When talking about Thread Modeling, it is almost a crime not to mention STRIDE as one of the most important analysis tools in this topic. It has definitely achieved a prominent place in the ranks of threat modelling methodologies and tools and no one can take that away from it anymore.
Formalised at Microsoft in 1999, the first published mention of it comes from an article by Loren Kohnfelder and Praerit Garg, “The Threats To Our Products”. In this phase, the STRIDE security threat model was suggested to be used by all (Microsoft) products to identify various types of threats to which the product is susceptible during the design phaseThreats are identified based on product design.
I don’t think it is worth explaining exactly what each of the Stride letters means in detail because there are countless articles and explanations about the case. But I think that the questions we ask during the analysis, deliver more value for those who are building a model, so here goes.
In this article, I decided to compile a set of several questions that help me during the process of threat modelling with stride. As I threat model and focus on what the attacker likely wants my sensitive data.
I will be sure to ask myself the following questions:
- What are my most valuable assets?
- What are the potential threats to my device?
- What type of attack do I need to protect against?
- How severe are the threats?
- What countermeasures could I implement?
- What are my security requirements?
- How does my device meet my security requirements?
- How is the sensitivity of data determined?
- What sensitive data is handled by the application?
- Where does sensitive data enter and leave the application?
- How is it secured while in transit and at rest?
- What type of encryption is used and how are encryption keys secured?
- How can an attacker change the authentication data?
- What is the impact if an attacker can read the user profile data?
- What happens if access is denied to the user profile database?
Now, for each type of vulnerability, I also like to pose some questions about how we treat analytics. Let’s look at some examples for each.
Spoofing - Threats imply that an attacker can impersonate and assumes the privileges of the identity of an element in the system.
- How do I authenticate the user or service?
- How do I authorize and validate it?
- How could I impersonate another user?
Tampering — causing changes (arbitrarily, intentionally or not) to the data or functionality manipulated by the system.
- Can I change another person's information?
- How could I go around the business logic controls?
- Can I modify the data directly in the database?
Repudiation — The ability to claim I didn’t do certain actions.
- How can I prove a particular user performs a certain action?
- If needed for auditing or troubleshooting purposes, can I retrace the steps of a user?
Information Disclosure — Leak/expose information.
- Is the system information sensitive? Any particular reason? Why?
- What are the risks of unauthorized information exposure to the public or other users?
Denial of Service —Prevent the system to provide a service.
- What are the services the system is providing?
- What are the consequences if it is interrupted? How likely is it to happen?
Elevation of Privilege — Gain rights to do things that I am not supposed to have access to.
- How can a user escalate to gain administrator rights?
- Can a user with an expired subscription continue to use the service?
- Can I modify/execute any service?
What are the benefits of STRIDE threat modelling?
- Take a security-first approach.
- Get ahead of vulnerabilities at an early stage.
- This modelling can be carried out over and over again.
- The modelling is part of a wider cybersecurity programme.
Keep this on the list
- Create (or update) my backlog with all the findings and new work uncovered.
- Keep the architecture and flow diagrams up-to-date.
