Unit 2
Threat modeling exercise
Read Tarandach and Coles (2020), chapters 2 and 3, which cover STRIDE and DREAD, Attack Trees and Attack libraries. Read Spring et al (2021), which discusses the history and some failings with CVSS. Then create a threat model based on one of the following scenarios:
- A large international airport based in the United States of America.
- A large international bank based in the UK.
- A large nuclear power station in France.
You should use the Threat Modelling Manifesto, the OWASP Threat Modelling Cookbook and the ATT&CK libraries to inform your model design. Be prepared to share and discuss your designs at the seminar session this week.
This analysis evaluates the security of a large international bank based in the UK. The STRIDE methodology allows threats to be systematically identified and categorised, and their impact on each of the bank's relevant systems to be assessed (Microsoft, 2022). The OWASP Risk Rating methodology supplements the analysis with a means of prioritising the threats by severity. Although its scores carry an element of subjectivity, the methodology is robust and weighs a diverse set of likelihood and impact factors, which makes it a good fit for this exercise (OWASP Foundation, no date).
Information assets included in the analysis
This analysis will focus on the following subsystems and associated assets:
- Core IT infrastructure
  - Data servers (staff and customer databases)
  - Employee credentials
  - Workstations
  - ATMs
  - Network equipment
  - Logging and monitoring systems
- Online banking system
  - Customer credentials
  - Web and mobile applications
  - Application servers and APIs
- Transaction processing
  - Transaction gateways
  - Transaction processing systems
  - Keys and certificates
STRIDE-based analysis
Below are the threats for each subsystem, organised by STRIDE category. Ratings are calculated following the OWASP Risk Rating methodology, using the OWASP Risk Rating Calculator by Beagle Security (no date): each threat is scored on likelihood (threat agent and vulnerability factors) and impact (technical and business factors), and the two bands are combined into an overall severity of Low, Medium, High or Critical.
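To make the rating step reproducible, the following is an added worked example of the OWASP Risk Rating calculation in Python. It is not code from the original page nor from the Beagle Security calculator; it implements the published OWASP methodology directly (sixteen factors scored 0 to 9, averaged into likelihood and impact, banded, and looked up in the severity matrix). The factor values given for the data-exfiltration threat are illustrative assumptions chosen for the example, not scores stated anywhere on this page.

```python
"""OWASP Risk Rating Methodology as a worked calculation (added example).

Sixteen factors are each scored 0-9.  Likelihood is the mean of the eight
threat-agent and vulnerability factors; impact is the mean of the four business
impact factors (or the four technical ones when business impact cannot be
estimated).  Each mean is banded LOW (<3), MEDIUM (<6) or HIGH (>=6) and the
pair is looked up in the OWASP severity matrix.
"""

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# SEVERITY[impact_band][likelihood_band], as in the OWASP matrix.
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def band(score: float) -> str:
    """Map a 0-9 average onto the three OWASP bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside 0-9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores: dict, factors: tuple) -> float:
    """Mean of the named factors, refusing missing or out-of-range values."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f}={scores[f]} is outside 0-9")
    return sum(scores[f] for f in factors) / len(factors)


def rate(scores: dict, business_impact: bool = True) -> dict:
    """Likelihood, impact and overall severity for one threat."""
    likelihood = average(scores, THREAT_AGENT + VULNERABILITY)
    impact = average(scores, BUSINESS_IMPACT if business_impact else TECHNICAL_IMPACT)
    lk, im = band(likelihood), band(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_band": lk, "impact_band": im, "severity": SEVERITY[im][lk]}


# Illustrative scoring for "exfiltration of data from the databases" in the
# core IT infrastructure table.  These values are assumptions made for this
# example, not factor scores stated on the page.  On the OWASP scale a higher
# score always means higher risk: intrusion_detection=8 means the activity is
# barely logged, not that detection is strong.
DATA_EXFILTRATION = {
    "skill_level": 6, "motive": 9, "opportunity": 4, "size": 6,
    "ease_of_discovery": 5, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 9, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 9,
    "non_compliance": 7, "privacy_violation": 9,
}

if __name__ == "__main__":
    print(rate(DATA_EXFILTRATION))                          # business impact: Critical
    print(rate(DATA_EXFILTRATION, business_impact=False))   # technical impact: High
```

With these assumed scores the threat rates Critical on business impact but only High on technical impact, which is the choice that drives most of the disagreement between two people rating the same threat; the methodology recommends business impact whenever it can be estimated. The other common error is reading the detection and awareness factors backwards, since every OWASP factor runs from least to most risky.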
Core IT infrastructure
| Category | Action | Rating |
|---|---|---|
| Spoofing | impersonation of employees using stolen credentials | Critical |
| Tampering | modification of records (financial/employee/customer) or configurations | High |
| Repudiation | erasure or modification of access logs | Medium |
| Information disclosure | exfiltration of data from the databases | Critical |
| Denial of service | disruption of network connectivity with the bank or with ATMs | Medium |
| Elevation of privilege | escalation from a regular employee account to an administrator account | High |
Online banking system
| Category | Action | Rating |
|---|---|---|
| Spoofing | phishing, use of stolen customer credentials | High |
| Tampering | injection attacks against the web and mobile application back ends | High |
| Repudiation | lack of attribution of customer actions | High |
| Information disclosure | exposure of personally identifiable information (PII) due to improper access control | Critical |
| Denial of service | attacks overwhelming the servers or gateways, rendering the service unusable | Medium |
| Elevation of privilege | exploiting application or server vulnerabilities to gain elevated access | High |
Transaction processing
| Category | Action | Rating |
|---|---|---|
| Spoofing | transaction orders submitted under a spoofed customer or system identity | High |
| Tampering | alteration of transaction data (amount, beneficiary) in transit or at rest | High |
| Repudiation | lack of audit logs for transactions | High |
| Information disclosure | exposure of transaction details due to weak or misconfigured cryptography | High |
| Denial of service | overloading transaction systems with excessive requests to degrade performance | Critical |
| Elevation of privilege | injection attack on transaction processing software to gain unauthorised control | High |
Recommended mitigations
Authentication & authorization
- Enforce multi-factor authentication for employees and customers
- Monitor authentication and account activity for anomalies
- Enforce authorisation on every resource access, checking the object being accessed and not only the endpoint
- Run customer awareness programmes to reduce successful phishing
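The authorisation point above, and the Critical information disclosure row for the online banking system (PII exposed through improper access control), are easiest to see side by side in code. The following is an added example, not code from the page: a constructed in-memory account store with a lookup that checks only that the caller is logged in (the classic insecure direct object reference) next to one that authorises on the object and fails closed. The account records, user names and the "auditor" role are assumptions made for the example.

```python
"""Object-level authorisation for an account lookup (added example).

Constructed sample data; nothing here comes from a real banking system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset


class Forbidden(Exception):
    """Raised for any access the caller is not entitled to."""


# Constructed sample store: account id -> record containing customer PII.
ACCOUNTS = {
    "acc-1001": {"owner": "alice", "sort_code": "12-34-56", "balance": 1500.00},
    "acc-1002": {"owner": "bob",   "sort_code": "65-43-21", "balance": 42.10},
}


def get_account_vulnerable(session: Session, account_id: str) -> dict:
    """Authenticated but not authorised.

    Any logged-in customer can read any account simply by changing the id in
    the request: the check that should tie the object to the caller is missing.
    """
    if session is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def get_account(session: Session, account_id: str) -> dict:
    """Authorise on the object, not just the endpoint, and fail closed.

    Access is granted only to the account's owner or to a holder of the
    (assumed) "auditor" role.  "Not found" and "not yours" produce the same
    error so a caller cannot enumerate which ids exist.
    """
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    allowed = record is not None and (
        record["owner"] == session.user_id or "auditor" in session.roles
    )
    if not allowed:
        raise Forbidden("account not accessible")
    return record


def try_read(func, session: Session, account_id: str) -> str:
    """Summarise the outcome of a lookup as 'ok:<owner>' or 'forbidden'."""
    try:
        return "ok:" + func(session, account_id)["owner"]
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    bob = Session("bob", frozenset({"customer"}))
    print(try_read(get_account_vulnerable, bob, "acc-1001"))  # bob reads alice's data
    print(try_read(get_account, bob, "acc-1001"))             # forbidden
```

The fix is not a different authentication mechanism; the session is valid in both cases. It is the ownership check on the object, applied inside the data access path rather than at the URL router, and the decision to return the same error for missing and foreign objects.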
Logging
- Log all configuration changes, including who made them
- Implement a log backup policy so that logs survive compromise of the host that produced them
- Store logs in append-only (immutable) storage outside the control of the systems being logged
- Audit logs for integrity so that erasure or modification is detected
- Strengthen logging coverage and correlate logs across systems so that every action can be attributed to an account
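The immutable-log and integrity-audit points above address the repudiation rows in all three tables (erasure or modification of access logs, lack of attribution, missing transaction audit trails). As an added example, not code from the page, the following Python builds a tamper-evident log: every record is sealed with an HMAC that also covers the seal of the previous record, so editing, deleting or reordering any record breaks the chain from that point on. The seal key is assumed to be held only by the log collector, so a compromised workstation cannot re-seal a record it altered; the sample events and the key are constructed for the example.

```python
"""Tamper-evident audit log: a hash chain with an HMAC seal on every record
(added example; constructed data, not real bank logs)."""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # "previous seal" of the very first record


def _seal(key: bytes, prev: str, entry: dict) -> str:
    # Canonical JSON so the same entry always serialises to the same bytes.
    payload = prev + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append(log: list, key: bytes, entry: dict) -> None:
    """Seal an entry over the previous seal and add it to the chain."""
    prev = log[-1]["seal"] if log else GENESIS
    log.append({"prev": prev, "entry": entry, "seal": _seal(key, prev, entry)})


def verify(log: list, key: bytes, expected_head: Optional[str] = None) -> tuple:
    """Walk the chain and return (ok, reason).

    expected_head is the latest seal the collector checkpointed out-of-band.
    Without it a chain that has simply been cut short still verifies, so the
    checkpoint is what catches silent truncation.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev:
            return False, f"chain broken at record {i}: a record was removed or reordered"
        if not hmac.compare_digest(rec["seal"], _seal(key, prev, rec["entry"])):
            return False, f"bad seal at record {i}: entry was modified"
        prev = rec["seal"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch: records were truncated since the last checkpoint"
    return True, "ok"


# --- constructed sample data ------------------------------------------------
KEY = b"collector-only-secret"  # assumption: provisioned to the collector only
EVENTS = [
    {"ts": "2025-10-19T09:00:01Z", "user": "jdoe", "action": "login", "src": "10.1.2.3"},
    {"ts": "2025-10-19T09:05:42Z", "user": "jdoe", "action": "role_change", "target": "admin"},
    {"ts": "2025-10-19T09:06:10Z", "user": "jdoe", "action": "db_export", "table": "customers"},
    {"ts": "2025-10-19T09:07:00Z", "user": "jdoe", "action": "logout"},
]


def build_log() -> tuple:
    """Return the sealed sample log and the head checkpoint the collector keeps."""
    log = []
    for e in EVENTS:
        append(log, KEY, e)
    return log, log[-1]["seal"]


# Two things an insider covering their tracks might try; each returns a copy.
def edit_record(log: list, i: int, field: str, value) -> list:
    out = copy.deepcopy(log)
    out[i]["entry"][field] = value
    return out


def delete_record(log: list, i: int) -> list:
    out = copy.deepcopy(log)
    del out[i]
    return out


if __name__ == "__main__":
    log, head = build_log()
    print(verify(log, KEY, head))
    print(verify(edit_record(log, 1, "target", "auditor"), KEY, head))  # modification
    print(verify(delete_record(log, 1), KEY, head))                     # erasure in the middle
    print(verify(delete_record(log, 3), KEY, head))                     # erasure at the end
    print(verify(delete_record(log, 3), KEY))                           # same, with no checkpoint
```

Two practical points follow from the last two lines. Deleting the most recent records leaves a perfectly consistent chain, so the collector must publish or store the head seal somewhere the logged systems cannot reach (a separate append-only store, a signed checkpoint, or a remote SIEM), and verify against it. And because the HMAC key never leaves the collector, a host that forwards its own events cannot forge a seal even if fully compromised; a shared key on every host would reduce this scheme back to ordinary logging.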
Conclusion
This high-level threat model for an international bank demonstrates how STRIDE can be combined with the OWASP Risk Rating methodology to evaluate the security of an enterprise.
The major risks for the bank stem from information disclosure, which would result in GDPR non-compliance and significant financial and reputational losses, especially for a financial institution. The mitigations therefore emphasise access control and action attribution: preventing unauthorised access, and associating every action performed in the system with a specific account through logs that cannot be silently altered.
References
Beagle Security (no date) OWASP Risk Calculator. Available at: https://beaglesecurity.com/owasp-risk-calculator (Accessed: October 19, 2025).
Microsoft (2022) Threats - Microsoft Threat Modeling Tool - Azure. Available at: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats (Accessed: October 19, 2025).
OWASP Foundation (no date) OWASP Risk Rating Methodology. Available at: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology (Accessed: September 4, 2025).
Tarandach, I. and Coles, M.J. (2020) Threat modeling: a practical guide for development teams. First edition. Sebastopol, CA: O'Reilly. Available at: https://learning.oreilly.com/library/view/threat-modeling/9781492056546/ (Accessed: October 10, 2025).
Threat Modeling Manifesto (no date). Available at: https://www.threatmodelingmanifesto.org/ (Accessed: October 19, 2025).