Threat Modeling allows us to apply a structured approach to security and will also help us to address the threats that have the greatest impact to the application. Thereby we can systematically identify the threats that are most likely to affect our application. We need to have a good understanding of our application architecture and how we are going to implement it, so that we can plan for counter measures in a logical order. So the inclusion of Threat Modeling in the Software Development Life Cycle (SDLC) will help us to ensure that applications are being developed with security built-in from the very beginning.
The primary benefit of using Threat Modeling early in the project is that all possible threats to the software systems can be identified and mitigated and hence in this way, a more secure software application can be developed. For example during the design phase of the project, if we are able to address the design flaws even before a single line of code is written, then we would be able to reduce the need to redesign and fix security issues in code at a later time.
Once a threat model is generated, it should be iteratively visited and updated as the software development project progresses. It won’t be able to identify all the possible threats in a single pass. Also applications are rarely static. The application needs to be enhanced and adapted to suit changing business requirements, so the Threat Modeling process should be repeated as your application evolves.
The development team can use a threat model to implement controls and write secure code. Testers can use the threat models to generate security test cases and can also validate the controls that need to be present to mitigate the threats identified in the threat models. Operation personnel can use threat models to configure the software securely so that all entry and exit points have the necessary protection controls in place. When we plan for a threat model it is important that we take inputs from representatives of the design, development, testing, and deployment and operations teams.
Identifying the threat is important. We need to think in the way an attacker thinks and what all things he will be able to achieve. Here we will look into STRIDE and DREAD Threat Modeling approaches proposed by Microsoft and how they are related with the pillars of Information Security, the CIA (Confidentiality, Integrity and Availability) triad.
STRIDE is a way of classifying security threats in terms of what can be done if an exploit is found. DREAD is another aspect where we look at how likely and common the exploit can be. So we identify the threat through the STRIDE Modeling and rate the threats through DREAD Modeling.
STRIDE, stands for Spoofing, Tampering with Data, Repudiation, Information Disclosure, Denial of Service, and Elevation of privileges. As we discussed above it is about classifying security threats in terms of what can be done if an exploit is found.
We will look into each of those. Spoofing, in this context is Identity spoofing; someone tricks to be a valid legitimate user. Is it possible for an attacker to impersonate another user or identity? For that someone has to break the authentication information such as username and password. Here the importance is for the confidentiality part. Tampering in this context is Tampering the data. Will it be possible for someone to tamper the data while it is in transit or in storage – Dealing with the integrity aspect here. Repudiation is if someone is denying that he didn’t do a malicious act that he actually did. Can the attacker deny the attack? We need to have a look at the Non Repudiation controls such as access logs, audit trails etc. Information Disclosure happens when an unauthorised user gets access to data which he is not supposed to access. – this again deals with Confidentiality. Denial of Service aka DOS attack is another important factor we should consider. If an attacker is able to bring down an application, then Availability is being affected here. Elevation of Privilege is the last part here. If a normal user gets an administrator access, then he would be able to do whatever he wants. Will it be possible for an attacker to bypass the control least privilege implementation and execute the application at administrator or elevated privileges. Here Authorization is the major factor.
DREAD is about looking at how likely and common the exploit can be.DREAD, stands for Damage Potential, Reproducibility, Exploitability, Affected users, Discoverability. Overall risk can be calculated using the formula D+R+E+A+D/5. The calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.
Damage Potential – In case a threat occurs, how much damage it can do to our system. As per the calculation if the resulting number is
0 - we are safe, 5 - Individual user data is affected , 10 -complete system or destruction.
Reproducibility – It is about how easy we can reproduce the threat exploit. If the resulting number is
0 - then it is not possible to reproduce, 5 - Then one or two steps required and 10 - Then it is easy to reproduce.
Exploitability - How much effort and experience it requires to be exploited. If the resulting number is
0 – With some good programming skills or with the help of tools, 5 –With the help of a malware or using attack tools, 10 – Very easy to exploit
Affected users – In case if a threat becomes an attack, how many users will be affected. If the resulting number is
0 – no users will be affected, 5 – Some users, 10 – All users
Discoverability –How easy is it discover the threat? If the resulting number is 0 – very hard or impossible, 5- We can have some guesses, 9- With the help of some search engine, 10 – The information is clearly visible
As the new attack surfaces and threats are continually getting introduced and knowing how to best defend against those are the ongoing challenges for organizations. It is important that we need to adopt a continuous threat modeling process that allows organizations to stay updated with the risk exposure in their application portfolio, and also to measure the effectiveness of security initiatives.