Threat Modeling & Threat Intelligence
Mô hình Mối đe dọa & Tình báo Bảo mật
What is Threat Modeling?
Threat modeling is the process of systematically identifying potential threats to a system and designing countermeasures — ideally done before building the system, not after. It answers: "What could go wrong? Who would attack? How?"
STRIDE Framework (Microsoft)
STRIDE is an asset/system-centric framework that categorizes threats into 6 types. Each letter represents a threat category.
| Letter | Threat | Tiếng Việt | Violates | Platform C Example |
|---|---|---|---|---|
| S | Spoofing | Giả mạo danh tính | Authenticity | Fake Partner D API call without valid HMAC signature — attacker impersonates Partner D |
| T | Tampering | Giả mạo dữ liệu | Integrity | Attacker modifies loan disbursement amount in transit between Platform C and Bank A H2H |
| R | Repudiation | Phủ nhận hành động | Non-repudiation | Customer denies signing Partner A loan contract — mitigated by eSign Vendor audit trail |
| I | Information Disclosure | Tiết lộ thông tin | Confidentiality | PII (NRIC, income data) exposed via misconfigured API endpoint without auth |
| D | Denial of Service | Từ chối dịch vụ | Availability | Flood of fake KYC initiation requests exhausts eKYC Vendor API quota, blocking real users |
| E | Elevation of Privilege | Leo thang đặc quyền | Authorization | Bypass credit check stage in Temporal workflow — client sends "approved" status without server validation |
DREAD — Risk Rating Framework
DREAD is a risk scoring framework, not a threat categorization framework like STRIDE. It is used to rate the severity of threats that have already been identified. Each category is scored 1-10; the total is the priority score.
| Letter | Category | Tiếng Việt | Question to Ask | Score Guide |
|---|---|---|---|---|
| D | Damage Potential | Mức độ thiệt hại | How severe if exploited? | 1=minimal, 10=full system compromise |
| R | Reproducibility | Khả năng tái tạo | How easy to reproduce the attack? | 1=very hard, 10=always works |
| E | Exploitability | Khả năng khai thác | How much skill needed? | 1=expert only, 10=automated tool available |
| A | Affected Users | Số người dùng bị ảnh hưởng | How many users impacted? | 1=single user, 10=all users |
| D | Discoverability | Khả năng phát hiện bởi kẻ tấn công | How easy to find the vulnerability? | 1=very hard, 10=publicly known |
DREAD vs STRIDE: STRIDE = categorizes threat types (what kind of attack?); DREAD = rates risk severity (how bad is this threat?). Use both together: STRIDE to identify, DREAD to prioritize.
Example: OTP brute-force on Platform C login endpoint
D=8 (account takeover), R=9 (automated tool), E=7 (scripting skill), A=10 (all users), D=10 (publicly known endpoint) → DREAD score = 44/50 → HIGH priority to fix
Mitigation: 5/hr OTP rate limit + sliding window → reduces R=2, E=2 → new score = 29/50 → much lower priority
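One way to implement the 5/hr sliding-window OTP limit named in the mitigation above. This is an added example, not Platform C's code; the class name, the per-account keying and the in-memory store are assumptions. A fixed hourly counter would reset at the boundary and allow a double burst; the rolling window does not.

```python
import time
from collections import defaultdict, deque


class SlidingWindowOtpLimiter:
    """At most `limit` OTP attempts per account in any rolling `window` seconds."""

    def __init__(self, limit=5, window=3600, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested
        # In-memory store for illustration; a multi-instance service would
        # need a shared store (assumption, not stated on the page).
        self._attempts = defaultdict(deque)  # account id -> attempt timestamps

    def _prune(self, account_id, now):
        """Drop attempts that have slid out of the window; return the queue."""
        q = self._attempts[account_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, account_id):
        """Record and permit an attempt, or refuse it if the window is full."""
        now = self.clock()
        q = self._prune(account_id, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, account_id):
        """Seconds until the oldest counted attempt expires (0 if not limited)."""
        now = self.clock()
        q = self._prune(account_id, now)
        if len(q) < self.limit:
            return 0
        return q[0] + self.window - now


if __name__ == "__main__":
    t = [3590.0]  # constructed clock, just before an hour boundary
    lim = SlidingWindowOtpLimiter(clock=lambda: t[0])
    print([lim.allow("user-1") for _ in range(6)])
    t[0] = 3601.0  # a fixed hourly counter would have reset here
    print(lim.allow("user-1"), lim.retry_after("user-1"))
```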
Other Threat Modeling Methods
Threat Intelligence
Intelligence Types by Audience
| Type | Audience | Content | Example |
|---|---|---|---|
| Strategic | Executives, Board | High-level trends, adversary motivations, business risk context | "Nation-state actors increasingly targeting fintech in SEA" |
| Tactical | Security architects, CISOs | Adversary TTPs (Tactics, Techniques, Procedures) | "APT group uses spear phishing followed by Cobalt Strike lateral movement" |
| Operational | SOC, incident response | Specific ongoing campaigns and threat actor activity | "Campaign targeting PH fintech loan apps via fake SMS OTP links this week" |
| Technical | Engineers, security tools | IOCs: IPs, domains, file hashes, YARA rules | Blocklist of known malicious IPs targeting eKYC APIs |
IOC vs IOA
IOC (Indicator of Compromise): known artifacts from previous attacks, such as IP addresses, file hashes, domain names, registry keys, and email addresses. Used to detect known threats.
IOA (Indicator of Attack): behavioral patterns suggesting an attack is in progress, such as unusual privilege escalation, mass file access, beaconing patterns, and lateral movement. Detects unknown attacks.
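The difference between the two indicator types, run over constructed connection logs. This is an added example, not from the original page; the hosts, documentation-range IPs, thresholds and function names are assumptions. The blocklist lookup finds only the known-bad address, while the interval-regularity check flags beaconing to an address no blocklist contains.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (epoch_seconds, source_host, dest_ip).
EVENTS = (
    [(120, "ws-07", "203.0.113.66")]                      # one hit on a known-bad IP
    + [(t, "ws-12", "198.51.100.23")                      # ~300 s beacon, small jitter
       for t in (0, 301, 599, 902, 1200, 1499, 1801)]
    + [(t, "ws-03", "192.0.2.10")                         # irregular, human-driven traffic
       for t in (5, 40, 700, 720, 1500, 1510, 1790)]
)

IOC_BLOCKLIST = {"203.0.113.66"}  # constructed indicator list


def ioc_hits(events, blocklist):
    """IOC matching: exact lookup of a known artifact (here, destination IP)."""
    return sorted({(host, dst) for _, host, dst in events if dst in blocklist})


def ioa_beacons(events, min_events=6, max_jitter=0.1):
    """IOA detection: flag host/destination pairs whose connection intervals
    are nearly constant (coefficient of variation <= max_jitter)."""
    by_pair = defaultdict(list)
    for ts, host, dst in events:
        by_pair[(host, dst)].append(ts)

    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS, IOC_BLOCKLIST))
    print("IOA beacons:", ioa_beacons(EVENTS))
```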
APT vs Opportunistic Attacker
| Characteristic | APT (Advanced Persistent Threat) | Script Kiddie / Opportunistic |
|---|---|---|
| Motivation | Strategic (espionage, disruption, financial theft at scale) | Notoriety, quick gain, experimentation |
| Resources | Nation-state level — well-funded, skilled teams | Low skill; uses pre-built tools |
| Patience | Long dwell time — months to years in network | Hit-and-run; quick scans |
| Targeting | Specific high-value targets | Opportunistic — targets whoever is vulnerable |
| Stealth | Highly stealthy; designed to evade detection | Noisy; often detected quickly |
MITRE ATT&CK Framework
A publicly available knowledge base of adversary tactics and techniques observed in real-world attacks. Used for threat hunting, detection rule development, and security gap analysis.
Key Terms
| Term | Tiếng Việt | Definition |
|---|---|---|
| STRIDE | Mô hình STRIDE | Microsoft threat categorization: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation |
| PASTA | Phân tích PASTA | 7-stage attacker-centric threat modeling focused on business risk and attack simulation |
| Threat Modeling | Mô hình hóa mối đe dọa | Systematic process to identify threats and design countermeasures before building systems |
| IOC | Chỉ số xâm phạm | Artifacts from known attacks: IPs, hashes, domains — used for detection |
| IOA | Chỉ số tấn công | Behavioral patterns indicating an attack is in progress — detects unknowns |
| APT | Mối đe dọa dai dẳng nâng cao | Sophisticated, patient, well-funded threat actor (typically nation-state sponsored) |
| TTP | Chiến thuật, kỹ thuật, quy trình | Tactics, Techniques, Procedures — the how and why of adversary behavior |
| MITRE ATT&CK | Ma trận ATT&CK | Public knowledge base of adversary tactics and techniques for threat hunting |
1. STRIDE mnemonic: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Each maps to a CIA/security property violation.
2. STRIDE vs PASTA: STRIDE is asset-centric (what can happen to this component?); PASTA is attacker-centric (what does the attacker want to achieve?). PASTA is more comprehensive but more complex.
3. IOC = past/present evidence of compromise (file hash, IP) — backward-looking. IOA = behavioral indicators of active attack — forward-looking. "Detecting known malware by hash" = IOC. "Detecting unusual privilege escalation pattern" = IOA.
4. APT = patient + stealthy + targeted — opposite of noisy opportunistic attackers. APT dwell time may be months before detection. Nation-state actors are typically APTs.
5. MITRE ATT&CK is used for threat hunting and detection rule building, not for vulnerability assessment (that's more CVSS/CVE territory).
Running STRIDE against the Platform C eKYC Vendor integration:
| STRIDE | Threat in Platform C eKYC | Mitigation |
|---|---|---|
| Spoofing | Attacker submits fake liveness video to pass biometric check | eKYC Vendor liveness detection; certificate pinning on SDK |
| Tampering | Modify eKYC result (PASS→FAIL or vice versa) in transit from eKYC Vendor to Platform C | mTLS channel + result payload signed by eKYC Vendor private key |
| Repudiation | Customer denies submitting selfie for eKYC; claims it was forged | Audit trail: timestamp + OTP authorization at KYC step; eSign Vendor consent record |
| Info Disclosure | Biometric data (face scan, NRIC) exposed in transit or in logs | mTLS; no PII in application logs; encrypted payload storage |
| DoS | Bulk fake KYC requests exhaust eKYC Vendor API quota, blocking real users | Rate limiting per user/IP; per-customer KYC session tokens with TTL |
| EoP | Skip KYC stage in Temporal workflow — client signals "KYC complete" without server validation | Server-side stage enforcement; Temporal activities validate KYC result from eKYC Vendor directly, never trusting client payload |
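The Elevation of Privilege row above, shown as a client-trusting stage transition beside a server-validated one. This is an added example, not Platform C's workflow code: it uses plain Python rather than the Temporal SDK, and the stage names, record layout and function names are hypothetical.

```python
# Constructed stand-in for results the server obtains itself
# (eKYC vendor verdict, internal credit decision), keyed by application id.
SERVER_RECORDS = {
    "app-1001": {"kyc": "PASS", "credit": "approved"},
    "app-1002": {"kyc": "PASS", "credit": "declined"},
    "app-1003": {"kyc": "FAIL", "credit": None},
}

# stage -> (next stage, server-side field to check, value required to advance)
TRANSITIONS = {
    "KYC": ("CREDIT_CHECK", "kyc", "PASS"),
    "CREDIT_CHECK": ("DISBURSEMENT", "credit", "approved"),
}


def advance_trusting_client(stage, payload):
    """VULNERABLE: the client supplies both the status and the target stage."""
    if payload.get("status") in ("PASS", "approved"):
        return payload.get("next_stage", stage)
    return stage


def advance_server_validated(app_id, stage, payload=None):
    """Hardened: the payload is never read. The workflow moves one step at
    most, and only when the server-side record for that stage allows it."""
    if stage not in TRANSITIONS:
        return stage  # terminal or unknown stage: nothing to advance
    next_stage, field, required = TRANSITIONS[stage]
    record = SERVER_RECORDS.get(app_id, {})
    return next_stage if record.get(field) == required else stage


if __name__ == "__main__":
    forged = {"status": "approved", "next_stage": "DISBURSEMENT"}  # constructed
    print(advance_trusting_client("KYC", forged))               # jumps two stages
    print(advance_server_validated("app-1003", "KYC", forged))  # stays at KYC
```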
Practice Questions
Q1. An attacker steals a user's valid session token and makes requests as that user without knowing their password. Which STRIDE category does this represent?
A) Spoofing — the attacker is impersonating the legitimate user using stolen credentials/tokens
Q2. A security team needs to model threats based on what an attacker is trying to achieve (their goals and motivations) rather than what could happen to specific system components. Which framework is most appropriate?
A) PASTA — Process for Attack Simulation and Threat Analysis; attacker-centric, focuses on attacker goals and business risk
Q3. The Platform C security team is told that a known malware campaign uses a specific file hash (SHA256: abc123...). They add this to their EDR blocklist. What type of intelligence indicator is the file hash?
A) IOC (Indicator of Compromise) — a known artifact from a previous/current attack used to detect known threats
Q4. A threat actor targeting FinTech Company X's Platform C platform maintains access for 8 months without detection, slowly exfiltrating loan applicant data. Which threat actor type does this describe?
A) APT (Advanced Persistent Threat) — patient, stealthy, targeted, and resourced for long-duration operations
Q5. Which primary use case is the MITRE ATT&CK framework designed for?
A) Threat hunting and detection engineering — mapping attacker TTPs to detection rules and coverage gaps