Hacking Book | Free Online Hacking Learning


threat modeling system tutorial

Posted by truschel at 2020-02-29


Many people are unfamiliar with threat modeling. What is a threat? What is modeling? Is it related to security threat intelligence? What is the relationship with architecture risk analysis? Can kill chain be used instead?

Threat modeling is a basic security practice. The definition is to optimize and improve security by identifying system and potential threats, and set countermeasures to prevent and mitigate the impact of system threats. Software development process: the internal and external scenarios are constantly changing, applications are modified, upgraded, and user requirements are also changing. It is necessary to identify potential threats, corresponding priorities, record risks and take measures for each application.

It is necessary to sort out a "security analysis method of architecture design" for readers to understand the work done in this step more easily from the top-level design. Architecture security analysis focuses on three phases: security control, system design, software development process, and threat modeling is part of the second phase. One of the barriers for us to implement security defense and utilize information asymmetry is security control, including identity authentication, authorization, encryption principle, etc., which is also the focus of penetration test and security audit. When designing and analyzing the system, we should first plan and master the architecture diagram and DFD data diagram (which can be borrowed from gdpr)

, refine components, middleware and logic. Then three small stages are executed: 1. Known attack analysis. Microsoft's stride methodology is a useful tool. The design level is based on this stride principle to understand what threats have been faced (I strongly recommend that the business explain what attacks have been faced by the company in the training stage and then describe the extraction risks to summarize the threats). Develop your own threat list, and then calculate and consider how to evaluate (read) fixes and designs to reduce, transfer, and accept risks. 2. To identify specific attacks, the previous step is general principle, and each existing system is different. 3. Analyze the software bottom layer dependence and supply level. The best stage of software threat detection is the above three stages. If the above work is implemented, the cost of security repair will be reduced several times.

The threat model can be displayed, documented, tabulated and charted in any way, but at least it needs to include the description of software components, trust boundary, security control measures, data and the priority of corresponding risks; the possibility ranking of non occurring threats; the review of existing risks, possible attack strategies and measures; and the remedial measures to reduce threats.

We have to realize that SDLC is not a silver bullet. There is no best practice at all. There are objective difficulties in implementing threat modeling. The following changes need to be made in software development from waterfall flow mode to agile practice promoted by the company: from focusing on documents in each stage to focusing on defects and communication response quickly; from modeling stage as the key investment direction of the overall system to incorporating security features into small iteration cycle as far as possible, accepting threat driven design; from some heavy tools (stride) to supporting regular processing Threats generated by iteration; from relying on orderly test plan release to achieving ultimate tool automation; from experience based archive threat library to new threats supporting machine learning, Internet of things and cloud era.


The gradient of this safety ability learning increases sharply. Practitioners need to have professional safety, development, system knowledge and few auxiliary automation programs. However, it needs deep understanding to create a complete security threat model. An accurate model also relies on a clear understanding of the attack cases and attack patterns (mitre att & CK) faced by the business in the past.

Open source and commercial tools can help us build threat models and output threat documents quickly, aesthetically and systematically. We can't always start with a picture on the whiteboard, and everything else depends on saying. Most of the tools mentioned in the book "threat modeling: design and delivery of more secure software" are out of date, but from the side, we can understand that threat modeling must be called stride without saying. As an expert, we should use the threat modeling idea as a tool to practice with deep security domain skills. "Blind people are better off looking at the flowers than they are looking at the flowers. They are better off looking at the flowers than they are looking at the flowers. They are better off looking at the flowers when they are looking at the flowers when they are looking at the flowers when they are looking at the flowers when they are standing at the horses." the next hard work is to go deep into the front line, close to business, rich experience, enrich and accumulate, and create valuable modeling knowledge. This series will introduce some cases and tools, through a large number of articles, lead you to discuss whether this expert driven analysis technology can be applied to tool automation?


Octotrike is a methodology of different stride. Http://www.octotrike.org/tools.shtml is a separate Excel file, which can help improve the efficiency and effectiveness of threat modeling. Trike is a unified conceptual framework of security audit. From the perspective of risk management and asset centered, the threat model is implemented in a relatively reliable and repeatable way with tools, which can describe the security characteristics of the system from its advanced architecture to its implementation details. It includes some automatic attack derivation functions. Not recommended.

Seasponge is produced by Mozilla, https://github.com/mozilla/seasponge, written by nodejs, can be dragged, and supports project file management. The disadvantage is that it does not realize the automatic generation of threat list. Although there is no maintenance in recent years, it is recommended to use it.

Seamonster https://sourceforge.net/projects/seamonster/an attack based on the attack tree and abuse cases (users abuse or exploit the weaknesses in software functions to attack applications) model, which is used to supplement the barely available thinking, with some backward thinking.

OWASP thread dragon http://docs.threaddragon.org/ is a new tool, which uses electron to realize the client. It is an ambitious incubation project of OWASP. Highly recommended.

PTA tool http://www.ptatechnologies.com/ is a business tool participated in consultation by Adam Shostack, which is perfect for all details and items. Recommend.

Microsoft's official threat modeling tool. Https://docs.microsoft.com/zh-cn/azure/security/azure-security-thread-modeling-tool can be accessed at https://github.com/azurearchitecture/thread-model-templates to download the latest template containing IOT information. The tool can automatically generate threat identification reports, with threat library templates, and is highly recommended.

Https://github.com/izar/pytm is a python library, which can be used to build data flow diagrams and output threat lists.

Https://github.com/stevespringett/threatmodel-sdk a Java SDK, the same function.

In the next series, this article will take TMT and other tools as examples to introduce the methods based on attack tree and stride to implement the modeling activities for the application program centered on attackers and assets. It can be divided into six steps: organizing to promote, identifying assets, outlining the architecture of valuable assets, analyzing the processes and subprocesses within the application, creating data flow diagrams, describing and identifying threats in a tabular way for further processing, classifying threats, reusing the method, assessing the severity of threats and taking measures.

A friend reported that he could understand the contents of the safety series every time, but could not understand the combined concept. Considering that we are writing to improve our organizational ability and consolidate our experience, I will try my best to write more easily.