Threat Modelling Frameworks (SDL, STRIDE, DREAD & PASTA)
As we all are aware of, vulnerability can be defined as the existence of flaw in a system’s design, implementation or operation that can be exploited to violate the system’s security policy.
But you may ask ? Then what’s the difference between vulnerability, threats and exploit.
Well, an attacker’s ability or ingenuity to violate a defensive goal for instance, an ability to run code on someone else’s system is called an exploit, and the underlying potential risk can be seen as the threat. So that was all about the differences in all of the three terms which are almost used every time interchangeably.
Now let’s dive deep into one the three terms namely threats and how do we model them using different modelling frameworks.
Threat Modelling
A simple definition for threat modelling may be given as structured process or series of tasks by which the security professionals can identify different threats and vulnerabilities, assess their severity and take immediate remediation steps to mitigate the risks associated with those threats.
And for the very same purpose we have a lot of threat modelling frameworks at our disposal to mitigate such risks posed by the threats depending on the need, requirements and circumstances for example SDL, STRIDE, DREAD, VAST, STRIKE, PASTA and many more. We’ll look into each of these frameworks in detail and try to analyze them.
Microsoft SDL (Security Development Lifecycle)
This is a threat modelling framework conceptualized by Microsoft in 2008 which advocates security at every stage of development. There are five major steps in implementing this framework.
- Firstly, we need to define the security requirements or “scope” of the program
- Then comes the creation of an application diagram
- The next step would be to identify the threats
- Consequently the next task would be to mitigate those threats
- And to ensure everything has been implemented correctly, we then need to validate our findings and research by ensuring that the threats have been mitigated entirely or their risk has been eliminated to a great extent.
STRIDE
STRIDE is a shorthand representation to imply Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service & Elevation of Privilege. STRIDE framework is built upon the CIA triad principle (Confidentiality, Integrity & Availability). This categorization of threat is mostly employed in Application Security industry but also used in Network Security too.
Security professionals usually implement this model to get an answer to the famous question in threat modelling — “What could go wrong in this system ?.”
Spoofing : It is basically an act of impersonation of a legitimate user by an attacker which basically violates the authentication principle from the perspective of the CIA triad. Common ways include ARP, IP, DNS spoofing or DNS compromise.
Tampering : As the term suggests, tampering implies modification of any sort of data, information by an unauthorized user. It violates the integrity principle of the CIA triad.
Repudiation : This term simply means not taking the responsibility or taking a step back from the incident so that action is not linked back to the attacker or the malicious user. It violates the principle of non-repudiability. This can come into the scene when the attacker clears up all the tracks and logs, wipes out everything that could lead to the tracing.
Information Disclosure : It is an act of violation of confidentiality of the CIA triad. Common example would include data exfiltration by a malicious and unauthorized user or data breaches.
Denial of Service : Denial of Service occurs when an authorized user is unable to access the service, assets or system due to the exhaustion of all the network resources. DoS is basically a violation of availability principle of CIA triad.
Elevation/Escalation of Privilege : Escalating privileges to gain unauthorized access is a classic example of violation of the authorization principle of CIA triad.
3. DREAD
It is basically a subjective rating system in which we create a score based upon risk probabilities. It stands for Damage, Reproducibility, Exploitability, Affected Users and Discoverability.
Damage : From this term we analyze or speculate the possible damage a threat could cause to the existing IT infrastructure or assets. It is based on a scale of 1–10 where a score of 0 means no damage, 5 means Information Disclosure, 8 means any sort of user data is compromised, 9 means administrative data is compromised and 10 means complete unavailability of the application.
Reproducibility : It signifies how easily the particular threat can be replicated by any other user or a hacker for that user. A score of 0 means it is nearly impossible to replicate, 5 stands for being complex, 7.5 for an authenticated user and a score of 10 means it can be reproduced very easily without any authentication or even via a web-browser.
Exploitability : This implies the analysis of the system’s vulnerabilities or the security posture to ascertain the ease or sophistication of the attack. A score of 2.5 implies it would require advanced skillset of networking and programming skills, 5 means it can be exploited with the available tools, a score of 9 means we would require a simple web application proxy tool and a score of 10 means it can exploited by simply a web browser.
Affected Users : As the term suggests, it denotes the number of user that shall be affected with the successful exploitation of the threat. A score of 0 would mean that there would be no affected users, 2.5 shall mean for an individual user, 6 would mean a couple of users, 9 would mean the significant administrative users and 10 would imply all of the users are affected.
Discoverability : The process of discovering the vulnerable points in the system infrastructure and the IT network of an organization. It basically means how easy would it be to discover the threat ?
A score of 0 would mean it would be very difficult to discover it, score of 5 means that the threat can be discovered by HTTP requests, 8 means it’s already there out in the public domain and can be easily discovered and a score of 10 would mean it’s visible in the browser address bar or in some other form.
4. PASTA
If we need to model the threats in the application or infrastructure from the perspective of an attacker’s mind we might want to make use of the PASTA framework. It is very useful in creating threat management processes and polices. PASTA stands from Process for Attack Simulation & Threat Analysis.
PASTA, an application threat modeling methodology is divided into 7 stages.
Define Objectives : In this stage all the objectives for the threat modelling process are noted down. Defining objectives makes the end goal a whole lot clearer and shifts the entire focus onto only the relevant assets pertaining to be modelled for threats.
Define Technical Scope : This stage makes use of network diagrams, logical and physical architecture diagrams to mark the boundaries for the application and to also list out the application dependencies from the environment.
Decomposition & Analysis : In this stage, we define and evaluate all the possible assets along with their data which could be in either transit or be at rest. For each computing asset, we create a trust boundary which encompasses all of its subsystems and data. Mapping of threat vectors and their corresponding assets takes place in this stage.
Threat Analysis : This is nothing but the core extract information obtained from threat intelligence. It helps us to identify which applications are susceptible to which threat vectors resulting in threat enumeration.
Vulnerabilities & Weaknesses Analysis : This stage is a very crucial one as it analyses the vulnerabilities of web application security controls. It maps threats to security flaws in the application and enumerates and scores vulnerabilities as per established scoring. In this stage we also create a threat tree which will be useful in the next stage.
Attack/Exploit Enumeration & Modelling : In this stage, we map out the possible threat landscape and the complete attack surface of our web application. We then map out all possible attack vectors to the different tree’s nodes which results in the identification of exploits and attack paths.
Modelling & Simulation : This stage is basically a simple simulation of all the enumerated information extracted out from all of the previous stages which helps in security professionals to determine the extent and probability of launching an attack successfully.
Risk Impact Analysis : Based upon the collective data from the previous stages, all of the nodes in the tree diagram which have been affected are analyzed which gives us a plausible extent to which the assets in the infrastructure have been affected and based upon those interpretations we then recommend steps to mitigate the risks and eliminate all of the residual risks.