threat modelling

Threat Modeling: Some of the Best Methods

/ bugejajoseph / Leave a comment

Threat modeling methods are a set of general principles and practices for identifying cyber threats to computer systems and software. These methods can be applied during the design phase of new systems or when assessing existing security controls against new threats. There are several threat modeling methodologies in use today, ranging from informal processes to formalized models that can be captured within software tools. A summary of some of the most popular threat modeling methods is provided below:

• Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege (STRIDE) 

• Process for Attack Simulation and Threat Analysis (PASTA)

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

• Trike

• Visual, Agile, and Simple Threat modeling (VAST)

• Common Vulnerability Scoring System (CVSS)

• Attack Trees 

• Persona non grata (PnG) 

• Security Cards 

• Hybrid Threat Modelling Method (hTMM)

• Quantitative Threat Modelling Method (QTMM)

• Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance (LINDDUN)

All of the above methods are designed to detect potential threats, except for CVSS. The number and types of threats will vary considerably between the different methods, as well as the quality and consistency of the methods. Which one is your favorite threat modeling method? Are you interested in using some of the methods above for your company or research project?

Using STRIDE to Uncover Threats in an Information System

/ bugejajoseph / Leave a comment

As part of my threat modelling lecture, on 4th February, I covered the basics of STRIDE. STRIDE is a mnemonic – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Microsoft’s STRIDE is a well-known and mature technique used by security professionals to elicit information security threats of real-world systems.

STRIDE

STRIDE is a model for identifying computer security threats.

The properties of STRIDE are as follows:

  • Spoofing Identity: Spoofing threats allow an attacker to pose as some other process or somebody else. Example, a user can pretend to be Steve Jobs, or a server can pretend to be Amazon.com, or even code posing as msvcrt.dll. This is a threat to authentication.
  • Tampering: Tampering threats involve unauthorised modification of data or code. The resource being manipulated could be both in storage or being transmitted. This is a threat to integrity.
  • Repudiation: An attacker makes a repudiation threat by denying to have performed an action that other parties can neither confirm nor contradict. Example, a user may claim that he has not received the goods that he purchased while in fact he did receive them. Naturally, this violates the repudiation property of a system.
  • Information Disclosure: Information disclosure threats involve the exposure of information, typically of a sensitive or personal nature, to individuals who are not supposed to have access to it. Examples of this threat type include a user’s ability to read a file, e.g., payroll information sent to HR, that he was not granted read access to. This is a threat to confidentiality.
  • Denial of Service: Denial-of-service (DoS) attacks deny or degrade service to valid users. Typically, this makes a Web server or a device (e.g., battery-operated device) temporarily unavailable or unusable, but it can also be of a permanent nature (e.g., if attacking an ICS or SCADA system). This is a threat to availability.
  • Elevation of Privilege: Elevation-of-privilege (EoP) threats often occur when a user gains increased capability. For instance, a non-privileged user  taking advantage of a coding flaw to gain administrator or root capabilities. This threat type violates the authorisation goal of a system.

STRIDE provides a very effective way for identifying threats but before it can be used effectively one needs to be familiar with system modelling techniques. This is needed to provide a working model of the system being analysed. Here, Data Flow Diagrams (DFDs) come to the rescue. DFDs provide a visual notation of a system enabling an analyst to depict processes, storage, data flows, external entities, and as well trust boundaries. Once you get the system model right, it is relatively easy to identify threats with STRIDE.

Feel free to contact me for more insights on this or related topics.