cyber revision

Threat modelling

STRIDE, attack surfaces, attack trees and the kill chain: structured ways to work out what can go wrong before it does.

~4 min read

The idea

Threat modelling is asking, in a structured way: what are we building, what can go wrong, what are we doing about it, and did we do enough? It happens at design time, when fixing a flaw costs a whiteboard marker rather than an incident response retainer.

You need three inputs: a picture of the system (usually a data flow diagram), a list of the assets worth protecting, and an idea of who might attack (from threat actor analysis).

Attack surface

The attack surface is every point where an attacker can interact with the system: open ports, login pages, file upload forms, APIs, USB sockets, employees who answer the phone. Smaller surface, fewer opportunities. Reducing it is often free: close unused ports, remove dead code and default accounts, disable services nobody needs. "Why is this exposed at all?" is the best first question in any review.

Trust boundaries are where data crosses from a less trusted zone to a more trusted one: internet to web server, user input to database query, employee laptop to internal network. Threats cluster at trust boundaries, so a data flow diagram with boundaries drawn on it practically generates your threat list for you.

STRIDE

Microsoft's STRIDE is the most-taught threat enumeration framework. Each letter is a category of threat, and each maps to the security property it violates:

Threat                  | Property violated | Example
Spoofing                | Authenticity      | Logging in with stolen credentials; fake login page
Tampering               | Integrity         | Modifying a request parameter to change a price
Repudiation             | Non-repudiation   | "I never sent that order", with no logs to prove otherwise
Information disclosure  | Confidentiality   | Stack trace revealing internals; readable backups
Denial of service       | Availability      | Flooding an endpoint; filling a disk with uploads
Elevation of privilege  | Authorisation     | Normal user reaching admin functions

Method: walk each element and trust boundary of your diagram and ask which STRIDE categories apply. Not every category fits every element type: Microsoft's per-element chart gives processes all six, data stores and data flows tampering, repudiation (stores only), information disclosure and denial of service, and external entities only spoofing and repudiation. It feels mechanical, and that's the point. Mechanical beats relying on inspiration.
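The mechanical walk, as an added example that is not part of the original page. It models a constructed three-tier web app (browser, web app, audit log, customer database) as data flow diagram elements with trust zones, applies Microsoft's STRIDE-per-element chart to each element and flow, and flags the threats that sit on a flow crossing a trust boundary, which are the ones to review first. The element and flow names are assumptions for illustration.

```python
"""STRIDE-per-element over a small data flow diagram.

Added example (not from the original page): it walks every element and every
data flow of a constructed three-tier web app and emits the STRIDE categories
that apply, flagging threats that sit on a trust boundary.
"""
from dataclasses import dataclass

# Which STRIDE categories apply to which DFD element type. This is the
# per-element chart from Microsoft's SDL threat modelling guidance:
# processes get all six, stores and flows cannot be spoofed or elevate
# privilege, external entities can only spoof or repudiate.
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

CATEGORY = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key of STRIDE_BY_ELEMENT
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    on_boundary: bool   # True when the target is a flow crossing trust zones


def build_sample():
    """Constructed system: browser -> web app -> database, plus an audit log."""
    elements = {
        e.name: e for e in [
            Element("browser", "external_entity", "internet"),
            Element("web app", "process", "dmz"),
            Element("audit log", "data_store", "dmz"),
            Element("customer db", "data_store", "internal"),
        ]
    }
    flows = [
        Flow("HTTPS request", "browser", "web app"),
        Flow("SQL query", "web app", "customer db"),
        Flow("result set", "customer db", "web app"),
        Flow("log write", "web app", "audit log"),   # stays inside the dmz
    ]
    return elements, flows


def crosses_boundary(flow, elements):
    """A flow is on a trust boundary when its endpoints sit in different zones."""
    return elements[flow.src].zone != elements[flow.dst].zone


def enumerate_threats(elements, flows):
    """The mechanical walk: every element, every flow, every applicable letter."""
    threats = []
    for e in elements.values():
        for letter in STRIDE_BY_ELEMENT[e.kind]:
            threats.append(Threat(e.name, CATEGORY[letter], False))
    for f in flows:
        boundary = crosses_boundary(f, elements)
        for letter in STRIDE_BY_ELEMENT["data_flow"]:
            threats.append(Threat(f.name, CATEGORY[letter], boundary))
    return threats


def boundary_threats(threats):
    """The subset to review first: threats on flows that cross a trust zone."""
    return [t for t in threats if t.on_boundary]


if __name__ == "__main__":
    elements, flows = build_sample()
    for t in enumerate_threats(elements, flows):
        flag = "  <-- trust boundary" if t.on_boundary else ""
        print(f"{t.target:14} {t.category}{flag}")
```

Running it lists 28 candidate threats for this four-element, four-flow diagram; nine of them are on the three flows that cross a zone (internet to DMZ, DMZ to internal and back), while the log write inside the DMZ gets the same three categories but no boundary flag. The list is deliberately over-complete: the job of the review is to strike the ones that don't apply and write a mitigation for the rest.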

Attack trees

An attack tree puts the attacker's goal at the root ("read customer database") and branches into the ways of achieving it ("steal DBA credentials", "SQL injection", "steal a backup"), each refined further down to concrete steps. Branches can be AND (all children needed) or OR (any child works). Annotating leaves with cost or difficulty shows you the cheapest attack path, which is the one you defend first, because it's the one a rational attacker takes.
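A worked attack tree for the "read customer database" goal, as an added example that is not part of the original page. OR nodes take the minimum over their children and AND nodes sum theirs, so the cheapest path falls out of one recursive walk; a second function raises the cost of a leaf to model a mitigation and shows the cheapest path moving. The branches, leaves and attacker-hour costs are constructed for illustration.

```python
"""Attack tree with AND/OR nodes and per-leaf cost; finds the cheapest path.

Added example (not from the original page). The tree, the costs and the
mitigation are constructed for illustration; costs are in attacker-hours.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    goal: str
    op: str = "OR"               # "OR": any child works; "AND": all children needed
    cost: Optional[int] = None   # set on leaves only
    children: list = field(default_factory=list)


def leaf(goal, cost):
    return Node(goal, cost=cost)


def cheapest(node):
    """Return (total cost, leaf steps) of the cheapest way to reach node.goal.

    OR nodes take the minimum over children, AND nodes sum all children.
    """
    if not node.children:
        return node.cost, [node.goal]
    sub = [cheapest(c) for c in node.children]
    if node.op == "AND":
        return sum(c for c, _ in sub), [s for _, steps in sub for s in steps]
    return min(sub, key=lambda r: r[0])


def ranked_branches(root):
    """Each top-level branch with its cheapest cost, cheapest first."""
    return sorted((cheapest(c)[0], c.goal) for c in root.children)


def set_leaf_cost(node, goal, cost):
    """Model a mitigation: raise the cost of the named leaf. Returns True if found."""
    if not node.children:
        if node.goal == goal:
            node.cost = cost
            return True
        return False
    return any(set_leaf_cost(c, goal, cost) for c in node.children)


def build_sample_tree():
    """Constructed tree for the goal used in the text."""
    return Node("read customer database", "OR", children=[
        Node("SQL injection", "AND", children=[
            leaf("find injectable parameter", 4),
            leaf("bypass WAF", 8),
        ]),
        Node("steal DBA credentials", "OR", children=[
            leaf("phish the DBA", 20),
            leaf("buy leaked credentials", 15),
        ]),
        Node("steal a backup", "AND", children=[
            leaf("find backup location", 3),
            leaf("read world-readable storage bucket", 2),
        ]),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print("before:", ranked_branches(tree))
    print("cheapest:", cheapest(tree))
    # Mitigation: lock down the bucket, so that leaf now costs a real break-in.
    set_leaf_cost(tree, "read world-readable storage bucket", 60)
    print("after: ", ranked_branches(tree))
    print("cheapest:", cheapest(tree))
```

Before the mitigation the cheapest path is the backup branch at 5 hours; after the bucket is locked down that branch costs 63 and SQL injection at 12 becomes the path to defend next. That re-run is the "did we do enough?" question from the top of the page answered with numbers rather than opinion.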

The Cyber Kill Chain

Lockheed Martin's Cyber Kill Chain describes the stages of an intrusion from the attacker's side:

  1. Reconnaissance: researching the target
  2. Weaponisation: building the malicious payload
  3. Delivery: getting it there (email, web, USB)
  4. Exploitation: triggering the vulnerability
  5. Installation: establishing persistence
  6. Command and control (C2): remote channel back to the attacker
  7. Actions on objectives: the actual goal (steal, encrypt, destroy)

The defensive insight: breaking any link stops the chain, and earlier is cheaper. Email filtering at delivery beats forensics at stage seven. The kill chain's weakness is that it fits malware-style intrusions best. For richer, real-world behaviour mapping, MITRE ATT&CK (covered in Threats & Malware) has largely taken over, since it catalogues hundreds of observed techniques rather than seven abstract stages.

DREAD and risk ranking

Once you have threats, you rank them, because you can't fix everything first. DREAD scores each threat on Damage, Reproducibility, Exploitability, Affected users, and Discoverability. It's subjective and somewhat out of fashion (even Microsoft moved away from it), but it appears in courses. In practice many teams just score likelihood × impact on a simple matrix, consistent with their wider risk management approach.

Quick recall

  • Threat modelling: what are we building / what can go wrong / what do we do / did it work; done at design time.
  • Attack surface: every interaction point; reduce it before defending it. Threats cluster at trust boundaries.
  • STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege; each violates one property (authenticity, integrity, non-repudiation, confidentiality, availability, authorisation).
  • Attack trees find the cheapest path to the attacker's goal; defend that first.
  • Kill chain: recon → weaponise → deliver → exploit → install → C2 → objectives. Break any link, preferably early.