Threat Modeling Diagram
Introduction to Threat Modeling
Threat modeling is a systematic process to identify, evaluate, and mitigate security risks in a system. By leveraging frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), it maps critical assets, identifies attack surfaces, and defines mitigation strategies. This approach enables organizations to prioritize security efforts, proactively address vulnerabilities, and ensure compliance with standards like OWASP, ISO 27001, and NIST 800-53 in cloud-based or distributed systems.
STRIDE offers a structured framework to categorize threats and align mitigations with system assets for robust security.
Threat Modeling Diagram
The diagram below illustrates the threat modeling process using the STRIDE framework. Critical assets (e.g., databases, applications) are exposed to attack surfaces (e.g., APIs, user inputs), with threats categorized by STRIDE and addressed through specific mitigation strategies (e.g., encryption, rate limiting). Arrows are color-coded: orange-red for attack surface exposure, blue (dotted) for threat identification, and green (dashed) for mitigation application.
graph TD
A[Asset: Database] -->|Exposed to| B[Attack Surface: API Endpoint]
A -->|Exposed to| C[Attack Surface: User Input]
B -->|STRIDE: Spoofing| D[Mitigation: OAuth2 + MFA]
B -->|STRIDE: Tampering| E[Mitigation: TLS 1.3]
B -->|STRIDE: Repudiation| F[Mitigation: SIEM Logging]
C -->|STRIDE: Information Disclosure| G[Mitigation: Data Masking]
C -->|STRIDE: Denial of Service| H[Mitigation: Rate Limiting]
C -->|STRIDE: Elevation of Privilege| I[Mitigation: RBAC]
subgraph System
A[Database]
B[API Endpoint]
C[User Input]
end
subgraph Mitigations
D[OAuth2 + MFA]
E[TLS 1.3]
F[SIEM Logging]
G[Data Masking]
H[Rate Limiting]
I[RBAC]
end
subgraph Cloud Environment
A
B
C
D
E
F
G
H
I
end
classDef asset fill:#2ecc71,stroke:#2ecc71,stroke-width:2px,rx:5,ry:5;
classDef attack fill:#ff6f61,stroke:#ff6f61,stroke-width:2px,rx:10,ry:10;
classDef mitigation fill:#ffeb3b,stroke:#ffeb3b,stroke-width:2px;
class A asset;
class B,C attack;
class D,E,F,G,H,I mitigation;
linkStyle 0 stroke:#ff6f61,stroke-width:2.5px
linkStyle 1 stroke:#ff6f61,stroke-width:2.5px
linkStyle 2 stroke:#405de6,stroke-width:2.5px,stroke-dasharray:4,4
linkStyle 3 stroke:#405de6,stroke-width:2.5px,stroke-dasharray:4,4
linkStyle 4 stroke:#405de6,stroke-width:2.5px,stroke-dasharray:4,4
linkStyle 5 stroke:#2ecc71,stroke-width:2.5px,stroke-dasharray:6,6
linkStyle 6 stroke:#2ecc71,stroke-width:2.5px,stroke-dasharray:6,6
linkStyle 7 stroke:#2ecc71,stroke-width:2.5px,stroke-dasharray:6,6
STRIDE categorizes threats per attack surface, enabling targeted mitigations to protect critical system assets.
Key Components of Threat Modeling
The core components of threat modeling using STRIDE include:
- Assets: Critical system components such as databases, applications, user data, or cryptographic keys.
- Attack Surfaces: Potential entry points for attacks, including APIs, user interfaces, network ports, or file inputs.
- STRIDE Framework: A methodology to categorize threats: Spoofing (impersonation), Tampering (data alteration), Repudiation (denying actions), Information Disclosure (data leaks), Denial of Service (disrupting availability), and Elevation of Privilege (gaining unauthorized access).
- Mitigation Strategies: Security controls like OAuth2, TLS, RBAC, rate limiting, or SIEM logging to address identified threats.
- Threat Analysis: Assessing threats based on likelihood, impact, and exploitability to prioritize mitigation efforts.
- Documentation: Detailed records of threats, mitigations, and residual risks for compliance and future reference.
- Stakeholder Collaboration: Involves developers, architects, and security teams to ensure comprehensive threat coverage.
Benefits of Threat Modeling
- Proactive Risk Management: Identifies vulnerabilities early in the system lifecycle, reducing remediation costs.
- Prioritized Security: Focuses resources on high-risk threats and critical assets for efficient protection.
- Compliance Alignment: Supports adherence to OWASP, ISO 27001, NIST 800-53, and GDPR through structured risk management.
- Improved Collaboration: Aligns development, operations, and security teams on shared security goals.
- Enhanced Resilience: Mitigates potential attack vectors, reducing the likelihood and impact of breaches.
- Continuous Improvement: Enables iterative updates to address evolving threats and system changes.
Implementation Considerations
Effective threat modeling requires careful planning and execution:
- System Scope Definition: Clearly outline system boundaries, components, and data flows to focus the analysis.
- Framework Selection: Use STRIDE for threat categorization or combine with DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) for risk scoring.
- Attack Surface Mapping: Identify all entry points, including APIs, user inputs, network interfaces, and third-party integrations.
- Mitigation Validation: Test controls through penetration testing, code reviews, or vulnerability scans to ensure effectiveness.
- Continuous Modeling: Update threat models regularly to account for new features, dependencies, or emerging threats.
- Tooling Support: Leverage tools like OWASP Threat Dragon, Microsoft Threat Modeling Tool, or IriusRisk for streamlined analysis.
- Stakeholder Engagement: Involve cross-functional teams to ensure comprehensive threat identification and mitigation.
- Documentation and Review: Maintain detailed records of threats, mitigations, and residual risks, with periodic reviews for accuracy.
Continuous threat modeling and validation ensure systems remain secure against evolving attack vectors and compliance requirements.
Example: STRIDE Threat Model Table
Below is a sample STRIDE-based threat model for a web application’s user database:
Asset: User Database
Attack Surface: API Endpoint
Threats:
- Spoofing: Unauthorized access via stolen credentials
Mitigation: Implement OAuth 2.0 with MFA and token revocation
- Tampering: Data modification during transit
Mitigation: Enforce TLS 1.3 with HTTP Strict Transport Security (HSTS)
- Repudiation: Untraceable user actions
Mitigation: Enable tamper-proof audit logging with SIEM (e.g., Splunk, AWS CloudTrail)
- Information Disclosure: Exposure of sensitive PII
Mitigation: Encrypt data at rest with AES-256 and apply data masking
- Denial of Service: Overloading API with requests
Mitigation: Implement rate limiting and WAF (e.g., AWS WAF, Cloudflare)
- Elevation of Privilege: Gaining admin access
Mitigation: Enforce RBAC with least privilege and regular role audits
This STRIDE table maps threats to a user database and defines specific mitigations for each STRIDE category.
Example: Threat Modeling with Python and OWASP Threat Dragon
Below is a Python script to generate a basic threat model report compatible with OWASP Threat Dragon’s JSON format:
import json
threat_model = {
"summary": {
"title": "Web Application Threat Model",
"owner": "Security Team",
"description": "Threat model for user database and API endpoints"
},
"detail": {
"assets": [
{
"id": "asset-1",
"name": "User Database",
"type": "Data Store",
"description": "Stores user PII and credentials"
}
],
"attackSurfaces": [
{
"id": "surface-1",
"name": "API Endpoint",
"description": "Public-facing API for user data access"
}
],
"threats": [
{
"id": "threat-1",
"title": "Spoofing via Stolen Credentials",
"type": "Spoofing",
"status": "Open",
"severity": "High",
"mitigation": "OAuth 2.0 with MFA",
"assetId": "asset-1",
"surfaceId": "surface-1"
},
{
"id": "threat-2",
"title": "Data Tampering in Transit",
"type": "Tampering",
"status": "Mitigated",
"severity": "Medium",
"mitigation": "TLS 1.3 with HSTS",
"assetId": "asset-1",
"surfaceId": "surface-1"
}
]
}
}
# Save threat model to JSON file
with open('threat_model.json', 'w') as f:
json.dump(threat_model, f, indent=2)
print("Threat model saved to threat_model.json")
This Python script generates a JSON-based threat model compatible with OWASP Threat Dragon for visualization and analysis.
Comparison: STRIDE vs. DREAD
The table below compares the STRIDE and DREAD frameworks for threat modeling:
| Feature | STRIDE | DREAD |
|---|---|---|
| Purpose | Categorizes threats by type | Quantifies risk severity |
| Components | Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege | Damage, Reproducibility, Exploitability, Affected Users, Discoverability |
| Complexity | Moderate, structured categorization | Higher, subjective scoring metrics |
| Use Case | Identifying and classifying threats | Prioritizing threats by risk impact |
| Output | Threat list with mitigations | Risk scores for prioritization |
STRIDE excels at threat identification, while DREAD focuses on risk prioritization, often used together for comprehensive analysis.
Security Best Practices
To ensure effective threat modeling, adhere to these best practices:
- Comprehensive Scope: Include all system components, data flows, and third-party dependencies in the threat model.
- Regular Updates: Revisit threat models with every system change, new feature, or emerging threat landscape.
- Cross-Functional Input: Engage developers, architects, and security teams to capture diverse perspectives.
- Automated Tooling: Use tools like OWASP Threat Dragon or Microsoft Threat Modeling Tool to streamline analysis.
- Validation Testing: Perform penetration tests and vulnerability scans to verify mitigation effectiveness.
- Prioritization Framework: Combine STRIDE with DREAD or CVSS to prioritize high-impact threats.
- Documentation Standards: Maintain clear, actionable records of threats, mitigations, and residual risks.
- Training and Awareness: Educate teams on threat modeling concepts and STRIDE/DREAD methodologies.
Iterative threat modeling, combined with testing and team collaboration, ensures proactive and resilient system security.