Threat Modeling Methodology: STRIDE 🤝 DREAD

A cybersecurity expert gazed at the screen filled with a list of threats, his face resembling that of an artist pondering a blank canvas. But instead of a masterpiece waiting to emerge, he was faced with a digital jigsaw puzzle where every piece was a potential catastrophe.

In 1976, a British statistician named George Box wrote the famous line,

"All models are wrong; but some are useful."

He argued that practical application should be prioritised over debating universal correctness.

What is STRIDE?

The acronym stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

Who developed STRIDE?

STRIDE is a threat modeling methodology developed by Loren Kohnfelder and Praerit Garg in 1999.

Why was the STRIDE method developed?

Prior to the development of models like STRIDE, threat identification and management processes lacked structure. The STRIDE method was developed to streamline this process and provide a systematic, mnemonic-based approach to identifying and categorizing threats.

It has since evolved into a foundational tool in threat-modeling methodologies, aiding security experts and developers in asking critical questions like 'What can go wrong in this system we're working on?' and identifying specific security threats based on its six categories.

Explanation of the STRIDE Mnemonic:

  1. Spoofing: This threat involves an attacker impersonating another system to gain unauthorized access.
  2. Tampering: This involves an attacker altering data or code within the system.
  3. Repudiation: This represents scenarios where an attacker can deny having performed a specific action, making it difficult to hold them accountable.
  4. Information Disclosure: This refers to situations where an attacker could expose sensitive information to individuals who should not have access to it.
  5. Denial of Service (DoS): This threat involves an attacker trying to make a system or network resource unavailable to its intended users.
  6. Elevation of Privilege (EoP): This threat occurs when an attacker can gain higher-level access to resources or data without proper authorization. It can also enable Lateral Movement (LM).

Each threat is a violation of a desirable property for a system:

Threat ❌                                          Desired Property ✅
Spoofing                                           Authenticity
Tampering                                          Integrity
Repudiation                                        Non-Repudiability
Information Disclosure                             Confidentiality
Denial of Service (DoS)                            Availability
Elevation of Privilege or Lateral Movement (LM)    Authorization

When will the STRIDE methodology be used?

During the design phase of an application or software.

Benefits of using the STRIDE Method

  1. Maturity: Despite being one of the oldest threat modeling methodologies, it continues to be a valuable tool for identifying vulnerabilities and the techniques that mitigate them.
  2. Comprehensive: Useful in identifying all possible threats.
  3. Dependency: The only input STRIDE requires is the system model. The best time to use the STRIDE method is during the application/architecture's design and development phase.

Who are the Intended Users of the STRIDE Method?

Essentially, anyone designing, building, and developing a system.

  1. System Architects
  2. Solution Architects
  3. System Designer/Application Developers
  4. Security Engineers & Consultants

What's Next?

While STRIDE solves the first problem of identifying all the threats, you soon realize you have another problem: lack of prioritization.

On to the next challenge: Prioritization

For Prioritization, we will use the DREAD Framework.

Depiction of a man staring at the endless abyss of generated threats. Photo by Aarón Blanco Tejedor / Unsplash

DREAD

DREAD is a framework used to quantify the risk associated with each identified threat.

Microsoft originally developed DREAD as a risk-assessment model to prioritize potential threats and vulnerabilities in a system.

DREAD stands for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability.

Here's a breakdown:

  1. Damage Potential - This refers to the damage that could be caused if an exploit is executed. It asks, 'What's the worst thing that could happen?'
  2. Reproducibility - This factor assesses how easy it would be for an attack to be repeated. The easier it is to reproduce the attack, the higher the risk.
  3. Exploitability - This refers to how easy it would be for a potential attacker to exploit the vulnerability. It could depend on various factors, including the attacker's skill level and the resources required for the attack.
  4. Affected Users - This factor looks at the percentage of users affected if the vulnerability were exploited. If only a tiny percentage of users were affected, the risk would be lower than if the vulnerability affected a larger percentage of all users.
  5. Discoverability - In the final part of DREAD, discoverability refers to how easy it would be for the attacker to discover the vulnerability. The vulnerability is considered a higher risk if it is quickly discovered or widely known.

Each factor typically receives a score between 1 and 10, with 10 being the most severe. The scores are then combined to give a total DREAD score for the vulnerability, which can help prioritize responses.

Why is DREAD not a Threat Modeling Methodology?

David LeBlanc's article "DREADful" on Microsoft Learn discusses the STRIDE and DREAD systems used for risk assessment in threat modeling.

David LeBlanc criticizes both systems for lacking academic rigor while acknowledging their practical uses.

David LeBlanc explains that DREAD's issue lies in calculating an overall score, and he proposes revising the scoring system.

He suggests simplifying the rating scale from 1-10 to High, Medium, and Low and grouping the categories into 'Severity' (comprising Damage, Reproducibility, and Affected Users) and 'Priority' (comprising Exploitability and Discoverability).

He further elaborates on a weighted approach that emphasizes 'Damage' and provides an adaptable scoring range for the 'Priority' factors, recognizing the situational nature of these threats.

Despite the proposed improvements, LeBlanc remains cautious and urges readers not to rely solely on this system, but to 'think' critically and adjust the model to what best suits their specific requirements.
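As an added example (not code from the article or from LeBlanc's post), a small Python scorer that applies the classic 1-10 DREAD sum described above and then the Severity/Priority split LeBlanc proposes. The High/Medium/Low band edges, the weight of 2 placed on Damage, and the sample threats are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Classic DREAD: five factors, each scored 1-10, summed to a total out of 50.
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str  # STRIDE category the threat was identified under
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject out-of-range scores instead of silently skewing the total.
        for f in FACTORS:
            if not 1 <= getattr(self, f) <= 10:
                raise ValueError(f"{f} must be scored 1..10")

def dread_total(t: Threat) -> int:
    """Classic DREAD total: plain sum of the five scores (max 50)."""
    return sum(getattr(t, f) for f in FACTORS)

def to_hml(score: float) -> str:
    """Collapse a 1-10 score to High/Medium/Low; band edges are an assumption."""
    return "High" if score >= 8 else "Medium" if score >= 4 else "Low"

def leblanc_rating(t: Threat, damage_weight: int = 2) -> tuple[str, str]:
    """LeBlanc-style split: Severity from Damage (weighted; the weight is an
    assumption), Reproducibility and Affected Users; Priority from
    Exploitability and Discoverability. Returns (severity, priority)."""
    severity = (damage_weight * t.damage + t.reproducibility + t.affected_users) / (damage_weight + 2)
    priority = (t.exploitability + t.discoverability) / 2
    return to_hml(severity), to_hml(priority)

def prioritize(threats: list[Threat]) -> list[Threat]:
    """Highest classic DREAD total first; ties broken by Damage Potential."""
    return sorted(threats, key=lambda t: (dread_total(t), t.damage), reverse=True)

# Constructed sample threats for a hypothetical web application.
SAMPLE = [
    Threat("Session token forgeable", "Spoofing", 8, 9, 7, 9, 6),
    Threat("Audit log lacks request IDs", "Repudiation", 4, 10, 5, 3, 2),
    Threat("Debug endpoint leaks config", "Information Disclosure", 7, 10, 8, 10, 9),
    Threat("Unbounded upload size", "Denial of Service", 5, 8, 6, 10, 5),
]
```

Running `prioritize(SAMPLE)` orders the debug endpoint (44) ahead of the token issue (39), while `leblanc_rating` shows why the two schemes can disagree: the audit-log gap scores Medium severity but Low priority.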

He said, and I quote:

Some caveats – we're NOT using this internally very much.

This is NOT how MSRC does things. This is just something I sorted out on my own, and hope it is helpful to you.

Warning! Do NOT apply this system, or any other system, without THINKING about it.

(One of my favorite professors, who was from Sri Lanka, often said "you have to THINK about it" – he's right)

This system may or may not help you arrive at the right conclusion, and if it does not, consider it worth what you paid to get it, which is zero.

Conclusion

DREAD is a framework for quantifying the risk associated with each identified threat, but it does not provide the complete process necessary for threat modeling.

Threat modeling methodologies like STRIDE, OCTAVE, or TRIKE typically involve a broader and more complete process.

So, while DREAD is quite valuable in the threat modeling risk assessment stage, it doesn't address all the necessary steps in a comprehensive threat modeling methodology.

Stop Dreading and Start Modeling. 😄
