
You're reading from  Aligning Security Operations with the MITRE ATT&CK Framework

Product type: Book
Published in: May 2023
Publisher: Packt
ISBN-13: 9781804614266
Edition: 1st Edition
Author (1)

Rebecca Blair

Rebecca Blair currently serves as the SOC Manager at a Boston-based tech company, where she is in the process of building out a SOC team to include analyst workflows, playbooks, and processes. Also, she served at IronNet as the Director of SOC Operations, at Tenable Inc as a Test Engineer, and at the Army Research Lab as a Technical Compliance Lead, among other things. She has deep expertise in technology integrations and security operations and holds a BS degree from Norwich University in Computer Security and Information Assurance, an MS degree from the University of Maryland Global Campus in Cybersecurity and an MBA from Villanova University. She has found a niche in building SOC environments and maturing them in fast-paced environments.

Reviewing Different Threat Models

Threat modeling is a key component within any security operation center (SOC) and security environment as a whole, and just as with any SOC environment, there is no one size fits all for threat models.

This chapter will cover multiple threat models, their use cases, and their advantages and disadvantages. Doing so will allow the reader to apply the one that makes the most sense for their environment and will provide a reference point for comparing those threat models to ATT&CK:

  • Reviewing the PASTA threat model and use cases
  • Reviewing the STRIDE threat model and use cases
  • Reviewing the VAST threat model and use cases
  • Reviewing the Trike threat model and use cases
  • Reviewing attack trees

Technical requirements

For this specific chapter, there are no installations or specific technologies that are required.

Reviewing the PASTA threat model and use cases

Threat modeling is a critical part of any SOC environment and team. It can be used, as discussed, to identify risks and gaps and to inform strategy, or it can be used for informational campaigns. Like all things, there are multiple different types of threat models, and there is no one-size-fits-all type. The first threat model whose use cases we’ll analyze and talk through is the Process for Attack Simulation and Threat Analysis (PASTA) threat model. PASTA is a risk-centered threat model that combines risk analysis and the surrounding context into your risk mitigation and security strategy. In development terms, think of PASTA as an incremental development process in which you constantly go through cycles and make changes without having to start at the beginning of the model again. The main steps of the PASTA method are as follows:

  1. Define the objective: This means setting the overall purpose for the threat model. This could...

Reviewing the STRIDE threat model and use cases

The Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) threat model is unique in that it is primarily used for development environments and, for a while, was known for being synonymous with Microsoft because it was created by two Microsoft employees, Loren Kohnfelder and Praerit Garg. Each of the six categories in this model can be correlated to a core security concept that the authors tried to focus on. The concepts are similar to those of the confidentiality, integrity, and availability (CIA) triad.

The CIA triad is used to guide security policies and guidelines based on what is more important in your organization. This simple model is the basis for all security in that it provides a core focus for making security decisions based on how you value those three principles. Confidentiality is the principle of keeping data and systems private and can be linked to items like the principle...

Reviewing the VAST threat model and use cases

The Visual, Agile, and Simple Threat (VAST) threat model is an approach that casts a wide net, as the word vast suggests. It’s a threat model that attempts to look at all possible threats in all scenarios and, as we may imagine, it can be a daunting task to take on. This model, like some of the other models, is based on an open source threat analysis tool, in this case called ThreatModeler. In the case of the VAST model, you use a data flow diagram for the organization as well as an organizational flow diagram to identify any operational threats. One of the benefits of the VAST model is that it addresses operational risks, whereas some of the other models do not. Another benefit of this model is that it is far-reaching, so you can look at an organization as a whole, covering both technical and non-technical components, to complete the threat model. Some of the downsides of the VAST threat model are that it can be overwhelming, depending...

Reviewing the Trike threat model and use cases

The Trike threat model is focused on the objective of threat modeling from a risk standpoint. This type of threat model is typically paired with risk registries so that it can be targeted to the specific risks and needs that you perceive. Most of the time, these threat models are tied to auditing or compliance requirements, and they are based on the specific requirements of the organization. It combines those requirements with risk owners and establishes the level of acceptable risk. It differs from the PASTA and STRIDE models because it is a risk-based approach instead of utilizing the systems and attack approach of the other models. The point of this model is to accomplish the following:

  • Communicate what the risks are within the organization
  • Determine the acceptable risk threshold with input from all stakeholders for the organization
  • Establish the risk owners for the applicable risks, to be held accountable for mitigations...

Reviewing attack trees

As with all threat models, there are visual representations that coincide with the respective threat models, and attack trees are no different. An attack tree is a logical and step-based way to represent a threat and how it would affect an organization or system. It starts with the initial vector; for example, a phishing email is received, and an employee falls for the malicious email. The next level of the tree shows the possible outcomes; so, in this case, one branch could be for the malicious user to gain access to the system or account. Another branch could be that credentials are compromised, and it would continue from there. If we wanted to see an example of a simple phishing attack tree from a risk perspective, it would look like this:

Figure 3.6 – Simple phishing risks attack chart

Again, the preceding example is strictly based around documenting risks, whereas you can also use attack trees to document how the attacks...
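To make the attack tree concrete in code, here is an added example (not from the book or its author) that builds a small phishing attack tree like the one described above, with each step carrying a constructed likelihood, each terminal outcome a constructed impact score, and each node the control that would mitigate it. It enumerates every root-to-leaf path, computes a risk score per path, and returns the paths that exceed an acceptable-risk threshold, which is the same threshold idea the Trike section attaches to stakeholders and risk owners. All node names, probabilities, impacts and controls are illustrative assumptions, not data from the page.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AttackNode:
    """One step in an attack tree (constructed example, not a figure from the book)."""
    name: str
    likelihood: float = 1.0   # probability this step succeeds, given the parent step succeeded
    impact: int = 0           # business impact (1-5) for terminal outcomes, 0 for intermediate steps
    control: str = ""         # defensive control that addresses this step
    children: List["AttackNode"] = field(default_factory=list)


def build_phishing_tree() -> AttackNode:
    """Constructed phishing risk tree; every number here is an illustrative assumption."""
    creds = AttackNode("Credentials entered on look-alike page", likelihood=0.5,
                       control="Phishing-resistant MFA")
    creds.children = [
        AttackNode("Mailbox account takeover", likelihood=0.8, impact=4,
                   control="Conditional access, sign-in anomaly alerts"),
        AttackNode("Reused credentials valid for VPN", likelihood=0.3, impact=5,
                   control="MFA on VPN, password reuse checks"),
    ]
    attachment = AttackNode("Malicious attachment opened", likelihood=0.4,
                            control="Attachment sandboxing")
    attachment.children = [
        AttackNode("Workstation compromised", likelihood=0.9, impact=3,
                   control="EDR, application control"),
    ]
    return AttackNode("Phishing email received and opened", likelihood=0.3,
                      control="Mail filtering, awareness training",
                      children=[creds, attachment])


def enumerate_paths(node: AttackNode, prefix: Tuple[str, ...] = (),
                    prob: float = 1.0) -> List[Tuple[Tuple[str, ...], float, float]]:
    """Walk root to leaf. Each leaf yields (step names, path probability, risk score).

    Path probability is the product of the likelihoods along the branch;
    risk score is that probability multiplied by the leaf's impact.
    """
    prob *= node.likelihood
    path = prefix + (node.name,)
    if not node.children:
        return [(path, round(prob, 4), round(prob * node.impact, 4))]
    out = []
    for child in node.children:
        out.extend(enumerate_paths(child, path, prob))
    return out


def prioritize(root: AttackNode, threshold: float):
    """Return leaf paths whose risk score exceeds the acceptable-risk threshold, highest first."""
    above = [p for p in enumerate_paths(root) if p[2] > threshold]
    return sorted(above, key=lambda p: p[2], reverse=True)


def render(node: AttackNode, depth: int = 0) -> List[str]:
    """Indented text view of the tree, one line per node, with its mitigating control."""
    detail = f"p={node.likelihood}"
    if node.impact:
        detail += f", impact={node.impact}"
    lines = [f"{'  ' * depth}- {node.name} ({detail}) [control: {node.control}]"]
    for child in node.children:
        lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_phishing_tree()
    print("\n".join(render(tree)))
    print("\nPaths above the acceptable-risk threshold of 0.3:")
    for path, prob, risk in prioritize(tree, threshold=0.3):
        print(f"risk={risk:.3f} p={prob:.3f}: " + " -> ".join(path))
```

Running it prints the tree and then the two branches (mailbox takeover and workstation compromise) whose risk score clears the threshold, so the controls listed on those branches are the ones to fund first. Because each branch multiplies likelihoods from the root, the values only mean something if stakeholders agree on them, which is exactly the input the Trike section says to collect.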

Summary

In this chapter, we reviewed the PASTA, STRIDE, VAST, and Trike threat models as well as attack trees from both a risk- and attack-identification perspective. Throughout your career, you will use a combination of the threat models discussed, or even others, to find the best combination to fit your organization because, like most things, there is no true “one size fits all” for threat models. Threat models are also a concept that you want to be comfortable with because they are a constant task, whether it’s creating the initial models or validating them to ensure they are still accurate; threat models are constantly changing. For a quick reference on the different models, use this chart:


