Invisibits, profile picture
Uploaded byInvisibits
1,845 views

Attack modeling vs threat modelling

Threat modeling involves identifying potential threats to a system from the defender's perspective in order to mitigate risks. It includes identifying system assets, potential threats using frameworks like STRIDE, and how threats could be realized. Attack modeling takes the attacker's perspective to show how an attacker would exploit vulnerabilities to compromise a system. It involves identifying vulnerabilities, rewards for attacks, and ways to exploit vulnerabilities. While threat modeling is important for protection, attack modeling helps understand attacks more fully to improve security.

Embed presentation

Downloaded 68 times
AppCrypto Team 12/8/2015
What is the difference between threat modeling and attack modeling in software system?
Let’s first try to understand the difference between a threat and an attack? guru
guru A threat is the possibility of something bad happening. An example threat: sensitive customer data getting exposed to unauthorized parties. In other words, a potential violation of security. A personal life example: there is a possibility that your car get hijacked.
guru An attack is any action that exploit a vulnerability to realize a threat. There won’t be any attacks without a threat. Example attack: Exploiting SQL injection vulnerability to access sensitive customer data stored in the database. If there is nothing to gain, then there is nothing to attack. In other words, an event that results in a security violation. A personal life example: Use a fake key to hijack the car (fake key works because of a vulnerability).
Attacks Active Attacks Passive Attacks They do not alter resources while trying to learn information. E.g. wiretapping, port scanning They alter resources. E.g. spoofing, DoS attacks, buffer overflows guru There are two types of attacks based on the intention of the attacker.
Attacks Outside Attacks Inside Attacks Attacks initiate within the security perimeter by an authorized user. E.g. Insider attacks (A privileged DBA copying customer information.) Attacks initiates from the outside of security perimeter by an unauthorized user. E.g. An attacker performing a SQL injection attack via a vulnerable app. guru Also, there are two types of attacks based on the origin of the attacker.
Now that we have a good grip on a threat vs. an attack, Let’s go back to our original question: threat modeling vs. attack modeling? guru
guru Threat modeling is thinking ahead of time what could go wrong and acting accordingly. Threat modeling is done from the defender’s perspective. In formal terms, threat modeling is the process of identifying your system (assets), potential threats against your system. Defender Attacker Asset
Identify your system Threat Modeling is a process… System Architecture Entities Processes Data Data Flows Identify the threats Eg: STRIDE framework Spoofing Tampering Repudiation Information disclosureDoS Elevation of privileges Identify how the threats could be realized Quantify Risks associated with the threats Come up with mitigation techniques Eg: DREAD classification Eg: Attack Trees
Identify your system Identify the threats Identify how the threats could be realized Quantify Risks associated with the threats Come up with mitigation techniques Three tier e-commerce web site (browser, app server, database) User authentication credentials get disclosed. Wiretapping the connection between browser and app server. High risk Always use TLS between browser and app server. Let’s look at an example…
Now we understand what threat modeling is. Let’s get our hands on attack modeling and identify how it is different from threat modeling? guru
guru Attack modeling is thinking how the system can be broken by exploiting vulnerabilities. Attack modeling is done from the attacker’s perspective. In other words, it shows how an attacker would go about breaking the system exploiting vulnerabilities.
Identify the system to be attacked Attack Modeling is also a process… Identify vulnerabilities Quantify the rewards of the attack Learn about the system by playing with it and going through documentation. E.g.: old version x of a database Study publicly available vulnerability database. E.g. identify a vulnerability in an unpatched version of database x that allows to escalate privileges. E.g. use the escalated privilege to infiltrate sensitive customer data. Come up with ways to exploit the vulnerabilities E.g. gain access to the database x as a regular user and escalate privilege exploiting the vulnerability. As a defender, you will be looking into counter measurements. E.g. Patch the database x.
As an architect/designer/developer/tester, you will most likely be using threat modeling to protect your system. However, it is important to think from the point of view of attackers in order truly protect your system. guru

More Related Content

PDF
Threat Modelling
byn|u - The Open Security Community
 
PDF
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
byEdureka!
 
PPTX
Threat modelling with_sample_application
byUmut IŞIK
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
PDF
Real World Application Threat Modelling By Example
byNCC Group
 
PDF
Application Threat Modeling
byPriyanka Aash
 
PPTX
Threat Hunting - Moving from the ad hoc to the formal
byPriyanka Aash
 
PDF
Threat Modeling Everything
byAnne Oikarinen
 
Threat Modelling
byn|u - The Open Security Community
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
byEdureka!
 
Threat modelling with_sample_application
byUmut IŞIK
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Real World Application Threat Modelling By Example
byNCC Group
 
Application Threat Modeling
byPriyanka Aash
 
Threat Hunting - Moving from the ad hoc to the formal
byPriyanka Aash
 
Threat Modeling Everything
byAnne Oikarinen
 

What's hot

PPTX
Threat Modeling And Analysis
byLalit Kale
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PPSX
Introduction to threat_modeling
byPrabath Siriwardena
 
PDF
Threat Intelligence Workshop
byPriyanka Aash
 
PDF
Introduction to MITRE ATT&CK
byArpan Raval
 
PPTX
Web application vulnerability assessment
byRavikumar Paghdal
 
PPT
Application Threat Modeling
byMarco Morana
 
PDF
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPTX
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
PPTX
7 Steps to Threat Modeling
byDanny Wong
 
PDF
Red Team Framework
by👀 Joe Gray
 
DOCX
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
byFalgun Rathod
 
PPTX
What is Threat Hunting? - Panda Security
byPanda Security
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PDF
Web Application Security
byMarketingArrowECS_CZ
 
PPTX
The Zero Trust Model of Information Security
byTripwire
 
PPTX
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
PPTX
Malware Analysis
byRamin Farajpour Cami
 
PDF
Threat Intelligence & Threat research Sources
byLearningwithRayYT
 
Threat Modeling And Analysis
byLalit Kale
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
Introduction to threat_modeling
byPrabath Siriwardena
 
Threat Intelligence Workshop
byPriyanka Aash
 
Introduction to MITRE ATT&CK
byArpan Raval
 
Web application vulnerability assessment
byRavikumar Paghdal
 
Application Threat Modeling
byMarco Morana
 
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
7 Steps to Threat Modeling
byDanny Wong
 
Red Team Framework
by👀 Joe Gray
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
byFalgun Rathod
 
What is Threat Hunting? - Panda Security
byPanda Security
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
Web Application Security
byMarketingArrowECS_CZ
 
The Zero Trust Model of Information Security
byTripwire
 
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
Malware Analysis
byRamin Farajpour Cami
 
Threat Intelligence & Threat research Sources
byLearningwithRayYT
 

Viewers also liked

PPTX
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
PDF
Sem 004
bySelectedPresentations
 
PPT
Unauthorized access, Men in the Middle (MITM)
byBalvinder Singh
 
PPTX
Lan internetworking devices
byQAU ISLAMABAD,PAKISTAN
 
PPT
Troubleshooting basic networks
byArnold Derrick Kinney
 
PPTX
Types of VPN
byNetProtocol Xpert
 
PPTX
Vulnerability Assessment
byprimeteacher32
 
PPTX
Network sniffers & injection tools
byvishalgohel12195
 
PPT
Computer Networking: Subnetting and IP Addressing
byBisrat Girma
 
PPT
Basic Network Concepts
byAbhishek Singh
 
PPTX
Sql injection
byZidh
 
PDF
Hoover.2016 Texas Bankers CFO Conference
byTerry Hoover CPA, CGMA, CIA
 
PPTX
Http Vs Https .
bysimplyharshad
 
PDF
IP Addressing and Subnetting
bycbtvid
 
PPT
CCNA Advanced Routing Protocols
byDsunte Wilson
 
PPTX
VPN, Its Types,VPN Protocols,Configuration and Benefits
byqaisar17
 
PPT
CCNA Routing Protocols
byDsunte Wilson
 
PPTX
Ppt of routing protocols
byBhagyashri Dhoke
 
PPTX
Subnetting
byswascher
 
PPT
Ip address and subnetting
byIGZ Software house
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
Sem 004
bySelectedPresentations
 
Unauthorized access, Men in the Middle (MITM)
byBalvinder Singh
 
Lan internetworking devices
byQAU ISLAMABAD,PAKISTAN
 
Troubleshooting basic networks
byArnold Derrick Kinney
 
Types of VPN
byNetProtocol Xpert
 
Vulnerability Assessment
byprimeteacher32
 
Network sniffers & injection tools
byvishalgohel12195
 
Computer Networking: Subnetting and IP Addressing
byBisrat Girma
 
Basic Network Concepts
byAbhishek Singh
 
Sql injection
byZidh
 
Hoover.2016 Texas Bankers CFO Conference
byTerry Hoover CPA, CGMA, CIA
 
Http Vs Https .
bysimplyharshad
 
IP Addressing and Subnetting
bycbtvid
 
CCNA Advanced Routing Protocols
byDsunte Wilson
 
VPN, Its Types,VPN Protocols,Configuration and Benefits
byqaisar17
 
CCNA Routing Protocols
byDsunte Wilson
 
Ppt of routing protocols
byBhagyashri Dhoke
 
Subnetting
byswascher
 
Ip address and subnetting
byIGZ Software house
 

Similar to Attack modeling vs threat modelling

PDF
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
PDF
Null bachav
byNaga Venkata Sunil Alamuri
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPTX
Threat modelling
byRajeev Venkata
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PDF
Session2-Application Threat Modeling
byzakieh alizadeh
 
PPTX
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
PPTX
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPTX
Architecting for Security Resilience
byJoel Aleburu
 
PPTX
Secure-Software-Design-Development-lecture-08.pptx
byHammadAli989482
 
PPTX
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
PPTX
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
PPTX
Lecture-10 about language of community.pptx
byMUHAMMADAHMAD173574
 
PPTX
Secure Design: Threat Modeling
byCigital
 
PDF
Application Threat Modeling In Risk Management
byMel Drews
 
PPTX
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
DOCX
Research Paper on STRIDEPresented By.docx
byronak56
 
PPTX
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
PDF
System Security Beyond the Libraries
byEoin Woods
 
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
Null bachav
byNaga Venkata Sunil Alamuri
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Threat modelling
byRajeev Venkata
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Session2-Application Threat Modeling
byzakieh alizadeh
 
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
bykarthikvcyber
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Architecting for Security Resilience
byJoel Aleburu
 
Secure-Software-Design-Development-lecture-08.pptx
byHammadAli989482
 
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
byNorth Texas Chapter of the ISSA
 
Lecture-10 about language of community.pptx
byMUHAMMADAHMAD173574
 
Secure Design: Threat Modeling
byCigital
 
Application Threat Modeling In Risk Management
byMel Drews
 
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
Research Paper on STRIDEPresented By.docx
byronak56
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
System Security Beyond the Libraries
byEoin Woods
 

Recently uploaded

PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
final.pdf
byomarbishtawi04
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 

Attack modeling vs threat modelling

  • 1.
  • 2.
    What is thedifference between threat modeling and attack modeling in software system?
  • 3.
    Let’s first tryto understand the difference between a threat and an attack? guru
  • 4.
    guru A threat isthe possibility of something bad happening. An example threat: sensitive customer data getting exposed to unauthorized parties. In other words, a potential violation of security. A personal life example: there is a possibility that your car get hijacked.
  • 5.
    guru An attack isany action that exploit a vulnerability to realize a threat. There won’t be any attacks without a threat. Example attack: Exploiting SQL injection vulnerability to access sensitive customer data stored in the database. If there is nothing to gain, then there is nothing to attack. In other words, an event that results in a security violation. A personal life example: Use a fake key to hijack the car (fake key works because of a vulnerability).
  • 6.
    Attacks Active Attacks Passive Attacks Theydo not alter resources while trying to learn information. E.g. wiretapping, port scanning They alter resources. E.g. spoofing, DoS attacks, buffer overflows guru There are two types of attacks based on the intention of the attacker.
  • 7.
    Attacks Outside Attacks Inside Attacks Attacksinitiate within the security perimeter by an authorized user. E.g. Insider attacks (A privileged DBA copying customer information.) Attacks initiates from the outside of security perimeter by an unauthorized user. E.g. An attacker performing a SQL injection attack via a vulnerable app. guru Also, there are two types of attacks based on the origin of the attacker.
  • 8.
    Now that wehave a good grip on a threat vs. an attack, Let’s go back to our original question: threat modeling vs. attack modeling? guru
  • 9.
    guru Threat modeling isthinking ahead of time what could go wrong and acting accordingly. Threat modeling is done from the defender’s perspective. In formal terms, threat modeling is the process of identifying your system (assets), potential threats against your system. Defender Attacker Asset
  • 10.
    Identify your system ThreatModeling is a process… System Architecture Entities Processes Data Data Flows Identify the threats Eg: STRIDE framework Spoofing Tampering Repudiation Information disclosureDoS Elevation of privileges Identify how the threats could be realized Quantify Risks associated with the threats Come up with mitigation techniques Eg: DREAD classification Eg: Attack Trees
  • 11.
    Identify your system Identifythe threats Identify how the threats could be realized Quantify Risks associated with the threats Come up with mitigation techniques Three tier e-commerce web site (browser, app server, database) User authentication credentials get disclosed. Wiretapping the connection between browser and app server. High risk Always use TLS between browser and app server. Let’s look at an example…
  • 12.
    Now we understandwhat threat modeling is. Let’s get our hands on attack modeling and identify how it is different from threat modeling? guru
  • 13.
    guru Attack modeling isthinking how the system can be broken by exploiting vulnerabilities. Attack modeling is done from the attacker’s perspective. In other words, it shows how an attacker would go about breaking the system exploiting vulnerabilities.
  • 14.
    Identify the systemto be attacked Attack Modeling is also a process… Identify vulnerabilities Quantify the rewards of the attack Learn about the system by playing with it and going through documentation. E.g.: old version x of a database Study publicly available vulnerability database. E.g. identify a vulnerability in an unpatched version of database x that allows to escalate privileges. E.g. use the escalated privilege to infiltrate sensitive customer data. Come up with ways to exploit the vulnerabilities E.g. gain access to the database x as a regular user and escalate privilege exploiting the vulnerability. As a defender, you will be looking into counter measurements. E.g. Patch the database x.
  • 15.
    As an architect/designer/developer/tester,you will most likely be using threat modeling to protect your system. However, it is important to think from the point of view of attackers in order truly protect your system. guru