This page looks best with JavaScript enabled

Security Threat Models

 ·  ☕ 4 min read

Came across a list of Threat Models in a book on Zero Trust Networks that I just started reading. I had heard of two models in the past - STRIDE and DREAD in the context of security thread classification and ranking for Cyber-physical systems Seifert & Reza (2016).

Before going into the popular models, what is Threat Modeling? There was a small section on Threat Modeling in the IT Security course that I wrote about recently. It mentions that Security Risk assessment starts with Threat Modeling. The goal is to identify likely threats to systems, assign them priorities that correspond to severity and probability. This is done by brainstorming from the perspective of an outside attacker and figuring out what high value targets an attacker may want to go after, and then review possible attack vectors that could be used to gain access to the high value assets.

The book mentions the following and I thought I’d do a quick read on the other 3 to find out what they are and summarize all of them.

  1. STRIDE
  2. DREAD
  3. PASTA
  4. Trike
  5. VAST

STRIDE and DREAD were developed at Microsoft. Chapter 3 of Improving Web Application Security: Threats and Countermeasures talks in detail about these. STRIDE is used in ‘Step 4. Identify the Threats’ and DREAD in ‘Step 6. Rate the Threats’.

STRIDE

STRIDE is derived from an acronym for the following six threat categories. The goal is to bucketize the threats into these categories.

  1. Spoofing identity
  2. Tampering with data
  3. Repudiation
  4. Information disclosure
  5. Denial of service
  6. Elevation of privilege

DREAD

Once classification is done, DREAD acronym can be used to asking the following questions to arrive at a risk rating.

  • Damage potential: How great is the damage if the vulnerability is exploited?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How easy is it to launch an attack?
  • Affected users: As a rough percentage, how many users are affected?
  • Discoverability: How easy is it to find the vulnerability?

The chapter has a Risk rating table that is very useful in coming up with a combined rating.

PASTA

PASTA is an acronym for ‘Process for Attack Simulation and Threat Analysis’. It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process.

Trike

Trike is an open source threat modeling methodology and tool. There are two implementations of Trike. One is a spreadsheet, and the other is a standalone desktop tool. The high level idea is to model threats based on requirements of a system (assets) and the ‘acceptable’ level of risk defined by stakeholders of the requirements.

VAST

VAST is an acronym for Visual, Agile, and Simple Threat. It is based on an automated threat-modeling platform named ThreatModeler, creates two types of models - Application and Operational threat models. Application model represents architectural POV and Operational model represents attacker POV.

More Models

This article from CMU is more comprehensive and goes over 12 threat models - https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html

Threat Modeling tools

The wiki page on Thread Modeling mentions many tools used for Threat Modeling. Of the list, I’ve used SD Elements in the past. In that, the first step is to complete a questionnaire (created based on compliance requirements) and the system generates a set of threat vectors and actions that need to be taken to overcome the threats.

References

  1. STRIDE & DREAD in CPS : Seifert, Darren, and Hassan Reza. “A security analysis of cyber-physical systems architecture for healthcare.” Computers 5, no. 4 (2016): 27.

  2. STRIDE & DREAD - Meier, J. D., A. Mackman, M. Dunner, S. Vasireddy, R. Escamilla, and A. Murukan. “Improving Web Application Security: Threats and Countermeasures. Microsoft Corporation (2003).” Online at: http://msdn.microsoft.com/enus/library/ms994921.aspx (2017).

  3. PASTA - UcedaVelez, Tony, and Marco M. Morana. Risk centric threat modeling. John Wiley & Sons, New York, USA, 2015.

  4. Trike - https://www.octotrike.org

  5. VAST -
    Shevchenko, Nataliya. “Threat Modeling: 12 Available Methods.” Threat Modeling: 12 Available Methods. December 03, 2018. https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html.

Share on
Robinson Raju
WRITTEN BY
Robinson Raju
Bibliophile, Friend, Optimist

©2024, Robinson Raju, All Rights Reserved

What's on this Page