一、Definition(定义)

Threat modeling is a structured process with these objectives: 

威胁建模是一个结构化的过程，具有以下目标。

    identify security requirements, （ 确定安全要求）

    pinpoint security threats and potential vulnerabilities, （找出安全威胁和潜在的漏洞）

    quantify threat and vulnerability criticality, （量化威胁和漏洞的严重程度）

    and prioritize remediation methods.（并对补救方法进行优先排序）

二、步骤

    1、分解应用程序；

    2、确定威胁并对其排序；

    3、确定对策和缓解措施

三、Threat modeling methods and tools

CIA method

As a starting point, use the CIA (confidentiality, integrity, availability) method to define what needs protecting in the organization. For example, there may be sensitive customer information (confidentiality), company operational or proprietary data (integrity), or reliability of a service such as a web portal (availability).

Attack trees

Attack trees are a graphic representation of systems and possible vulnerabilities. The trunk of the attack tree is the asset, while entry points and threats are branches or roots. Attack trees are often combined with other methods.

STRIDE

Developed by Microsoft, STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) is one of the oldest and most widely used frameworks for threat modeling. STRIDE is a free tool that will produce DFDs and analyze threats.

PASTA

PASTA (process for attack simulation and threat analysis) is a framework designed to elevate threat modeling to the strategic level, with input from all stakeholders, not just IT or security teams. PASTA is a seven-step process that begins with defining objectives and scope. It includes vulnerability checks, weakness analysis, and attack modeling, and ends with risk and impact analysis expressed through scoring.

Trike

An open-source tool available as a spreadsheet template or stand-alone program, Trike consists of a matrix combining assets, actors, actions, and rules. When parameters and data are entered in this matrix, the program produces a score-based analysis of risks and probabilities.

VAST

VAST (visual, agile, and simple threat) modeling consists of methods and processes that can be easily scaled and adapted to any scope or part of an organization. The results produce benchmarks that can be used to make reliable comparisons and measurements of effective risk across a whole organization.

Persona non grata

This method is similar to criminal profiling in law enforcement. To anticipate attacks in more detail, brainstorming exercises are performed to create a detailed picture of a hypothetical attacker, including their psychology, motivations, goals, and capabilities.

LINDDUN

The LINDDUN framework focuses on analysis of privacy threats, based on the categories that form its acronym: linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness, and non-compliance. It uses threat trees to help users choose the relevant privacy controls to apply.