SECURITY ARCHITECTURE

Threat Modeling

Systematic identification and mitigation of security threats before a single line of code is written. The most cost-effective security activity in the SSDLC.

Topics: STRIDE, DREAD, DFD, Attack Trees, PASTA, LINDDUN

What is Threat Modeling?

Threat modeling is the structured process of identifying potential security threats to a system, understanding their impact, and designing mitigations — performed at the design phase before implementation begins.

Every enterprise banking platform — from Core Banking to the Websites Portal — undergoes rigorous threat modeling before architecture is approved. It is the single most cost-effective security control in the SSDLC.

Why Threat Model Early?

  • Design phase fix: ~$80 per vulnerability
  • Development fix: ~$240 per vulnerability
  • Production fix: ~$7,600+ per vulnerability
  • Post-breach: $4.2M average incident cost (IBM 2024)

Threat Modeling Process

  1. Scope & Assets: define system boundaries, identify assets and trust levels.
  2. Data Flow Diagram: map all data flows, processes, stores and external entities.
  3. STRIDE Analysis: enumerate threats per trust boundary crossing.
  4. DREAD Scoring: prioritise threats by damage, exploitability and scope.
  5. Mitigations: design controls (technical, procedural, detective).
  6. Validation: verify controls, update the DFD, schedule re-assessment.

STRIDE Threat Categories

Developed by Microsoft, STRIDE is the most widely used threat categorisation framework. Each letter represents a threat category — applied to every element of the Data Flow Diagram to systematically enumerate threats.

S: Spoofing
  Can an attacker impersonate a user, service, or component?
  Mitigations: authentication controls, digital certificates, mutual TLS, MFA

T: Tampering
  Can data be modified in transit, at rest, or in process?
  Mitigations: digital signatures, HMAC, encryption, integrity checks, write-protection

R: Repudiation
  Can a user deny performing an action without traceability?
  Mitigations: audit logging, non-repudiation, digital signatures, WORM storage

I: Information Disclosure
  Can sensitive data be exposed to unauthorised parties?
  Mitigations: encryption at rest and in transit, access control, data masking, DLP

D: Denial of Service
  Can the system be made unavailable to legitimate users?
  Mitigations: rate limiting, autoscaling, WAF, DDoS protection, circuit breakers

E: Elevation of Privilege
  Can a low-trust user gain higher permissions?
  Mitigations: least privilege, RBAC, privilege separation, sandbox environments

Animated DFD Example

A Data Flow Diagram (DFD) maps all data movements in a system. Every crossing of a trust boundary (dashed line) is a potential threat surface requiring STRIDE analysis. Below is an interactive DFD for a typical banking API architecture.

[Interactive DFD not reproduced. Legend: Process, External Entity, Data Store, Trust Boundary (dashed line), Data Flow]

DREAD Risk Scoring

DREAD scoring assigns a numerical risk level to each identified threat, enabling security teams to prioritise which threats to mitigate first. Each dimension is scored 1–10.

Damage: impact if successfully exploited. Score 1 = minimal data exposure; 5 = sensitive data leaked; 10 = full system compromise.
Reproducibility: how easy is it to reproduce? Score 1 = rarely succeeds; 5 = sometimes succeeds; 10 = always succeeds.
Exploitability: skill needed to exploit. Score 1 = expert skill needed; 5 = skilled attacker; 10 = script kiddie.
Affected Users: how many users are impacted? Score 1 = single user; 5 = some users; 10 = all users.
Discoverability: how easy is the threat to discover? Score 1 = very difficult; 5 = possible with research; 10 = publicly known.

Worked example: Damage 9/10, Reproducibility 8/10, Exploitability 7/10, Affected Users 10/10, Discoverability 9/10.
Total risk score: 43/50 (Critical).
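
Steps 2 to 4 of the process above (DFD, STRIDE enumeration per trust-boundary crossing, DREAD scoring and ranking), as an added "threat model as code" example that is not part of the original page or of any tool it lists. The element types, trust-zone names and the simplified banking API DFD are constructed for illustration; the DREAD scores reuse the page's worked example.

```python
from dataclasses import dataclass

# STRIDE categories as listed on the page, keyed by letter.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
DREAD_DIMENSIONS = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "process", "external_entity" or "data_store"
    zone: str   # trust zone (assumed naming); differing zones imply a trust boundary

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str

    def crosses_trust_boundary(self) -> bool:
        # A flow between two zones crosses the dashed line on the DFD.
        return self.src.zone != self.dst.zone

def enumerate_threats(flows):
    """Step 3: one candidate threat per STRIDE category for each boundary crossing."""
    return [{"flow": f.label, "boundary": f"{f.src.zone}->{f.dst.zone}", "category": c}
            for f in flows if f.crosses_trust_boundary() for c in STRIDE.values()]

def dread_total(scores):
    """Step 4: each dimension must be an integer 1-10; returns the total out of 50."""
    for dim in DREAD_DIMENSIONS:
        v = scores.get(dim)
        if isinstance(v, bool) or not isinstance(v, int) or not 1 <= v <= 10:
            raise ValueError(f"{dim} must be an integer 1-10, got {v!r}")
    return sum(scores[d] for d in DREAD_DIMENSIONS)

def prioritise(scored):
    """Rank (threat, scores) pairs by DREAD total, highest risk first."""
    return sorted(((dread_total(s), t) for t, s in scored), key=lambda p: p[0], reverse=True)

# Constructed, simplified banking API DFD (not the page's interactive diagram).
customer = Element("Customer", "external_entity", "internet")
gateway = Element("API Gateway", "process", "dmz")
core = Element("Core Banking", "process", "internal")
accounts = Element("Accounts DB", "data_store", "internal")
BANKING_FLOWS = [Flow(customer, gateway, "login request"), Flow(gateway, core, "transfer request"),
                 Flow(core, accounts, "balance update")]  # last flow stays in one zone: no crossing
```

The same-zone flow produces no candidate threats, which is the point of step 3: STRIDE effort is spent where trust changes, and out-of-range scores are rejected before they can distort the ranking.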

Attack Tree Methodology

Attack trees model the ways an attacker could achieve a goal in a tree structure. The root is the attacker's objective; branches are the paths to achieve it. This helps security architects visualise all possible attack vectors systematically.

Compromise Banking API (root goal)
  OR: Credential Theft
    Phishing Attack
    Brute Force Login
    Session Hijacking
  OR: Injection
    SQL Injection
    NoSQL Injection
    Command Injection
  AND: Priv Escalation
    Auth Bypass
    IDOR Exploit

Legend:
  OR node: any child achieves the parent.
  AND node: all children are required.
  Leaf: atomic attack action.
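
The OR/AND semantics above, evaluated over the page's own example tree as an added example (not code from the original page). It answers the two questions an architect asks of an attack tree: given the leaves that are already mitigated, is the root goal still reachable, and which leaves still need a control; the root is assumed to be an OR node, and the node names come from the tree shown.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"                       # "OR", "AND" or "LEAF"
    children: list = field(default_factory=list)

def achievable(node, mitigated):
    """Leaf: reachable unless mitigated. OR: any child reachable. AND: all children reachable."""
    if node.gate == "LEAF":
        return node.name not in mitigated
    results = [achievable(c, mitigated) for c in node.children]
    return any(results) if node.gate == "OR" else all(results)

def open_leaves(node, mitigated):
    """Leaves that still sit on a reachable path to this node (residual exposure)."""
    if not achievable(node, mitigated):
        return []
    if node.gate == "LEAF":
        return [node.name]
    return [leaf for c in node.children for leaf in open_leaves(c, mitigated)]

def minimal_cut(node):
    """Smallest set of leaves whose mitigation makes this node unreachable:
    OR needs every branch cut, AND needs only its cheapest branch cut."""
    if node.gate == "LEAF":
        return {node.name}
    cuts = [minimal_cut(c) for c in node.children]
    return set().union(*cuts) if node.gate == "OR" else min(cuts, key=len)

# The page's example tree; root gate assumed to be OR.
BANKING_API_TREE = Node("Compromise Banking API", "OR", [
    Node("Credential Theft", "OR", [Node("Phishing Attack"), Node("Brute Force Login"),
                                    Node("Session Hijacking")]),
    Node("Injection", "OR", [Node("SQL Injection"), Node("NoSQL Injection"),
                             Node("Command Injection")]),
    Node("Priv Escalation", "AND", [Node("Auth Bypass"), Node("IDOR Exploit")]),
])
```

Because Priv Escalation is an AND node, mitigating either Auth Bypass or IDOR Exploit closes that branch, so the minimal cut for this tree is seven leaves, not eight.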

Threat Modeling Toolchain

Microsoft Threat Modeling Tool (Microsoft)
  Industry-standard free tool using the STRIDE methodology. Generates DFDs, automatically enumerates STRIDE threats, and produces reports for security reviews and compliance documentation. Used extensively at IT Industry.

OWASP Threat Dragon (OWASP)
  Open-source web-based threat modeling tool with DFD support. Integrates with GitHub for version-controlled threat models. Supports STRIDE, the CIA triad, and custom threat categories.

IriusRisk (Enterprise)
  Enterprise threat modeling platform with automated threat and countermeasure generation. Integrates with Jira for security story creation and compliance requirement tracking.

PyTM (DevSecOps)
  Python-based threat modeling framework that generates DFDs, sequence diagrams, and threat reports programmatically. Ideal for DevSecOps pipelines: threat models as code.

Threat Modeling at IT — Real-World Application

Every major project at IT Industry undergoes a formal threat modeling review before architecture sign-off. The process includes: DFD creation in Microsoft Threat Modeling Tool, STRIDE enumeration across all trust boundaries, DREAD scoring for prioritisation, and mitigation mapping to NIST CSF controls. Threat model artifacts are maintained in Confluence and revisited at each sprint review for high-risk components.