OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed to structure, store, and visualise cyber threat intelligence (CTI). While it’s not a threat modelling framework per se, it plays a powerful supporting role by feeding real-world intelligence into frameworks like MITRE ATT&CK, PASTA, and custom models.
🔧 What Does OpenCTI Do?
Aggregates threat data from feeds like MISP, MITRE ATT&CK, VirusTotal, and more
Structures data using STIX 2.1 (Structured Threat Information Expression)
Allows analysts to model attack campaigns, TTPs, IOCs, threat actors, and vulnerabilities
Links together CTI entities to create narratives that help drive threat modelling, IR planning, and SOC enrichment
📌 Use Cases in Threat Modelling
Populate ATT&CK matrices with actual actor techniques
Support scenario-based modelling in PASTA using historical CTI
Enrich assets in your threat model with real-world IOCs and attack patterns
Provide strategic context (who’s attacking whom, and why)
🔗 Integration & Automation
Works with platforms like TheHive, MISP, Elastic, Splunk, and SIEMs
Supports custom ingestion pipelines and can power dashboards in SOC and CTI teams
Enables automated risk scoring and contextualised alerts
While OpenCTI is not a traditional threat modelling framework, it serves as a critical intelligence backbone. By integrating OpenCTI with your modelling efforts, you ensure that your threat models are grounded in current, relevant, and adversary-specific intelligence — not just theoretical threats.
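To make the STIX 2.1 linking concrete, the following added example (not OpenCTI's own code) builds a small bundle of the kind OpenCTI stores, with an intrusion set that uses two ATT&CK techniques and an indicator attributed to it, and then walks the relationships to produce the actor-to-technique mapping that populates an ATT&CK matrix. The actor name, indicator and timestamp are constructed; the technique IDs T1078 and T1021 are real ATT&CK identifiers.

```python
import uuid

NOW = "2024-01-01T00:00:00.000Z"  # constructed fixed timestamp for reproducibility

def stix_object(stix_type, **props):
    """Create a STIX 2.1 object with the common properties every SDO/SRO needs."""
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": NOW, "modified": NOW}
    obj.update(props)
    return obj

def attack_pattern(name, technique_id):
    """ATT&CK techniques are attack-pattern objects; the technique ID is carried
    in an external reference whose source_name is mitre-attack."""
    return stix_object("attack-pattern", name=name, external_references=[
        {"source_name": "mitre-attack", "external_id": technique_id}])

def relationship(src, rel_type, dst):
    """A STIX Relationship Object links two entities (e.g. actor 'uses' technique)."""
    return stix_object("relationship", relationship_type=rel_type,
                       source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """Constructed sample: a fictional intrusion set, two real ATT&CK technique
    IDs (T1078 Valid Accounts, T1021 Remote Services) and a fictional indicator."""
    actor = stix_object("intrusion-set", name="EXAMPLE-ACTOR (constructed)")
    valid_accounts = attack_pattern("Valid Accounts", "T1078")
    remote_services = attack_pattern("Remote Services", "T1021")
    ioc = stix_object("indicator", name="example C2 domain (constructed)",
                      pattern_type="stix", valid_from=NOW,
                      pattern="[domain-name:value = 'c2.example.invalid']")
    objects = [actor, valid_accounts, remote_services, ioc,
               relationship(actor, "uses", valid_accounts),
               relationship(actor, "uses", remote_services),
               relationship(ioc, "indicates", actor)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def techniques_by_actor(bundle):
    """Follow 'uses' relationships from actors to attack patterns and return
    {actor name: sorted ATT&CK IDs}, the data an ATT&CK matrix is filled from."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    result = {}
    for obj in bundle["objects"]:
        if obj["type"] != "relationship" or obj["relationship_type"] != "uses":
            continue
        src, dst = by_id[obj["source_ref"]], by_id[obj["target_ref"]]
        if src["type"] in ("intrusion-set", "threat-actor") and dst["type"] == "attack-pattern":
            tid = next(r["external_id"] for r in dst["external_references"]
                       if r["source_name"] == "mitre-attack")
            result.setdefault(src["name"], []).append(tid)
    return {actor: sorted(ids) for actor, ids in result.items()}
```

Calling `techniques_by_actor(build_bundle())` returns the actor name mapped to `["T1021", "T1078"]`; the same walk over a real OpenCTI export yields the technique cells to highlight for each tracked actor.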
Threat Modelling Frameworks: Identifying and Managing Cyber Risks
Threat modelling is a proactive cybersecurity process used to identify, prioritise, and mitigate potential threats before they can be exploited. It’s a vital part of secure system design, helping teams anticipate vulnerabilities, understand attacker goals, and build security into applications and infrastructure from the start.
🛠️ What Is Threat Modelling?
Threat modelling answers four fundamental questions:
What are we building?
What can go wrong?
What are we doing about it?
Have we done a good enough job?
By applying structured thinking frameworks, organisations can anticipate attacks, reduce risk, and improve resilience — all while aligning with DevSecOps and regulatory requirements.
🧩 Common Threat Modelling Frameworks
🔍 1. STRIDE (Microsoft)
A classic model developed by Microsoft, used primarily in application and system design.
| STRIDE Category | Description |
|---|---|
| Spoofing | Impersonating users or systems |
| Tampering | Modifying data or code |
| Repudiation | Denying actions or transactions |
| Information Disclosure | Leaking sensitive data |
| Denial of Service | Disrupting service availability |
| Elevation of Privilege | Gaining unauthorised privileges |
STRIDE is typically used during the design phase to evaluate components, data flows, and trust boundaries.
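The design-phase use of STRIDE is usually done "per element": each kind of data-flow-diagram element is exposed to a fixed subset of the six categories, and flows that cross a trust boundary get the closest attention. The following added example (not from the original page) encodes that standard STRIDE-per-element table and runs it over a constructed three-tier DFD.

```python
from dataclasses import dataclass

# Standard STRIDE-per-element table: which categories apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",  # Repudiation is added below for audit-log stores
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # a STRIDE_PER_ELEMENT key other than data_flow
    zone: str             # trust zone; a flow between zones crosses a boundary
    is_audit_log: bool = False

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

def threats_for_element(element):
    """STRIDE categories applicable to one element (audit-log stores also get R)."""
    letters = STRIDE_PER_ELEMENT[element.kind]
    if element.kind == "data_store" and element.is_audit_log:
        letters += "R"
    return [STRIDE_NAMES[c] for c in letters]

def enumerate_threats(elements, flows):
    """Map every element and flow to its STRIDE categories; flows that cross a
    trust boundary are labelled so reviewers can prioritise them."""
    out = {e.name: threats_for_element(e) for e in elements}
    for f in flows:
        label = f.name + (" [crosses trust boundary]" if f.src.zone != f.dst.zone else "")
        out[label] = [STRIDE_NAMES[c] for c in STRIDE_PER_ELEMENT["data_flow"]]
    return out

# Constructed sample DFD: browser -> web app -> customer DB, plus an audit log.
BROWSER = Element("Browser", "external_entity", "internet")
WEBAPP = Element("Web App", "process", "dmz")
DB = Element("Customer DB", "data_store", "internal")
AUDIT = Element("Audit Log", "data_store", "dmz", is_audit_log=True)
SAMPLE_FLOWS = [Flow("Browser -> Web App", BROWSER, WEBAPP),
                Flow("Web App -> Customer DB", WEBAPP, DB),
                Flow("Web App -> Audit Log", WEBAPP, AUDIT)]
```

`enumerate_threats([BROWSER, WEBAPP, DB, AUDIT], SAMPLE_FLOWS)` gives the per-element checklist; the two flows between zones carry the trust-boundary label and are where the review should start.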
🔢 2. DREAD (Microsoft, Deprecated)
Formerly used for prioritising threats, based on five factors:
| DREAD Metric | What It Measures |
|---|---|
| Damage potential | How bad would the attack be? |
| Reproducibility | How easy is it to reproduce the attack? |
| Exploitability | How easy is it to launch the attack? |
| Affected users | How many users would be impacted? |
| Discoverability | How easy is it to discover the threat? |
DREAD is no longer widely used due to subjectivity concerns, but can still inform internal risk ratings.
🧪 3. PASTA (Process for Attack Simulation and Threat Analysis)
A risk-centric framework that aligns with business impact.
| PASTA Stage | Purpose |
|---|---|
| 1. Define business objectives | What are we protecting? |
| 2. Define technical scope | Identify assets, interfaces, boundaries |
| 3. Decompose the application | Understand data flows and architecture |
| 4. Threat analysis | Use attacker models and scenarios |
| 5. Vulnerability analysis | Identify weaknesses |
| 6. Attack modelling | Simulate attacks |
| 7. Risk and impact analysis | Prioritise based on business value |
PASTA is suited for complex, high-value applications, especially in regulated industries.
🧠 4. MITRE ATT&CK
A globally curated knowledge base of real-world adversary tactics and techniques.
Used for post-exploitation threat modelling and defensive gap analysis
Helps map threats to real attacker behaviour (e.g. lateral movement, privilege escalation)
Commonly used in SOC playbooks, threat emulation, and purple teaming
Unlike STRIDE and PASTA, ATT&CK is not design-phase focused, but excels in operational threat modelling and adversary mapping.
🛠️ 5. LINDDUN
A privacy-focused threat modelling framework.
| LINDDUN Category | Description |
|---|---|
| Linkability | Identifying linkable user data |
| Identifiability | Personal data exposure risks |
| Non-repudiation | Verifiable actions and records |
| Detectability | System observability by attackers |
| Disclosure of Information | Unintended data leakage |
| Unauthorised Actions | Policy violations and misuse |
| Non-compliance | Failing to meet privacy obligations |
LINDDUN is valuable for GDPR, HIPAA, and other privacy-by-design efforts.
🧠 When to Use Each Framework
| Framework | Best Used For |
|---|---|
| STRIDE | Early-stage design of systems and apps |
| PASTA | Business-aligned risk modelling |
| MITRE ATT&CK | Threat emulation and SOC operations |
| LINDDUN | Privacy impact assessments |
| DREAD | (Optional) Risk prioritisation (legacy use) |
✅ Summary
Threat modelling is essential for proactively addressing security and privacy risks in software and infrastructure. By using frameworks like STRIDE, PASTA, and MITRE ATT&CK, teams can systematically analyse threats, understand attacker behaviour, and make informed decisions to reduce risk.
Whether you’re securing a new app, mapping adversary behaviour, or aligning with compliance — there’s a threat modelling framework to match your goals.