Zum Light-Mode wechseln Zum Dark-Mode wechseln
EN | DE
Suche Suche Suche Suche

Threat-modeling

HomeBlogThreat-modeling
05.05.2025
Cyber Security

Protection against hacker attacks and criminal activities is one of the key challenges in the development of future systems. The use of optimal protective measures enables potential illegal intrusions into systems to be identified at an early stage and protects them from harmful actions.

1.1. Definition

Threat modeling is a structured approach used in cybersecurity. Security mechanisms include identifying, evaluating, prioritizing, and eliminating potential security threats to a system or application. Threat modeling helps develop secure systems by implementing effective countermeasures at an early stage. Threat analysis is now common in all industries, including the automotive and medical industries, with a focus on information security, enterprise risk management, and data security.

1.2. Motivation

Threat modeling is used for:

  • Early identification of vulnerabilities: Through continuous analysis, security gaps can be identified and remedied during the planning phase before they become embedded in the system.
  • Cost and time efficiency: Addressing security issues and risks early in the development phase is much more cost-effective than making corrections after the system has been deployed. Early threat modeling minimizes extensive rework and saves time and resources.
  • Improved security requirements: Understanding potential threats helps define and implement clear security requirements.
  • Resource efficiency: By prioritizing risks, companies can allocate their resources in a targeted manner and focus on the most critical threats.
  • Improved communication and collaboration: Threat modeling is a proactive approach to software development and promotes a culture of security awareness among developers, testers, and other stakeholders.

2. Scope and objectives

2.1. Scope

First, it must be determined what is to be protected (e.g., data, applications, networks). This is the system to be secured. Then, potential attackers must be identified (e.g., hackers, insiders, competitors). This refers to potential attackers of the system to be secured. It is also very important to identify the possible motivations and objectives of the attackers. For example, hackers could manipulate patient results in order to damage the reputation of a medical device manufacturer. In a bank, hackers could access customer data in order to make illegal cash withdrawals. This defines the impact of potential threats on the system.

2.2. Goals

The objectives are defined. A decision is made as to whether, for example, potential vulnerabilities need to be identified, the security architecture improved, and legal requirements complied with. Defining and setting clear objectives is an important first step in the threat modeling process. The objectives vary depending on specific requirements and context. Possible objectives are:

  • Identification of potential vulnerabilities: The system is analyzed to uncover possible security gaps that could be exploited by attackers.
  • Improving the security architecture: The aim is to optimize the existing architecture to make it more robust against potential threats.
  • Compliance with regulations: Ensuring that the system complies with relevant legal and industry-specific standards.

The definition of these objectives guides the further course of threat modeling and determines which methods and tools are used.

3. Threat modeling tools

Here are some of the most popular tools that support the threat modeling process:

  • Enterprise Architect: A tool that supports cybersecurity assessment by providing threat modeling functionality based on the STRIDE methodology.
  • OWASP Threat Dragon: A tool available as both a web and desktop application for visual threat modeling.
  • Microsoft Threat Modeling Tool: A tool for creating data flow diagrams and identifying threats using STRIDE.
  • IriusRisk: A tool for automated threat modeling and risk assessment.

4. Threat modeling frameworks

There are several established frameworks that support the threat modeling process. Here are the best known:

  • STRIDE: Stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. This model helps to systematically identify different threat categories.
  • DREAD: Stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. This model is used to assess the risk of security threats.
  • PASTA: Stands for Process for Attack Simulation and Threat Analysis. This model is used to identify threats from an attacker's perspective and prioritize them.
  • VAST: Stands for Visual, Agile, and Simple Threat Modeling and is scalable for agile and DevOps environments.

For beginners, STRIDE is often the easiest way to get started in threat modeling because it offers a clear structure and is easy to understand. It helps identify and address potential vulnerabilities early on, resulting in more secure systems.

STRIDE stands for the following categories of threats:

  1. Spoofing: Pretending to be someone else in order to gain access to systems or data.
  2. Tampering: Modification or manipulation of data or code, compromising the integrity of the system.
  3. Repudiation: The ability of users to deny having performed actions without the system being able to prove otherwise.
  4. Information Disclosure: Disclosure of confidential information to unauthorized parties.
  5. Denial of Service: Impairment of the availability of a system or service.
  6. Elevation of Privilege: Obtaining access at a higher level than is permitted.

5. Basic steps in threat modeling

5.1. System description

  • Identify assets: Determine which hardware, software, and data need to be protected (e.g., servers, intellectual property, patents, protected documents).
  • List actors: List all users, administrators, external systems, and attackers who interact with the system.
  • Gather information: The threat model only allows analysis of the relationships between system components, not analysis of the system components themselves. It is crucial to know which ports, connection types, and protocols the system components are connected to and how authentication is regulated.

5.2. Creation of a data flow diagram

Data flow diagrams play a central role in analyzing and documenting the architecture of a system. They provide a visual representation of the data movements within an application or network and illustrate how information flows between different components, users, or external devices.

By creating a detailed data flow diagram, developers and security experts gain valuable insights into the structure and functioning of a system. This enables them to identify critical interfaces where sensitive data is processed or forwarded. By identifying such potential vulnerabilities at an early stage, targeted measures can be taken to secure these points.

A well-structured data flow diagram not only serves as technical documentation, but is also an essential basis for a sound security assessment. It helps to systematically analyze threat scenarios and develop effective security strategies based on them. Particular focus should be placed on areas where unsecured data transfers take place or where external influences could potentially compromise the system.

In addition, a clear and understandable representation of data flows facilitates collaboration between different actors. Developers, security officers, and specialist departments can use the diagram to better understand how data is moved within the system and where additional security measures are required. Regular review and updating of the data flow diagram ensures that it always corresponds to the current system requirements and threat situation.

Example data flow diagram of the system

5.3. Identification of threats

The identification of threats is a crucial step in threat modeling. In order to detect security risks at an early stage, it is necessary to comprehensively analyze the entire system and apply structured methods or proven frameworks. This systematic approach makes it possible to identify potential attack points and vulnerabilities before they can be exploited by attackers.

A proven model for identifying threats is, for example, the STRIDE model described above.

Graphical example of the “elevation of privilege” attack type

Example of a “privilege elevation” attack

5.4. Classification characteristics

For the standard-compliant development of products, e.g., medical devices, classification characteristics must be defined as part of risk management to assess the probability and severity of the threat.

Definition of classification characteristics:

Classification characteristics are specific criteria used to assess the probability of a risk occurring and the potential severity of the impact of that risk. These characteristics enable an objective and traceable assessment of risks and form the basis for prioritizing risk management measures.

Examples of classification characteristics:

  1. Probability:
    • Awareness of the vulnerability: How widespread is knowledge of a specific vulnerability?
    • Motivation of potential attackers: How attractive is the target to potential attackers?
    • Accessibility: How easy is it for attackers to access the system?
    • Availability of exploits: Are there publicly available tools or methods that facilitate exploitation of the vulnerability?
  2. Severity:
    • Impact on health: For example, death, permanent disability, or temporary impairment.
    • Need for medical intervention: Does the incident require medical treatment or hospitalization?
    • Impact on quality of life: For example, permanent pain or limitations.
    • Reduction in life expectancy: Does the risk reduce the patient's expected lifespan?

Process for defining classification characteristics:

  1. Identification of relevant characteristics: Determination of the criteria that are most relevant to the specific risks of the product.
  2. Establishment of assessment scales: Definition of scales or categories for assessing the identified characteristics, for example, numerical values or qualitative descriptions.
  3. Assignment of values: Evaluation of the probability and severity of each identified risk using the defined scales.
  4. Documentation and communication: Careful documentation of the evaluations and communication of the results to all relevant stakeholders.

Regulatory requirements:

According to ISO 14971, the international standard for risk management of medical devices, manufacturers are required to systematically identify, evaluate, and control risks. The standard emphasizes the importance of defining severity classes and establishing criteria for assessing the probability of risks. A structured approach to defining classification characteristics supports compliance with this standard and facilitates the performance of risk analyses.

Conclusion

Careful definition and application of classification criteria for assessing the probability and severity of risks are fundamental steps in the risk management process for medical devices. They help to identify potential hazards at an early stage and implement appropriate risk mitigation measures to ensure the safety and effectiveness of the products.

5.5. Assessing risks and prioritizing countermeasures

Once potential threats have been identified, the next step is to assess the associated risks. This is done by analyzing two key factors: the probability of occurrence and the potential extent of damage (severity). A risk matrix is often used to present these factors in a structured way.

A risk matrix helps to visually capture risks and prioritize them more easily. Threats are classified into categories such as “low,” “medium,” or “high” based on their probability and potential damage. This categorization makes it possible to allocate resources specifically to the most important security measures and address the most urgent vulnerabilities first.

By prioritizing risks, targeted countermeasures can be implemented efficiently. Critical security gaps should be addressed first to minimize potential damage to the system or organization. Various measures can be taken, such as implementing additional security controls, training employees, or introducing monitoring systems for early detection of attacks.

risk matrix

The priority of the countermeasure is determined according to the risk value.

Risk prioritization

5.6. Threat prevention

To ensure the security of a system, it is crucial to mitigate identified threats with appropriate countermeasures. Basic security mechanisms include:

  • Input validation: Checking and cleaning user input to ensure that only expected and secure data is processed. This prevents attacks such as SQL injections or cross-site scripting (XSS).
  • Encryption: Securing the confidentiality of data by converting it into an unreadable format that can only be restored with the appropriate key. Encryption protects data from unauthorized access both during transmission and at rest.
  • Authentication: Verifying the identity of users or systems to ensure that only authorized entities have access to specific resources. Common methods include passwords, biometric data, or two-factor authentication.
  • Authorization: Defining and enforcing access rights based on authenticated identity to ensure that users can only access the resources they are authorized to access.
  • These mechanisms work together to create a robust security net that protects the integrity, confidentiality, and availability of systems and data.

5.7. Best practices

Threat modeling is an essential part of software and system security. To maximize its effectiveness, it should not be viewed as a one-time task, but rather as an ongoing process integrated into the entire development cycle.

Early integration into the development process

The optimal time to create a threat model is as early as possible, ideally during the planning phase of a project. By analyzing potential threats early on, security risks can be identified and appropriate risk mitigation measures implemented at an early stage. This helps avoid costly security issues later on.

Continuous maintenance and adaptation

Threat landscapes are constantly changing, which is why one-time modeling is not sufficient. Regular updates to the threat model ensure that new threats can be identified and addressed. This means that the model should be reviewed and adapted not only during initial development, but also whenever significant changes are made to the system.

Collaboration between different teams

A successful threat model is the result of close collaboration between various stakeholders. Developers, security experts, and specialist departments should continuously exchange information to ensure a comprehensive analysis of potential risks. This interdisciplinary collaboration leads to a more in-depth security assessment and better protective measures.

Regular training and awareness

General security awareness among all responsible parties is one of the most effective lines of defense against cyber threats. Through continuous awareness measures and training, all participants can expand their knowledge of current threats and best practices. This enables actors to identify potential vulnerabilities earlier and respond appropriately.

By following these best practices, you can establish sustainable and effective threat modeling that not only improves system security but also strengthens cybersecurity awareness throughout the organization.

6. Conclusion

Threat modeling is a structured and proactive approach to protecting systems against potential security threats at an early stage. By systematically analyzing vulnerabilities, assessing risks, and prioritizing appropriate countermeasures, security gaps can be identified and remedied during the development phase. This not only improves the security architecture, but also saves time and money in the long term.

The use of established frameworks such as STRIDE, DREAD, PASTA, or VAST, as well as specialized tools (e.g., Microsoft Threat Modeling Tool, OWASP Threat Dragon), supports the efficient implementation of modeling. STRIDE is particularly suitable for beginners, as it provides a clear categorization of the most common threats.

Key elements of the process include describing the system, visualizing it using data flow diagrams, conducting a structured threat analysis, and prioritizing defensive measures based on risk. This is supplemented by defining classification characteristics, which are particularly important in regulated industries such as medical technology, in line with standards such as ISO 14971.

However, threat modeling is not a one-time event, but should be integrated as a continuous process throughout the entire life cycle of a system. This is the only way to ensure that new threats are identified and addressed in a timely manner. Close cooperation between all parties involved and continuous training and awareness-raising on IT security are equally crucial.

Overall, threat modeling plays a key role in making systems more resilient, compliant with the law, and secure in the long term, while also creating a common security foundation within development teams and organizations.