![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2020\/11\/Blog-AMP-Images-4-1024x535.png\" "\\"Threat")
\nThreat modeling is creating a buzz that everyone wants to talk about it. Every organization wants to remodel its overhaul information. It will help them in producing a priority list for security improvements for their requirements, concepts, design, and implementation.<\/p>\n
<\/p>\n
Hackers are constantly looking for any type of exposure to attack organizations. If the attempts are successful, then the organization\u2019s sensitive data are at risk. They can even prevent the systems and servers from properly functioning. As technology is growing, the threats are also evolving.<\/p>\n
<\/p>\n
Threat modeling is a means to identify, communicate, and understand threats. It includes architectural vulnerabilities, lack of appropriate safeguards, and mitigations. It helps create proper documentation with profiling on hackers and other attack vectors that will assist system analysts and defenders with better understanding and increase efficiency.<\/p>\n
Implementation of threat modeling is possible in a variety of things like software applications, systems, networks, IoT, distributed systems, business processes, and much more. Though this procedure can be carried out at any development stage it is preferred to be done early at the design time.<\/p>\n <\/p>\n The procedure of threat modeling begins with the designing of a visual representation of an application or system analysis. There are two means of creating a visual representation.<\/p>\n DFDs are the tools that provide a high-level visualization of the application that works within the system to store, move or manipulate the data by system engineers. It has three core steps:<\/p>\n The threats determined by the DFD method are limited. So, it is considered to be a poor starting point for modeling and it is imprinted as a weakness. Some of them are listed below:<\/p>\n Risk displays that are DFD-based do not have a standard methodology. It results in various individuals creating threat models with multiple outputs for a similar situation.<\/p>\n Fig: 1.1 DFD of an online college application<\/p>\n They are the tools that permit software developers to create threat models based on the application design process. It provides a visual representation specially designed for depicting a hacker’s thought process. Attackers do not analyze the data flow, but they may draw a roadmap on proceeding through different applications. PFD follows three core steps:<\/p>\n Fig: 1.2 PFD of an online banking application<\/p>\n <\/p>\n The methodology is required to model the threats independently of the attacker-centric, asset-centric, and software-centric. Here are the top three methods from which organizations can choose depending upon their project needs.<\/p>\n It is one of the primitive threat-modeling methods to be used. It was designed by Microsoft. It delivers an imprint for the basic set of threats that are categorized into six categories. They are:<\/p>\n Fig: 1.3 STRIDE Threat Categories<\/p>\n STRIDE performs system detail design evaluation. This procedure is carried by creating DFDs (Data Flow Diagram). It then identifies the system entities, events, and system boundaries. It is an easy to adopt method but is time-consuming. There is an issue of a rapid increase in threats as the system complexity increases.<\/p>\n P.A.S.T.A. was designed in 2012, which is a risk-centric threat modeling framework. It is the abbreviation for Process for Attack Simulation and Threat Analysis. It is divided into seven categories. Each category is designed for multiple activities. They are:<\/p>\n Fig: 1.4 PASTA Threat Categories<\/p>\n he main function of P.A.S.T.A. is to bring technical prerequisites and business destinations together. Multiple plans and tools are used in different stages. Using this strategy, the threat modeling cycle is divided into many vital levels i.e., administration engineering, key decision-makers, acquiring security contribution from tasks, and improvement. P.A.S.T.A. is generally viewed as a risk-driven structure, and it utilizes viewpoint driven by an attacker to create an asset-driven output for threat scoring and identification.<\/p>\n Its full form is Linkability, identifiability, nonrepudiation, detectability, disclosure of information, unawareness, noncompliance. It focuses on the user\u2019s privacy and data security. It consists of six core steps and provides a seamless approach towards privacy settlement.<\/p>\n Fig: 1.5 LINDDUN Methodology Steps<\/p>\n The LINDDUN process begins with a DND of the system where it explains the system\u2019s information flow, data storage, external entities, and procedures. LINDDUN users can easily distinguish threat appropriateness in the framework and then build threat trees by deliberately repeating every model component and breaking them down from their respective threat classifications.<\/p>\n <\/p>\n Threat modeling makes your item more reliable and secure. It displays significant risk demonstration techniques and procedures. They can be used for individual purposes as well as for others. There are instances where multiple strategies are combined. To perform threat modeling, you need to be clear about your target (risk, security, and privacy), to what extent you need to carry out this process, your experience with it, how deeply your partners are to be included in the spry environment, contingent time for running and how frequently the modeling is rehashed.<\/p>\n We offer several cybersecurity services to counter these cyber-attacks and risks. Services like\u00a0Audit and Compliance<\/a>,\u00a0SOC and Global Threat Management Services<\/a>,\u00a0Information Security Maturity Assessment<\/a>,\u00a0Special Security Services<\/a>, and much more. Our tailored security services will help organizations secure their information and enhance their defensive security systems.<\/p>\n <\/p>\n <\/p>\n Author,<\/p>\n Sankalp Mahajan<\/strong><\/em><\/p>\n Attack & Pen Test Team<\/em><\/p>\n Varutra Consulting Pvt. Ltd.<\/em><\/p>","protected":false},"excerpt":{"rendered":" Threat modeling is creating a buzz that everyone wants to talk about it. Every organization wants to remodel its overhaul information. It will help them…<\/p>\n","protected":false},"author":4,"featured_media":18160,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[285,273],"tags":[301,298,302,300,299,297],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t![\"Threat](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/Threat-Scenario.png\")
Fig: 1.0 Threat Scenario<\/em><\/p>\nProcess of Creating a Threat Model<\/strong><\/h3>\n
\n
\n
\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/DFD-of-an-online-college-application-1.png\")
<\/p>\n\n
\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/PFD-of-an-online-banking-application.png\")
<\/p>\nThreat Modelling Methodologies<\/strong><\/h3>\n
1.STRIDE Methodology<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/STRIDE-Threat-Categories.png\")
<\/p>\n2. P.A.S.T.A. Methodology<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/PASTA-Threat-Categories.png\")
<\/p>\n3. LINDDUN<\/strong><\/h3>\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/LINDDUN-Methodology-Steps.png\")
<\/p>\nConclusion<\/strong><\/h3>\n
References:<\/strong><\/h3>\n
\n
![https:\/\/threatmodeler.com\/wp-content\/uploads\/2017\/08\/Online-Banking-Application-Threat-Model-v2-e1523416136759.jpg<\/a><\/li>\n<\/ul>\n <\/p>\nAuthor,<\/p>\nSankalp Mahajan<\/strong><\/em><\/p>\nAttack & Pen Test Team<\/em><\/p>\nVarutra Consulting Pvt. Ltd.<\/em><\/p>","protected":false},"excerpt":{"rendered":"Threat modeling is creating a buzz that everyone wants to talk about it. Every organization wants to remodel its overhaul information. It will help them…<\/p>\n","protected":false},"author":4,"featured_media":18160,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[285,273],"tags":[301,298,302,300,299,297],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t](\"https:\/\/threatmodeler.com\/wp-content\/uploads\/2017\/08\/Online-Banking-Application-Threat-Model-v2-e1523416136759.jpg\"){kind=link}