In 1976, a British statistician named George Box wrote the famous line,
“All models are wrong, some are useful.”
He argued that practical application should be prioritized over debating universal correctness.
What is STRIDE?
The acronym stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Who developed STRIDE?
STRIDE is a threat modeling methodology developed by Loren Kohnfelder and Praerit Garg in 1999.
Why was the STRIDE Method developed?
Prior to the development of models like STRIDE, there was a lack of structure in the threat identification and management processes. The STRIDE method was developed to streamline this process and provide a systematic, mnemonic-based approach to identifying and categorizing threats.
It has since evolved into a foundational tool in threat-modeling methodologies, aiding security experts and developers in asking key questions like
'What can go wrong in this system we're working on?' and identifying specific security threats based on its six categories.
Explanation of the STRIDE Mnemonic:
- Spoofing: This threat involves an attacker impersonating another user or system to gain unauthorized access.
- Tampering: This involves an attacker altering data or code within the system.
- Repudiation: This represents scenarios where an attacker can deny having performed a specific action, making it difficult to hold them accountable.
- Information Disclosure: This refers to situations where an attacker could expose sensitive information to individuals who should not have access to it.
- Denial of Service (DoS): This threat involves an attacker trying to make a system or network resource unavailable to its intended users.
- Elevation of Privilege (EOP): This threat occurs when an attacker can gain higher-level access to resources or data without proper authorization. It can also lead to Lateral Movement (LM).
Each threat is a violation of a desirable property for a system:
| Threat ❌ | Desired Property ✅ |
| --- | --- |
| Spoofing | Authenticity |
| Tampering | Integrity |
| Repudiation | Non-Repudiability |
| Information Disclosure | Confidentiality |
| Denial of Service (DOS) | Availability |
| Elevation of Privilege or Lateral Movement (LM) | Authorization |

When should the STRIDE methodology be used?
During the design phase of an application or software.
Benefits of using the STRIDE Method
- Maturity: Despite being one of the oldest threat modeling methodologies, it continues to be a useful tool in identifying vulnerabilities and their mitigating techniques.
- Comprehensive: Useful in identifying all possible threats.
- Dependency: The only input STRIDE depends on is the Model of the System. The best time to use the STRIDE method is during the Design and Development Phase of the application/architecture.
Who are the Intended Users of the STRIDE Method?
Essentially anyone designing, building, and developing the System.
- System Architects
- Solution Architects
- System Designer/Application Developers
- Security Engineers & Consultants
While STRIDE solves the first problem of identifying all the threats, you soon realize you have another problem on your hands: a lack of prioritization.
On to the next challenge: Prioritization
For Prioritization, we will use the DREAD Framework.
DREAD is a framework used to quantify the risk associated with each identified threat.
DREAD is a risk-assessment model that Microsoft originally developed to prioritize potential threats and vulnerabilities in the system.
DREAD stands for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability.
Here's a breakdown:
- Damage Potential - This refers to the amount of damage that could be caused if an exploit is executed. It asks, 'What's the worst thing that could happen?'
- Reproducibility - This factor assesses how easy it would be for an attack to be repeated. The easier it is to reproduce the attack, the higher the risk.
- Exploitability - The term exploitability refers to how easy it would be for a potential attacker to take advantage of the vulnerability. This could depend on various factors, including the attacker's skill level and the resources required for the attack.
- Affected Users - This factor looks at the percentage of users affected if the vulnerability were to be exploited. If only a tiny percentage of users were affected, the risk would be lower than a vulnerability impacting a more significant percentage of all users.
- Discoverability - In the final part of DREAD, discoverability refers to how easy it would be for the attacker to discover the vulnerability. If the vulnerability is easily or widely known, it is considered a higher risk.
Each factor typically receives a score between 1 and 10, with ten being the most severe. The scores are then combined to give a total DREAD score for the vulnerability, which can help prioritize responses.
Why is DREAD not a Threat Modeling Methodology?
The article by David LeBlanc titled "DREADful" on Microsoft Learn discusses the STRIDE and DREAD systems, which are used for risk assessment in threat modeling.
David LeBlanc criticizes both systems for lacking academic rigor while acknowledging their practical uses.
David LeBlanc explains that DREAD's issue lies in how it calculates an overall score, and he proposes a revision to the scoring system.
He suggests simplifying the rating scale from 1-10 to High, Medium, and Low, and grouping the categories into 'Severity' (comprising Damage, Reliability, and Affected Users), and 'Priority' (comprising Exploitability and Discoverability).
He further elaborates a weighted approach that emphasizes 'Damage' and provides an adaptable scoring range for 'Priority' factors, recognizing the situational nature of these threats.
Despite the proposed improvements, LeBlanc remains cautious and urges readers not to rely solely on this system but to 'think' critically and adjust the model according to what best suits their specific requirements.
He said, and I quote:
Some caveats – we're NOT using this internally very much.
This is NOT how MSRC does things. This is just something I sorted out on my own, and hope it is helpful to you.
Warning! Do NOT apply this system, or any other system, without THINKING about it.
(One of my favorite professors, who was from Sri Lanka, often said "you have to THINK about it" – he's right)
This system may or may not help you arrive at the right conclusion, and if it does not, consider it worth what you paid to get it, which is zero.
DREAD is a framework used to quantify the risk associated with each identified threat, but it doesn't provide the whole process necessary for complete threat modeling.
Threat modeling methodologies, such as STRIDE, OCTAVE, or TRIKE, typically involve a broader and more complete process.
So, while DREAD is quite valuable in the threat modeling risk assessment stage, it doesn't address all the necessary steps in a comprehensive threat modeling methodology.
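To make the hand-off from STRIDE to DREAD concrete, the following added example (not code from LeBlanc's article or from Microsoft) tags each threat with its STRIDE category, scores it 1-10 on the five DREAD factors, and ranks the list. It assumes the total is a plain average, and it splits the factors into the 'Severity' and 'Priority' groups described above using simple means rather than LeBlanc's weighting; the threats and scores are constructed.

```python
from dataclasses import dataclass
from statistics import mean

# STRIDE category -> desired property it violates (the table earlier on this page).
STRIDE_PROPERTY = {
    "Spoofing": "Authenticity", "Tampering": "Integrity",
    "Repudiation": "Non-Repudiability",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str
    dread: tuple  # (Damage, Reproducibility, Exploitability, Affected Users, Discoverability)

    def __post_init__(self):
        if self.stride not in STRIDE_PROPERTY:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        if len(self.dread) != 5 or not all(1 <= s <= 10 for s in self.dread):
            raise ValueError(f"{self.name}: need five DREAD scores in 1..10")

    def total(self):
        # Assumption: the five factors are "combined" as an arithmetic mean.
        return mean(self.dread)

    def severity(self):
        # Severity group; "Reliability" is assumed to map to Reproducibility.
        d, r, _, a, _ = self.dread
        return mean((d, r, a))

    def priority(self):
        # Priority group: Exploitability and Discoverability.
        return mean((self.dread[2], self.dread[4]))

def rank(threats):
    """Highest total first; ties broken by severity, then by name."""
    return sorted(threats, key=lambda t: (-t.total(), -t.severity(), t.name))

# Constructed sample threats and scores, for illustration only.
THREATS = [
    Threat("Admin actions not logged", "Repudiation", (5, 3, 2, 2, 3)),
    Threat("Verbose error page leaks stack trace", "Information Disclosure", (4, 8, 8, 4, 6)),
    Threat("Forged session cookie accepted", "Spoofing", (8, 6, 4, 8, 4)),
]

if __name__ == "__main__":
    for t in rank(THREATS):
        print(f"{t.total():4.1f} sev={t.severity():.1f} pri={t.priority():.1f} "
              f"{t.stride} ({STRIDE_PROPERTY[t.stride]}): {t.name}")
```

The spoofing and information-disclosure threats receive the same total, yet one is high-severity and harder to exploit while the other is the reverse, which is the kind of distinction a single combined score hides.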
Stop Dreading, and Start Modeling. 😄