Threat Modeling - Part 5

Sukrit Dua

What will we learn?

  • Microsoft Threat Modeling Tool Basics

  • System Threat Modeling

  • Threat Generation

  • It’s a wrap!

Threat Modeling - Microsoft TMMT

Download Link - https://aka.ms/threatmodelingtool

Once you have it installed and ready to go, let’s begin with a simple web application.

Scenario

Here is our basic web application scenario drawn out in Lucidchart (another tool that can be used for threat modeling).

Instructions

1. Start by opening up the newly installed Microsoft Threat Modeling Tool
2. On the Welcome page, click 'Create A Model'
3. Using the scenario above, use the Stencil bar on the right side to grab the different elements
    1. Browser
    2. HTTPS communication
    3. HTTP communication
    4. Web Application
    5. SQL Database

Threat Generation

Now for the exciting part: we have the simple web application with its interactions diagrammed out. To generate threats, simply click ‘View’ > ‘Analysis View’.

The threat list should populate in the bottom pane and, voila, you can see the STRIDE categories and the threats mapped to them. The list can be exported as a CSV, and/or we can generate an HTML report.

Note: This is a very generic sample model used to showcase what the interface looks like and how you can get started with threat modeling. The threats generated are a good starting point and should not be considered gospel.

Clicking on an individual threat opens the threat properties as shown. We can choose priority and status and make other changes.

The next step here would be to add context, custom attributes, custom threats (within templates), trust zones/boundaries, and enrich this diagram further.
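To make concrete what ‘Analysis View’ is doing under the hood, here is an added example that is not part of the original post and is not the tool’s own template or rule set: a small rule-based STRIDE generator run over a constructed model of the same Browser / Web Application / SQL Database scenario. The element kinds, the rules and the threat titles are assumptions for illustration; notice how the cleartext HTTP flow and the trust-boundary crossing each add entries, and how the output is exactly the kind of generic starting list the note above warns should not be taken as gospel.

```python
from collections import Counter
from dataclasses import dataclass
@dataclass
class Element:
    name: str
    kind: str   # "external" (browser), "process" (web app), "store" (database)
@dataclass
class Flow:
    name: str
    dst: Element
    protocol: str                    # "HTTPS" or "HTTP"
    crosses_boundary: bool = False   # flow enters from another trust zone

# Constructed STRIDE rules per element kind: (category, title template).
ELEMENT_RULES = {
    "external": [("Spoofing", "{n} may be impersonated by an attacker")],
    "process": [("Spoofing", "Callers of {n} may not be authenticated"),
                ("Elevation of Privilege", "{n} may run with more privilege than it needs")],
    "store": [("Tampering", "Data in {n} may be modified without authorization"),
              ("Repudiation", "{n} may lack audit logs of who changed what"),
              ("Information Disclosure", "{n} may expose records to unauthorized readers")],
}

def flow_threats(f):
    """Threats for one data flow; cleartext HTTP and boundary crossings add more."""
    out = [("Denial of Service", f"{f.name} may be flooded, starving {f.dst.name}")]
    if f.protocol == "HTTP":
        out.append(("Information Disclosure", f"{f.name} is cleartext; it may be read in transit"))
        out.append(("Tampering", f"{f.name} is cleartext; it may be altered in transit"))
    if f.crosses_boundary:
        out.append(("Spoofing", f"{f.dst.name} cannot verify the origin of {f.name}"))
    return out

def generate_threats(elements, flows):
    """One dict per threat, the list an analysis view would show."""
    threats = [{"element": e.name, "category": c, "title": t.format(n=e.name)}
               for e in elements for c, t in ELEMENT_RULES.get(e.kind, [])]
    threats += [{"element": f.name, "category": c, "title": t}
                for f in flows for c, t in flow_threats(f)]
    return threats

def count_by_category(threats):
    return dict(Counter(t["category"] for t in threats))   # per-STRIDE-category totals

# Constructed model of the page's scenario: Browser -> Web Application -> SQL Database.
ELEMENTS = [Element("Browser", "external"), Element("Web Application", "process"),
            Element("SQL Database", "store")]
FLOWS = [Flow("HTTPS request", ELEMENTS[1], "HTTPS", crosses_boundary=True),
         Flow("HTTP query", ELEMENTS[2], "HTTP")]
THREATS = generate_threats(ELEMENTS, FLOWS)
```

Changing the database flow’s protocol to HTTPS in the constructed model drops its two cleartext threats, which is the kind of mitigation a real model would record in the threat properties rather than simply delete.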

Report Generation

‘Report’ > ‘Generate Report’

We can drill down to individual data flows to understand the generated threats and their corresponding STRIDE categories as is visible below.

Conclusion

This series was a very watered-down, high-level introduction to threat modeling. I would recommend trying out threat modeling with this tool and reading up on the following:

  1. https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

  2. https://shostack.org/books/threat-modeling-book
