Fatskills
Practice. Master. Repeat.
Study Guide: **Threat Types: A Practical Guide for Business & Security Professionals**
Source: https://www.fatskills.com/comptia-a-exam/chapter/threat-types-a-practical-guide-for-business-security-professionals

**Threat Types: A Practical Guide for Business & Security Professionals**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

Threat Types: A Practical Guide for Business & Security Professionals


What Is This?

Threat types categorize potential dangers to an organization’s assets—data, systems, people, or reputation. You use them to identify, prioritize, and mitigate risks before they cause harm.

Businesses, security teams, and IT professionals rely on threat types to build defenses, allocate resources, and respond effectively to incidents.


Why It Matters

Threats evolve constantly—cyberattacks, insider risks, natural disasters, and supply chain disruptions cost businesses $6 trillion globally in 2023 (Cybersecurity Ventures). Understanding threat types helps you: - Reduce financial losses (e.g., ransomware, fraud).
- Protect customer trust (e.g., data breaches).
- Comply with regulations (e.g., GDPR, HIPAA).
- Prioritize security investments (e.g., patching vs. employee training).

Without a clear threat model, you’re reacting to crises instead of preventing them.


Core Concepts


1. Threat vs. Risk vs. Vulnerability

  • Threat: A potential danger (e.g., a hacker, hurricane, or disgruntled employee).
  • Vulnerability: A weakness that a threat can exploit (e.g., unpatched software, weak passwords).
  • Risk: The likelihood a threat exploits a vulnerability and the impact if it does.

Example: - Threat: Phishing emails.
- Vulnerability: Employees clicking malicious links.
- Risk: High (if successful, leads to data breach).

2. Threat Actors (Who’s Behind the Threat?)

Actor Motivation Example
Cybercriminals Financial gain Ransomware, credit card theft
Hacktivists Political/social causes Defacing websites, DDoS attacks
Nation-States Espionage, disruption Stuxnet, SolarWinds hack
Insiders Revenge, profit, negligence Employee leaking data, misconfigured systems
Script Kiddies Bragging rights Using pre-made hacking tools

3. Threat Vectors (How Threats Get In)

The path a threat takes to exploit a vulnerability: - Email (phishing, malware attachments).
- Network (unsecured Wi-Fi, open ports).
- Physical (tailgating, stolen devices).
- Supply Chain (compromised third-party software).
- Social Engineering (tricking humans, e.g., fake support calls).

4. Threat Categories (What Can Go Wrong?)

Category Description Example
Cyber Digital attacks on systems/data Malware, SQL injection, DDoS
Physical Harm to people, facilities, or hardware Theft, fire, power outages
Human Errors, negligence, or malicious intent Misconfigured servers, insider leaks
Environmental Natural or man-made disasters Floods, earthquakes, chemical spills
Operational Disruptions to business processes Supply chain delays, IT outages


How Threat Modeling Works

Threat modeling is a structured way to identify and mitigate threats. Here’s how it works:


  1. Define the Scope
  2. What are you protecting? (e.g., customer data, a web app, a factory).
  3. What are the boundaries? (e.g., cloud servers, on-premises databases).

  4. Identify Assets & Data Flows

  5. List critical assets (e.g., PII, intellectual property).
  6. Map how data moves (e.g., user → web app → database).

  7. List Potential Threats

  8. Use a framework like STRIDE (see below) or PASTA (Process for Attack Simulation and Threat Analysis).
  9. Ask: Who would want to harm this? How?

  10. Prioritize Risks

  11. Score threats by likelihood (1–5) and impact (1–5).
  12. Focus on high-risk threats first.

  13. Mitigate & Validate

  14. Apply controls (e.g., encryption, MFA, backups).
  15. Test defenses (e.g., penetration testing, red teaming).

STRIDE Framework (Common Threat Categories)

Threat Definition Example Mitigation
Spoofing Pretending to be someone/something else Fake login page (phishing) MFA, certificate validation
Tampering Modifying data or code Altering a database record Digital signatures, hashing
Repudiation Denying an action took place User claims they didn’t send an email Audit logs, non-repudiation tech
Information Disclosure Exposing sensitive data Data breach (e.g., unencrypted files) Encryption, access controls
Denial of Service (DoS) Disrupting service availability DDoS attack on a website Rate limiting, cloud scaling
Elevation of Privilege Gaining unauthorized access Exploiting a zero-day to get admin Least privilege, patching


Hands-On: Building a Threat Model for a Web App


Prerequisites

  • Basic understanding of web apps (frontend, backend, database).
  • Familiarity with security concepts (e.g., authentication, encryption).

Step-by-Step Example

Scenario: A simple e-commerce site with: - User login (email/password).
- Product catalog.
- Payment processing (via third-party API).


1. Define the Scope

  • Assets: User data (emails, passwords), payment info, product database.
  • Boundaries: Web app (React + Node.js), database (PostgreSQL), third-party payment API.

2. Map Data Flows

graph LR
User -->|Login| WebApp
WebApp -->|Auth| Database
User -->|Browse| WebApp
WebApp -->|Fetch| Database
User -->|Checkout| WebApp
WebApp -->|Process| PaymentAPI

3. Identify Threats (Using STRIDE)

Component Threat Example Mitigation
Login Spoofing Credential stuffing attack MFA, rate limiting
Database Tampering SQL injection to alter prices Prepared statements, WAF
Payment API Information Disclosure Man-in-the-middle attack HTTPS, tokenization
Web App DoS Bot flooding the site Cloudflare, rate limiting

4. Prioritize Risks

Threat Likelihood (1–5) Impact (1–5) Risk Score (L × I) Priority
SQL Injection 4 5 20 High
Credential Stuffing 5 3 15 High
Payment API MITM 2 5 10 Medium

5. Mitigate & Validate

  • SQL Injection: Use an ORM (e.g., Sequelize) or prepared statements.
  • Credential Stuffing: Enforce MFA and password complexity.
  • Payment API MITM: Enforce HTTPS and validate API certificates.

Expected Outcome: - A documented threat model for the web app.
- A prioritized list of risks and mitigations.
- Actionable security improvements.


Common Pitfalls & Mistakes

  1. Ignoring Insider Threats
  2. Mistake: Focusing only on external hackers.
  3. Fix: Monitor employee access, enforce least privilege, and train staff on security policies.

  4. Overlooking Third-Party Risks

  5. Mistake: Assuming vendors/suppliers are secure.
  6. Fix: Audit third-party security (e.g., SOC 2 reports), use zero-trust principles.

  7. Static Threat Models

  8. Mistake: Creating a threat model once and never updating it.
  9. Fix: Review and update the model quarterly or after major changes (e.g., new features, mergers).

  10. Underestimating Human Error

  11. Mistake: Relying solely on technical controls.
  12. Fix: Train employees on phishing, social engineering, and secure coding.

  13. Prioritizing Low-Impact Threats

  14. Mistake: Fixing easy issues (e.g., weak passwords) while ignoring high-impact risks (e.g., unpatched servers).
  15. Fix: Use a risk matrix to prioritize threats by likelihood and impact.

Best Practices

  1. Adopt a Framework
  2. Use STRIDE, PASTA, or MITRE ATT&CK to structure your threat modeling.

  3. Automate Where Possible

  4. Tools like OWASP ZAP (for web apps) or Microsoft Threat Modeling Tool can identify common threats.

  5. Assume Breach

  6. Design systems with the mindset that some threats will succeed. Plan for detection and recovery (e.g., backups, incident response).

  7. Test Defenses

  8. Conduct penetration tests and red team exercises to validate mitigations.

  9. Document Everything

  10. Keep a living threat model (e.g., in Confluence or a Git repo) that’s updated with new threats and mitigations.

Tools & Frameworks

Tool/Framework Purpose When to Use
STRIDE Threat modeling for software Designing apps, APIs, or systems
MITRE ATT&CK Adversary tactics and techniques Red teaming, SOC operations
OWASP Top 10 Web application security risks Securing web apps
Microsoft Threat Modeling Tool Visual threat modeling Collaborative threat modeling
OWASP ZAP Automated web app security testing Finding vulnerabilities in web apps
Nessus Vulnerability scanning Identifying unpatched software
Splunk Log analysis and threat detection Monitoring for suspicious activity


Real-World Use Cases


1. Healthcare: Protecting Patient Data (HIPAA Compliance)

  • Threat: Ransomware encrypting patient records.
  • Mitigation:
  • Encrypt data at rest and in transit.
  • Implement immutable backups (cannot be deleted by attackers).
  • Train staff on phishing (common ransomware entry point).
  • Outcome: Reduced breach risk, compliance with HIPAA.

2. E-Commerce: Securing Payment Processing

  • Threat: Credit card skimming (e.g., Magecart attacks).
  • Mitigation:
  • Use tokenization (replace card numbers with tokens).
  • Deploy a Web Application Firewall (WAF) to block malicious scripts.
  • Monitor for unusual JavaScript changes (common in skimming).
  • Outcome: PCI DSS compliance, reduced fraud.

3. Manufacturing: Preventing Supply Chain Attacks

  • Threat: Compromised firmware in IoT devices (e.g., 2021 SolarWinds hack).
  • Mitigation:
  • Code signing for firmware updates.
  • Zero-trust network access (verify every device).
  • Vendor security audits (e.g., SOC 2 reports).
  • Outcome: Reduced risk of production halts due to cyberattacks.


Check Your Understanding (MCQs)


Question 1

A company’s database was breached because an employee reused a password from a previous leak. Which threat type does this represent?

A) Spoofing B) Tampering C) Information Disclosure D) Elevation of Privilege

Correct Answer: C) Information Disclosure Explanation: The breach exposed sensitive data (information disclosure). While the vulnerability was weak passwords, the threat was the exposure of data.
Why the Distractors Are Tempting: - A) Spoofing involves impersonation (e.g., phishing), not password reuse.
- B) Tampering involves modifying data, not stealing it.
- D) Elevation of privilege involves gaining higher access, not data exposure.


Question 2

A retail website experiences a DDoS attack, making it unavailable for 6 hours. Which STRIDE category does this fall under?

A) Denial of Service B) Tampering C) Repudiation D) Spoofing

Correct Answer: A) Denial of Service Explanation: A DDoS attack disrupts service availability, fitting the DoS category in STRIDE.
Why the Distractors Are Tempting: - B) Tampering involves altering data, not availability.
- C) Repudiation involves denying actions (e.g., claiming you didn’t send an email).
- D) Spoofing involves impersonation (e.g., fake login pages).


Question 3

A developer hardcodes API keys in a public GitHub repository. Which threat actor is most likely to exploit this?

A) Nation-State B) Script Kiddie C) Insider D) Hacktivist

Correct Answer: B) Script Kiddie Explanation: Script kiddies use automated tools to scan GitHub for exposed keys. While other actors could exploit it, script kiddies are the most likely due to low effort.
Why the Distractors Are Tempting: - A) Nation-states target high-value assets (e.g., government systems).
- C) Insiders have legitimate access (no need to scan GitHub).
- D) Hacktivists focus on ideological targets (e.g., defacing websites).


Learning Path


Beginner

  1. Understand Core Concepts
  2. Learn the difference between threats, vulnerabilities, and risks.
  3. Study STRIDE and MITRE ATT&CK basics.
  4. Hands-On Threat Modeling
  5. Practice modeling a simple app (e.g., a to-do list app).
  6. Use Microsoft Threat Modeling Tool (free).
  7. Explore Common Threats
  8. Research OWASP Top 10 (web app risks).
  9. Learn about phishing, ransomware, and DDoS.

Intermediate

  1. Advanced Threat Modeling
  2. Apply PASTA or TRIKE frameworks.
  3. Model a cloud-based system (e.g., AWS/Azure).
  4. Tool Proficiency
  5. Use OWASP ZAP for web app testing.
  6. Learn Nessus for vulnerability scanning.
  7. Incident Response
  8. Study NIST SP 800-61 (incident handling guide).
  9. Practice log analysis with Splunk or ELK Stack.

Advanced

  1. Red Teaming & Penetration Testing
  2. Learn Metasploit, Burp Suite, Cobalt Strike.
  3. Study adversary emulation (e.g., MITRE ATT&CK techniques).
  4. Threat Intelligence
  5. Use MISP or AlienVault OTX for threat feeds.
  6. Analyze APT groups (e.g., APT29, Lazarus).
  7. Automation & AI in Security
  8. Explore SOAR (Security Orchestration, Automation, and Response).
  9. Learn machine learning for anomaly detection.

Further Resources


Books

  • Threat Modeling: Designing for Security – Adam Shostack (the definitive guide).
  • The Web Application Hacker’s Handbook – Dafydd Stuttard, Marcus Pinto (for web app threats).
  • *Hacking


ADVERTISEMENT