Threat Modelling as Heist

Every heist movie has the same six specialists.

Cybersecurity also has six characters.
It’s called STRIDE.

STRIDE is a threat classification model developed at Microsoft and used as the backbone of its threat modelling process.

It gives you six questions to ask about any system before you build it, and before you trust it. Could someone fake an identity here? Could someone alter data here? Could someone deny having done something here? Could someone see something they shouldn't? Could someone break the system on purpose? Could someone grab more access than they were given?

Spoofing. Tampering. Repudiation. Information Disclosure. Denial of Service. Elevation of Privilege.

Six letters. Six ways to think like an attacker before you’re forced to think like an incident responder.

Imagine a heist crew casing your system instead of a museum.

The impersonator badges in wearing someone else’s identity. That’s spoofing.

The forger quietly replaces the real painting with a fake.
That’s tampering.
Data, files, logs, or software have been changed without permission.

The crew finishes the heist, and when questioned every one of them says,
“It wasn’t me.”
There are no reliable logs to prove otherwise, so nobody can be held to an action.
That’s repudiation.
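The tampering and repudiation scenes above share one defence: a record of events that an insider cannot quietly rewrite or thin out. The following example (added here, not part of the original post) shows a hash-chained audit log: each entry carries an HMAC over its own contents and the previous entry's MAC, so editing an entry or deleting one breaks the chain at that point. The events, actor names and key are constructed for the demonstration; in a real deployment the key lives in a KMS or HSM that the hosts writing the log cannot read.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key for this example only. Keep the real key away from the
# systems that write the log, otherwise a writer can forge a valid chain.
AUDIT_KEY = b"example-only-audit-key-replace-me"

# MAC of the imaginary entry before the first real one.
GENESIS = "0" * 64


def _entry_mac(prev_mac: str, entry: Dict) -> str:
    """HMAC-SHA256 over the previous MAC plus this entry's canonical JSON."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, prev_mac.encode() + canonical.encode(),
                    hashlib.sha256).hexdigest()


def append(log: List[Dict], actor: str, action: str, target: str) -> Dict:
    """Append an entry whose MAC chains to the entry before it."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action, "target": target}
    entry["mac"] = _entry_mac(prev, entry)
    log.append(entry)
    return entry


def verify(log: List[Dict]) -> int:
    """Return the index of the first bad entry, or -1 if the chain is intact.

    A changed field breaks that entry's MAC; a deleted or reordered entry
    shows up as a sequence-number gap and as a broken link to its predecessor.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:
            return i
        if not hmac.compare_digest(entry.get("mac", ""), _entry_mac(prev, body)):
            return i
        prev = entry["mac"]
    return -1


def demo():
    """Constructed heist-night log, then two attempts to deny what happened."""
    log: List[Dict] = []
    append(log, "cleaner", "badge_in", "service-door")
    append(log, "cleaner", "open", "vault")
    append(log, "cleaner", "badge_out", "service-door")

    # Tampering: blame the guard for opening the vault.
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "guard"

    # Repudiation by omission: drop the vault entry altogether.
    deleted = [dict(e) for e in log]
    del deleted[1]

    # Intact chain verifies; both rewrites are caught at entry 1.
    return verify(log), verify(tampered), verify(deleted)


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log has not been altered since it was written; if the attacker controls the writer and the key, they can fabricate a consistent history. That is why the key, or at least periodic chain heads, should be anchored somewhere the logging host cannot reach.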

The informant walks out with the blueprints. Someone has seen information they were never authorized to see. That’s information disclosure.

The muscle cuts the power and jams the exits so guards can’t respond in time. That’s denial of service. In cybersecurity, a DoS attacker overwhelms a server, network, or application so legitimate users cannot access it.

The inside man starts the night as the cleaner and ends it holding the vault key. An account with basic access has ended up with rights it was never granted. That’s elevation of privilege.

The CISSP exam does not test whether you can recite the STRIDE acronym. It tests whether you can frame the right question for each threat.

Watch all videos for CISSP Domain 1 for free as part of the CISSP As An Art course.
