Task 2: Four Questions and Three Frameworks
1. What is the name of the framework that uses six threat categories including Spoofing and Tampering?

STRIDE
Task 3: The Building Blocks: Assets, Data Flows, and Trust Boundaries
1. What DFD element is represented by a dashed line?
A trust boundary marks a location where the level of trust changes. Data crossing a trust boundary must be validated because attackers often target these transitions.
Trust boundary
2. Which DFD element type is used to represent application logic that transforms or acts on data?
A process represents application logic that receives, transforms, validates, or forwards data. Examples include web applications, API gateways, and authentication services.
Process
Task 4: STRIDE: Systematic Threat Identification
1. Which STRIDE category directly violates the security property of integrity?
Tampering occurs when an attacker modifies data, code, configurations, or communications without authorization. Because integrity ensures that data remains accurate and unchanged, tampering is the STRIDE category that directly violates integrity.
Tampering
2. During your STRIDE analysis of the StratPay Portal, you discover that the application does not log failed authentication attempts. Which STRIDE category does this logging gap fall under?
Repudiation occurs when actions cannot be reliably traced back to a user or system. Without proper logging, attackers may perform actions and later deny responsibility because there is no trustworthy audit trail.
Repudiation
3. According to the DFD-to-STRIDE mapping table, which DFD element type is susceptible to all six STRIDE categories?
A Process represents application logic that receives, transforms, validates, and forwards data. Because it handles authentication, authorization, data processing, and communications, it is vulnerable to all six STRIDE categories.
Process
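The mapping table is easiest to apply mechanically. The following is an added example (not room material) that encodes the standard STRIDE-per-element mapping, builds a small DFD from the elements this page names, and enumerates the applicable threats per element, listing flows that cross a trust boundary first. The element types and trust zones are assumptions made for the demo.

```python
# STRIDE-per-element over a small DFD of the Stratford/StratPay environment.
# Added example, not code from the room; element types and trust zones are
# assumed from the page's descriptions, and the mapping is the standard
# Microsoft STRIDE-per-element chart.
from dataclasses import dataclass

STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information Disclosure", "Denial of Service", "Elevation of Privilege",
)

# Which STRIDE categories apply to each DFD element type. Processes get all
# six; data flows get T/I/D; data stores get T/R/I/D (R mainly for log
# stores); external entities get S/R.
APPLICABLE = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "data_flow": {"Tampering", "Information Disclosure", "Denial of Service"},
    "data_store": {"Tampering", "Repudiation", "Information Disclosure", "Denial of Service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key into APPLICABLE
    zone: str   # trust zone; a flow between different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element

    @property
    def name(self) -> str:
        return f"{self.src.name} -> {self.dst.name}"

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


def threats_for(kind: str) -> list[str]:
    """STRIDE categories applicable to a DFD element type, in S-T-R-I-D-E order."""
    return sorted(APPLICABLE[kind], key=STRIDE.index)


def enumerate_threats(elements, flows):
    """Return (target, category, crosses_boundary) triples for every flow and
    element. Boundary-crossing flows come first so they are reviewed first."""
    rows = []
    for f in sorted(flows, key=lambda fl: not fl.crosses_boundary()):
        for t in threats_for("data_flow"):
            rows.append((f.name, t, f.crosses_boundary()))
    for e in elements:
        for t in threats_for(e.kind):
            rows.append((e.name, t, False))
    return rows


# Constructed model (zones and element types are assumptions).
INTERNET = Element("Internet user", "external_entity", "internet")
VPN_AUTH = Element("VPN Authentication Service", "process", "dmz")
API_GW = Element("API Gateway", "process", "internal")
ADMIN = Element("Admin Dashboard", "process", "internal")
SQL_DB = Element("SQL Server Database", "data_store", "internal")
AUDIT = Element("Audit Logs", "data_store", "internal")
ELEMENTS = [INTERNET, VPN_AUTH, API_GW, ADMIN, SQL_DB, AUDIT]
FLOWS = [
    Flow(INTERNET, VPN_AUTH),   # crosses internet -> dmz
    Flow(VPN_AUTH, API_GW),     # crosses dmz -> internal
    Flow(API_GW, SQL_DB),       # stays internal
    Flow(ADMIN, AUDIT),         # stays internal
]

if __name__ == "__main__":
    for target, cat, crosses in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{'[TB] ' if crosses else '     '}{target}: {cat}")
```

Run stand-alone it prints forty candidate threats; the three processes each contribute all six categories, which is the point of the question above, and the two flows tagged `[TB]` are the ones where the page says validation is mandatory because the level of trust changes.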
Task 5: Scoring Threats with DREAD
1. What does the “A” in DREAD stand for?
This category measures how many users or systems are impacted when a threat is successfully exploited.
Affected Users
2. You are scoring a Denial of Service vulnerability in the StratPay Portal. The vulnerability can be triggered by anyone on the Internet, requires no authentication, and crashes the entire payment portal affecting all customers. However, it causes no data loss, and the system recovers automatically on restart. Which DREAD category would receive the lowest score?
The vulnerability causes service disruption but no data loss, permanent damage, or lasting compromise. Therefore, the damage impact is relatively low.
Damage
Task 6: PASTA: Risk-Centric Threat Modeling
1. After completing your threat model, the client asks your pentest team to justify why you are prioritizing the payment portal over the internal company wiki. Which PASTA stage provides the business-risk evidence to support this prioritization?
Stage 7 analyzes business impact, financial loss, compliance consequences, and operational risks to justify security priorities.
Stage 7
2. During a PASTA analysis for Stratford Systems, your team discovers that financial sector threat intelligence reports show a 300% increase in API-targeted attacks over the past year. In which PASTA stage would you incorporate this finding?
Stage 4 uses threat intelligence and industry-specific attack trends to identify realistic threats facing the organization.
Stage 4
Task 7: MITRE ATT&CK for Threat Modeling
1. How many tactics are in the MITRE ATT&CK Enterprise matrix (v18)?
The ATT&CK Enterprise Matrix contains 14 tactics that describe an attacker’s goals throughout the intrusion lifecycle.
14
2. What is the first ATT&CK tactic (alphabetically) that has no direct equivalent in the Cyber Kill Chain?
Credential Access is one of several ATT&CK tactics that are not explicitly represented in the Cyber Kill Chain, making ATT&CK more detailed for post-compromise activities.
Credential Access
Task 8: Putting It All Together: Threat Modeling Stratford Systems
After reviewing all trust boundaries in the Data Flow Diagram, we traced the CISO’s attack scenario step by step.
The scenario starts with an attacker using stolen employee credentials to access the company’s VPN from the Internet. In the DFD, this connection passes through TB4 (Internet ↔ VPN Tunnel) before reaching any internal systems.
Because TB4 is the first trust boundary crossed in the attack path, it is the correct answer.
Answer: TB4 (Internet ↔ VPN Tunnel)


The VPN Authentication Service verifies employee identities using Active Directory credentials. Since the CISO’s primary concern involves phishing attacks and stolen employee credentials, the greatest risk is an attacker impersonating a legitimate employee to gain VPN access.
In STRIDE, pretending to be another user or system is classified as Spoofing, which directly targets the authentication process.
Answer: Spoofing

This data flow carries sensitive customer payment information between the API Gateway and the SQL Server Database. If an attacker intercepts, accesses, or exposes this communication, confidential payment data could be disclosed to unauthorized parties.
In STRIDE, unauthorized exposure of sensitive information is classified as Information Disclosure.
Answer: Information Disclosure

The Admin Dashboard contains privileged functionality such as account management, refund processing, and access to transaction records. The greatest risk is that an attacker or low-privileged user gains access to functions beyond their intended permissions.
In STRIDE, gaining unauthorized permissions or higher-level access is classified as Elevation of Privilege.
Answer: Elevation of Privilege

Audit logs provide evidence of authentication attempts, transactions, and administrative actions. If attackers can alter, remove, or bypass logging, they may deny performing malicious activities and investigators would be unable to prove what happened.
In STRIDE, threats involving the inability to trace actions or prove accountability are classified as Repudiation.
Answer: Repudiation


1. In the DREAD scoring exercise (Step 3), which of the two threats received the higher risk rating: the phished VPN credentials or the SQL injection in the transaction search feature?
The same step also ranks four findings into a testing order:
Test First
- Default credentials on Internal API Gateway
- DREAD Score: 8.8
Test Second
- Stored XSS in StratPay customer feedback form
- DREAD Score: 7.6
Test Third
- SQL Injection in StratPay payment search
- DREAD Score: 8.2
Test Last
- Verbose error messages on Admin Dashboard
- DREAD Score: 6.0
The order is not purely numerical: the exercise weighs testing strategy as well as severity. Although SQL Injection (8.2) scores higher than Stored XSS (7.6), the lab puts Stored XSS ahead of it because it directly affects customers and can be used to steal sessions, impersonate users and launch further attacks against many victims.

SQL injection
2. In the ATT&CK mapping exercise (Step 4), which tactic did you assign to the step where the attacker uses stolen VPN credentials to access the internal network?

Initial Access
3. What flag did you get after going through all the steps?
1 → B
2 → C
3 → D
4 → A


THM{Thr347-Modeling}