Security Architecture & Threat Models

Overview and Objectives

As an instructor teaching cybersecurity to college students, this module on Security Architecture & Threat Models focuses on the foundational principles of designing secure systems. Secure systems don't happen by accident; they require deliberate planning, documentation, and the application of established frameworks to identify, mitigate, and respond to threats. By the end of this module, students will be able to:

• Understand and design layered architectures (also known as defense-in-depth) to create multiple barriers against attacks.
• Apply threat modeling frameworks like STRIDE, DREAD, and MITRE ATT&CK to systematically identify and prioritize risks.
• Produce comprehensive security architecture documentation that serves as a blueprint for implementation and auditing.

This module builds on basic cybersecurity concepts (e.g., CIA triad: Confidentiality, Integrity, Availability) and assumes familiarity with networking and system design. Emphasize real-world examples, such as how these principles were applied (or failed) in incidents like the SolarWinds supply chain attack or the Equifax data breach.

Estimated Time: 4-6 hours of lecture/discussion, plus hands-on labs (e.g., threat modeling a simple web application).

Prerequisites: Introduction to Cybersecurity, Networking Fundamentals.

Assessment Ideas:

• Quiz on key terms and frameworks.
• Group project: Threat model a hypothetical e-commerce system using STRIDE and document it.
• Essay: Compare STRIDE vs. MITRE ATT&CK in enterprise vs. cloud environments.

Key Concepts and Explanations

1. Security Architecture Fundamentals

Security architecture refers to the high-level design of a system's security controls, ensuring they align with business goals while protecting against threats. It's like building a fortress: you plan walls, moats, and guards in advance.

• Layered Architectures (Defense-in-Depth): This approach involves stacking multiple security controls so that if one fails, others provide protection. Layers might include physical security, network perimeter defenses, host-based protections, application security, and data encryption. The goal is redundancy and diversity to complicate attacks.

  • Why it matters: Single points of failure (e.g., relying only on a firewall) are risky. Layering reduces the blast radius of breaches.
  • Example: In a cloud environment, layers could be: Edge (CDN with WAF), Network (VPC with subnets), Compute (VM hardening), Application (input validation), and Data (encryption at rest/transit).
  • Term to Explain: Blast Radius – The extent of damage from a security incident; layered designs minimize this by isolating components.

• Micro-Segmentation: A technique to divide a network into small, isolated segments (e.g., using software-defined networking like NSX or AWS Security Groups). Each segment has its own access controls, preventing lateral movement by attackers.

  • Why it matters: In flat networks, once an attacker breaches the perimeter, they can roam freely (e.g., WannaCry ransomware spread via unsegmented networks).
  • Implementation Tip: Use zero-trust principles: Assume no segment trusts another by default.
  • Term to Explain: Lateral Movement – An attacker's technique to pivot from one compromised asset to others within a network.

• Trust Boundaries: These are logical or physical points where the level of trust changes, such as between a public internet-facing server and an internal database. At these boundaries, you enforce strict controls like authentication and validation.

  • Why it matters: Misplaced trust (e.g., assuming all internal traffic is safe) leads to insider threats or pivoting attacks.
  • Example: In a web app, the boundary between user input (untrusted) and backend processing (trusted) requires sanitization to prevent SQL injection.

• Resilience Planning: Designing systems to withstand, recover from, and adapt to disruptions. This includes redundancy (e.g., failover servers), backups, incident response plans, and chaos engineering (intentionally introducing failures to test resilience).

  • Why it matters: Threats aren't just prevented; some will succeed, so focus on minimizing downtime and data loss.
  • Term to Explain: Chaos Engineering – A practice popularized by Netflix, where controlled experiments simulate failures to build more robust systems.

2. Threat Modeling Frameworks

Threat modeling is the process of identifying potential threats, vulnerabilities, and countermeasures early in the design phase. It's proactive, not reactive.

• STRIDE Model: Developed by Microsoft, this acronym helps categorize threats:

  • Spoofing: Impersonating something or someone (e.g., IP spoofing).
  • Tampering: Unauthorized modification of data (e.g., altering database records).
  • Repudiation: Denying actions (e.g., lacking audit logs to prove who did what).
  • Information Disclosure: Leaking sensitive data (e.g., unencrypted transmissions).
  • Denial of Service: Overwhelming resources (e.g., DDoS attacks).
  • Elevation of Privilege: Gaining higher access than authorized (e.g., privilege escalation exploits).
  • Application: Use in data flow diagrams (DFDs) to map threats to system components.
  • Term to Explain: Data Flow Diagram (DFD) – A visual representation of how data moves through a system, used to identify entry/exit points for threats.

• DREAD Model: A risk assessment framework to prioritize threats identified via STRIDE or similar:

  • Damage Potential: How much harm could occur?
  • Reproducibility: How easy is it to repeat the attack?
  • Exploitability: How much effort/skill is needed to exploit?
  • Affected Users: How many people/systems are impacted?
  • Discoverability: How easy is the vulnerability to find?
  • Scoring: Rate each on a scale (e.g., 1-10) and average for a risk score. High scores get priority mitigation.
  • Why combine with STRIDE? STRIDE identifies threats; DREAD ranks them.

• MITRE ATT&CK Framework: A knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It's matrix-based, covering enterprise, mobile, cloud, and ICS environments.

  • Structure: Tactics (columns, e.g., Initial Access, Execution, Persistence) and Techniques (rows, e.g., Phishing under Initial Access).
  • Application: Map your system's defenses to ATT&CK to find gaps; use for red teaming or threat hunting.
  • Updates: As of 2025, version 14 includes new techniques like AI/ML model evasion.
  • Term to Explain: Tactics, Techniques, and Procedures (TTPs) – Tactics are the "why" (goals), Techniques are the "how" (methods), Procedures are the "what" (specific implementations).
  • Example: In the Colonial Pipeline ransomware attack (2021), attackers used Initial Access (compromised VPN) and Lateral Movement (RDP).

3. Producing Security Architecture Documentation

Documentation is the "blueprint" that communicates your design to stakeholders, developers, and auditors. It should be living documents, updated with system changes.

• Key Elements to Include:

  • System Overview: High-level diagrams (e.g., using UML or Mermaid).
  • Threat Models: STRIDE/DREAD analyses, MITRE ATT&CK mappings.
  • Controls Catalog: List of defenses per layer (e.g., firewalls, IDS/IPS, encryption standards).
  • Assumptions and Constraints: E.g., "Assumes users are trained on phishing."
  • Risk Register: Prioritized threats with mitigations and residual risks.
  • Standards: Follow NIST SP 800-53 or ISO 27001 for structure.

• Tools for Documentation: Draw.io for diagrams, Microsoft Threat Modeling Tool, or OWASP Threat Dragon (free/open-source).

• Best Practices: Use version control (e.g., Git), make it accessible yet secure, and review annually.

• Term to Explain: Residual Risk – The risk that remains after applying controls; aim to reduce it to an acceptable level.

Visualizations Using Mermaid Script

To enhance understanding, include these diagrams in lectures. Students can recreate them in tools like Mermaid Live (mermaid.live) for practice.

Visualization 1: Layered Architecture (Defense-in-Depth)

This flowchart shows a typical layered design for a web application.

graph TD
    A[External User] -->|Internet| B[Perimeter Layer: Firewall/WAF]
    B --> C[Network Layer: VPC/Micro-Segmentation]
    C --> D[Host Layer: OS Hardening/IDS]
    D --> E[Application Layer: Input Validation/Auth]
    E --> F[Data Layer: Encryption/Access Controls]
    subgraph "Trust Boundaries"
    B -.-> C
    C -.-> D
    D -.-> E
    E -.-> F
    end
    style A fill:#f9f,stroke:#333
    style F fill:#bbf,stroke:#333

Explanation in Class: Arrows represent data flow; dashed lines are trust boundaries where inspections occur. Discuss how an attack on B might be stopped at C.

Visualization 2: STRIDE Threat Model Process

A sequence diagram for applying STRIDE.

sequenceDiagram
    participant Designer
    participant System
    participant ThreatModel
    Designer->>System: Draw DFD
    System->>ThreatModel: Identify Elements (Processes, Data Stores)
    loop For Each Element
        ThreatModel->>ThreatModel: Apply STRIDE Categories
        ThreatModel->>Designer: List Threats (e.g., Spoofing on Auth Process)
    end
    Designer->>ThreatModel: Prioritize with DREAD
    ThreatModel->>Designer: Recommend Mitigations

Explanation in Class: This shows the iterative process. Assign students to model a simple app (e.g., login system) following these steps.

Visualization 3: MITRE ATT&CK Matrix Snippet

A simplified graph of tactics and techniques.

graph LR
    A[Initial Access] --> B[Phishing]
    A --> C[Exploit Public-Facing App]
    D[Execution] --> E[Command and Scripting Interpreter]
    D --> F[User Execution]
    G[Persistence] --> H[Boot or Logon Autostart]
    subgraph "MITRE ATT&CK Tactics"
    A
    D
    G
    end
    style A fill:#ffcc00,stroke:#333
    style D fill:#ffcc00,stroke:#333
    style G fill:#ffcc00,stroke:#333

Explanation in Class: The full matrix has 14 tactics; this is a subset. Use the official MITRE site for interactive exploration. Discuss mapping a recent breach (e.g., Log4j vulnerability under Execution).

Hands-On Activities and Examples

• Lab 1: Use OWASP Threat Dragon to model threats for a sample IoT system. Apply STRIDE and score with DREAD.
• Case Study: Analyze the 2023 MOVEit supply chain attack using MITRE ATT&CK (tactics: Initial Access via SQL injection, Exfiltration via data theft).
• Group Discussion: Debate: "Is zero-trust (extreme micro-segmentation) feasible for small organizations?" Pros: Enhanced security; Cons: Complexity and cost.

Key Skills Development

• MITRE ATT&CK: Students will learn to navigate the framework, map defenses, and simulate attacks in CTF exercises.
• STRIDE & DREAD: Practice in workshops; emphasize quantitative risk scoring.
• Layered Design: Design exercises for cloud (AWS/Azure) architectures.
• Micro-Segmentation: Demo with tools like Docker Compose for segmented containers.
• Trust Boundaries: Identify in code reviews (e.g., OWASP Top 10 vulnerabilities).
• Resilience Planning: Create a basic incident response plan template.

Resources and Further Reading

• Books: "Threat Modeling: Designing for Security" by Adam Shostack.
• Online: MITRE ATT&CK website (attack.mitre.org), Microsoft Security Development Lifecycle.
• Videos: YouTube channels like "LiveOverflow" for threat modeling demos.
• Tools: Free – ThreatModeler Community Edition; Paid – IriusRisk.

Encourage students to stay updated via sources like Krebs on Security or CVE databases, as threats evolve rapidly (e.g., AI-driven attacks in 2025). End with a Q&A to clarify terms like those highlighted.