DREAD Threat Modeling: An Introduction to Qualitative and Quantitative Risk Analysis
From small businesses to Fortune 500 companies, cyberattacks have become a dreaded reality which cannot be ignored, and any entity lacking a robust cybersecurity system is bound to pay the price of ignorance. Cybersecurity has come a long way in the past decade with a new threat intelligence model, paving the way for enhanced qualitative risk assessments.
One such cyber threat modeling methodology is DREAD. Developed by Microsoft, the DREAD model is even used by several militaries to protect sensitive information and infrastructure against cyberattacks.
What Is DREAD Threat Modeling?
DREAD cyber threat intelligence modeling creates a rating system for threats by assessing, analyzing, and creating risk probabilities. DREAD threat modeling allows an organization to ascertain the amount of damage done by an attack and create damage assessments for similar attacks in the future. Based on data points and information gathered, the organization can then create a rating system for threats and classify them under low, medium, and high-risk categories.
DREAD Breakdown
Though the word DREAD carries a fearful connotation, yet there’s a valid reason behind the coining of this term in the cybersecurity space. The key points of DREAD threat modelling are as below:
- “D” for Damage: Understanding the potential damage that a particular threat can cause to an organization’s IT infrastructure.
- “R” for Reproducibility: In layman’s terms, reproducibility gives an understanding of how easily the threat can be replicated by other hackers or cyber criminals.
- “E” for Exploitability: Analyse the system’s vulnerabilities to ascertain the ease of an attack.
- “A” for Affected Users: Ascertain how many users, the ones within and the ones outside, of a business (clients/customers) will be affected post-attack.
- “D” for Discoverability: The process of discovering the vulnerable points in the system infrastructure and the IT network of an organization.
The DREAD model helps to rate, compare, and prioritize the severity of threats by analyzing threats/risks in each category, ending with a final rating. Each category is given a rating between 0 to 10 and the average of these ratings determine the severity of risks.
Damage Potential
| Rating | Damage |
| 0 | No damage |
| 5 | Information disclosure |
| 8 | Individual/employer non-sensitive user data compromised |
| 9 | Administrative non-sensitive data compromised |
| 10 | Information system or data destruction or application unavailability |
Reproducible
| Rating | How easy is it to reproduce the attack? |
| 0 | Difficult or Impossible |
| 5 | Complex |
| 7.5 | Easy for authenticated user |
| 10 | Very easy through web browser, no authentication |
Exploitability
| Rating | What is required to exploit this threat? |
| 2.5 | Advanced programming and networking skills |
| 5 | Using available attack tools |
| 9 | A web application proxy tool |
| 10 | Web browser |
Affected Users
| Rating | How many users affected? |
| 0 | No users affected |
| 2.5 | Individual user |
| 6 | Few users |
| 8 | Administrative users |
| 10 | All users |
Discoverability
| Rating | How easy is it to discover the threat? |
| 0 | Very hard |
| 5 | Can figure it out by HTTP requests |
| 8 | Already in the public domain and can easily be discovered |
| 10 | Visible in the web browser address bar or in a form |
| Risk Rating | DREAD Score | Comments |
| Critical | 40-50 | Critical vulnerability, should be considered immediately for review and resolution |
| High | 25-39 | Severe vulnerability, should be considered for review and resolution within a short period of time |
| Medium | 11-24 | Moderate risk finding or vulnerabilities should be considered once severe and critical risks have been addressed |
| Low | 1-10 | Low risk and does not pose significant risk to the IT infrastructure |
Based on the needs you want to cater to, the DREAD methodology can be customized to perform the risk analysis.
To master the DREAD threat modeling methodology, you need to climb up the ladder of cybersecurity expertise and reach the level of a threat intelligence analyst. Threat modeling methodologies require a deep understanding of basic cybersecurity techniques and hence, a certified threat intelligence analyst program is the best threat intelligence course to enroll in.
EC-Council’s Certified Threat Intelligence Analyst (CTIA) is one of the most robust and informative threat intelligence training courses in the cybersecurity industry. Our threat intelligence training program has been developed using inputs from industry professionals and renowned threat intelligence experts, providing you with the evidence-based knowledge you need to progress in your career. Become the vanguard of your organization’s IT security with CTIA, today!
CTIA Video:
