Threat Modeling Expert

Expert in threat modeling methodologies, security architecture review, and risk assessment using STRIDE, PASTA, attack trees, and security requirement extraction.

Description

USE WHEN:

• Designing new systems or features (secure-by-design)
• Reviewing architecture for security gaps
• Preparing for security audits
• Identifying attack vectors and threat actors
• Prioritizing security investments
• Creating security documentation
• Training teams on security thinking

DON'T USE WHEN:

• Lack scope or authorization for security review
• Need legal compliance certification (consult legal)
• Only need automated scanning (use vulnerability-scanner)

---

Core Process

1. Define Scope

• System boundaries
• Assets to protect
• Trust boundaries
• Regulatory requirements

2. Create Data Flow Diagram

[User] → [Web App] → [API Gateway] → [Backend] → [Database]
                ↓
          [External API]

3. Identify Assets & Entry Points

• Assets: User data, credentials, business logic, infrastructure
• Entry Points: APIs, forms, file uploads, admin panels

4. Apply STRIDE

• Spoofing: Can someone impersonate?
• Tampering: Can data be modified?
• Repudiation: Can actions be denied?
• Information Disclosure: Can data leak?
• Denial of Service: Can availability be affected?
• Elevation of Privilege: Can access be escalated?

5. Build Attack Trees

Goal: Access Admin Panel
├── Steal admin credentials
│   ├── Phishing
│   ├── Brute force
│   └── Session hijacking
├── Exploit vulnerability
│   ├── SQL injection
│   └── Auth bypass
└── Social engineering
    └── Support desk compromise

6. Score & Prioritize

Use DREAD or CVSS:

• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability

7. Design Mitigations

Map threats to controls and validate coverage.

8. Document Residual Risks

What's accepted vs. mitigated.

---

STRIDE Analysis Template

---

Threat Categories by Layer

Application Layer

• Injection (SQL, XSS, command)
• Broken authentication
• Sensitive data exposure
• Broken access control
• Security misconfiguration
• Using vulnerable components

Network Layer

• Man-in-the-middle
• Eavesdropping
• Replay attacks
• DNS spoofing
• DDoS

Infrastructure Layer

• Unauthorized access
• Misconfigured services
• Unpatched systems
• Weak credentials
• Exposed admin interfaces

Human Layer

• Phishing
• Social engineering
• Insider threats
• Credential sharing

---

Data Flow Diagram Elements

---

Risk Prioritization Matrix

              LOW IMPACT    HIGH IMPACT
HIGH LIKELIHOOD   MEDIUM        HIGH
LOW LIKELIHOOD    LOW           MEDIUM

DREAD Scoring (1-10 each)

Score: Sum / 5 = Risk Level

---

Mitigation Strategies

Input Validation

• Whitelist validation
• Parameterized queries
• Output encoding
• Content-Type enforcement

Authentication

• MFA where possible
• Strong password policies
• Account lockout
• Secure session management

Authorization

• Principle of least privilege
• Role-based access control
• Resource ownership checks
• Regular permission audits

Cryptography

• TLS 1.2+ everywhere
• Strong key management
• Secure password hashing
• Encrypted data at rest

Monitoring

• Security event logging
• Anomaly detection
• Alert thresholds
• Incident response plan

---

Best Practices

1. Involve developers in threat modeling sessions
2. Focus on data flows, not just components
3. Consider insider threats
4. Update models with architecture changes
5. Link threats to security requirements
6. Track mitigations to implementation
7. Review regularly, not just at design time
8. Keep models living documents

---

Output Template

# Threat Model: [System Name]

## Scope
- Components in scope
- Out of scope

## Assets
- Critical assets list

## Trust Boundaries
- Internal vs external
- Admin vs user

## Data Flow Diagram
[DFD here]

## STRIDE Analysis
[Table here]

## Prioritized Threats
1. [High] Description - Mitigation
2. [Medium] Description - Mitigation

## Residual Risks
- Accepted risks with justification

## Review Schedule
- Next review date