection strategy and defensive planning |
| Cyber Threat Modeling Language (CTML) | Structured modeling approach | Formal language for defining threats and mitigations | More academic or architecture-heavy environments |

