Threat Modeling Process

The three types of cyber threat modeling, meant to counter the malicious actor threat, are asset-based, software-based, and attacker-based (Hardy, 2012). All are underpinned by continuous monitoring [1] for situational awareness.

Asset-based modeling builds an understanding of how vulnerable an asset is to the threat by continuously monitoring the asset itself, e.g., a system file configuration. Software-based modeling is likewise a vulnerability analysis, based on scanning software applications. Attacker-based threat modeling attempts to understand the mind and motivation of attackers and to work out how they might attack.
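The asset-based approach above, with continuous monitoring on a system file configuration, can be illustrated with a small file-integrity monitor. The following is an added example, not code from the page or from the cited sources: it fingerprints a baseline snapshot of configuration files (content hash plus mode), compares a later observation against it, and reports every change. The file contents, paths and modes are constructed sample data, and the `fingerprint`, `compare` and `monitor_once` names are this example's own.

```python
import hashlib
from typing import Dict, List, Tuple

# A snapshot maps path -> (file content, POSIX mode). Constructed sample data:
# the baseline is the asset as it looked when last known-good.
BASELINE_FILES: Dict[str, Tuple[str, int]] = {
    "/etc/ssh/sshd_config": ("PermitRootLogin no\nPasswordAuthentication no\n", 0o600),
    "/etc/sudoers": ("root ALL=(ALL) ALL\n", 0o440),
    "/etc/crontab": ("0 3 * * * root /usr/local/bin/backup\n", 0o644),
}

# Constructed "current" state of the same asset, as a later monitoring pass
# would observe it: one setting changed, one mode loosened, one file added.
CURRENT_FILES: Dict[str, Tuple[str, int]] = {
    "/etc/ssh/sshd_config": ("PermitRootLogin yes\nPasswordAuthentication no\n", 0o600),
    "/etc/sudoers": ("root ALL=(ALL) ALL\n", 0o444),
    "/etc/crontab": ("0 3 * * * root /usr/local/bin/backup\n", 0o644),
    "/etc/ld.so.preload": ("/tmp/unexpected.so\n", 0o644),
}


def fingerprint(files: Dict[str, Tuple[str, int]]) -> Dict[str, Tuple[str, int]]:
    """Reduce each file to (sha256 of content, mode); the monitor stores only this."""
    return {
        path: (hashlib.sha256(content.encode()).hexdigest(), mode)
        for path, (content, mode) in files.items()
    }


def compare(baseline: Dict[str, Tuple[str, int]],
            current: Dict[str, Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Return (path, change_kind) pairs describing drift from the baseline.

    change_kind is one of "added", "removed", "content", "mode". A file whose
    content and mode both changed yields two findings.
    """
    findings: List[Tuple[str, str]] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "added"))
        elif path not in current:
            findings.append((path, "removed"))
        else:
            base_hash, base_mode = baseline[path]
            cur_hash, cur_mode = current[path]
            if base_hash != cur_hash:
                findings.append((path, "content"))
            if base_mode != cur_mode:
                findings.append((path, "mode"))
    return findings


def monitor_once(baseline_files: Dict[str, Tuple[str, int]],
                 current_files: Dict[str, Tuple[str, int]]) -> List[Tuple[str, str]]:
    """One monitoring pass: fingerprint both snapshots and diff them."""
    return compare(fingerprint(baseline_files), fingerprint(current_files))


if __name__ == "__main__":
    for path, kind in monitor_once(BASELINE_FILES, CURRENT_FILES):
        print(f"{kind:8s} {path}")
```

In a real deployment the baseline fingerprints would be taken from a trusted build and stored off-host, and the current snapshot would be read from the filesystem on a schedule; the comparison logic is the same. Each finding is a measured effect of a change on the asset, which is the input the attacker-based scenarios need.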

Attacker-based threat modeling attempts to get ahead of an attacker by predicting the attacker's behavior from presumed goals and methods and from known or presumed means. This "predictive analysis" applies statistical models and decision tools to current and historical data. After generating threat action scenarios, cyber defenders can block or disrupt the predicted actions by adjusting information system controls.

The SANS Institute, an organization concerned with security training, certification and information security research, has produced resources on threat modeling. Besides SANS, the MITRE Corporation has made significant advances in attack modeling with its Common Attack Pattern Enumeration and Classification (CAPEC) [2] taxonomy and the newer Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) [3] framework.

SANS and MITRE have devised concepts, methods, and tools for attacker-based threat modeling. In combination with asset-based and software-based methods, threat modeling provides opportunities to defend information systems by disrupting and defeating malicious actions, mitigating risk, and thereby sustaining operations.

References

Hardy, G. M. (2012, October). Beyond continuous monitoring: Threat modeling for real-time response. https://www.sans.org/reading-room/whitepapers/analyst/continuous-monitoring-threat-modeling-real-time-response-35185

MITRE. (n.d.). Common attack pattern enumeration and classification. https://capec.mitre.org/

MITRE ATT&CK. (n.d.). Adversarial tactics, techniques, & common knowledge. https://attack.mitre.org/wiki/Main_Page

[1] CM (continuous monitoring), in this case, measures the effects of changes in the information system caused by threat activities.
[2] See CAPEC at https://capec.mitre.org/
[3] ATT&CK is described at https://attack.mitre.org/wiki/Main_Page