Introduction to Threat Modelling in cyber security

minhajulislammoon 0 views 42 slides Sep 01, 2025

About This Presentation

Introduction to Threat Modelling in cyber security


Slide Content

C3 SECURITY

WHAT IS A THREAT MODEL?

CYBER SECURITY HYGIENE

WHAT IS A THREAT MODEL?

OBJECTIVES OF A THREAT MODEL

IDENTIFY

» potential vulnerabilities and/or threats

DESCRIBE

» counter-measures to mitigate risk

PRIORITISE
» resources to maximise system security

© C3 SECURITY LTD 2020

WHAT IS A THREAT MODEL?

OBJECTIVES OF A THREAT MODEL

DOCUMENTING RISK

WHAT IS A THREAT MODEL?

THE VALUE PROPOSITION: RISK MITIGATION

REPUTATION
» loss of customer confidence and trust; a weakened brand
OPERATIONS
» disruption of business operations
FINANCIAL
» loss of earnings, fines & restitution
GOVERNANCE & COMPLIANCE

» GDPR, Data Protection Act 2008, ISO27001 et al.

JUST LIKE THE FUNCTIONAL, DESIGN AND TEST SPECS, A THREAT MODEL IS A LIVING DOCUMENT — AS YOU CHANGE THE DESIGN,

TO SEE IF ANY NEW THREATS HAVE ARISEN SINCE YOU STARTED.

THREAT MODELLING

DOCUMENTING RISK

CREATING A THREAT MODEL

FUNDAMENTAL QUESTIONS: ASK YOURSELF

» What are we working on?

» What can go wrong?

» What are we going to do about it?

» Did we do a good job?

Adapted from “Application Threat Modelling” by OWASP
https://owasp.org/www-community/Application_Threat_Modeling

CREATING A THREAT MODEL

THREAT MODELLING: A PROCESS

IDENTIFY

» Using DATA FLOW DIAGRAMS

CLASSIFY

» Using S.T.R.I.D.E. and ATTACK TREES

QUANTIFY

» Using D.R.E.A.D. methodology

CREATING A THREAT MODEL

THREAT MODELLING: A PROCESS

IDENTIFY

» Using DATA FLOW DIAGRAMS

[Data flow diagram: a DATA BUCKET and a GATEWAY, with the numbered flows 1. STORE, 3. FETCH DATA and 4. RETURN DATA; the label of flow 2 is not legible in the extraction.]

CREATING A THREAT MODEL

THREAT MODELLING: A PROCESS

IDENTIFY

» Using DATA FLOW DIAGRAMS

CLASSIFY

» Using S.T.R.I.D.E. and ATTACK TREES

CREATING A THREAT MODEL

THE S.T.R.I.D.E. METHODOLOGY

» SPOOFING
» TAMPERING
» REPUDIATION
» INFORMATION (disclosure)
» DENIAL (of service)
» ELEVATION (of privilege)

S.T.R.I.D.E.

SPOOFING

S.T.R.I.D.E.

TAMPERING

S.T.R.I.D.E.

REPUDIATION

S.T.R.I.D.E.

INFORMATION DISCLOSURE

S.T.R.I.D.E.

DENIAL OF SERVICE (DOS)

S.T.R.I.D.E.

ELEVATION OF PRIVILEGE

CREATING A THREAT MODEL

THREAT MODELLING: A PROCESS

IDENTIFY

» Using DATA FLOW DIAGRAMS

CLASSIFY

» Using S.T.R.I.D.E. and ATTACK TREES

[Attack tree: the goal at the root has the branches Learn Combination, Pick Lock and Drill Lock; Learn Combination splits into Code written down and Get Code from Target; Get Code from Target splits into Bribe Target, Blackmail Target and Surveillance (Eavesdrop).]

Adapted from “Attack Trees” by Bruce Schneier, Dr. Dobb's Journal, 1999
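As an added example (not from the slides, nor Schneier's own code), the tree above can be evaluated mechanically to list the attack paths that remain once a control blocks a given leaf, which is what turns a tree into input for the PRIORITISE step. Leaf names follow the slide; the AND node under Surveillance (listen to the conversation and get the target to state the code) is assumed from Schneier's original tree, so the example generalises the slide's OR-only tree to AND/OR nodes.

```python
from itertools import product

# Node shapes: ("leaf", name), ("or", [children]), ("and", [children]).
def leaf(name):
    return ("leaf", name)

def any_of(*kids):
    return ("or", list(kids))

def all_of(*kids):
    return ("and", list(kids))

# Leaf labels follow the slide; the AND subtree under "surveillance" is
# assumed from Schneier's original article (eavesdropping needs both parts).
TREE = any_of(
    leaf("pick lock"),
    leaf("drill lock"),
    any_of(                      # learn combination
        leaf("code written down"),
        any_of(                  # get code from target
            leaf("bribe target"),
            leaf("blackmail target"),
            all_of(              # surveillance (eavesdrop)
                leaf("listen to conversation"),
                leaf("get target to state code"),
            ),
        ),
    ),
)

def attack_paths(node):
    """Minimal sets of leaves that achieve the node's goal (one set per path)."""
    kind, body = node
    if kind == "leaf":
        return [frozenset([body])]
    if kind == "or":                          # any child suffices
        return [p for child in body for p in attack_paths(child)]
    # AND: one leaf set from every child, unioned
    combos = product(*(attack_paths(child) for child in body))
    return [frozenset().union(*combo) for combo in combos]

def residual_paths(node, controls):
    """Paths still open once every leaf in `controls` is blocked by a control."""
    blocked = set(controls)
    return [p for p in attack_paths(node) if not (p & blocked)]
```

Running `residual_paths(TREE, {"pick lock", "drill lock", "code written down"})` shows that after physical hardening and a no-written-codes policy, three social-engineering paths remain, which is where the next control budget belongs.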

CREATING A THREAT MODEL

THREAT MODELLING: A PROCESS

IDENTIFY

» Using DATA FLOW DIAGRAMS

CLASSIFY

» Using S.T.R.I.D.E. and ATTACK TREES

QUANTIFY

» Using D.R.E.A.D. methodology

CREATING A THREAT MODEL

THE D.R.E.A.D. RISK ASSESSMENT

» DAMAGE
» REPRODUCIBILITY
» EXPLOITABILITY
» AFFECTED (users)
» DISCOVERABILITY

D.R.E.A.D.

DAMAGE

D.R.E.A.D.

REPRODUCIBILITY

D.R.E.A.D.

EXPLOITABILITY

D.R.E.A.D.

AFFECTED USERS

D.R.E.A.D.

DISCOVERABILITY
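To make the IDENTIFY, CLASSIFY and QUANTIFY steps concrete, here is an added Python example (not from the slides or from C3 Security): a small threat register for the slide's data flow diagram (data bucket, gateway, STORE/FETCH/RETURN flows), each entry tagged with its S.T.R.I.D.E. category and scored with D.R.E.A.D. The 1 to 10 scale per D.R.E.A.D. factor, the averaging, and the high/medium/low bands are assumptions (the slides give no scale), and the threats and scores are constructed.

```python
from dataclasses import dataclass
from statistics import mean

# STRIDE categories from the slides, keyed by their initial letter.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
DREAD = ("Damage", "Reproducibility", "Exploitability",
         "Affected users", "Discoverability")

@dataclass(frozen=True)
class Threat:
    element: str        # DFD element or flow the threat applies to
    description: str
    stride: str         # one letter from STRIDE
    scores: tuple       # DREAD scores, in the order above, each 1..10

    def risk(self):
        """DREAD risk: mean of the five scores (1..10 scale, assumed)."""
        if len(self.scores) != 5 or any(not 1 <= s <= 10 for s in self.scores):
            raise ValueError(f"bad DREAD scores for {self.description!r}")
        return mean(self.scores)

def band(risk):
    """Assumed banding: >= 7 high, >= 4 medium, else low."""
    return "high" if risk >= 7 else "medium" if risk >= 4 else "low"

def prioritise(threats):
    """Rank by DREAD risk, highest first: (risk, band, category, element, description)."""
    ranked = sorted(threats, key=lambda t: t.risk(), reverse=True)
    return [(t.risk(), band(t.risk()), STRIDE[t.stride], t.element, t.description)
            for t in ranked]

# Constructed register for the slide's DFD (data bucket, gateway, STORE/FETCH/RETURN).
REGISTER = [
    Threat("gateway", "caller presents another user's identity on STORE", "S", (8, 7, 6, 9, 5)),
    Threat("fetch/return flow", "data altered in transit between gateway and bucket", "T", (7, 4, 3, 9, 3)),
    Threat("store flow", "no audit record of who stored an object", "R", (4, 10, 7, 3, 6)),
    Threat("data bucket", "bucket listable without authentication", "I", (9, 10, 9, 10, 8)),
    Threat("gateway", "unauthenticated request flood exhausts the gateway", "D", (5, 9, 8, 10, 9)),
    Threat("gateway", "gateway service role can administer the whole bucket", "E", (9, 6, 4, 10, 3)),
]
```

`prioritise(REGISTER)` puts the unauthenticated bucket listing first (9.2, high) and the in-transit tampering last (5.2, medium), which is the ordering the PRIORITISE objective on the earlier slide asks for.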

IT IS AND IT IS
TO DOCUMENT RISK. THE
BEST TIME TO THREAT MODEL IS