Threat modeling is the security process by which we identify, categorize, and analyze threats. It can be used at the design phase, before a single line of code is written, to identify the remaining gaps and address them. Threat modeling aims to reduce risk by putting proper security controls in place wherever we anticipate potential security threats.
A threat model includes:
- A design (diagram) of the system; the more detail, the better it is for threat modeling.
- A methodology that includes a list of assumptions that can be checked. Some of the popular methodologies are STRIDE, PASTA, Trike, and VAST.
- A list of threats and controls for mitigation.
- A way to validate the model and threats, and to verify the success of the actions taken.
In this article, we will take a look at one of the popular threat modeling methodologies, known as STRIDE. Praerit Garg and Loren Kohnfelder developed STRIDE at Microsoft in 1999.
STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each STRIDE threat works against a corresponding security property: Authentication, Integrity, Non-repudiation, Confidentiality, Availability, and Authorization, respectively.
For example, an adversary can spoof a user by stealing their credentials or by capturing authentication tokens in a man-in-the-middle attack. The STRIDE methodology can be used to enumerate such potential threats, which can then be discussed with the team performing threat modeling. Security controls can be implemented for the threats, or the security controls already in place can be tested.
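The enumeration step can be made mechanical once the system diagram is written down as data. The following is an added example, not code from the original article: it walks a small diagram, lists the STRIDE categories to consider for each element together with the property each one violates, and reports the threats that still have no control. The per-element chart (STRIDE-per-element) goes beyond what the article states, and the sample system, control list, and all names are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE category -> security property it violates (pairing from the article).
PROPERTY = {
    "Spoofing": "Authentication", "Tampering": "Integrity",
    "Repudiation": "Non-repudiation", "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability", "Elevation of Privilege": "Authorization",
}
# Assumption (not in the article): the common STRIDE-per-element chart, which
# narrows the categories considered for each kind of diagram element.
APPLICABLE = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(PROPERTY),
    "data_store": ["Tampering", "Repudiation", "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str     # a key of APPLICABLE
    zones: tuple  # trust zone(s): (zone,) or, for a flow, (source, destination)

def enumerate_threats(elements):
    """One row per (element, applicable category); boundary-crossing flows are flagged."""
    rows = []
    for e in elements:
        crossing = e.kind == "data_flow" and e.zones[0] != e.zones[-1]
        for threat in APPLICABLE[e.kind]:
            rows.append({"element": e.name, "threat": threat,
                         "property": PROPERTY[threat], "review_first": crossing})
    return rows

def unmitigated(rows, controls):
    """Rows with no control recorded: the gaps the model still has to close."""
    return [r for r in rows if (r["element"], r["threat"]) not in controls]

# Constructed sample system and control list (hypothetical names).
MODEL = [
    Element("browser user", "external_entity", ("internet",)),
    Element("login request", "data_flow", ("internet", "dmz")),
    Element("admin console", "process", ("dmz",)),
    Element("user database", "data_store", ("internal",)),
]
CONTROLS = {
    ("browser user", "Spoofing"): "multi-factor authentication",
    ("login request", "Tampering"): "TLS",
    ("login request", "Information Disclosure"): "TLS",
}
```

Calling `unmitigated(enumerate_threats(MODEL), CONTROLS)` returns the rows the team still has to discuss; rows with `review_first` set belong to flows that cross a trust boundary.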
Spoofing is a mechanism by which an entity can appear to be something other than itself. The entity can be a system, process, or user. For example, when a web application admin console receives an authentication request that appears to come from the system owner but uses stolen credentials, the adversary is spoofing the owner's identity.
Another example is spoofing a machine: the adversary performs a DNS poisoning attack and changes the DNS records to point to a machine they control. A request that is supposed to go to the authentic domain might then be sent to an inauthentic one.
Tampering is modifying something, such as a file on disk, code in memory, or a parameter in a web application request.
For example, an adversary might change an important document on your system. Adversaries can change anything on the system that they have access to. Network packets are another example: an adversary in your network can modify them through a man-in-the-middle attack.
Repudiation is the user's ability to reject or deny the claims against them for performing something they did. These threats exist because the system or application is unable to log properly. They can also arise from tampering with the logs.
For example, a database system has shared credentials that multiple users use. Assume that user-1 deleted a part of your database. Because multiple users share the credentials, user-1 can deny having done so. This is repudiation of the action, and it is possible even with proper logging.
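One control against both causes named above (unattributable actions and tampered logs) is an audit log that records the individual account behind each action and chains the entries with a keyed hash, so any edit or removal in the middle of the log is detectable. This is an added example, not part of the original article; it assumes every user authenticates with their own account and that the key is held by a separate log service. The key, field names, and sample entries are constructed.

```python
import hashlib
import hmac
import json

# Assumption: the key is held by a separate log service, not by the database users.
KEY = b"constructed-demo-key"
FIELDS = ("seq", "user", "action")

def entry_mac(prev_mac, record):
    """HMAC over the previous entry's MAC plus this record, chaining the entries."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append_entry(log, user, action):
    """Record an action under the individual account that performed it."""
    prev = log[-1]["mac"] if log else "genesis"
    record = {"seq": len(log), "user": user, "action": action}
    log.append({**record, "mac": entry_mac(prev, record)})

def verify_chain(log):
    """Return the index of the first altered or missing entry, or None if intact."""
    prev = "genesis"
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        expected = entry_mac(prev, record)
        if entry["seq"] != i or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    # Removing entries from the tail is only detectable if the latest MAC is
    # also kept somewhere the log's writer cannot change.
    return None

def sample_log():
    """Constructed sample: three users, each with an individual account."""
    log = []
    append_entry(log, "user-1", "DELETE FROM orders WHERE id < 100")
    append_entry(log, "user-2", "SELECT * FROM orders")
    append_entry(log, "user-3", "UPDATE orders SET status = 'shipped'")
    return log
```

With a shared credential the `user` field would be the same for everyone, which is why the chain alone does not close the repudiation gap described in the example above.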
Information Disclosure Threats:
Information disclosure is about allowing unauthorized people to see private, confidential, or controlled information. This can be any information such as proprietary business-related information, private data of the client or customer, or some employees' private information. Sometimes it can also be the information related to the system in the form of error messages.
Information disclosure can take place due to improper implementation of the system. Developers love to write clean code, but they might leave in error messages that carry too much information.
For example, suppose you are browsing the internet and come across a blog. While posting on the blog, you get an error message related to the database, which might reveal some information about the database's schema.
Another example is information disclosure from a process. A process might give away details about memory addresses or leak a database connection string or a password.
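The blog error message described above, shown as a weak handler beside a hardened one. This is an added example, not code from the original article; the schema, function names, and the failing query are constructed so that the database really does raise an error naming a table and a column.

```python
import logging
import sqlite3
import uuid

logger = logging.getLogger("blog")

def open_db():
    """Constructed in-memory schema standing in for the blog's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blog_posts (id INTEGER PRIMARY KEY, author_email TEXT, body TEXT)")
    return db

# The INSERT names a column the table lacks, so every call raises a database error.
INSERT = "INSERT INTO blog_posts (author_email, body, rating) VALUES (?, ?, ?)"

def post_verbose(db, body):
    """Weak: the raw database error, including schema names, goes to the client."""
    try:
        db.execute(INSERT, ("reader@example.test", body, 5))
        return 200, "posted"
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}"

def post_hardened(db, body):
    """Hardened: detail is logged server-side; the client gets a generic message
    and a reference id that support staff can match to the log entry."""
    try:
        db.execute(INSERT, ("reader@example.test", body, 5))
        return 200, "posted"
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:8]
        logger.exception("post failed, ref=%s", ref)
        return 500, f"Something went wrong. Reference: {ref}"
```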
Denial of Service
Denial of service threats make the system or resources unavailable to legitimate users. The impact of denial of service attacks can be devastating. This kind of threat has the potential to use up all the available resources by generating a huge number of requests to the system. While the system tries to serve these requests, legitimate users cannot get a response from it.
For example, a botnet sends a huge number of requests to a web server, and legitimate users are unable to access that web server. In this kind of case, cloud service providers can help by providing additional resources.
Elevation of Privilege
Elevation of privilege occurs when a normal user or application account with lower privileges accesses something that requires higher privileges. This can happen through credential theft, by exploiting certain system vulnerabilities, or because of improper authorization controls.
For example, you are a normal user on a social media platform where you can only read others' posts. Due to certain vulnerabilities in the system's access control, you can also change posts by others. Initially you had only read permission, and now you have write permission as well. This is an elevation of privilege.
STRIDE is generally used to perform threat modeling on applications, but it can also be used for networks and hosts. In other cases, the attacks can be more related to networks or hosts.
- Threat Modeling by Adam Shostack