Understanding threat modeling is required before understanding about STRIDE and DREAD. Threat modeling is a technique for identifying and categorizing potential threats, such as vulnerabilities or a lack of protective mechanisms, as well as prioritizing security mitigations. Threat modeling with DREAD and STRIDE is a technique for evaluating the security of an application. It’s a technique for discovering, classifying, ranking, comparing, and prioritizing the security risks associated with a programme. The breakdown of an application is the first step, followed by the identification of vulnerabilities, threat classification, and threat rating, comparison, and prioritization. A good threat intelligence report can help security defence and security operations teams protect IT assets from threats and vulnerabilities. Let’s take a look at what STRIDE can do for threat modeling.
The STRIDE model was established by Microsoft to help security specialists analyze and classify all possible server vulnerabilities. After the vulnerabilities have been found, the STRIDE methodology is utilized to classify them. During security engagements, it’s vital to back up your comments (regarding vulnerabilities) with a solid foundation, such as a framework or standard. The system’s detailed design is assessed using STRIDE. By producing data-flow diagrams, STRIDE is used to identify system entities, events, and system boundaries. The name of this model is an acronym for the six main types of threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The STRIDE model protects a network’s authenticity, integrity, non-reputability, confidentiality, availability, and authorization.
User authentication and identification are at the heart of the majority of security solutions. Impersonating other users and using their credentials without their knowledge are examples of spoofing attacks. Spoofing attacks typically target authentication systems that use simple passwords or personal information that is easily accessible, such as a date or place of birth. Spoofing attacks that use phishing to trick users into transmitting credentials to a bogus site are fairly popular. Another prominent example of this hazard is when someone sends an email from a fake email account pretending to be someone else. Typically, these emails ask for personal information. A vulnerable or unaware recipient provides the requested data, and the hacker is then easily able to assume the new identity.
Tampering violates the quality of integrity. Data tampering involves the malicious modification of data. A system or the data it uses should only be modified by authorised users. If an attacker is able to tamper with it, it may have ramifications for the system’s use. Ways that a bad actor can execute tampering could be through changing a configuration file to gain system control, inserting a malicious file, or deleting/modifying a log file. For example, if any of the details in a customer’s record has been tampered with, vendor can end up charging him/her for a product/service that he/she didn’t purchase.
Repudiation threats happen when a bad actor performs an illegal or malicious operation in a system and then denies their involvement with the attack. In these attacks, the system lacks the ability to actually trace the malicious activity to identify a hacker. To avoid being caught and banned, attackers try to undo their acts by removing them from the logs or impersonating another user’s credentials. Illegitimately claiming a transaction was not completed is a common example.
Information disclosure is also known as information leakage. It happens when an application or website unintentionally reveals data to unauthorized users. This type of threat can affect the process, data flow and data stored in an application. These issues are common and can arise from internal content that is shared publicly, insecure application configurations, or flawed error responses in the design of the application. Many systems include sensitive information, which attackers frequently seek out. In recent years, there have been countless incidents of data breaches. Unencrypted messages sniffed off the network is a common example.
Denial of Service (DoS) attacks restrict an authorized user from accessing resources that they should be able to access. DoS attacks are getting bigger and more frequent, with an estimated 12.5 million Dos weapons detected in 2020. Whether it’s a banking application or integrated media management on a car, a system is normally installed for a specific purpose. In some circumstances, attackers may be motivated to prohibit normal users from using the system, for example, as a means of blackmailing and extorting money from the system’s owner (e.g., with ransomware).
When a user is identified on a system, they normally have some level of privileges, which means they are allowed to do certain, but not all, actions. Ensuring authorization via the STRIDE model lets an organization prevent elevation or escalation of privilege, which can lead to data theft or breach. As a result, an attacker may attempt to gain further access by impersonating a user with higher privileges or tampering with the system to change their own privileges.
The DREAD model is a type of quantitative risk analysis in which a threat is rated for severity. When a threat is detected in your company’s information technology (IT) infrastructure, you can use the DREAD model to estimate how much harm has already been done and how much damage can be done in the future. You must evaluate numerous major aspects of the threat and offer a numerical rating to each of them. When you’re done, compare your overall score to the DREAD model’s rating system, which should disclose if the threat poses a low, medium, or high danger to your company.
You must examine five critical elements when utilising the DREAD model to estimate the severity of a threat. As you go through these major topics, give each one a rating of 1-5. A risk rating of one denotes a low level of danger. A three-star rating indicates a moderate danger. A five-star rating indicates a high level of danger.
Answering the aforementioned questions and providing rating values to each item are used to rate the threat (high, medium, low). The severity is represented by the rating values, which are stated as numbers (5-high, 3-4-higher medium, 2-medium, 1-low). After the ratings are given to the different factors, DREAD score is calculated as an average of the ratings of individual factors. Threats with a rating of 1-2 are considered low risk, whereas threats with a rating of 2-4 are considered medium risk, according to the DREAD model. On the other hand, a threat with a rating of 4-5 is considered a significant danger.
Damage potential attempts to categorise threats across two different areas of concern, the type of data that is being safeguarded and the amount of access that a threat actor will have. Damage scores are rated at high levels if the type of data being protected is especially sensitive such as financial, health, classified or other forms of protected data. The other aspect that damage attempts to measure is the level of access and elevation of privileges associated with the risk. A high-risk score in this case would be where a threat allows for limited users to become administrators. When evaluating damage, you will need to look across both avenues to properly assign a rating. Then there’s the question of how damage will be categorised in terms of rating if the vulnerability is exploited. A score of 1 indicates that the financial loss is less than 0.5% of revenue. There is no loss of reputation, just a mention of organisation in social media. Impact can be managed by just clarification from the organisation. A score of 2 indicates that financial loss is excess of 0.5% but less than 1% of revenue. Financial loss is major and/or can only be recovered in the short term. Loss of reputation is very temporary and short term. A score of 3 tells that financial loss is excess of 1% but less than 2.5% of revenue. Financial loss is major and/or can only be recovered in the short term. There is consistent negative main media or social media coverage that has mid-term impact on the reputation. It can take over 3 months to recover. A score of 4 indicates that financial loss is excess of 2.5% but less than 5% of revenue. Financial loss is major and/or can only be recovered in the medium term from impacted service. Wider coverage of the negative over social/main media impacting brand image. A score of 5 informs that financial loss is in excess of 5% of revenue. Financial loss is unacceptable to the management and/or only be recovered from impacted service in the long term. Strong brand association to incident creating lack of trust for the brand. It threatens the brand’s existence.
Reproducibility focuses on the relative effort and ease of taking the threat to exploit repeatedly. Determination of the value assigned to reproducibility of threats takes into a number of different pieces of data to properly assign a value. For example, if an attacker has full knowledge of the threat but cannot reliably exploit it, the value would be incredibly low. On the opposite end of the spectrum are exploits that can be performed repeatedly and reliably with little or no effort. Features or configurations that are insecure by default tend to be the most common highly rated. How likely it is that the attack or threat will be repeated in terms of rating is categorised further. A score of 1 indicates that the attack is extremely difficult to replicate. It can only be reproduced by people with the inside knowledge of the system, process and detections. A score of 2 indicates that the attack can be replicated only by people with the inside knowledge/loopholes of the system, process and detections. A score of 3 informs that one or two steps are required and may need to be authorised user to replicate the attack. A score of 4 notifies that basic tool like SIM cards, Mobile Money Account, web browser and address bar are sufficient, without some authentication to reproduce the attack. But there is a possibility that the attacker can leave some traces of identity and can have traceability. A score of 5 indicates that basic tools like SIM cards, Mobile Money Account, web browser and address bar are sufficient, without some authentication to reproduce the attack. The attack can be performed without being identified.
Exploitability is comparable to reproducibility, but it solely considers the effort required to exploit a threat. The entire amount of work necessary is used to determine exploitability. A threat exploited by remote unauthenticated attackers using tools built by others, or threats that are so well-known that they may be automated and actively exploited, for example, would be rated the highest. An attacker who creates a zero-day vulnerability that affects a local privilege user in a segmented network, on the other hand, would be rated the lowest. The total amount of work required should be considered while determining exploitability. Considering how much time and effort is required to exploit the threat and, as a result, launch an attack on your company? A score of 1 indicates that the crime is very well organised. It requires deep planning and collusion at various levels to ensure the fraud is complete. It requires a minimum of 4 internal/external functions to work in sync. From preparation to execution, it involves more than 4 coordinated steps to complete the fraud. A score of 2 indicates that potentially, a disgruntled staff member with inside knowledge or a paid professional attacker can exploit the threat. It involves a minimum of 3 internal/external sequential steps before getting access to money. A score of 3 indicates that an ordinary user who notices something wrong with the process/system/usage can exploit the threat. It requires a combination of two 2 internal/external parties with coordinated efforts to get access to money. A score of 4 indicates that an ordinary user who just stumbles across a loophole can exploit the threat, only a sim card, handset and little internal information is needed. The attack does not require coordinated efforts to get access to money. To commit fraud, it just needed a series of simple actions which a rogue agent can get induced with or without collusion. The actions are involuntary and non-coordinated and not necessary to be in sequence. A score of 5 indicates that an ordinary user who stumbles across a functional mistake with publicly available information or information that is accidentally received from a social media platform can exploit the threat. It requires no internal collusion and fraud is completed in 1-2 steps with no coordinated steps.
Depending on the level of threat modeling you’re undertaking, affected users try to quantify either the total number of users affected, or the importance of users affected. For instance, you may simply estimate the number of users affected in relation to the total number of users in one scenario. You could assign relative priority to the sort of user or users who may be affected in a more in-depth examination. You can evaluate both of these factors, as you do with other parts of DREAD, to get a more complete picture of the proper value to assign. Let’s see how many individuals will be affected by the threat, both inside and outside your organisation as per the rating? A rating of 1 indicates that there is a slight increase in complaints. A massive increase in complaints, according to a rating of 2. More than 5% of customers have been negatively affected and a degree of customer loss, according to a rating of 3. A score of 4 indicates that more than 10% of the customers have been negatively affected and there is a serious customer loss. A score of 5 indicates that more than 15% of customers have been negatively affected and there is a loss of a large customer base or high value customers.
The amount of work required for a threat actor to find the threat is best described as discoverability. The convention in many DREAD implementations is to simply assign the maximum value. Many security experts believe that given enough effort, all vulnerabilities can be discovered. Discoverability is related to the concept of security by obscurity, which should be expressed at its best through reproducibility and exploitability. How easily can you discover the threat is further categorised in terms of rating/scoring. A rating of 1 indicates that either customers or any person in the organisation can discover methods, people involved in fraud with little or no effort. A score of 2 indicates that frauds are able to be detected within 24 hours. Either customers or any person in the organisation can discover methods, people involved in fraud with slight efforts. A score of 3 indicates that frauds can be undetected for more than a day but less than a week. It takes experts a little effort to find out the method and source of the fraud. A score of 4 indicates that fraud can go undetected for more than a week. Organisation is not able to find the source or method of the fraud. A score of 5 indicates that fraud can go undetected for over a week. Even the most advanced fraud management tools are not able to detect the fraud. It requires complex analysis and manual efforts to find out.
After the vulnerability is identified, the next step is a classification of threat as per STRIDE methodology. The above threat is classified under the category of Repudiation as the customers and agents are indulged in performing an illegal or malicious activity of saving transfer charges which is a source of revenue for financial services providers.
After the threat is classified, a DREAD score is calculated in order to prioritize and rate the threat. The DREAD methodology helps to see the impact of the threat. After the detailed examination of the threat, it is rated as follows: Damage Potential to be 2, Reproducibility to be 5, Exploitability to be 5, Affected Users to be 1, and Discoverability to be 4. Since the DREAD score is the average of the five factors, it comes out to be 3.4 which is a moderate risk.
Financial Damage potential is low, with no reputation or regulatory damage. Any agent can perform it with the help of his handset. Any agent can easily stumble upon the method to avoid additional costs. Only the operator gets impacted. It is impossible to identify direct deposits even with the most advanced fraud management tools.
Thus, using STRIDE and DREAD, it is easier to see the impact of a threat. Threat Modeling using DREAD and STRIDE is an accurate method for identifying and categorizing potential risks, such as vulnerabilities or a lack of protection mechanisms and prioritizing security mitigations.