Skip to main content
Settings
Search
Appearance
Theme Mode
About
Jekyll v3.10.0
Environment Production
Last Build
2026-07-02 18:51 UTC
Current Environment Production
Build Time Jul 02, 18:51
Jekyll v3.10.0
Build env (JEKYLL_ENV) production
Page Location
Page Info
Layout quest
Collection quests
Path _quests/1011/threat-modeling.md
URL /quests/1011/threat-modeling/
Date 2025-11-29
Theme Skin
SVG Backgrounds
Layer Opacity
0.6
0.04
0.08

Threat Modeling: STRIDE Framework and Attack Trees Analysis

Master threat modeling with STRIDE, data-flow diagrams, trust boundaries, and attack trees to find security flaws systematically before attackers do.

🔥 Lvl 1011Warrior 🏰 Main Quest 🔴 Hard 90-120 minutes

Threat Modeling: STRIDE Framework and Attack Trees Analysis

Find security threats systematically using STRIDE, data-flow diagrams, trust boundaries, and attack trees

Primary Tech
🛠️ security
Skill Focus
Security
Series
Security Mastery
Author
IT-Journey Team
XP Range
⚡ 5250-6000

Greetings, brave adventurer! A wise defender never waits for the siege to discover where the walls are weak. In this quest, Threat Modeling, you learn the cartographer’s art: to draw your system as it truly is, mark every gate and trust boundary, and ask of each one - “How would I, the attacker, break in here?” You will wield STRIDE, the six-fold lens of threats, and the branching logic of attack trees.

Threat modeling is the cheapest security work you will ever do, because it happens on paper, before the code is written. A flaw found in a diagram costs a meeting; the same flaw found in production costs a breach.

📖 The Legend Behind This Quest

Long ago, the architects of Microsoft’s great codebases faced an impossible question: how do you secure a system too large for any one mind to hold? Their answer was STRIDE - a checklist of six threat categories applied methodically to every part of a design. Where intuition missed flaws, the method caught them. Today STRIDE, data-flow diagrams, and attack trees remain the backbone of how serious teams reason about security before disaster strikes.

🎯 Quest Objectives

By the time you complete this journey, you will have mastered:

Primary Objectives (Required for Quest Completion)

  • Data-Flow Diagrams (DFDs) - Draw your system’s processes, data stores, and flows
  • Trust Boundaries - Mark where data crosses from less-trusted to more-trusted zones
  • STRIDE Enumeration - Apply the six threat categories to every element of the design
  • Attack Trees - Decompose an attacker’s goal into concrete, rankable steps

Secondary Objectives (Bonus Achievements)

  • Risk Ranking - Prioritize threats using likelihood and impact (e.g., DREAD-style scoring)
  • Mitigation Mapping - Pair each significant threat with a control
  • Living Threat Models - Keep the model current as the design evolves

Mastery Indicators

You’ll know you’ve truly mastered this quest when you can:

  • Map each STRIDE letter to the security property it violates
  • Place trust boundaries correctly on a DFD
  • Build an attack tree for a goal and identify its cheapest leaf
  • Hand a developer a prioritized list of threats and mitigations

🗺️ Quest Prerequisites

📋 Knowledge Requirements

  • Completion of Security Fundamentals (recommended)
  • Ability to describe how a system’s components talk to each other
  • Familiarity with the CIA triad

🛠️ System Requirements

  • Modern operating system (Windows 10+, macOS 10.14+, or Linux)
  • A diagramming tool, or pen and paper (Mermaid examples render on GitHub)
  • A text editor or IDE (VS Code recommended)

🧠 Skill Level Indicators

This 🔴 Hard quest expects:

  • You can reason about system architecture and component interactions
  • You are ready to adopt the attacker’s perspective
  • Ready for 90-120 minutes of focused analysis

🌍 Choose Your Adventure Platform

Threat modeling is mostly thinking and drawing. Set up a diagramming workflow you enjoy.

🍎 macOS Kingdom Path

Click to expand macOS instructions ```bash # Use VS Code with a Mermaid preview extension to diagram in plain text brew install --cask visual-studio-code code --install-extension bierner.markdown-mermaid # Optionally try the Microsoft Threat Modeling Tool in a Windows VM, # or the cross-platform OWASP Threat Dragon (web/desktop). ```

🪟 Windows Empire Path

Click to expand Windows instructions ```powershell # The Microsoft Threat Modeling Tool is free and STRIDE-native on Windows winget install Microsoft.ThreatModelingTool # Or use VS Code + Mermaid like every other platform winget install Microsoft.VisualStudioCode ```

🐧 Linux Territory Path

Click to expand Linux instructions ```bash # OWASP Threat Dragon runs as a desktop app or in the browser # Install VS Code for text-based Mermaid diagrams sudo snap install code --classic code --install-extension bierner.markdown-mermaid ```

☁️ Cloud Realms Path

Click to expand Cloud/Container instructions ```bash # OWASP Threat Dragon has a hosted web version — no install needed. # Open https://www.threatdragon.com/ in any browser and start a model. echo "Open https://www.threatdragon.com/ to model in the cloud" ```

🧙‍♂️ Chapter 1: Map the Terrain - Data-Flow Diagrams and Trust Boundaries

You cannot defend what you cannot see. The first act of threat modeling is to draw the system as a data-flow diagram: the processes that act, the data stores that hold, the external entities that interact, and the flows between them.

⚔️ Skills You’ll Forge in This Chapter

  • The four DFD element types
  • Where and why to place trust boundaries

🏗️ The Four Elements of a DFD

  • External entity (a user, a third-party API) - outside your control
  • Process (a service, a function) - transforms data
  • Data store (a database, a file, a cache) - holds data
  • Data flow (an arrow) - moves data between the above

A trust boundary is a line the data crosses where the level of trust changes - for example, between the public internet and your application, or between your app and the database. Threats cluster on these boundaries.

graph LR
    User([User / Browser]) -->|HTTPS request| Web[Web App Process]
    Web -->|SQL query| DB[(User Database)]
    Web -->|API call| Pay([Payment Provider])

    subgraph Internet [Untrusted: Internet]
        User
        Pay
    end
    subgraph DMZ [Semi-trusted: App Tier]
        Web
    end
    subgraph Internal [Trusted: Data Tier]
        DB
    end

The two boundaries here - Internet→App and App→Data - are exactly where you will hunt for threats in the next chapter.

🔍 Knowledge Check: DFDs

  • Name the four DFD element types
  • What changes when data crosses a trust boundary?
  • Why is the payment provider an external entity rather than a process?

🧙‍♂️ Chapter 2: STRIDE - The Six-Fold Lens

STRIDE is a mnemonic for six categories of threat. Apply each one to every element and flow in your DFD, and you systematically surface the threats intuition would miss.

⚔️ Skills You’ll Forge in This Chapter

  • The meaning of each STRIDE letter
  • Mapping threats to the security property they violate

🏗️ The Six Categories

Letter Threat Violates Example Mitigation
S Spoofing Authentication Pretending to be another user Strong auth, MFA
T Tampering Integrity Modifying data in transit or at rest Hashing, signatures, input validation
R Repudiation Non-repudiation Denying an action was performed Audit logs, signed records
I Information Disclosure Confidentiality Leaking data Encryption, access control
D Denial of Service Availability Exhausting resources Rate limiting, redundancy
E Elevation of Privilege Authorization Gaining unauthorized rights Least privilege, authorization checks

Walk the diagram element by element. For the Web App → User Database flow above, STRIDE prompts you to ask:

Spoofing:               Can someone forge the app's identity to the DB?      -> mutual TLS / credentials
Tampering:              Can the query or response be altered?                 -> TLS, parameterized queries
Repudiation:            Are sensitive DB writes logged?                       -> audit table
Information Disclosure: Is the connection and data at rest encrypted?         -> TLS + encryption at rest
Denial of Service:      Can a flood of queries exhaust the DB?               -> connection pooling, rate limits
Elevation of Privilege: Does the app login have more rights than it needs?    -> least-privilege grants

This single flow already yielded six concrete questions - and several real mitigations.

🔍 Knowledge Check: STRIDE

  • Which STRIDE category violates authorization?
  • Match Tampering and Information Disclosure to their CIA pillars
  • Why is repudiation about logging more than prevention?

🧙‍♂️ Chapter 3: Attack Trees and Prioritization

Where STRIDE is breadth, an attack tree is depth. You start from a single attacker goal at the root and branch downward into the steps required to achieve it, until you reach concrete leaves you can defend.

⚔️ Skills You’ll Forge in This Chapter

  • Decomposing a goal into AND/OR sub-goals
  • Finding the cheapest path for an attacker
  • Ranking threats by likelihood and impact

🏗️ A Simple Attack Tree

GOAL: Read another user's private messages
├── OR: Steal their session
│   ├── XSS to exfiltrate the session cookie        (mitigated by: HttpOnly + CSP)
│   └── Network sniffing on an open Wi-Fi           (mitigated by: TLS everywhere)
├── OR: Bypass access control
│   └── Change the user_id in the API URL (IDOR)    (mitigated by: server-side authz check)
└── OR: Compromise the database directly
    ├── SQL injection                               (mitigated by: parameterized queries)
    └── Stolen DB credentials from a leaked .env    (mitigated by: secrets manager + rotation)

OR-nodes mean any one child suffices; AND-nodes mean all children are required. The attacker takes the cheapest viable leaf - so you defend the cheapest leaves first.

🏗️ Prioritize What to Fix

Rank each threat by likelihood × impact. A lightweight scoring model such as DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) works, but even a simple High/Medium/Low matrix beats fixing things at random:

Threat                         Likelihood   Impact   Priority
IDOR on messages API           High         High     P0 — fix first
SQL injection                  Medium       High     P1
Session theft via open Wi-Fi   Low          High     P2
DoS via query flood            Low          Medium   P3

🔍 Knowledge Check: Attack Trees

  • What is the difference between an AND-node and an OR-node?
  • Why fix the cheapest attacker leaf first?
  • How does likelihood × impact change your fix order?

🎮 Mastery Challenges

🟢 Novice Challenge: Draw a DFD

Objective: Pick a small app you know and draw its data-flow diagram with at least two trust boundaries.

Requirements:

  • All four element types appear
  • At least two trust boundaries are marked
  • Every flow has a direction

Validation: A peer can identify the boundaries without your explanation.

🟡 Intermediate Challenge: Run STRIDE

Objective: For one flow that crosses a trust boundary, enumerate threats across all six STRIDE categories.

Requirements:

  • One concrete threat per applicable STRIDE letter
  • A proposed mitigation for each
  • Note any categories that do not apply and why

Validation: Each threat ties to a CIA/AAA property.

🔴 Advanced Challenge: Build and Rank an Attack Tree

Objective: Choose an attacker goal for your app, build an attack tree, and produce a prioritized fix list.

Requirements:

  • Root goal with at least two OR-branches
  • Concrete leaves with mitigations
  • A priority table using likelihood × impact

Validation: Your P0 item is genuinely the cheapest, highest-impact path.

🏆 Quest Rewards & Achievements

🎖️ Badges Earned:

  • 🏆 Cartographer of Threats - You mapped a system’s full attack surface
  • 🛡️ Seer of Weakness - You predicted attacks before they happened

🛠️ Skills Unlocked:

  • STRIDE Threat Enumeration - Systematic, repeatable threat discovery
  • Attack Tree Construction - Goal-driven adversarial analysis

🔓 Unlocked Quests:

  • Penetration Testing - Prove your threat model by attacking the system
  • Compliance Standards - Use the model as audit evidence of risk assessment

📊 Progression Points: +90 XP

🗺️ Next Steps in Your Journey

Continue the Main Story:

Explore Side Adventures:

Character Class Recommendations

💻 Software Developer: Continue to Secure Coding Practices
🏗️ System Engineer: Explore Penetration Testing
🛡️ Security Specialist: Advance to Compliance Standards

📚 Resources

Official Documentation

Community Resources

Learning Materials

🤝 Quest Completion Checklist

  • ✅ Completed all primary objectives
  • ✅ Produced a STRIDE threat model for a real system
  • ✅ Answered all knowledge check questions
  • ✅ Completed at least one mastery challenge
  • ✅ Explored the resource library
  • ✅ Identified your next quest in the journey

🕸️ Knowledge Graph

Structured wiki-links connect this quest to the IT-Journey knowledge graph. Open the Obsidian Graph View to explore connections.

Level hub: [[Level 1011 - Security & Compliance]] Overworld: [[🏰 Overworld - Master Quest Map]] Prerequisites: [[Security Fundamentals: CIA Triad and Defense in Depth Strategies]] Unlocks: [[Penetration Testing: Tools and Ethical Hacking Methodologies]] Related quests: [[Secure Coding Practices: OWASP Top 10 Vulnerability Prevention]] Obsidian docs: [[Obsidian Knowledge Graph and Wiki Links]]

🎁 Rewards

90 XP

Badges

  • 🏆 Cartographer of Threats - Mapped a system's attack surface with STRIDE
  • 🛡️ Seer of Weakness - Predicted attacks before they happened

Skills unlocked

  • 🛠️ STRIDE Threat Enumeration
  • 🌳 Attack Tree Construction

Features unlocked

  • Ability to threat model a design before a single line of code ships

🕸️ Quest Network

Loading quest graph…

Click a node to open the quest · ⌘/Ctrl-click for a new tab · drag to reposition · scroll to zoom.