As you can see in the previous post, the “know yourself” side of the Threat Modeling process is extensive and covers all but one of the steps. While some may be tempted to deal only in knowing the adversary, you must have a firm grasp of your organization’s own policies, capabilities, and design to model most effectively. These efforts also feed related activities, such as project planning and roadmap development, business strategy, risk management, and procurement & staffing. Several externally focused frameworks and methodologies map adversary behaviors and their impacts to the environment, and you should select the ones that complement the skills and capabilities of your organization. Each offers different areas of focus, fidelity, and processes that can be adapted to your organization’s needs.

By focusing your security efforts on the most critical threats, you can allocate resources more effectively, ensuring that you address the most significant risks first. You and your teammates are likely using guidance from organizations like NIST, CISA, GCHQ, CIS, and others to develop and operate more secure architectures. Under the hood of many of those approaches, there are some building blocks worth familiarizing yourself with. Let’s look at what they entail and how we might select the right one for our needs.


STRIDE/DREAD

Microsoft published STRIDE/DREAD to offer a consistent process for both defining the threats to an organization and then evaluating the risks associated with each threat. The STRIDE approach focuses on identifying threats based on the categories of Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE), and assessing their potential impact using the DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) model. While these models seem to focus on the threats, they are really there to help you and your teammates decide what to be most worried about internally and what threats would result. The table below breaks down the elements of STRIDE.

| Threat Type | Description |
| --- | --- |
| Spoofing | Involves illegally accessing and then using another user’s authentication information, such as username and password |
| Tampering | Involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet |
| Repudiation | Associated with users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Non-Repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package |
| Information Disclosure | Involves the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers |
| Denial of Service | Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability |
| Elevation of Privilege | An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed |

Microsoft’s STRIDE Threat Modeling Approach

STRIDE is often used during the design and development phase of a software project to identify potential security threats and take proactive measures to mitigate them.

DREAD

Once you know what the threats are, you may want to understand how much they impact your environment. Microsoft also coined the DREAD acronym to help assess and prioritize security risks associated with specific vulnerabilities. While STRIDE might explain the type of threat, DREAD helps explain the importance of addressing it to the target environment. DREAD breaks risk down into the 5 factors shown in the table below:

| Category | Description |
| --- | --- |
| Damage (Potential) | How bad is it when this threat impacts your environment? Keep in mind, the same initial symptom can present itself for two very different threats, so consider the total implications, not just single symptoms. |
| Reproducibility | How reliable is the attack for the adversary to leverage? Is it finicky, or does it work every single time it is executed? This assumes that the exploit is being used properly and the vulnerability exists. |
| Exploitability | How hard is it to properly exploit the vulnerability and use that attack? If it is so easy that your adversary can script it and walk away with confidence in the outcome, that is bad. If, however, they need to put in considerable effort, customization, or rely on other complex stages in the operation to make it work within your environment, that is a win! |
| Affected Users | Assuming the attack is successful, who is impacted? How many users or systems could be affected by the vulnerability? Higher is usually worse, but you may consider grouping of assets and users based on their role or place in the network. You should also consider the users and their place in the value stream. Guest users in a coffee shop might be a small consideration, but what about guest users in a hotel? That could be disastrous to the host. |
| Discoverability | How easy is it for an attacker to discover that the vulnerability is in place? Some valid security countermeasures may include controls to segment a vulnerable system from attacker-accessible portions of the environment. |

Microsoft’s DREAD Risk Assessment Approach

DREAD scores are typically assigned on a scale of 0 to 10 for each of these factors, with higher scores indicating a higher level of risk. Using this method, organizations can prioritize which security issues to address first. Even better, if your organization already has a working risk management program, leveraging that process to better integrate cyber risks with your other risks improves awareness and helps condition your leadership to understand that cyber risk is shared by the organization, not just the domain of the Information Security department or SOC.
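
The scoring and prioritization described above can be kept in a small threat register. The following is an added example, not code from the original post or from Microsoft: it tags each threat with its STRIDE category, enforces the 0 to 10 scale, and ranks the entries. The threat entries are constructed, and combining the five factors as an unweighted average (with ties broken by Damage) is an assumption, since the post does not say how to combine them.

```python
from dataclasses import dataclass
from enum import Enum

class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION_OF_PRIVILEGE = "Elevation of Privilege"

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    stride: Stride
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything off the 0-10 scale so one bad entry cannot skew the ranking.
        for f in FACTORS:
            v = getattr(self, f)
            if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= 10:
                raise ValueError(f"{self.name}: {f} must be an integer 0-10, got {v!r}")

    @property
    def score(self) -> float:
        # Assumption: unweighted mean of the five DREAD factors.
        return sum(getattr(self, f) for f in FACTORS) / len(FACTORS)

def prioritize(threats):
    # Highest score first; ties go to the higher Damage, then name, for a stable order.
    return sorted(threats, key=lambda t: (-t.score, -t.damage, t.name))

# Constructed sample register (illustrative values only).
REGISTER = [
    Threat("Guest Wi-Fi traffic readable by other guests", Stride.INFORMATION_DISCLOSURE, 6, 8, 7, 9, 8),
    Threat("Stolen admin password reused on VPN", Stride.SPOOFING, 9, 7, 6, 5, 4),
    Threat("Audit log editable by app account", Stride.REPUDIATION, 5, 9, 4, 3, 3),
    Threat("Unauthenticated flood of login API", Stride.DENIAL_OF_SERVICE, 4, 9, 8, 9, 8),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(f"{t.score:4.1f}  {t.stride.value:<24} {t.name}")
```

Note that the highest-Damage entry does not rank first here: the two threats that reach many users and are easy to find both outscore it, which is the kind of result worth discussing with the risk owners before accepting the ordering.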

Next up, we’ll take a look at Attack Trees and Data Flow Diagrams!