A threat model, or ”threat risk model”, is a process that reviews the security of any web-based system, identifies problem areas, and determines the risk associated with each area. There are five steps in the process:
- Identify Security Objectives – determines the overall goals the organization has regarding its security.
- Survey the System – determines the components of the system, the routes through which data travels, and trust boundaries
- Decompose the System – determines the components of the system that have an effect on security, like the login module.
- Identify Threats – enumerates any potential outside threats that the system has. This generally focuses on those that are known.
- Identify Vulnerabilities – This looks at the identified threats and determines if the system is weak in these areas.
What is STRIDE Threat Modeling?
STRIDE threat modeling is an important tool in a security expert’s arsenal. Threat modeling provides security teams with a practical framework for dealing with a threat.
STRIDE is an acronym for six threat categories: Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of service and Elevation of privileges. Two Microsoft engineers, Loren Kohnfelder and Praerit Garg, developed STRIDE in the late 1990s.
Spoofing is another way of saying ‘impersonating’. In a spoofing attack, the attacker impersonates another person or system without any intimation, violating authentication. Your average spoofing attack uses the weaker authentication markers like passwords that are easy to guess (date of birth, surname, username etc) or simple 4-digit passwords.
While spoofing a process, the attacker builds dependency by creating a fake file. While spoofing a machine, attackers use ARP spoofing, DNS spoofing, IP spoofing or DNS compromise.
Tampering is when the attacker modifies something on memory, disk, or network. This is a violation of integrity. Only authorised users should be allowed access to restricted data or information meant for a select organisation or individuals. If there is data that is restricted, it is for a purpose, whether it’s confidentiality or something else. Any unauthorised access can make modifications to the data or steal from it, which can have serious consequences for the entire organisation.
Repudiation means denying an idea or proposal, claiming you weren’t involved in an illegal deal, which makes it impossible to link an action back to you. Attackers always want to remain hidden, so they hide their wrongdoings discreetly to avoid being caught.
They may claim that they didn’t do what they are being accused of. They may claim to be victims of fraud or even modify or add to the data that runs through the network to confuse security.
This means revealing information that was meant to be hidden, which violates confidentiality. This is one of the main reasons for data breaches. Hackers tend to do one or more of the following:
- Taking advantage of bad database permissions
- Access files protected by obscurity
- Swap files or retrieve data from temp files
- Locate crypto keys on file or memory
- Access or boot devices in a new OS
Denial of Service (DoS)
All organisations have dedicated systems that perform dedicated functions. For example a terminal at a bank. Perpetrators prevent authorised users from entering their system, which violates availability. This stops the business’ operations and disrupts workflow and is used to blackmail the organisation or get them to pay money in exchange for normalisation of the workflow.
DoS is carried out against a process, or store or data flow. The attacker ends up exhausting the system resources by slowing down the system or using all existing ‘Enter Password’ attempts.
Elevation of Privilege
By allowing an unauthorised person within or outside a network access to a restricted file or virtual location, hackers carry out an elevation of privilege. This is a violation of authorisation. Attackers spoof users with more access than they should have, authorising them to take risky or harmful actions
Teams can use the STRIDE threat model to spot threats during the design phase of an app or system. The first step helps find potential threats using a proactive process. The design of the system forms the basis for spotting threats. The next steps include finding the risks inherent in the way the system has been implemented, and then taking actions to close gaps.
STRIDE aims to ensure an app or system fulfills the CIA triad (confidentiality, integrity and availability). Its designers created it to ensure that Windows software developers considered threats during the design phase. Construct this model in parallel, including a breakdown of processes, data stores, data flows and trust boundaries. Using STRIDE, develop defenses for each threat.
Using STRIDE in the Cloud
STRIDE threat modeling can also be used to counter emerging threats to cloud computing, which is becoming common in corporate America. Cloud computing has quite different needs than those of on-premises computing. By nature, it opens the system up to risks and threats that may not have an on-premises counterpart. These need to be assessed to avoid attacks.
To deal with these threats, use the STRIDE threat model to spot and apply fixes. It helps uncover monitoring, logging, and alerting needs. Using STRIDE, develop defenses for each threat: authentication, data protection, confirmation, confidentiality, availability, and authorization. Then, rank the emerging threats according to damage, reproducibility, exploitability, affected users and discoverability.
STRIDE threat model can be used to find and repair threats to IoT devices, which are now widely deployed in companies. Threat modeling helps teams to study the threats IoT devices face, to avoid opening it up to bugs and to find openings already in existing systems.
STRIDE threat modeling offers a way to organize the many possible threats facing enterprise today. It helps experts better prepare for future and emerging threats and enables security teams to respond better to a changing world of threats.