As part of my threat modelling lecture, on 4th February, I covered the basics of STRIDE. STRIDE is a mnemonic – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Microsoft’s STRIDE is a well-known and mature technique used by security professionals to elicit information security threats of real-world systems.

The properties of STRIDE are as follows:

• Spoofing Identity: Spoofing threats allow an attacker to pose as some other process or somebody else. Example, a user can pretend to be Steve Jobs, or a server can pretend to be Amazon.com, or even code posing as msvcrt.dll. This is a threat to authentication.
• Tampering: Tampering threats involve unauthorised modification of data or code. The resource being manipulated could be both in storage or being transmitted. This is a threat to integrity.
• Repudiation: An attacker makes a repudiation threat by denying to have performed an action that other parties can neither confirm nor contradict. Example, a user may claim that he has not received the goods that he purchased while in fact he did receive them. Naturally, this violates the repudiation property of a system.
• Information Disclosure: Information disclosure threats involve the exposure of information, typically of a sensitive or personal nature, to individuals who are not supposed to have access to it. Examples of this threat type include a user’s ability to read a file, e.g., payroll information sent to HR, that he was not granted read access to. This is a threat to confidentiality.
• Denial of Service: Denial-of-service (DoS) attacks deny or degrade service to valid users. Typically, this makes a Web server or a device (e.g., battery-operated device) temporarily unavailable or unusable, but it can also be of a permanent nature (e.g., if attacking an ICS or SCADA system). This is a threat to availability.
• Elevation of Privilege: Elevation-of-privilege (EoP) threats often occur when a user gains increased capability. For instance, a non-privileged user  taking advantage of a coding flaw to gain administrator or root capabilities. This threat type violates the authorisation goal of a system.

STRIDE provides a very effective way for identifying threats but before it can be used effectively one needs to be familiar with system modelling techniques. This is needed to provide a working model of the system being analysed. Here, Data Flow Diagrams (DFDs) come to the rescue. DFDs provide a visual notation of a system enabling an analyst to depict processes, storage, data flows, external entities, and as well trust boundaries. Once you get the system model right, it is relatively easy to identify threats with STRIDE.

Feel free to contact me for more insights on this or related topics.