원클릭으로
threat-modeling
Systematic threat analysis using STRIDE and MITRE ATT&CK frameworks following Hack23 ISMS Threat Modeling Policy
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Systematic threat analysis using STRIDE and MITRE ATT&CK frameworks following Hack23 ISMS Threat Modeling Policy
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
GitHub Agentic Workflows (gh-aw) - markdown-based AI automation with 5-layer security, safe outputs, and Continuous AI patterns
gh-aw CLI usage, compilation, testing, debugging, add-wizard, and CI/CD practices for GitHub Agentic Workflows
Multi-agent coordination, orchestrator-worker patterns, /plan decomposition, and project coordination for GitHub Agentic Workflows
5-layer defense-in-depth security for GitHub Agentic Workflows - safe outputs, threat detection, AWF firewall, and zero-trust patterns
Continuous AI patterns from Agent Factory - issue triage, documentation sync, code quality, security scanning, and project coordination
GDPR compliance including privacy by design, data protection requirements, consent management, right to be forgotten, and data breach response
| name | threat-modeling |
| description | Systematic threat analysis using STRIDE and MITRE ATT&CK frameworks following Hack23 ISMS Threat Modeling Policy |
| license | Apache-2.0 |
This skill ensures systematic identification, analysis, and mitigation of security threats using structured methodologies as defined in the Hack23 ISMS Threat Modeling Policy. It applies to all systems, applications, and data flows within the organization.
MUST:
MUST NOT:
Spoofing Identity (S):
Tampering with Data (T):
Repudiation (R):
Information Disclosure (I):
Denial of Service (D):
Elevation of Privilege (E):
MUST:
Example Mappings:
MUST:
Components:
MUST:
Risk Formula: Risk = Likelihood × Impact
Likelihood Ratings:
Impact Ratings:
Risk Score Matrix:
MUST:
Mitigation Strategies:
## Component: User Login API
### Data Flow Diagram
[User] --username/password--> [Login API] --SQL query--> [Database] [Login API] --session token--> [User]
### Trust Boundaries
- Internet → Web Server
- Web Server → Database
### STRIDE Analysis
**S - Spoofing:**
- Threat: Attacker guesses weak passwords
- Risk: High Likelihood (3) × High Impact (3) = 9 (Critical)
- Mitigation:
- Implement strong password policy (12+ chars, complexity)
- Implement account lockout after 5 failed attempts
- Implement rate limiting (max 10 attempts/minute/IP)
- Log all authentication attempts
- ATT&CK: T1110 (Brute Force)
**T - Tampering:**
- Threat: MitM attack captures credentials
- Risk: Medium Likelihood (2) × High Impact (3) = 6 (High)
- Mitigation:
- Enforce TLS 1.2+ for all connections
- Implement HSTS headers
- Use secure session cookies (HTTPOnly, Secure, SameSite)
- ATT&CK: T1557 (Man-in-the-Middle)
**R - Repudiation:**
- Threat: User denies performing actions
- Risk: Low Likelihood (1) × Medium Impact (2) = 2 (Low)
- Mitigation:
- Log all authentication events with timestamp, IP, user agent
- Protect log integrity (append-only S3 bucket)
- Implement log retention for 1 year
- ATT&CK: T1070 (Indicator Removal on Host)
**I - Information Disclosure:**
- Threat: SQL injection exposes user data
- Risk: Medium Likelihood (2) × Critical Impact (4) = 8 (High)
- Mitigation:
- Use parameterized queries exclusively
- Implement input validation (allowlist)
- Run database with least privilege account
- Implement Web Application Firewall (WAF)
- ATT&CK: T1190 (Exploit Public-Facing Application)
**D - Denial of Service:**
- Threat: Attacker floods login endpoint
- Risk: High Likelihood (3) × Medium Impact (2) = 6 (High)
- Mitigation:
- Implement rate limiting (per IP and per account)
- Use CAPTCHA after 3 failed attempts
- Implement CDN with DDoS protection
- Set up auto-scaling
- ATT&CK: T1498 (Network Denial of Service)
**E - Elevation of Privilege:**
- Threat: SQL injection bypasses authentication
- Risk: Medium Likelihood (2) × Critical Impact (4) = 8 (High)
- Mitigation:
- Use ORM or parameterized queries
- Implement principle of least privilege for database access
- Separate admin and user authentication paths
- Implement security testing in CI/CD
- ATT&CK: T1068 (Exploitation for Privilege Escalation)
Goal: Compromise User Account
|
+-- [OR] Steal Credentials
| |
| +-- [AND] Phishing Attack
| | +-- Send phishing email (Easy)
| | +-- User clicks malicious link (Medium)
| | +-- User enters credentials (Medium)
| | → Mitigation: Security awareness training, email filtering, MFA
| | → ATT&CK: T1566 (Phishing)
| |
| +-- [AND] Password Guessing
| | +-- Obtain username (Easy)
| | +-- Guess weak password (Medium)
| | → Mitigation: Strong password policy, account lockout, rate limiting
| | → ATT&CK: T1110 (Brute Force)
| |
| +-- [AND] Database Breach
| +-- SQL injection (Hard)
| +-- Extract password hashes (Medium)
| +-- Crack hashes (Hard)
| → Mitigation: Parameterized queries, strong hashing (bcrypt), WAF
| → ATT&CK: T1190 (Exploit Public-Facing Application)
|
+-- [OR] Session Hijacking
|
+-- [AND] XSS Attack
| +-- Find XSS vulnerability (Hard)
| +-- Inject JavaScript to steal session cookie (Medium)
| → Mitigation: Input validation, output encoding, HTTPOnly cookies, CSP
| → ATT&CK: T1185 (Browser Session Hijacking)
|
+-- [AND] Session Fixation
+-- Provide victim with known session ID (Easy)
+-- Victim authenticates with fixed session (Medium)
→ Mitigation: Regenerate session ID on login, use secure random IDs
→ ATT&CK: T1185 (Browser Session Hijacking)
# Threat Model: [System Name]
## Document Control
- **Version:** 1.0
- **Date:** 2026-02-10
- **Author:** Security Team
- **Status:** Approved
- **Classification:** Internal
## 1. System Overview
### Purpose
[Brief description of system purpose and business value]
### Architecture
[High-level architecture diagram]
### Data Classification
- **Public:** Product catalog
- **Internal:** User activity logs
- **Confidential:** User PII, payment information
- **Restricted:** Encryption keys
## 2. Assumptions and Dependencies
### Assumptions
- Users access system via HTTPS only
- Database is hosted in secure AWS VPC
- All users complete security training annually
### Dependencies
- AWS (infrastructure)
- Stripe (payment processing)
- SendGrid (email delivery)
## 3. Data Flow Diagrams
### Level 0: Context Diagram
[User] --HTTPS--> [Web Application] --TLS--> [Payment Gateway] [Web Application] --TLS--> [Database]
### Level 1: Detailed Flow
[Include detailed DFD with trust boundaries]
## 4. STRIDE Analysis
[For each component, perform STRIDE analysis as shown in Example 1]
## 5. Threat Summary
| ID | Component | Threat | STRIDE | Risk | ATT&CK | Status |
|----|-----------|--------|--------|------|--------|--------|
| T-001 | Login API | Password guessing | S | Critical (9) | T1110 | Mitigated |
| T-002 | Login API | SQL injection | I, E | High (8) | T1190 | Mitigated |
| T-003 | Web App | XSS | I, T | High (6) | T1185 | In Progress |
## 6. Mitigation Plan
| Threat ID | Mitigation | Owner | Due Date | Status |
|-----------|------------|-------|----------|--------|
| T-001 | Implement account lockout | Dev Team | 2026-02-15 | Complete |
| T-002 | Use parameterized queries | Dev Team | 2026-02-20 | Complete |
| T-003 | Implement CSP headers | DevOps | 2026-02-25 | In Progress |
## 7. Residual Risks
[List any accepted risks with executive approval]
## 8. References
- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)
- [Risk Assessment Methodology](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Assessment_Methodology.md)
This skill implements requirements from:
Threat modeling compliance is verified through: