STRIDE is one of the most effective shift-left approaches to threat modeling: a method for finding and eliminating potential weaknesses before any code is written. Threat modeling should be the first step towards building systems, networks and applications that are secure by design, and STRIDE provides a framework for reasoning about the threats such a design must withstand.
STRIDE as an effective Threat Modeling Methodology
STRIDE was created in the latter part of 1990 by two Microsoft engineers, Loren Kohnfelder and Praerit Garg. The STRIDE threat model covers six distinct threat categories:
Spoofing Identity
Identity spoofing is when an attacker pretends to be someone else, assuming that person's identity and the information associated with it in order to commit fraud. One of the most common instances of this threat is an email sent from a forged address so that it appears to come from a different sender. In most cases such emails demand sensitive information; an unsuspecting recipient provides it, and the attacker can then easily assume the victim's identity.
Identity spoofing applies to both human and technical identities. By spoofing one vulnerable identity, an attacker can gain a foothold and launch a far more extensive attack.
Tampering with Data
Data tampering is when data is altered without authorization. Ways an attacker could tamper include changing an existing configuration file to gain control of a system, inserting malicious data, or deleting or altering a log file.
Monitoring for changes, commonly referred to as file integrity monitoring (FIM), is vital to detect whether and when data tampering occurs. The process compares files against a known-good baseline of what each file should look like. A proper logging and storage system is essential to support this monitoring.
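As an added example (not code from the article), the following Python script shows the core of what a FIM tool does: it records a baseline of SHA-256 digests for every file under a directory, then compares a later snapshot against it and reports files that were added, removed or modified. The directory layout, file contents and the simulated tampering are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example (not from the article): a minimal file-integrity baseline
# of the kind a FIM tool maintains, followed by a comparison run that
# reports added, removed and modified files.

def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (path relative to root, '/'-separated)
    to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline

def compare_baselines(known_good, current):
    """Report what changed since the known-good snapshot."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in known_good
                           if p in current and current[p] != known_good[p]),
    }

def demo():
    """Constructed scenario: a config file is tampered with, an audit log is
    deleted and an unexpected file is dropped into the config directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("admin_users = alice\n")
        with open(os.path.join(root, "log", "audit.log"), "w") as f:
            f.write("2024-01-01 login alice\n")
        known_good = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(root, "etc", "app.conf"), "a") as f:
            f.write("admin_users = alice, mallory\n")
        os.remove(os.path.join(root, "log", "audit.log"))
        with open(os.path.join(root, "etc", "extra.conf"), "w") as f:
            f.write("debug = true\n")

        return compare_baselines(known_good, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline itself must be stored where the monitored host cannot rewrite it (a separate host or write-once storage), otherwise an attacker who can tamper with files can also tamper with the record of what they looked like.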
Repudiation Threats
Repudiation threats arise when an intruder performs an unlawful or fraudulent action in a system and then claims not to have been involved. In these cases the system lacks the ability to trace the malicious activity back to the attacker.
Repudiation attacks are quite simple to perform against e-mail systems, because most systems do not check outbound mail for authenticity. The majority of these attacks start with an access attack.
Information Disclosure
Information disclosure, also referred to as information leakage, occurs when a website or application inadvertently exposes information to unauthorized users. This kind of threat affects both data flows and data stores within the application. Examples include accidental access to source code through temporary backups, unintentional exposure of sensitive data such as debit card information, and the disclosure of database details in error messages.
These problems are not uncommon; they can be caused by internal data being made available to the public, insecure application configuration, or incorrect error responses resulting from the application's design.
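The error-message case above is the easiest of these to demonstrate. The following is an added example, not code from the article: a stand-in database call fails with a driver-style message (constructed, including the hostname and user), and the same failure is surfaced two ways. The leaky handler echoes the exception to the caller; the hardened handler returns a generic message with a correlation id and keeps the detail in server-side logs, where the operator can look it up.

```python
import logging
import uuid

# Added example (not from the article): the same failing database call,
# handled once in a way that discloses internals and once hardened.

log = logging.getLogger("app")

class DatabaseError(Exception):
    pass

def query_orders(customer_id):
    """Stand-in for a real DB call (constructed); fails the way a
    misconfigured driver might, with internals in the message."""
    raise DatabaseError(
        "connection to host 'db-internal.example' failed for user 'app_rw' "
        "(password authentication failed); query: "
        "SELECT * FROM orders WHERE customer_id=%s" % customer_id
    )

def handle_leaky(customer_id):
    """Before: the raw exception text, hostname and SQL included, goes to the client."""
    try:
        return 200, query_orders(customer_id)
    except Exception as exc:
        return 500, "Internal error: %s" % exc

def handle_hardened(customer_id):
    """After: the client sees only a correlation id; the traceback is logged
    server-side under that id so support can still find it."""
    try:
        return 200, query_orders(customer_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request %s failed", ref)
        return 500, "Internal error. Reference: %s" % ref

def leaks_internals(body):
    """Cheap check for the markers a reviewer would grep error responses for."""
    markers = ("SELECT", "host", "password", "user")
    return any(m in body for m in markers)

if __name__ == "__main__":
    print(handle_leaky(42))
    print(handle_hardened(42))
```

The same split applies to stack traces and framework debug pages: they belong in logs the operator controls, never in the HTTP response.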
Denial of Service
Denial of Service (DoS) attacks prevent authorized users from accessing resources they should be able to reach. This can affect both the data flows and the data stores within an application. DoS attacks are becoming more powerful and more frequent, with an estimated 12.5 million DDoS weapons discovered in 2020.
One of the most well-known attacks targeted Google in 2017. In Google's words: “The attacker used multiple networks to disguise the 167 Mpps (millions of packets per second) to 180,000 vulnerable CLDAP, DNS and SMTP servers that then sent large-scale responses to Google. This is a testament to the volume that a well-funded attacker could achieve: this was four times greater than the previous record-breaking 623 Gbps attack carried out by the Mirai botnet one year prior.”
Despite the increase in DoS attacks, protection services such as AWS Shield and Cloudflare remain effective.
Elevation of Privilege
Elevation of privilege occurs when a user, whether authenticated or not, gains access to information or capabilities they are not permitted to have. An example could be as simple as a missing authorization check, or privilege escalation through data manipulation that lets an attacker alter memory or disk contents in order to execute unauthorized commands.
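The "missing authorization check" case is worth seeing concretely. Below is an added example, not code from the article: a document-read function that authenticates the caller upstream but never checks whether that caller may see the requested document, placed beside a corrected version that performs object-level authorization before returning anything. The user model, roles, document store and names are constructed for illustration.

```python
from dataclasses import dataclass

# Added example (not from the article): a read endpoint with the
# authorization check missing, beside the corrected version.

@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"

# Constructed data: who owns which document.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's payroll"},
    2: {"owner": "bob", "body": "bob's notes"},
}

def read_document_vulnerable(user, doc_id):
    """Authentication happened upstream, but nothing checks that `user`
    may see this particular document: any logged-in user can read any id.
    This is the defect, kept as-is to show the before state."""
    return DOCUMENTS[doc_id]["body"]

def is_authorized(user, doc):
    """Object-level authorization: the owner or an admin only."""
    return user.role == "admin" or doc["owner"] == user.name

def read_document(user, doc_id):
    """Hardened: look the object up, authorize, then return."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(user, doc):
        # Same outcome for "missing" and "forbidden" so that ids cannot be
        # enumerated by distinguishing the two responses.
        raise PermissionError("not found or not permitted")
    return doc["body"]

def can_read(user, doc_id):
    """Convenience wrapper: True if the hardened path allows the read."""
    try:
        read_document(user, doc_id)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    bob = User("bob", "user")
    print(read_document_vulnerable(bob, 1))  # bob reads alice's document
    print(can_read(bob, 1))                  # False on the hardened path
```

The pattern to look for in review is a handler that fetches an object by a caller-supplied id and returns it without ever consulting the caller's identity; the fix is an explicit check on every such access, not a check at login alone.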
Identifying an Approach to Threat Modeling
One reason threat modeling is carried out as the initial step is to get an objective view of the bigger picture for the entire project. It also helps identify the areas of greatest security risk. This can be done as soon as the design exists conceptually.
While STRIDE is an extremely popular and effective method, many other options exist, such as PASTA, VAST, Trike, OCTAVE and NIST's approach. Some are better suited to particular IT disciplines or have a distinct focus, such as applications rather than networks. If you work with the US Federal government, you may want to align more closely with NIST and FedRAMP standards as well.
Threat modeling techniques are not designed for any particular application, so select the one that most closely matches your objectives. It is also important that your DevOps team is encouraged to adapt or modify threat modeling techniques to fit their particular application.
Going forward, keep in mind that your threat model is a living document that must be reviewed regularly and kept up to date. Once a global, system-wide threat model has been developed, it is beneficial to create smaller threat models to satisfy specific secure engineering design needs.
Concerning frequency:
The full initial threat model must be conducted and then repeated each year.
Delta threat modeling must be applied to any proposed new feature or major change at design time.