When looking at threat models I came across STRIDE (from Microsoft) and then came across Mitre ATT&CK, they seem to be different - one is a threat model and the other is a threat intelligence methodology.
What's fuzzy to me is exactly what are the difference between these two categories. In other words, why can't someone threat model with Mitre ATT&CK?
What is the fundamentals that I'm missing?
MITRE ATT&CK describes the different stages of an attack, derived from the Cyber Kill Chain model, and then points out the main tasks of each stage. Finally, it describes a list of common TTP used for each task.
It is useful to establish indicators to catch an attacker at any of these stages, as it mostly describes an arsenal of techniques and the general flow of an attack.
What it doesn't capture so well is which vulnerabilities the attacker is going to exploit and the general attack categories. This is what STRIDE and other threat modeling techniques do, typically with a more system-centric approach.
From "Threat modeling: designing for security" by A. Shostack:
When you threat model, you usually use two types of models. There's a model of what you're building, and there's a model of the threats (what can go wrong).
Although STRIDE doesn't really model the system, it does provide some broad categories of attack, which are not tied to a specific stage nor to a specific version (like the detailed TTP described by ATT&CK).
Moreover, but this is more of a personal consideration of mine, generic threat modeling methodologies like STRIDE can be easily adapted to consider not only IT security, but information security as a whole.
Both ATT&CK and STRIDE are useful, but for slightly different purposes.
Let me add a little here to what @a-darwin says.
You absolutely can threat model with ATT&CK in the right circumstances.
If what you're trying to threat model is an operational system, composed of things like Windows desktops, ipads, LAMP stacks with databases and all the associated bits, then ATT&CK will give you useful insights into what an attacker will do and how to detect that attacker in your system.
STRIDE was developed looking at real vulnerabilities, and one of its strengths is that the model has lasted 20 years. Its longevity is made possible by it being far less specific than ATT&CK.
