STRIDE and DREAD

wwwTASK.to © Toronto Area Security Klatch 2007 Threat Modeling With STRIDE and DREAD Chuck Ben-Tzur Sentry Metrics March 27, 2007

Upload: chuckbt

Post on 13-Dec-2014

DESCRIPTION

Review of the STRIDE testing methodology and the DREAD risk rating methodology.

TRANSCRIPT

Page 1: STRIDE And DREAD


Threat Modeling

With STRIDE and DREAD

Chuck Ben-Tzur

Sentry Metrics

March 27, 2007

Page 2: STRIDE And DREAD


(Application) Threat Modeling

• A process to identify threats to the system and their associated risks, and to determine the correct controls that produce effective countermeasures

• The output is a list of rated threats. The threat model helps you focus on the most potent threats

• Intended for use at the design phase of a system. However, it is usually applied at the testing phase (vulnerability assessment)

• Not only for web applications. Can be (and should be...) applied to different types of systems (e.g. networks)

Page 3: STRIDE And DREAD


Threat Modeling (cont.)

Page 4: STRIDE And DREAD


STRIDE

• A methodology for identifying and categorizing threats:

• S – Spoofing identity

• T – Tampering with data

• R – Repudiation

• I – Information disclosure

• D – Denial of service

• E – Elevation of privileges

• “Business” oriented – easier for non-technical persons to relate to

• Expands (and can replace) the “map by mechanisms and subsystems” approach

• Can also be used to identify threats (e.g. as a pen. test checklist)

Page 5: STRIDE And DREAD


DREAD

• A methodology for risk rating. Each vulnerability is graded in all of the following categories:

• D – Damage potential: 0 – leaking trivial info, 5 – sensitive, 10 – admin level

• R – Reproducibility: 0 – very difficult to reproduce, 5 – three steps, 10 – web browser

• E – Exploitability: 0 – very skilled, 5 – can be automated, 10 – novice programmer

• A – Affected users: 0 – few users, 5 – some users, 10 – all users

• D – Discoverability: 0 – unlikely, 5 – accessible only to few users, 10 – published

• The overall risk rating formula: Rating = (D + R + E + A + D) / 5

Threat                                                                   D   R   E   A   D   Rate
Attacker obtains authentication credentials by monitoring the network   10  10   5   5   5   7  High
SQL commands injected into application                                  10  10  10  10   5   9  High
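As an added example that is not part of the original slides, the following Python models the two threats from the table above: each threat is tagged with its STRIDE categories, scored on the five DREAD factors, validated against the 0–10 range, rated with the slide's formula and ranked so the most potent threats come first. The STRIDE categories assigned to the two sample threats and the High/Medium/Low thresholds are assumptions (the slides label both rows "High" but state no cut-offs).

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class Stride(Enum):
    """The six STRIDE threat categories from the slides."""
    SPOOFING = "Spoofing identity"
    TAMPERING = "Tampering with data"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privileges"


# The five DREAD factors; the slides use 0 / 5 / 10 anchor values, and any
# integer in 0..10 is accepted here.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    description: str
    categories: List[Stride]
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range or non-integer scores before they skew the rating.
        for name in DREAD_FACTORS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{name} must be an integer in 0..10, got {value!r}")

    def dread_rating(self) -> float:
        # Rating = (D + R + E + A + D) / 5, exactly as on the DREAD slide.
        return sum(getattr(self, n) for n in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(rating: float) -> str:
    """Map a rating to a band. Thresholds are an assumption, not from the slides."""
    if rating >= 7:
        return "High"
    if rating >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD rating first: the order in which to address countermeasures."""
    return sorted(threats, key=lambda t: t.dread_rating(), reverse=True)


# Constructed sample: the two rows of the slide's example table.
# The STRIDE categories attached to them are an assumption for illustration.
SAMPLE_THREATS = [
    Threat("Attacker obtains authentication credentials by monitoring the network",
           [Stride.INFORMATION_DISCLOSURE, Stride.SPOOFING], 10, 10, 5, 5, 5),
    Threat("SQL commands injected into application",
           [Stride.TAMPERING, Stride.ELEVATION_OF_PRIVILEGE], 10, 10, 10, 10, 5),
]


def report(threats: List[Threat]) -> str:
    """Render the ranked threat list as one line per threat."""
    lines = []
    for t in rank_threats(threats):
        rating = t.dread_rating()
        cats = ", ".join(c.value for c in t.categories)
        lines.append(f"{rating:4.1f} {risk_band(rating):6s} {t.description} [{cats}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_THREATS))
```

Running the block prints the SQL injection threat (rating 9) above the credential-sniffing threat (rating 7). Keeping the validation in `__post_init__` matters in practice: a score typed as 50 instead of 5 would otherwise silently push a threat to the top of the list.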

Page 6: STRIDE And DREAD


DREAD (cont.)

Page 7: STRIDE And DREAD

The OCTAVE Option

• Operationally Critical Threat Asset and Vulnerability Evaluation

• Risk-based strategic assessment and planning technique for security

• Key differences:

• Organization focused (as opposed to system)

• Security practices (not technology specific)

• Strategic issues (not relating to tactical aspects)

• Self direction (security experts)

• Flexible - can be tailored for small and large organizations

• Focuses on the design and strategic planning of the organization

• Input is from both internal business and technical resources

• Not suitable for ad-hoc vulnerability assessments

• http://www.cert.org/octave/

Page 8: STRIDE And DREAD


Resources

Threat Modeling: http://msdn2.microsoft.com/en-us/security/aa570411.aspx

Microsoft Threat Analysis & Modeling v2.1.1: http://www.microsoft.com/downloads/details.aspx?familyid=59888078-9daf-4e96-b7d1-944703479451&displaylang=en

OCTAVE: http://www.cert.org/octave/

Good book on the subject: Threat Modeling (Microsoft Professional)