PROTECT (Profile Review and Offensive Threat Evaluation for Countermeasures and Tactics)
The PROTECT framework acknowledges that no single methodology covers every aspect of modern security. Instead of choosing one, PROTECT orchestrates the industry's best special-purpose models into a cohesive lifecycle. It leverages VAST for visibility, STRIDE for coverage, DREAD for prioritization, LINDDUN for privacy, and PASTA for defense.
PROTECT Threat Model Steps
1. Profile System and Assets (The Lens: VAST)
Objective: Visualize the architecture to establish scope.
- The "Why": You cannot secure what you cannot understand. Before we can identify threats, we must have a clear, shared mental model of the system.
- The Linkage: We use VAST (Visual, Agile, Simple) here not as a rigid checklist, but as the delivery mechanism. By creating a VAST-compliant process map, we generate the "Map" that the subsequent steps will sweep.
Key Actions:
- Develop high-level architecture diagrams focusing on data flows, trust boundaries, and dependencies.
- Profile threat actors (motivations, capabilities, resources).
- Identify and prioritize critical assets based on business value.
2. Review Threats (The Net: STRIDE)
Objective: Achieve comprehensive threat coverage.
- The Bridge (from Step 1): Once we have the VAST diagrams (the Map), we need a methodical way to sweep that map for vulnerabilities.
- The Linkage: STRIDE acts as our "dragnet." It ensures we don't rely on gut feelings. We systematically apply STRIDE categories to every interaction and boundary identified in Step 1 to ensure we haven't missed a standard class of attack (like Spoofing or Tampering).
Key Actions:
- Spoofing: Identify threats related to authentication and impersonation.
- Tampering: Identify threats related to unauthorized modification of data or systems.
- Repudiation: Identify threats related to the ability to deny actions or transactions.
- Information Disclosure: Identify threats related to the unauthorized exposure of sensitive data.
- Denial of Service: Identify threats related to the disruption or degradation of system availability.
- Elevation of Privilege: Identify threats related to gaining unauthorized access or permissions.
3. Offensive Threat Impact Evaluation (The Scale: DREAD)
Objective: Filter noise and prioritize risk.
- The Bridge (from Step 2): STRIDE is excellent at finding possible threats, but it doesn't tell us which ones matter. A STRIDE analysis often produces a massive, unprioritized list of "what-ifs."
- The Linkage: We apply DREAD to the list generated by STRIDE to score each threat. This transforms a flat list of technical bugs into a ranked list of business risks. This is where we move from "Security Engineering" to "Risk Management."
Key Actions:
- Damage: Assess the potential damage caused by the threat if it were to occur.
- Reproducibility: Determine how easily the threat can be reproduced or exploited.
- Exploitability: Evaluate the level of skill and resources required to exploit the threat.
- Affected Users: Assess the number of users or systems that could be impacted by the threat.
- Discoverability: Determine how easily the vulnerability or weakness can be discovered by potential attackers.
4. Evaluate Privacy Concerns (The Blindspot: LINDDUN)
Objective: Address non-security data risks.
- The Bridge (from Step 3): Traditional security scoring (DREAD) focuses on broken systems. However, a system can be perfectly secure (unhackable) and still violate privacy laws (e.g., excessive data collection).
- The Linkage: We pause the security workflow to run a specific LINDDUN pass. This captures the risks that STRIDE misses, specifically where the system functions exactly as designed, but that design harms the user's privacy (e.g., Unawareness or Linkability).
Key Actions:
- Linkability: Determine if data from different sources can be combined to identify an individual or link their activities.
- Identifiability: Assess if an individual can be singled out or identified within a dataset.
- Non-repudiation: Evaluate if an individual is unable to deny having performed an action or transaction (the inverse of STRIDE's Repudiation: here the harm is that the user cannot plausibly deny).
- Detectability: Determine if it is possible to detect that an item of interest exists within a system.
- Disclosure of Information: Assess the risk of unauthorized access to or disclosure of sensitive information.
- Unawareness: Evaluate if individuals are unaware of the data collection, processing, or sharing practices.
- Non-compliance: Determine if the system or practices are not compliant with privacy laws, regulations, or policies.
5. Countermeasures and Tactical Safeguards (The Fix: PASTA)
Objective: Simulate attacks and validate defenses.
- The Bridge (from Steps 3 & 4): We now have a prioritized list of Security risks (from DREAD) and Privacy risks (from LINDDUN). The final question is: Do our defenses actually work against a motivated human adversary?
- The Linkage: We use the simulation strengths of PASTA (Process for Attack Simulation and Threat Analysis) here. While PASTA is a full lifecycle, PROTECT leverages its specific strength in Attacker-Centric simulation. We don't just patch vulnerabilities; we build attack trees to see if our proposed countermeasures actually break the attacker's kill chain.
Key Actions:
- Attack Modeling: Simulate realistic attack scenarios and identify choke points.
- Vulnerability Assessment: Conduct technical validation (pen-testing, code review) for high-risk vectors.
- Countermeasure Analysis: Design countermeasures that address root causes. Map controls to regulatory requirements (PCI DSS, NIST 800-53, etc.).
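As an added illustration of the Step 1 to Step 4 hand-offs (not part of the PROTECT framework text, and not code from any of the named methodologies): a small Python model in which VAST flows feed a STRIDE sweep, DREAD ranks the findings, and a LINDDUN pass catches the personal-data flow the STRIDE sweep ignores. The sample flows, the factor values and the averaged 1-10 DREAD scale are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Step 1 (VAST): a minimal process map. Flows and scores below are constructed for this example.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    crosses_boundary: bool  # does the flow cross a trust boundary?
    personal: bool = False  # does the flow carry data about an individual?

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service", "Elevation of Privilege")

@dataclass(frozen=True)
class Threat:
    flow: Flow
    category: str
    dread: tuple = ()  # (Damage, Reproducibility, Exploitability, Affected users, Discoverability)

def review_threats(flows):
    """Step 2 (STRIDE): sweep every boundary-crossing flow with all six categories.
    Nothing is scored yet; this is the flat, unprioritized 'what-if' list."""
    return [Threat(f, cat) for f in flows if f.crosses_boundary for cat in STRIDE]

def score(threat, damage, repro, exploit, affected, discover):
    """Step 3 (DREAD): attach five factors, each 1-10, to a STRIDE finding."""
    factors = (damage, repro, exploit, affected, discover)
    if any(not 1 <= v <= 10 for v in factors):
        raise ValueError("DREAD factors are scored 1-10")
    return replace(threat, dread=factors)

def dread_score(threat):
    """Average of the five DREAD factors; unscored findings rank last (0.0)."""
    return sum(threat.dread) / 5 if threat.dread else 0.0

def prioritize(threats):
    """Rank findings highest risk first; sorted() is stable, so ties keep STRIDE order."""
    return sorted(threats, key=dread_score, reverse=True)

def privacy_pass(flows):
    """Step 4 (LINDDUN): flag flows carrying personal data even when they never cross a
    trust boundary, the design-as-intended risk that the STRIDE sweep does not see."""
    return [(f, "Linkability / Identifiability") for f in flows if f.personal]

# Constructed sample: a browser talks to an API that writes to a database and an analytics sink.
FLOWS = [
    Flow("Browser", "API", "session token", crosses_boundary=True),
    Flow("API", "Database", "order records", crosses_boundary=False),
    Flow("API", "Analytics", "user id + page views", crosses_boundary=False, personal=True),
]
```

Only the Browser-to-API flow crosses a boundary, so STRIDE yields six findings there and none for the analytics flow; the LINDDUN pass is what surfaces that one.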
PROTECT Summary
- VAST draws the map.
- STRIDE finds the holes in the map.
- DREAD decides which holes are dangerous.
- LINDDUN checks if the map exploits the user.
- PASTA tests if the fences we build can actually stop the wolves.
The PROTECT model provides a comprehensive and integrated approach to threat modeling by combining the strengths of VAST, STRIDE, DREAD, LINDDUN, and PASTA into a unified framework.