
1. *Systematic approach to identifying, prioritizing, and addressing potential security threats*
1.1. Threat: potential occurrence or actor w/ capacity to compromise CIA
1.2. Vuln: weakness/flaw in an app, process, or system that is exploitable
1.3. Risk: possibility of compromise from a threat exploiting a vulnerability
2. [Process]
2.1. Define scope
2.1.1. Understand org's risk tolerance and security objectives
2.2. Identify Assets
2.3. Identify Threats
2.4. Analyze Vulnerabilities in Assets
2.5. Prioritize Risks
2.6. Implement Mitigation Plans
2.7. Monitor & Evaluate
3. {Essential Stakeholders}
3.1. SecOps Team
3.2. Dev Team
3.3. Ops and IT
3.4. GRC Team
3.5. Business Units (Product)
3.6. End Users
4. ./Attack Tree
4.1. Root Node: All Threats
4.2. First-level: High-level threat actor strategies
4.3. Second-level: Generic implementations of strategies for a vector
4.4. Third-level: Specific procedures and targets
4.5. N-th level: Substeps for each parent
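The tree levels in section 4, as a small data structure. This is an added example, not part of the original notes: the node labels are constructed, generic placeholders, and the `mitigated` flag is an assumed field used to record that a control already covers a step, so the defender can list which root-to-leaf scenarios are still open.

```python
"""Attack tree following the outline's levels:
root (all threats) -> strategies -> generic implementations -> specific procedures.

Added example, not from the original notes. Labels are constructed placeholders;
`mitigated` is an assumed field meaning "a control already covers this step".
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    mitigated: bool = False            # assumed: a control covers this step
    children: list = field(default_factory=list)

    def add(self, *kids):
        self.children.extend(kids)
        return self


def build_tree():
    """Constructed sample tree; children of a node are alternative (OR) ways to reach it."""
    root = Node("All threats")
    strategy = Node("Gain access to customer records")          # first level
    via_creds = Node("Compromise a user credential")            # second level
    via_app = Node("Exploit a flaw in the web application")     # second level
    via_creds.add(                                              # third level
        Node("Phishing of staff", mitigated=True),
        Node("Credential stuffing against the login form"),
    )
    via_app.add(
        Node("Injection in the search endpoint", mitigated=True),
        Node("Missing authorization check on an admin endpoint"),
    )
    strategy.add(via_creds, via_app)
    root.add(strategy)
    return root


def leaf_paths(node, prefix=()):
    """Every root-to-leaf path; each one is a complete attack scenario."""
    path = prefix + (node.name,)
    if not node.children:
        return [path]
    paths = []
    for child in node.children:
        paths.extend(leaf_paths(child, path))
    return paths


def open_paths(node, prefix=(), blocked=False):
    """Root-to-leaf paths with no mitigated step, i.e. scenarios still open.
    A mitigated node blocks every path that passes through it."""
    blocked = blocked or node.mitigated
    path = prefix + (node.name,)
    if not node.children:
        return [] if blocked else [path]
    paths = []
    for child in node.children:
        paths.extend(open_paths(child, path, blocked))
    return paths


def depth(node):
    """Number of levels below the root (0 for a root with no children)."""
    return 0 if not node.children else 1 + max(depth(c) for c in node.children)


if __name__ == "__main__":
    tree = build_tree()
    print("levels below root:", depth(tree))
    for p in open_paths(tree):
        print("OPEN:", " -> ".join(p))
```

Running the block lists the two scenarios that no control blocks yet; marking a second-level node as mitigated would close every leaf beneath it, which is the reason to place controls as high in the tree as the architecture allows.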
5. {Frameworks}
5.1. MITRE ATT&CK
5.1.1. Elaborates Adversarial Tactics
5.1.2. Describes attacker methods for reaching objectives
5.1.3. Provides detection and mitigation strategies
5.1.4. Map org's identified threats to tactics and techniques
5.1.4.1. Identify potential attack paths
5.1.4.2. Simulate threat scenarios
5.1.4.3. Align with vuln remediation prioritization
5.2. DREAD
5.2.1. D.R.E.A.D.
5.2.1.1. Discoverability
5.2.1.2. Affected Users
5.2.1.3. Exploitability
5.2.1.4. Reproducibility
5.2.1.5. Damage
5.2.2. ./Use
5.2.2.1. Rate vulns based on each DREAD category
5.2.2.1.1. Average category for final rating of vuln
5.2.2.2. Improve accuracy with open discussion and justification
5.2.2.3. X-reference w/ other frameworks
5.3. STRIDE
5.3.1. S.T.R.I.D.E.
5.3.1.1. Spoofing
5.3.1.2. Tampering
5.3.1.3. Repudiation
5.3.1.4. Information Disclosure
5.3.1.5. Denial of Service
5.3.1.6. Elevation of Privilege
5.3.2. ./Use
5.3.2.1. Reduce systems to components: architectures, trust boundaries, attack surfaces
5.3.2.2. Analyze potential of each category per component
5.3.2.3. Evaluate impact and likelihood of each risk
5.3.2.4. Create compensating security controls for each risk
5.3.2.5. Test effectiveness and report
5.3.2.6. Feedback results and takeaways
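A worked version of the DREAD use (5.2.2: rate each category, average for the final rating, rank) and the per-component STRIDE analysis (5.3.2.2), in one script. This is an added example and not part of the original notes: the four findings, their component names and their ratings are constructed sample data, and the 1 to 10 rating scale and the field names are assumptions made for this example.

```python
"""STRIDE-tagged findings scored with DREAD and ranked.

Added example, not from the original notes. Findings, components and ratings
are constructed; the 1..10 scale and field names are assumptions.
"""
from dataclasses import dataclass
from statistics import mean

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
# DREAD categories in the order the outline lists them
DREAD = ("discoverability", "affected_users", "exploitability",
         "reproducibility", "damage")


@dataclass(frozen=True)
class Finding:
    component: str
    stride: str            # one STRIDE letter
    description: str
    discoverability: int   # each DREAD rating 1 (low) .. 10 (high), assumed scale
    affected_users: int
    exploitability: int
    reproducibility: int
    damage: int

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in DREAD:
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be 1..10 for {self.description!r}")


def dread_score(f):
    """Final rating: the plain average of the five category ratings (5.2.2.1.1)."""
    return mean(getattr(f, name) for name in DREAD)


def prioritize(findings):
    """Highest DREAD score first; ties keep input order because sorted() is stable."""
    return sorted(findings, key=dread_score, reverse=True)


def stride_gaps(components, findings):
    """For each component, the STRIDE letters with no recorded finding.

    A gap is not evidence of safety; it is a prompt to check whether that
    category was actually considered for the component (5.3.2.2).
    """
    seen = {c: set() for c in components}
    for f in findings:
        seen.setdefault(f.component, set()).add(f.stride)
    return {c: "".join(sorted(set(STRIDE) - seen[c])) for c in components}


# Constructed sample findings (no real system behind them)
SAMPLE = [
    Finding("login form", "S", "no lockout or rate limit on failed logins", 9, 8, 7, 8, 6),
    Finding("audit log", "R", "app service account can delete log entries", 4, 3, 4, 9, 5),
    Finding("admin API", "E", "role check missing on one endpoint", 6, 5, 6, 9, 9),
    Finding("report export", "I", "export includes other tenants' rows", 5, 7, 6, 10, 8),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{dread_score(f):4.1f}  {STRIDE[f.stride]:<22} {f.component}: {f.description}")
    for comp, gaps in stride_gaps([f.component for f in SAMPLE], SAMPLE).items():
        print(f"{comp}: not yet assessed for {gaps}")
```

The averaging is deliberately the simple form the outline gives; the value of the exercise comes from the justification recorded for each rating (5.2.2.2), which is why the validation rejects ratings outside the agreed scale rather than silently clamping them.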
5.4. PASTA
5.4.1. Define objectives
5.4.2. Define the Technical Scope
5.4.2.1. Asset Inventory
5.4.2.2. Outline System Architecture
5.4.2.3. Understand Dependencies and Data Flows
5.4.3. Decompose the Application
5.4.3.1. Reduce system to components
5.4.4. Analyse the Threats
5.4.4.1. Consider various threat sources, frameworks, and attack libraries
5.4.5. Vulnerabilities and Weakness Analysis
5.4.5.1. Perform discovery for misconfigs, bugs, unpatched systems
5.4.6. Analyze the Attacks
5.4.6.1. Evaluate likelihood and impact -> prioritize risks
5.4.7. Risk and Impact Analysis
5.4.7.1. Implement mitigating security controls