A key step to threat modelling is drawing up an initial list of potential security threats that your system is vulnerable to. This might seem like a daunting task given the varied vulnerabilities and methods of attacks that a system can face.
Luckily, STRIDE is here to help.
STRIDE is a mnemonic or “memory aid”, with each letter referring to a different category of attack which a system could face. Any attack you can forecast usually falls into one of these categories.
Let’s work through them:
S is for Spoofing
Spoofing refers to the impersonation of an asset or identity by an attacker. An attacker could spoof your website, leading your users to visit the attacker's site instead, possibly leading them to share personal details, payment information, usernames and passwords, or download malware. Attackers could also spoof a person by taking over email accounts or impersonating them via doctored emails. Files and data can also be spoofed. If an attacker spoofs a temporary file with access privileges, this could enable access to sensitive data or the ability to execute code with those privileges, leading to system compromise.
T is for Tampering
Attackers might tamper with data either at rest (typically on a hard disk, USB drive or similar) or in transit (where it’s moving across networks). If an attacker gains access to a database for example, they may be able to edit or delete data, which gives rise to multiple business risks depending on what the database contains (finance data, employee data, customer data, intellectual property, etc). Data sent across networks without encryption could be intercepted, and an attacker could modify its contents to mislead the receiver. While interception might sound out of reach for an attacker, incidents of this type have occurred a number of times at scale.
R is for Repudiation
Repudiation is the ability to confirm or deny that a particular activity took place. Robust audit trails or logs that prove the occurrence of a specific action by a user are a crucial part of many systems. In a banking situation or a ledger, a log will confirm whether a user made a transaction, even if they insist they haven’t.
I is for Information Disclosure
This is where an attacker gained access to privileged information they ought not to have. A common cause of this is misconfigured permissions. If a file should only be accessible to a specific staff member or department but the permissions are set incorrectly, the information is suddenly readable to a wider audience, possibly including the entire internet.
D is for Denial of Service
A DoS refers to attackers rendering a system inaccessible or otherwise unable to function normally. In most peoples mind’s this means overwhelming a system (e.g. a website, a database, etc) with so much traffic it can’t process any requests, but they can take many forms, particularly if your system is highly dependent on third-party services. With the right cloud credentials, an attacker could pull the plug on your system. For example, if they access the firewall between your service and the outside world they could completely block all traffic, having the same effect as a traffic overload, with much less effort.
E is for Elevation of Privilege
This is the event of someone obtaining privileges they shouldn’t have. In the context of a cloud environment, misconfigured Internet Access Management (IAM) policies are an obvious source of Elevation of Privilege vulnerabilities.
In my opinion, STRIDE is an essential element of an effective threat model. It’s not the only methodology out there for discovering threats but is popular in the security industry and easy to use. With STRIDE you can quickly determine most security risks to your system.
