A Case for Threat Modeling
Imagine a bright engineering team working on a new product. As the product release date arrives, marketing announces the birth of this new addition to the portfolio. A companywide celebration erupts on a bright Friday afternoon with cheers and clapping all around. The team heads home looking forward to a pleasant weekend expecting positive reviews from customers the following week.
Unfortunately, later that night the product is made unavailable by a Distributed Denial of Service (DDoS) attack from an unidentified source. Alerts go off, developers and members of the Security Incident Response team are paged, and all scramble to solve the problem. A week later not a single customer has been able to use the new product and the team identifies a vulnerability known as a “Slow Read DoS”, which is attacking a portion of their product. While the team had built an excellent product, they’d neglected the possibility of malicious activity affecting its availability. How can such a scenario be handled better in the future? Enter threat modeling.
What is Threat Modeling?
Threat modeling is an approach that intelligently analyzes and identifies security threats associated with a system. Many types of threat modeling approaches exist and they typically fall into at least one of three categories: attacker viewpoint, asset viewpoint or system viewpoint.
Framing the threat from the mindset of the perceived attacker is an approach that attempts to assess the goals of an adversary and how they might be achieved. In this approach, motivations and intentions are determined from the perceived threat and then addressed. An attacker’s motivations are often considered such as, “ISIS wants to deface our website,” or, “An angry marketer wants to deface a competing campaign’s results.”
This means identifying the elements in a system that have a value and risk associated with them, and how that value and risk may be exploited. For example, a collection of sensitive data attributed to an individual. The asset viewpoint is concerned with how this asset is to be collected, in transit, stored, or consumed.
Establishing a system structure first, then identifying relevant attack vectors on the macro and micro levels of interaction between subsystems, is an approach that attempts to identify vulnerable portions against each element of the system. STRIDE is an example of this type of threat modeling.
What is STRIDE?
STRIDE is an acronym for a threat modeling system that originated at Microsoft. STRIDE is also a mnemonic tool for security threats and consists of six different categories:
A spoofing attack refers to a situation where a person or system can successfully misrepresent itself in a way that fools a target into interacting with it as the misrepresented system. Spoofing comes in many forms. In the context of network security, ARP and BGP spoofing plague the Internet as formidable Man In The Middle (MITM) attacks. In the context of an application, falsifying credentials or brute forcing login information are forms of spoofing.
The tampering of data into exploitable forms can take many shapes. In the case of endpoints and web applications, cross site scripting (XSS) and SQL injection are wide spread attack scenarios in the modern age. All forms of tampering attacks attempt to modify trusted data toward some malicious aim.
Repudiation is the denial of the truth of something. Repudiation attacks are related to the presence (or absence) of logged activities, including if that log can be tampered with in some way, such that one can claim “I did not do that.”
In terms of a data breach and access to private information, information disclosure relates to methods and processes that reveal ‘too much’ information about a system and the data it operates on to another system or individual unauthorized to use it.
Denial of service (DoS)
Denial of service refers to service interruptions for a host or system connected to the Internet. Denial of service attacks are continually increasing in breadth and complexity. This is perhaps the most prevalent attack found on the Internet.
Elevation of privilege
Elevation of privilege is the act of exploiting a flaw in a system that gives someone more rights than intended. It provides/allows deeper access into the system thus exposing services and data.
Security Properties versus STRIDE
Each element of STRIDE relates to a corresponding security property which mitigates that particular threat.
Authentication vs. Spoofing
Establishing the verifiable identity of valid users or services is essential in thwarting spoofing attacks. Systems that allow anonymous users must accept a quantifiable risk of spoofing.
Integrity vs. Tampering
Maintaining and ensuring the consistency of data including the methods that operate on, analyze and visualize it, works toward thwarting the threat of tampering.
Confirmation vs. Repudiation
Ensuring that an action taken against an application or system is securely logged and attributed to an identifiable entity or process is the essence of defending against repudiation scenarios.
Confidentiality vs. Information Disclosure
Enforcing a set of rules that restrict access to systems, information and meta information about those systems, is critical in preventing information leaks.
Availability vs. Denial of Service
Providing consistent access to information and resources attributed to a specified service by leveraging various levels of redundancy, fallback scenarios and adaptive systems, provides protection from DoS.
Authorization vs. Elevation of Privilege
Limiting access to resources, services and actions in a way that scopes possible exploitation and exploration, is key in defending against elevated privilege at the most fundamental level.
The CIA triad
Not to be confused with the U.S Central Intelligence Agency, the CIA triad represents Confidentiality, Integrity and Availability. It is a model designed to guide information security policy. In regards to STRIDE, it identifies the most important aspects which to address during the threat modeling exercise.
An example of modeling with STRIDE
STRIDE can be introduced into the development process as part of architectural discussions involving the system to be threat modeled. What I have often found works well is to first approach the project team with a question as to the overall structure of their system in development. This usually takes the form of data flow diagrams, linking user to application to service. After this initial discussion is complete, the security engineer will take this information and apply STRIDE in the overview of various components of interest in the system. The highest risk components that relate to the CIA triad (Tampering, Information Disclosure and Denial of Service) are then identified. In my experience with Web Applications, it is less often that spoofing and elevation of privilege come into concern as they will share a common architecture across an enterprise’s services and are fundamentally updated less frequently. After the threat model has been produced another informal meeting with the project team is requested. Then the security engineer will recreate the architectural diagram and point out any areas of concern. In this question/answer phase, the team learns about how security relates to their system and which appropriate security controls that should be added to mitigate the issues.
Why I like STRIDE
I use STRIDE as an approach to methodically identify security issues potentially present in a system. When using STRIDE I will first say to myself “Ok, how can I spoof aspects of this system?” Next, I’ll exhaust all spoofing possibilities I can think of in order to exploit the system. I write down, categorize and then rank the discovered threats by likelihood and severity. Then, I move onto tampering and repeat the exercise. I continue this process with every letter in the STRIDE acronym. When I have finished, the system has a threat model that can be reflected back to the team. Over time, as the development team observes this process of interactions with the security team, major security issues are addressed both more quickly and more comprehensively. In my opinion, STRIDE helps make communication significantly easier between an engineering team and a security team.
If you’re interested in learning more about our recent security investments, check out our latest blog, Ensure Customer Data Security with Webtrends Infinity™ and End-to-End Encryption.
If you have any questions for me, drop me a line in the comments section.