

A Practical Approach to Threat Modeling: Page 3

Protecting your systems requires more than just a firewall and a password; you need a documented process.

Creating and Using Data Flow Diagrams
Data flow diagrams are just one of many options that help people grasp the data flow through a system. Taking the time to prepare these diagrams will save time in the long run, because they quickly communicate all the aspects previously discussed. To prepare a data flow diagram you approach the system hierarchically. A "context diagram" expresses the entire data flow of a system at the highest level; to explore specific processes of a system, you would use "lower level" diagrams.

Figure 1. Context Diagram for Sample Music CD Library System: Included in this diagram are the trust boundaries of the system indicated with dotted lines.
Figure 1 shows a context diagram for the sample system of a music CD library. The diagram identifies each user entity along with the trust boundaries over which they communicate with the system. This context diagram represents the system at its highest level; the double-lined circle indicates that there are multiple processes involved.
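The context diagram's value for threat modeling comes from the trust boundaries: every flow that crosses one is a point where data changes trust level and where input validation, authentication and transport protection need to be decided. The following added example (not code from the article) models a small context-level diagram for the music CD library system as data and lists the boundary crossings; the entity names, boundary names and flows are assumptions constructed for the illustration, not the contents of Figure 1.

```python
from dataclasses import dataclass

# Constructed example: a context-level data flow diagram for the article's
# music CD library system. Element names, trust boundaries and flows are
# assumptions made for this illustration, not taken from Figure 1.


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "entity" (external), "process" or "store"
    boundary: str   # the trust boundary the element sits inside


@dataclass(frozen=True)
class Flow:
    source: Element
    target: Element
    data: str       # what travels along the arrow in the diagram

    def crosses_boundary(self) -> bool:
        """True when the two endpoints sit in different trust boundaries."""
        return self.source.boundary != self.target.boundary


MEMBER = Element("Member", "entity", "Internet")
LIBRARIAN = Element("Librarian", "entity", "Internal network")
SYSTEM = Element("CD Library System", "process", "Application server")
MEMBER_DB = Element("Member database", "store", "Data tier")
AUDIT_LOG = Element("Audit log", "store", "Application server")

FLOWS = [
    Flow(MEMBER, SYSTEM, "login credentials, catalog searches"),
    Flow(SYSTEM, MEMBER, "search results, loan status"),
    Flow(LIBRARIAN, SYSTEM, "catalog updates"),
    Flow(SYSTEM, MEMBER_DB, "member records"),
    Flow(SYSTEM, AUDIT_LOG, "access events"),   # same boundary: not a crossing
]


def boundary_crossings(flows):
    """Return only the flows whose endpoints sit in different trust boundaries.

    Each of these is a place where the threat model must record how the
    receiving side authenticates the sender and validates the data."""
    return [f for f in flows if f.crosses_boundary()]


def crossings_by_boundary_pair(flows):
    """Group the crossing flows by the ordered (from, to) boundary pair."""
    grouped = {}
    for f in boundary_crossings(flows):
        key = (f.source.boundary, f.target.boundary)
        grouped.setdefault(key, []).append(f.data)
    return grouped


def render_outline(flows):
    """Render the crossings as a plain-text outline, one boundary pair per heading."""
    lines = []
    for (src, dst), items in sorted(crossings_by_boundary_pair(flows).items()):
        lines.append(f"{src} -> {dst}")
        for data in items:
            lines.append(f"  - {data}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_outline(FLOWS))
```

The flow from the system to its own audit log stays inside the "Application server" boundary and is therefore not listed; the four remaining flows each cross a boundary and become the entries to review. Lower-level diagrams can be modeled the same way by giving a process its own boundary and adding the flows between its sub-processes.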

Know Your Adversary
War is not something usually considered a desirable state, but it is the reality when it comes to protecting a system's valuable assets. There are many types of adversaries out in the world, all of whom want to either steal those assets or render them useless. An effective defense requires understanding the system's adversaries. There are three types of adversaries:

  • Informed Adversary: This is an adversary that either is given or has obtained information that gives them an advantage when approaching the system. An example of this information would be a login/password or a data diagram that describes the relationships of the tables that make up the database.
  • Uninformed Adversary: This is an adversary that possesses no information regarding the system and is attempting to compromise the system through random attacks. An example of this type of adversary would be one who employs a network sniffer to capture traffic that may reveal information that will aid the attack.
  • Accidental Adversary: This is an adversary who exploits a vulnerability of a system without malicious intent. Often this will be a valid user entity that runs across a flaw in the system or interfaces with the system in an unexpected way. An example of this type of adversary would be a valid user who, while entering data, accidentally updates the incorrect record, compromising the integrity of the data.
Viewing the system from the point of view of these types of adversaries greatly aids in the threat modeling effort.

Threat Trees
Threat trees are a hierarchical method for exploring system threats and vulnerabilities. Their organization aids in the process of understanding how an attack may be executed and how any resulting identified vulnerabilities may be mitigated. You can document threat trees using either graphical flow charts or simple outlines.

Reviewing the asset listing aids in the development of threat trees.
The process of developing threat trees begins by identifying the root threats to the system, then identifying sub-threats, which detail exactly how an adversary may execute the root threat. The level below the sub-threat is known as the atomic threat. An atomic threat is the specific step that facilitates the successful execution of the sub-threat. Finally, the lowest level in a threat tree is the threat vector. This level identifies the vulnerabilities that allow the previous levels to be executed.

Here's a very limited threat tree that addresses the member data asset for the sample music CD library system. The root threat is that an attacker might be able to view confidential member data. The sub-threats, atomic threats, and threat vectors identify how an attacker might gain such access:

Threat Tree Example

Root threat: View confidential member data
  Sub-threat: Valid member login/password is spoofed.
    Atomic threat: Capture valid user keystrokes.
      Threat vector: Anti-Spyware does not exist on server.
    Atomic threat: Member login/password easily determined.
      Threat vector: Strong passwords are not enforced.
      Threat vector: System allows unlimited password attempts.
      Threat vector: Forgotten password provides a generic temporary password.
    Atomic threat: Member login/password is shared with another person.
      Threat vector: System does not force a new password after a period of time.

By studying this threat tree, you can see how the various levels work together to define threats.
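Because a threat tree is a strict hierarchy (root threat, sub-threat, atomic threat, threat vector), it is easy to keep as data and to query: rendering it as the outline form the article mentions, walking every root-to-vector path, and reporting which vectors still have no recorded mitigation. The following added example (not code from the article) does that for the member-data tree above; the mitigation strings attached to two of the vectors are constructed placeholders for the illustration, since the article itself records none.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Level names, from the top of the tree down, as defined in the article.
LEVELS = ["Root threat", "Sub-threat", "Atomic threat", "Threat vector"]


@dataclass
class ThreatNode:
    description: str
    children: List["ThreatNode"] = field(default_factory=list)
    # A mitigation is only meaningful on a threat vector (a leaf): it is the
    # control that removes the vulnerability the vector names.
    mitigation: Optional[str] = None

    def add(self, description: str, mitigation: Optional[str] = None) -> "ThreatNode":
        node = ThreatNode(description, mitigation=mitigation)
        self.children.append(node)
        return node


def build_member_data_tree() -> ThreatNode:
    """The article's member-data threat tree. The two mitigation strings are
    constructed for this example; the article records no mitigations."""
    root = ThreatNode("View confidential member data")
    spoof = root.add("Valid member login/password is spoofed.")

    keystrokes = spoof.add("Capture valid user keystrokes.")
    keystrokes.add("Anti-Spyware does not exist on server.",
                   mitigation="Deploy and keep anti-spyware current (assumed)")

    guessed = spoof.add("Member login/password easily determined.")
    guessed.add("Strong passwords are not enforced.",
                mitigation="Enforce a password policy (assumed)")
    guessed.add("System allows unlimited password attempts.")
    guessed.add("Forgotten password provides a generic temporary password.")

    shared = spoof.add("Member login/password is shared with another person.")
    shared.add("System does not force a new password after a period of time.")
    return root


def render_outline(node: ThreatNode, depth: int = 0) -> List[str]:
    """Render the tree as an indented outline, labelling each line with its level."""
    label = LEVELS[min(depth, len(LEVELS) - 1)]
    lines = [f"{'  ' * depth}{label}: {node.description}"]
    for child in node.children:
        lines.extend(render_outline(child, depth + 1))
    return lines


def threat_vectors(node: ThreatNode, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], ThreatNode]]:
    """Yield (path, leaf) for every threat vector, where path is the chain of
    descriptions from the root threat down to that vector."""
    path = path + (node.description,)
    if not node.children:
        yield path, node
    for child in node.children:
        yield from threat_vectors(child, path)


def unmitigated_vectors(node: ThreatNode) -> List[str]:
    """Threat vectors that have no mitigation recorded: the open work items."""
    return [leaf.description for _, leaf in threat_vectors(node) if leaf.mitigation is None]


if __name__ == "__main__":
    tree = build_member_data_tree()
    print("\n".join(render_outline(tree)))
    print("\nUnmitigated threat vectors:")
    for vector in unmitigated_vectors(tree):
        print(f"  - {vector}")
```

Every path yielded by threat_vectors has exactly four elements, one per level, which is a cheap consistency check that nobody has attached a vector directly to a sub-threat. The unmitigated list is the part worth tracking over time: the tree is finished not when every threat is drawn but when every vector has a control recorded against it.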
