In the first part of this article, we discussed the domain expertise that threat modeling requires and the DFD (DataFlow Diagram) methodology of threat modeling. In this article, we'll focus on identifying and countering vulnerabilities.

Threat mnemonics and intelligence knowledge base — divide sub-domains and conduct threat topics

With a basic framework, how to identify vulnerabilities? First, we need to start using the analogy of DDD thinking, and then proceed to the process of dividing sub-domains. Finally, we will have a threat model.

We all know that dividing subdomains is a challenging thing to domain experts. Fortunately, there are alot of methods that can guide us in a structured way. A large number of threats are summarized into enumerated types. Among them, the STRIDE model is most widely adopted:

  • Spoofing

  • Tampering

  • Repudiation

  • Information disclosure

  • Denial of service

  • Elevation of privilege

Many threat modeling beginners use the STRIDE model to conduct threat modeling of the system architecture, trying to describe a threat around particular components. This is actually a misunderstanding. STRIDE is actually a generalization of a large number of threat ontologies. They are summarized into mnemonic words. We should not establish ​​the assumption a particular framework or component may have specific risks. Instead, we should apply all threat types to each asset and component, and iterate the model as much as possible. That is, for most cases because the threats usually came from a specific attacking path, STRIDE modeling for each point and connection, rather than analyze a certain aspect for a certain point.

For example, for the "authentication service" in the system, we often subconsciously think that "spoofing" and "elevation of privilege" are its main threats.n fact "denial of service", "information disclosure", "denial of service" and even "tampering" can all impact that service.  For instance, when the authentication service encounters a DDoS attack, do we reserve enough cache or redirect traffic to prevent other systemic impact? Is it possible to leak users’ information on the site due to improper response, like registration status?

When thinking about the solutions or mitigation measures, you can consider the desired properties behind the different threats. It helps us to consider these threats in a problem-driven way, rather than only relying on the introduction of tools or controls.

Here are the desired properties of each threat: