Unleash the Power of Unified Threat Modeling with the Cyber Decision Diagram & ATT&CK Navigator Stack + Video



Introduction:

The convergence of IT, OT (Operational Technology), and AI-driven security threats demands a unified approach to risk assessment, yet teams often struggle to communicate complex attack paths and mitigations across engineering, security, and executive stakeholders. The Cyber Decision Diagram (CDD) from admeritia and the MITRE ATT&CK Navigator are two powerful, free tools that, when integrated, provide a visual, structured, and engineering-friendly methodology to model the worst-case event, map the most-likely attacker kill chain, and prioritize security measures—all from your browser.

Learning Objectives:

  • Master the 5-step workflow of the free, browser-based Cyber Decision Diagram (CDD) tool to visualize critical functions, worst-case events, and prioritized security controls.
  • Integrate the MITRE ATT&CK for ICS™ framework and traditional Kill Chain models into a unified, HTML-based threat modeling portal.
  • Run the ATT&CK Navigator locally using Docker and Node.js on Linux/Windows to create layers, map detection gaps, and drive threat-informed defense.

You Should Know:

  1. Mastering the Cyber Decision Diagram (CDD) — A 5-Step Browser-Native Workflow

A Cyber Decision Diagram (CDD) is a single-page visualization of one critical cybersecurity decision; the CDD tool is a free web application from admeritia that walks you through five structured steps to produce it. The tool runs entirely in your browser and keeps all data only in the browser's local storage; nothing is transmitted to an external server. The flip side is that the diagram lives only in that browser profile: anyone with access to the profile can read it, and clearing site data discards it, so save or export finished diagrams before you rely on them. The tool is the open-source, community-focused spin-off of admeritia's commercial Security Engineering Tool (SET).
How to Use the CDD Tool in 5 Steps:

  1. Identify the Worst-Case Event: Start by defining the absolute worst possible outcome for your organization (e.g., a toxic chemical release, production outage, or data breach).
  2. Define the Cyber Component: Pinpoint the specific cyber-physical component(s) where that worst-case event could manifest (e.g., the programmable logic controller (PLC) controlling a centrifuge).
  3. Model the Most-Impactful Function: Diagram the most critical function of that component (e.g., “maintain specified RPM within tolerance”).
  4. Draw the Most-Likely Attack Path: Map the most plausible sequence of adversarial actions needed to compromise the function, tagging each step with a MITRE ATT&CK tactic and technique and, if you use it, the matching Cyber Kill Chain stage (ATT&CK is a knowledge base of behaviors, not a kill chain itself). Draw the path you actually expect, not every path you can imagine; the diagram has to stay on one page.
  5. Mark the Most-Relevant Security Requirements: Overlay the top 5 priority security controls or risk-reduction measures directly onto the diagram.

The tool provides templates and examples for each step, so you never start from a blank page. You can access the free tool directly at https://cyber-decision-diagrams.com.

  2. Integrating ATT&CK for ICS™ and the Kill Chain into Your Threat Model

The MITRE ATT&CK for ICS (Industrial Control Systems) framework is a globally accessible knowledge base of adversary tactics and techniques specific to OT environments. It is complemented by the Lockheed Martin Cyber Kill Chain, which describes the adversary’s progression from reconnaissance to action on objectives.

To integrate these into your unified threat model, you must create a diagram that overlays an ATT&CK tactic (e.g., “Execution,” “Persistence,” “Lateral Movement”) onto each step of the attack path in your CDD. For example, if your CDD shows “Initial Access via spear-phishing to the IT-OT gateway,” you would map that node to the “Initial Access” tactic in the ATT&CK for ICS matrix. Simultaneously, align this step with the “Delivery” or “Exploitation” stage of the Lockheed Martin Kill Chain.

This hybrid model—let’s call it a cyberPHA/FMEA/ATT&CK/bowtie—allows a single assessment to identify the initiating threat, the central hazard (the “knot” of the bowtie), preventing barriers (left side), and mitigating controls (right side), all while tagging each element with an ATT&CK adversary behavior identifier.

  3. Step-by-Step: Deploy Your Own Unified Threat Modeling Portal (HTML + Diagrams)

You can build a standalone HTML portal that generates all three diagrams (CDD, ATT&CK/Kill Chain, Bowtie) for each of your assessments. The CDD supplies the threat side (the left half of the bowtie); the same logic is then extended to the right, mitigation half.
Step 1. Create the CDD for your function. Use the 5-step tool at `https://cyber-decision-diagrams.com`.
Step 2. Translate the CDD into a Bowtie Diagram. Map the identified “worst-case event” to the central “hazard” (the knot). Map the “attack path” steps to the threats on the left side. Map the “security requirements” to the prevention/detection barriers on the left and the mitigation/response barriers on the right.
Step 3. Layer in the Cyber Kill Chain. Annotate each threat (left side) and barrier with the relevant stage of the Kill Chain (e.g., Weaponization, Delivery).
Step 4. Build the HTML portal. Use a simple script to read your JSON or YAML assessment data to automatically generate the three diagrams in the report.
This approach ensures that every assessment, test, or study generates a unified set of diagrams for both the technical team and the board.
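The four steps above, as an added worked example that is not part of the original article and not code from admeritia or MITRE: a Python script that takes one assessment record (the constructed sample below, in a JSON-compatible shape of this example's own design) and writes a single HTML page holding the CDD, the bowtie and an ATT&CK tactic / Kill Chain table, which also covers the tactic-per-step overlay described in the previous section. The diagrams are emitted as Mermaid text; the page loads the Mermaid renderer from a CDN URL that is an assumption here, so self-host the script for an air-gapped portal.

```python
"""Added example: one assessment record rendered as CDD, bowtie and ATT&CK/Kill Chain table in a single HTML page."""
import html

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Constructed sample assessment (not a real site); the field names are this example's own schema.
SAMPLE = {
    "title": "Centrifuge speed control",
    "worst_case_event": "Centrifuge overspeed and mechanical failure",
    "component": "PLC controlling the centrifuge",
    "function": "Maintain specified RPM within tolerance",
    "attack_path": [
        {"step": "Spear-phishing to the IT-OT gateway", "tactic": "Initial Access", "kill_chain": "Delivery"},
        {"step": "Malware runs on the engineering workstation", "tactic": "Execution", "kill_chain": "Exploitation"},
        {"step": "Setpoint changed via PLC program download", "tactic": "Impair Process Control", "kill_chain": "Actions on Objectives"},
    ],
    "security_requirements": [  # CDD step 5: at most five, each placed left (prevent) or right (mitigate) of the knot
        {"name": "Attachment filtering at the gateway", "side": "prevent", "kill_chain": "Delivery"},
        {"name": "Application allowlisting on the workstation", "side": "prevent", "kill_chain": "Exploitation"},
        {"name": "PLC key switch in RUN, no remote downloads", "side": "prevent", "kill_chain": "Actions on Objectives"},
        {"name": "Mechanical overspeed trip", "side": "mitigate", "kill_chain": "Actions on Objectives"},
        {"name": "Operator alarm and manual shutdown", "side": "mitigate", "kill_chain": "Actions on Objectives"},
    ],
}
MERMAID_ESM = "https://cdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.esm.min.mjs"  # assumed CDN path; self-host offline

def validate(a):
    """Fail loudly on records that would render an empty or misleading diagram."""
    for key in ("worst_case_event", "component", "function", "attack_path", "security_requirements"):
        if not a.get(key):
            raise ValueError(f"assessment is missing '{key}'")
    if len(a["security_requirements"]) > 5:
        raise ValueError("CDD step 5 keeps only the top five security requirements")
    for item in a["attack_path"] + a["security_requirements"]:
        if item["kill_chain"] not in KILL_CHAIN:
            raise ValueError(f"unknown Kill Chain stage: {item['kill_chain']}")
        if item.get("side", "prevent") not in ("prevent", "mitigate"):
            raise ValueError(f"barrier side must be prevent or mitigate: {item['name']}")

def _label(text):
    # Mermaid labels are double-quoted; neutralise quotes so a label cannot break out of its node.
    return '"' + text.replace('"', "#quot;") + '"'

def cdd_mermaid(a):
    """CDD view: component, critical function, worst-case event, attack path and the requirements placed on it."""
    lines = ["flowchart LR"]
    for node, key, prefix in (("C", "component", "Component: "), ("F", "function", "Function: "), ("W", "worst_case_event", "Worst case: ")):
        lines.append(f"  {node}[{_label(prefix + a[key])}]")
    lines.append("  C --> F --> W")
    steps = a["attack_path"]
    for i, s in enumerate(steps):
        lines.append(f"  A{i}[{_label(s['step'])}]")
    lines.append("  " + " --> ".join(f"A{i}" for i in range(len(steps))) + " --> F")
    for j, r in enumerate(a["security_requirements"]):
        lines.append(f"  R{j}({_label(r['name'])})")
        for i, s in enumerate(steps):  # a requirement is drawn against the attack step at the same Kill Chain stage
            if s["kill_chain"] == r["kill_chain"]:
                lines.append(f"  R{j} -. {r['side']} .-> A{i}")
    return "\n".join(lines)

def bowtie_mermaid(a):
    """Bowtie view: threats and prevention barriers left of the knot, mitigation barriers to its right."""
    prevent = [r for r in a["security_requirements"] if r["side"] == "prevent"]
    mitigate = [r for r in a["security_requirements"] if r["side"] == "mitigate"]
    lines = ["flowchart LR", "  H{{" + _label(a["worst_case_event"]) + "}}", '  E["Consequences"]']
    for i, s in enumerate(a["attack_path"]):
        lines.append(f"  T{i}[{_label(s['step'] + ' (' + s['kill_chain'] + ')')}]")
        lines.append(f"  T{i} --> {'P0' if prevent else 'H'}")
    for tag, group in (("P", prevent), ("M", mitigate)):
        for j, r in enumerate(group):
            lines.append(f"  {tag}{j}[{_label(r['name'])}]")
    if prevent:
        lines.append("  " + " --> ".join(f"P{j}" for j in range(len(prevent))) + " --> H")
    lines.append("  H --> " + " --> ".join([f"M{j}" for j in range(len(mitigate))] + ["E"]))
    return "\n".join(lines)

def attack_table(a):
    """One row per attack step: ATT&CK tactic, Kill Chain stage and the barriers tagged to that stage."""
    head = "<tr><th>Attack step</th><th>ATT&amp;CK tactic</th><th>Kill Chain stage</th><th>Barriers at this stage</th></tr>"
    rows = []
    for s in a["attack_path"]:
        barriers = ", ".join(r["name"] for r in a["security_requirements"] if r["kill_chain"] == s["kill_chain"]) or "none"
        rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in (s["step"], s["tactic"], s["kill_chain"], barriers)) + "</tr>")
    return "<table>" + head + "".join(rows) + "</table>"

def render_html(a):
    """Single-page report; each diagram is a Mermaid <pre> that the browser renders on load."""
    validate(a)
    parts = [f"<h1>{html.escape(a.get('title', 'Assessment'))}</h1>"]
    for heading, diagram in (("Cyber Decision Diagram", cdd_mermaid(a)), ("Bowtie", bowtie_mermaid(a))):
        parts.append(f'<h2>{heading}</h2><pre class="mermaid">\n{html.escape(diagram)}\n</pre>')
    parts.append("<h2>ATT&amp;CK / Kill Chain mapping</h2>" + attack_table(a))
    script = f'<script type="module">import mermaid from "{MERMAID_ESM}"; mermaid.initialize({{startOnLoad: true}});</script>'
    return '<!doctype html><html><head><meta charset="utf-8"></head><body>' + "".join(parts) + script + "</body></html>"

if __name__ == "__main__":
    open("report.html", "w", encoding="utf-8").write(render_html(SAMPLE))
```

Running the script writes report.html for the sample; point `render_html` at a record loaded from your own JSON or YAML to drive it from assessment data. Validation rejects more than five requirements (CDD step 5), unknown Kill Chain stages and missing fields before anything is rendered, so a malformed record fails the build instead of producing a diagram that quietly omits a barrier. Labels are quoted and quote characters neutralised, and all text is HTML-escaped, so assessment text copied from tickets cannot inject Mermaid syntax or markup into the report.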

  4. Hands-On: Install the MITRE ATT&CK Navigator Locally (Linux + Windows)

The MITRE ATT&CK Navigator is a powerful web-based visualization tool used by SOC and blue teams to map their detection coverage against the entire ATT&CK matrix, identify gaps, and plan enhancements. Running it locally is often preferred to maintain the confidentiality of vulnerability and detection data.

Installing the ATT&CK Navigator Using Docker (Linux):

 1. Install Docker (the Navigator ships a single Dockerfile, so docker-compose is not needed)
sudo apt update
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER
docker --version
Membership in the docker group is equivalent to root on the host, so only add accounts you would give sudo to, and log out and back in for the new group to apply.

 2. Clone the repository
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator

 3. Build the Docker image
docker build -t attack-navigator .

 4. Run the container, bound to the loopback interface so your layer data stays on the host
docker run -d --name attack-navigator -p 127.0.0.1:4200:4200 attack-navigator

 5. Access the tool
Open a browser to http://localhost:4200. If colleagues need the instance, put a reverse proxy with authentication in front of it rather than publishing the port on every interface; the whole point of running locally is to keep detection-gap data confidential.

Installing the ATT&CK Navigator Using Node.js/Angular (Linux/Windows):

 1. Install Node.js (on Windows, download the installer from nodejs.org; on Debian/Ubuntu use the NodeSource repository). Read the setup script before piping it into a root shell, or use your distribution's own Node.js package instead.
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo bash -
sudo apt install -y nodejs
node --version

 2. Clone the repo
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app

 3. Install dependencies and run the dev server
npm install
npx ng serve
`npx ng` uses the Angular CLI version pinned in nav-app/package.json, so no global install is required. Do not run the dev server with sudo; it needs no privileges. Leave the host at its default (localhost) unless you deliberately want to expose it: `--host=0.0.0.0 --disable-host-check` publishes an unauthenticated service on every interface and switches off the host-header check that protects the dev server.

 4. Access it at http://localhost:4200

Once running, you can create and share layers to visualize your control coverage against real adversary techniques.

  5. Cloud Hardening: Using the CDD and ATT&CK for AWS/Azure Threat Modeling

You can extend the on-premises ICS methodology to the cloud. The threat modeling process is identical: define the worst-case event (e.g., an RDS database exfiltration), identify the component (the RDS instance), model the critical function (the `SELECT` query returning customer data), draw the attack path (e.g., exploiting a workstation with exposed IAM keys), and mark the security measures (e.g., enabling VPC Flow Logs, implementing GuardDuty).

To use the ATT&CK Navigator for cloud, create a layer on the Enterprise ATT&CK domain and filter the matrix to the cloud platforms (IaaS, SaaS and the identity and office platforms of the ATT&CK version your instance loads). Then search for techniques such as `T1530` ("Data from Cloud Storage", formerly "Data from Cloud Storage Object") or `T1078.004` ("Valid Accounts: Cloud Accounts", a sub-technique of `T1078`) and colour them by your detection status. The result is a heatmap of your cloud detection posture; it shows where detections exist, not whether they fire, so validate the green cells with purple-team exercises.
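An added example that is not the article's or MITRE's code, serving both the "create and share layers" step of the previous section and the cloud heatmap described here: a Python script that turns a list of technique IDs and detection statuses into a Navigator layer file you can import via Open Existing Layer. The coverage list is constructed, the layer keys follow Navigator layer format 4.5, and the platform filter names are those of ATT&CK v14; the version strings and platform names are assumptions to adjust to the version your Navigator instance loads.

```python
"""Added example: build an ATT&CK Navigator layer that colours techniques by detection status and lists the gaps."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # Txxxx or Txxxx.yyy; ICS IDs (T08xx) match as well
STATUS = {"none": (0, "#ff6666"), "partial": (50, "#ffe766"), "full": (100, "#8ec843")}  # status -> (score, colour)
CLOUD_PLATFORMS = ["IaaS", "SaaS", "Azure AD", "Office 365", "Google Workspace"]  # assumed: platform names as of ATT&CK v14

# Constructed sample coverage; the statuses and comments are illustrative, not a real assessment.
SAMPLE_COVERAGE = [
    {"id": "T1078.004", "status": "partial", "comment": "Anomalous console logins alerted; no baseline for API keys"},
    {"id": "T1530", "status": "none", "comment": "S3 data events not logged, so object reads are invisible"},
    {"id": "T1552.005", "status": "full", "comment": "IMDSv1 disabled fleet-wide; IMDS token misuse alerted"},
]

def build_layer(name, domain, coverage, attack_version="14", platforms=None):
    """Return a layer dict in Navigator layer format 4.5 (version strings are assumptions; adjust to your instance)."""
    if domain not in ("enterprise-attack", "ics-attack", "mobile-attack"):
        raise ValueError(f"unknown ATT&CK domain: {domain}")
    techniques, seen = [], set()
    for entry in coverage:
        tid, status = entry["id"], entry["status"]
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID: {tid}")
        if status not in STATUS:
            raise ValueError(f"unknown status for {tid}: {status}")
        if tid in seen:  # two rows for one technique would silently overwrite each other in the UI
            raise ValueError(f"duplicate entry for {tid}")
        seen.add(tid)
        score, colour = STATUS[status]
        techniques.append({"techniqueID": tid, "score": score, "color": colour,
                           "comment": entry.get("comment", ""), "enabled": True})
    layer = {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Detection coverage: red = none, yellow = partial, green = full",
        "techniques": techniques,
        "gradient": {"colors": [c for _, c in STATUS.values()], "minValue": 0, "maxValue": 100},
        "legendItems": [{"label": f"{s} detection", "color": c} for s, (_, c) in STATUS.items()],
        "showTacticRowBackground": True,
    }
    if platforms:
        layer["filters"] = {"platforms": platforms}  # restricts the rendered matrix to these platforms
    return layer

def coverage_gaps(layer):
    """Technique IDs with no detection at all: the list to hand to detection engineering."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t["score"] == 0)

def to_json(layer):
    return json.dumps(layer, indent=2)

if __name__ == "__main__":
    cloud = build_layer("Cloud detection coverage", "enterprise-attack", SAMPLE_COVERAGE, platforms=CLOUD_PLATFORMS)
    with open("cloud-coverage.layer.json", "w", encoding="utf-8") as fh:
        fh.write(to_json(cloud))
    print("detection gaps:", coverage_gaps(cloud))
```

Pass `domain="ics-attack"` with ICS technique IDs to produce the same heatmap for the OT half of the model. The script refuses malformed or duplicated technique IDs and unknown statuses up front, because the Navigator UI does not flag them and a duplicate row would otherwise decide the colour by file order. Treat the exported layer file as sensitive: it is a map of where you cannot see an attacker.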

What Undercode Say:

  • Visualization is the missing link. Engineers, pentesters, and risk managers often speak different languages. Unified diagrams like the CDD combined with ATT&CK layers create a single source of truth.
  • Open-source tooling is catching up to commercial solutions. The free CDD tool and ATT&CK Navigator now provide enterprise-grade workflows without licensing costs, making structured threat modeling accessible to all.
  • The future is an integrated security engineering platform. Expect to see a new class of tools that automatically generate cyberPHA diagrams, kill chain maps, and ATT&CK heatmaps in real time, directly from your infrastructure logs.

Prediction:

The next major evolution in the cybersecurity industry will be the consolidation of dozens of specialist tools (risk assessment, threat modeling, incident response) into what are essentially integrated “Security Engineering Suites.” We predict that within 24-36 months, commercial SIEMs, SOAR platforms, and EDRs will embed native versions of CDD-like visual decision graphs and live ATT&CK Navigator layers. This shift will force security product companies and open-source communities alike to converge on a standard, visual, engineering-first language for risk assessment, fundamentally changing how enterprises and critical infrastructure operators plan, test, and communicate their defensive posture.


Reported By: Isiah Jones – Hackers Feeds