The MITRE ATT&CK Matrix organizes attacker behavior across phases of an intrusion.
It maps tactics (the “why”) to techniques (the “how”)—enabling defenders to detect and respond to threats more effectively.
STRIDE helps security teams systematically identify types of threats that may affect a system based on the violation of specific security properties.
S - Spoofing: Strong Authentication, Authorization.
T - Tampering: Integrity Checks, Access Controls.
R - Repudiation: Audit Logging, Digital Signatures.
I - Information Disclosure: Encryption, Access Controls.
D - Denial of Service: Rate Limiting, Firewalls.
E - Elevation of Privilege: Least Privilege, RBAC.
DREAD is a risk assessment model that assigns numerical values to threats identified (often from STRIDE) to prioritize them based on potential impact and exploitability.
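The prioritization step described above, as an added example that is not part of the original page: each STRIDE-identified threat gets five DREAD ratings, the mean becomes its score, and the ranked output carries the mitigations from the STRIDE list. The 1-10 scale, the plain mean, and the sample threats are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE letter -> (threat type, mitigations), copied from the list above.
STRIDE = {
    "S": ("Spoofing", "Strong Authentication, Authorization"),
    "T": ("Tampering", "Integrity Checks, Access Controls"),
    "R": ("Repudiation", "Audit Logging, Digital Signatures"),
    "I": ("Information Disclosure", "Encryption, Access Controls"),
    "D": ("Denial of Service", "Rate Limiting, Firewalls"),
    "E": ("Elevation of Privilege", "Least Privilege, RBAC"),
}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    stride: str    # one STRIDE letter
    ratings: dict  # DREAD factor -> int in 1..10 (scale is an assumption)

def dread_score(threat):
    """Mean of the five DREAD ratings; rejects missing or out-of-range input."""
    if threat.stride not in STRIDE:
        raise ValueError(f"{threat.name}: unknown STRIDE category {threat.stride!r}")
    if set(threat.ratings) != set(DREAD_FACTORS):
        raise ValueError(f"{threat.name}: need exactly {DREAD_FACTORS}")
    for factor, value in threat.ratings.items():
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{threat.name}: {factor}={value!r} not in 1..10")
    return sum(threat.ratings.values()) / len(DREAD_FACTORS)

def prioritize(threats):
    """Rows of (score, name, threat type, mitigations), highest first, ties by name."""
    rows = [(dread_score(t), t.name, *STRIDE[t.stride]) for t in threats]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

def _r(*values):
    return dict(zip(DREAD_FACTORS, values))

# Constructed sample threats for a hypothetical web application.
SAMPLE = [
    Threat("Forged session token accepted", "S", _r(8, 7, 6, 8, 5)),
    Threat("Audit log not signed", "R", _r(4, 9, 3, 2, 3)),
    Threat("Login endpoint flooding", "D", _r(6, 9, 8, 9, 8)),
    Threat("User gains admin role", "E", _r(9, 8, 6, 6, 5)),
]
if __name__ == "__main__":
    for score, name, kind, fix in prioritize(SAMPLE):
        print(f"{score:4.1f}  {name:<30} {kind:<24} -> {fix}")
```

Validation matters here because a single missing or out-of-range rating silently skews the mean and can reorder the whole backlog.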
OWASP Framework
While not technically a threat model, the OWASP framework can be used to align our security stack with appropriate measures of defense. 
A1: Broken Access Control - Control: Role-Based Access Control (RBAC), Principle of Least Privilege, Access Control Lists (ACLs), Policy Enforcement Points (PEPs)
A2: Cryptographic Failures - Control: Strong Encryption Algorithms (AES, TLS 1.3), Secure Key Management, Proper Hashing (Argon2, bcrypt)
A3: Injection - Control: Input Validation, Output Encoding, Parameterized Queries/Prepared Statements, Web Application Firewall (WAF)
A4: Insecure Design - Control: Threat Modeling, Secure Development Lifecycle (SDLC), Security Architecture Reviews, Secure Design Principles
A5: Security Misconfiguration - Control: Hardening, Patch Management, Secure Default Configurations, Security Headers, Configuration Management
A6: Vulnerable and Outdated Components - Control: Software Composition Analysis (SCA), Dependency Management, Patching, Component Inventory
A7: Identification and Authentication Failures - Control: Multi-Factor Authentication (MFA), Strong Password Policies, Secure Session Management, Rate Limiting
A8: Software and Data Integrity Failures - Control: Code Signing, Software Supply Chain Security, Integrity Checks, Secure CI/CD Pipelines
A9: Security Logging and Monitoring Failures - Control: Centralized Logging, Security Information and Event Management (SIEM), Alerting, Incident Response Planning
A10: Server-Side Request Forgery (SSRF) - Control: Input Validation for URLs, Allow Lists for Outbound Connections, Network Segmentation