Threat modelling methodologies:
STRIDE:
- Spoofing: Pretending to be someone else in the system.
- Tampering: Unauthorized modification of data for malicious purposes.
- Repudiation: Denying malicious activities without proof.
- Information Disclosure: Unintended exposure of protected data.
- Denial of Service (DoS): Attempts to prevent legitimate users from accessing a service.
DREAD:
- Damage potential: Evaluates the extent of damage if a vulnerability is exploited.
- Reproducibility: Assesses how easy it is to reproduce an attack.
- Exploitability: Assigns a number to the effort required to launch an attack.
- Affected Users: Estimates the number of people impacted by an exploit.
- Discoverability: Measures how easy it is to discover the threat.
PASTA (Process for Attack Simulation and Threat Analysis):
- Risk-centric methodology focusing on dynamic threat identification and scoring.
- Detailed analysis of identified threats helps develop asset-centric mitigation strategies.
Trike:
- Uses threat models as a risk management tool based on a requirement model.
- Assigns acceptable risk levels to each asset class based on stakeholder-defined criteria.
VAST (Visual, Agile, and Simple Threat Modelling):
- Provides actionable outputs suitable for various stakeholders.
- Employs a unique visualization scheme for application and infrastructure threat models.
Attack Tree:
- Conceptual diagram showing how an asset might be attacked.
- Multi-level structure with root, leaves, and children nodes representing attack conditions.
CVSS (Common Vulnerability Scoring System):
- Captures characteristics of vulnerabilities and produces a numerical severity score.
- Helps organizations assess and prioritize vulnerability management.
T-MAP (Threat Modeling for Attack Path):
- Used in Commercial Off-The-Shelf (COTS) systems to calculate attack path weights.
- Developed using UML class diagrams and other visualizations for better understanding.