Friday, 30 June 2023

Threat Modelling

Step 1 - Identifying Threats:
  • Attacker-centric: focus on who might attack the system and what they are after
  • Asset-centric: focus on the assets that need safeguarding and how each could be harmed
  • Software-centric: focus on vulnerabilities in the system or software itself
Step 2 - Categorising Threats:
  • Using the STRIDE framework: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), Elevation of Privilege
Step 3 - Determining and Illustrating Potential Attacks:
  • Drawing data flow diagrams, marking privilege (trust) boundaries, and identifying the elements involved (external entities, processes, data stores and data flows)
Step 4 - Performing Reduction Analysis:
  • Decomposing the application, system or environment into its component parts
  • Considering trust boundaries, security stance and approach, data flow paths, privileged operations, and input points; flows that cross a trust boundary deserve the closest attention
Step 5 - Prioritisation and Response:
  • Rating each threat with the DREAD system
  • Scoring Damage potential, Reproducibility, Exploitability, Affected Users, and Discoverability, then summing the scores
  • Many teams pin Discoverability at its maximum, because assuming a flaw will stay hidden is not a safe basis for deprioritising it
  • Responding to threats in prioritised order
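The five steps above, carried through in code as an added example (this is not code from the original post). A constructed three-tier web application is decomposed into elements and flows (Steps 3 and 4), threats are enumerated per element type with the STRIDE-per-element convention (Steps 1 and 2), and the rated ones are ranked by DREAD (Step 5). The sample system, the analyst ratings and the 1-to-3 rating scale are all assumptions made for the example.

```python
"""STRIDE-per-element enumeration and DREAD ranking for a small DFD.

Added example, not code from the original post. The web app below is a
constructed sample; the element/category table follows the STRIDE-per-element
convention and DREAD factors use an assumed 1 (low) to 3 (high) scale, summed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Which STRIDE categories apply to each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entity: can be impersonated, can deny acting
    "process": "STRIDE",  # process: every category applies
    "store": "TRID",      # data store: tamper, repudiate (if it holds logs), disclose, exhaust
    "flow": "TID",        # data flow: tamper in transit, disclose, flood or sever
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
DREAD_FACTORS = ("Damage", "Reproducibility", "Exploitability",
                 "Affected users", "Discoverability")


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "store"
    zone: str  # trust zone; a flow between different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool  # True for flows across a trust boundary (review first)


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Steps 1-4: decompose the DFD and apply STRIDE per element type."""
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        label = f"{f.name} ({f.src.name} -> {f.dst.name})"
        for letter in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(label, STRIDE_NAMES[letter], f.src.zone != f.dst.zone))
    return threats


def dread_score(ratings: Dict[str, int], assume_discoverable: bool = False) -> int:
    """Sum the five DREAD factors (each 1..3). assume_discoverable pins
    Discoverability at 3, the common convention of not betting on obscurity."""
    missing = set(DREAD_FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    total = 0
    for factor in DREAD_FACTORS:
        value = 3 if (factor == "Discoverability" and assume_discoverable) else ratings[factor]
        if not 1 <= value <= 3:
            raise ValueError(f"{factor} must be rated 1..3, got {value}")
        total += value
    return total


Assessments = Dict[Tuple[str, str], Dict[str, int]]  # (target, category) -> ratings


def prioritise(threats: List[Threat], assessments: Assessments,
               assume_discoverable: bool = False) -> List[Tuple[int, Threat]]:
    """Step 5: rank the assessed threats by DREAD score, highest first."""
    ranked = [(dread_score(assessments[(t.target, t.category)], assume_discoverable), t)
              for t in threats if (t.target, t.category) in assessments]
    return sorted(ranked, key=lambda pair: pair[0], reverse=True)


def unassessed(threats: List[Threat], assessments: Assessments) -> List[Threat]:
    """Enumerated threats still awaiting a rating, boundary-crossing ones first."""
    todo = [t for t in threats if (t.target, t.category) not in assessments]
    return sorted(todo, key=lambda t: not t.crosses_boundary)


# Constructed sample system: browser -> web app -> database, plus a session cache.
browser = Element("Browser", "external", "internet")
webapp = Element("Web App", "process", "dmz")
cache = Element("Session Cache", "store", "dmz")
database = Element("Database", "store", "internal")
ELEMENTS = [browser, webapp, cache, database]
FLOWS = [
    Flow("Login request", browser, webapp),  # crosses internet -> dmz
    Flow("SQL query", webapp, database),     # crosses dmz -> internal
    Flow("Session lookup", webapp, cache),   # stays inside the dmz
]
# Analyst ratings for a few of the enumerated threats (constructed values).
ASSESSMENTS: Assessments = {
    ("Database", "Information Disclosure"): dict(zip(DREAD_FACTORS, (3, 3, 2, 3, 3))),
    ("Login request (Browser -> Web App)", "Information Disclosure"):
        dict(zip(DREAD_FACTORS, (2, 3, 2, 3, 3))),
    ("Web App", "Elevation of Privilege"): dict(zip(DREAD_FACTORS, (3, 2, 2, 3, 2))),
    ("Browser", "Spoofing"): dict(zip(DREAD_FACTORS, (2, 2, 2, 2, 2))),
}

if __name__ == "__main__":
    found = enumerate_threats(ELEMENTS, FLOWS)
    for score, t in prioritise(found, ASSESSMENTS):
        flag = " [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{score:2d}  {t.category:<24} {t.target}{flag}")
    print(f"{len(unassessed(found, ASSESSMENTS))} enumerated threats still unrated")
```

For the sample model the enumeration yields 25 candidate threats, six of them on flows that cross a trust boundary; only four carry ratings, so the `unassessed` list is what keeps the remaining 21 from being silently dropped rather than consciously accepted or rated.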
