wwwTASK.to© Toronto Area Security Klatch 2007
Threat Modeling
With STRIDE and DREAD
Chuck Ben-Tzur
Sentry Metrics
March 27, 2007
(Application) Threat Modeling
• A process to identify threats to the system, the associated risks and determine the correct controls to produce effective countermeasures
• The output is a list of rated threats. The threat model helps you to focus on the most potent threats
• Aimed to be used at the design phase of a system. However, usually implemented at the testing phase (vulnerability assessment)
• Not only for web applications. Can be (and should be...) applied to different type of systems (e.g. networks)
Threat Modeling (cont.)
STRIDE
• A methodology for identifying and categorizing threats
• S – Spoofing identity
• T – Tampering with data
• R – Repudiation
• I – Information disclosure
• D – Denial of service
• E – Elevation of privileges
• “Business” oriented – easier for non-technical persons to relate to
• Expands (and can replace) the “map by mechanisms and subsystems” approach
• Can also be used to identify threats (e.g. as a pen. test checklist)
DREAD
• A methodology for risk rating. Each vulnerability is graded in all of the following categories:
• D – Damage potential: 0 – leaking trivial info, 5 – sensitive, 10 – admin level
• R – Reproducibility: 0 – very difficult to reproduce, 5 – three steps, 10 – web browser
• E – Exploitability: 0 – very skilled, 5 – can be automated, 10 – novice programmer
• A – Affected users: 0 – few users, 5 – some users, 10 – all users
• D – Discoverability: 0 – unlikely, 5 – accessible only to few users, 10 – published
• The overall risk rating formula: Rating = (D + R + E + A + D) / 5

Threat                                                                  D   R   E   A   D   Rate
Attacker obtains authentication credentials by monitoring the network  10  10   5   5   5   7  High
SQL commands injected into application                                 10  10  10  10   5   9  High
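As an added example (not part of the original slides), the following Python script encodes the DREAD rubric and the Rating formula above, reproduces the two rows of the table, and tags each threat with STRIDE categories from the previous slide so that a threat list can be ranked by rating, which is the "focus on the most potent threats" step. The STRIDE tags per threat and the "High" cut-off of 7 are this example's own assumptions: the slides show the labels but do not state the rule that produces them.

```python
"""DREAD rating calculator with STRIDE tags (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The DREAD rubric exactly as given on the slides: anchor scores 0, 5 and 10.
DREAD_RUBRIC: Dict[str, Dict[int, str]] = {
    "damage_potential": {0: "leaking trivial info", 5: "sensitive", 10: "admin level"},
    "reproducibility": {0: "very difficult to reproduce", 5: "three steps", 10: "web browser"},
    "exploitability": {0: "very skilled", 5: "can be automated", 10: "novice programmer"},
    "affected_users": {0: "few users", 5: "some users", 10: "all users"},
    "discoverability": {0: "unlikely", 5: "accessible only to few users", 10: "published"},
}

# ASSUMPTION: the slides label ratings 7 and 9 as "High" but give no threshold;
# this cut-off is chosen for the example only.
HIGH_THRESHOLD = 7


def describe(category: str, score: int) -> str:
    """Label a 0..10 score with the nearest rubric anchor text from the slides."""
    anchors = DREAD_RUBRIC[category]
    nearest = min(anchors, key=lambda a: abs(a - score))
    return anchors[nearest]


@dataclass
class Threat:
    description: str
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    # STRIDE categories for the threat; assigned by this example, not by the slides.
    stride: Tuple[str, ...] = ()

    def __post_init__(self) -> None:
        # Reject scores outside the 0..10 scale before they reach the formula.
        for name in DREAD_RUBRIC:
            score = getattr(self, name)
            if not 0 <= score <= 10:
                raise ValueError(f"{name} must be between 0 and 10, got {score}")

    def dread_scores(self) -> List[int]:
        return [getattr(self, name) for name in DREAD_RUBRIC]

    def rating(self) -> float:
        # Rating = (D + R + E + A + D) / 5, as on the slide.
        return sum(self.dread_scores()) / len(DREAD_RUBRIC)

    def level(self) -> str:
        return "High" if self.rating() >= HIGH_THRESHOLD else "Lower"


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Order threats by DREAD rating, highest first, so the most potent come out on top."""
    return sorted(threats, key=lambda t: t.rating(), reverse=True)


def render_table(threats: List[Threat]) -> str:
    """Render the same layout as the slide's table, plus the assumed STRIDE tags."""
    rows = [f"{'Threat':<70}  D  R  E  A  D  Rate  STRIDE"]
    for t in threats:
        scores = " ".join(f"{s:>2}" for s in t.dread_scores())
        rows.append(f"{t.description:<70} {scores}  {t.rating():g} {t.level()}  "
                    f"{', '.join(t.stride)}")
    return "\n".join(rows)


# The two rows of the slide's example table (scores from the slide; STRIDE tags assumed).
SLIDE_THREATS = [
    Threat("Attacker obtains authentication credentials by monitoring the network",
           10, 10, 5, 5, 5, stride=("Information disclosure", "Spoofing identity")),
    Threat("SQL commands injected into application",
           10, 10, 10, 10, 5, stride=("Tampering with data", "Elevation of privileges")),
]

if __name__ == "__main__":
    print(render_table(rank_threats(SLIDE_THREATS)))
    for t in SLIDE_THREATS:
        print(f"- {t.description}: exploitability = {describe('exploitability', t.exploitability)}")
```

Running the script prints the slide's table with SQL injection ranked first (rating 9) and the credential-sniffing threat second (rating 7); `describe` maps any intermediate score back to the rubric wording, which is useful when a rating meeting records only numbers.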
DREAD (cont.)
The OCTAVE Option
• Operationally Critical Threat, Asset, and Vulnerability Evaluation
• Risk-based strategic assessment and planning technique for security
• Key differences:
• Organization focused (as opposed to system)
• Security practices (not technology specific)
• Strategic issues (not relating to tactical aspects)
• Self direction (security experts)
• Flexible – can be tailored for small and large organizations
• Focuses on the design and strategic planning of the organization
• Input is from both internal business and technical resources
• Not suitable for ad-hoc vulnerability assessments
• http://www.cert.org/octave/
Resources
Threat Modeling: http://msdn2.microsoft.com/en-us/security/aa570411.aspx
Microsoft Threat Analysis & Modeling v2.1.1: http://www.microsoft.com/downloads/details.aspx?familyid=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
OCTAVE: http://www.cert.org/octave/
Good book on the subject: Threat Modeling (Microsoft Professional)