What is threat model STRIDE and DREAD?

Cyber-attacks have become far more sophisticated and inventive than ever before. Modern-day hackers are utilizing advanced techniques and tactics such as endpoint security evasion, hacking suppliers, bypassing Intrusion Detection Systems (IDS) and application firewalls to gain access and administrative privileges on an application. Moreover, vulnerabilities in the application code are exploited to carry out attacks against an organization. Therefore, it is critical that developers and businesses take necessary measures to secure applications and be security conscious while developing applications. 

With the emergence of a variety of new threats now and then, how can you secure applications? This is where techniques such as Application Threat Modeling designed and built into the Secure Software Development Lifecycle (SSDLC) can help. Various methodologies are used for application threat modelling, amongst which DREAD and STRIDE methodology will be discussed in this blog. 

What is Application Threat Modelling?
Threat modelling can be defined as a systematic and structured security technique that is used to identify security objectives and threats and vulnerabilities in an application. The threat modelling procedure helps in optimising applications against possible security issues. This approach enables developers and businesses to make better engineering and design decisions so that applications can be secure. At the same time, preventive and mitigating countermeasures are defined against the effects of cyber threats to the application. 

When it comes to software development and its security, threat modelling is one of the essential components. This also helps in developing applications in compliance with corporate security policies and meeting privacy and regulatory requirements. 

Why is Threat Modelling Important?
Cybercrimes have grown exponentially in recent years and it is affecting businesses everywhere. Therefore, it is a smart business move to build robust security measures to fight against potential cyber threats, and threat modelling is an essential part to accomplish the security goals. Besides, find out some of the reasons why performing threat modelling at the initial stages of the SDLC process is important. 

  • Helps in identifying attack surfaces and entry points
  • Less expensive than performing it at a later stage
  • Documentation helps in better defender analysis of possible attacker profiles and attack vectors

Application Threat Modelling: DREAD and STRIDE
DREAD and STRIDE are application threat modelling methodologies used for analysing the security of an application. It is considered a structured technique that helps in identifying, classifying, rating, comparing and prioritising security risks related to an application. 

These methodologies help penetration testers to calculate the risk and severity found in an application. In addition, it helps businesses to better understand the issues as they are conveyed with the help of standards and frameworks. Find out more about these methodologies below.

STRIDE is a developer-centred threat modelling approach and it was created by security researchers at Microsoft. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege, which are the most common threats against the application. These threat groups help security professionals to assess different aspects related to the security of the application and develop a process to protect the application from the initial development stage. The six threats are discussed below:

  • Spoofing
    A spoofing attack is carried out by the attackers by disguising themselves as a trusted source and thereby gaining access to important data and sensitive information from a user. Social engineering is the key method executed by cybercriminals to retrieve information such as usernames and passwords. Some of the well-known spoofing attacks include cookie replay attacks, CSRF attacks and hijacking of sessions. To protect against spoofing, businesses can implement better user authentication measures, stronger passwords and multi-factor authentication. 
  • Tampering
    Tampering is done by modifying the system or application to change its characteristics. Such attacks are carried out by tampering with the target parameters or code, which changes elements like user credentials, permissions and other essential items. Some of the methods are Cross-Site Scripting (XSS) and SQL injection. Static code analysis is a possible solution against tampering.
  • Repudiation
    Repudiation involves an attack on actions on the application. Lack of controls in the application can lead to improper tracking, storing of log users, their actions and mismanagement of log files. This vulnerability is exploited by the attacker to manipulate and forge identification of non-authorized actions. Incorporating digital signatures in the application can potentially help in ensuring that logs are tamper-proof. 
  • Information Disclosure
    Information about the application is sometimes revealed through different means such as developer comments, parameter information in the source code, error messages with too many details, technical data, user data and so on. This information disclosure, in turn, can be used by cybercriminals to get access to the application and find useful information. Thus, developers should take special care to keep error messages generic, developer comments aren’t revealed, and necessary steps are taken to prevent unauthorised access.
  • Denial of Service
    Denial of Service (DoS) attacks are carried out by flooding the application with traffic which leads to shut down of the same. DoS attacks affect both applications as well as the network. Various measures such as firewall configuration for blocking traffic from certain sources and managing traffic using rate limiting can be used. 
  • Elevation of Privilege
    Vulnerabilities and misconfigurations are often exploited to gain access to privileged rights. The best way to fight against such attacks is by building protection against this in the development stage of the application.

DREAD is a threat modelling developed by Microsoft, which helps in rating, comparing and prioritising risks presented by risk found with STRIDE methodology. It stands for Damage Potential, Reproducibility, Exploitability, Affected Users and Discoverability.

The formula for calculating DREAD risk is: (Damage + Reproducibility + Exploitability + Affected Users + Discoverability)/ 5.

The higher number signifies higher risk. Examining these 5 categories of threats using the DREAD approach and assigning a value to the same can help in the quantitative analysis of threats. 

  • Damage
    The damage potential of a threat can be gauged by determining the data type targeted and the extent of access the threat actor may achieve. If the data being protected is very sensitive, damage scores will be high. Similarly, if the access allows limited users to gain administrative privileges, the damage scores will be high. 
  • Reproducibility
    It deals with how much effort and ease with which exploitation of the vulnerability is possible and how many times the threat can be repeated. Various data pieces are gathered to assign a value to reproducibility. For instance, although the attacker may have enough and more knowledge and information about the threat but cannot execute it will have low scores.
  • Exploitability
    Exploitability is similar to reproducibility. However, only the effort part is taken into consideration for a threat to exploit. It can be determined by analysing the total amount of effort required by the cyber attacker.
  • Affected Users
    This helps in quantifying the number of users affected. In addition, the importance of users is taken into consideration which can be ascertained by the level of threat modelling used. An appropriate value can be assigned by estimating the affected users against the total number of users.
  • Discoverability
    Discoverability can be understood as the amount of effort taken by the threat actor to find the threat. Many experts opine that maximum value should be given to discoverability.

Business Perspective: How Threat Modelling Process Works
Once you decide to implement the threat modelling process into your business, follow these steps for success.

  • Build a Team
    Build a team that can look after every aspect of the cyber security and threat modelling process. It is highly advised that the team should consist of key business decision-makers, developers, network architects, cyber security experts and leaders. A diverse team will help in developing a holistic approach for threat modelling and implementing the same.
  • Establish Objectives
    It is important to establish the objectives of the threat modelling procedure. In this case, the objectives need to be in sync with the application. In other instances, models can be developed for other elements that include networks, infrastructure etc. Every data type needs to be classified and represented.
  • Find Threats
    Once the objectives are well defined, focus on finding threat targets and where they exist. This should include the creation of threat scenarios, both expected as well as unexpected, which will eventually help in realising the potential vulnerabilities that can cause failure. There are various tools available which can streamline and automate this process. 
  • Rank Threats
    As part of the risk mitigation strategy, always determine the level of risk attached to a threat type and rank them accordingly. One of the effective ways is to multiply the threat’s damage potential with the chance of it happening. 
  • Build and Implement Mitigations
    A comprehensive plan must be in place to counter, mitigate and reduce the risk. Also, the team should be alert always to build and implement mitigation measures. 
  • Documentation
    Documenting all the measures and actions taken can help the team in the future to develop, modify and update the existing threat model according to the threat landscape. 

Technical Perspective: How Threat Modelling Process Works

Following are the technical steps involved in the application risk threat modelling:

  • Decompose the application
    A comprehensive understanding and study of the application and its components are required. All the features and data flow levels need to be assessed, and how it interacts with external entities must be analysed. 
  • Identifying and Classifying threats
    The main goal of this step is to get into the shoes of an attacker and identify the key entry points and potential attack surfaces that can be used. The best example is that of a bank. There can be multiple threats a bank can face such as stealing money, conducting a money transfer, stealing credentials, performing DoS attacks and other means to compromise application security. This can be followed by classifying the threats according to different existing standards. 
  • Find Countermeasures
    After identifying and documenting the possible threats, find and build countermeasures to be put in place. In the example of a bank, measures such as validation requests, parameterised queries and anti-CSRF tokens can be used. In addition, fraud detection mechanisms, multi-factor authentication, and use of HTTPS certificates can be implemented. 
  • Rate Threats
    As discussed, every threat identified must be rated according to the potential damage it can cause. The DREAD methodology can be used to determine the risk value. 

Best Practices
An effective approach to application threat modelling can bring good results for your business. Here are some best practices you can follow to make it more efficient. 

Begin threat modelling as early as possible. Experts believe that this approach during a lifecycle of a project ensures the security of the design. Moreover, security controls in the early stages are much faster and more cost-effective too.

  •  Consulting the cyber security professionals and experts can help you in identifying potential latest threats and most vulnerable components. 
  •  The use of sophisticated and advanced tools is highly recommended.
  •  Training and education of everyone involved at every stage of threat modelling can maximize the chance for a positive outcome.

One of the major advantages of threat modelling is that developers or the development team acquire the mind of an attacker. This kind of mindset helps in better understanding of the assets and potential threats to them. Thus, more secure applications are developed as a result. 

Other benefits of threat modelling are that it is complementary to other security activities such as penetration testing, helps learning applications interactions with external and internal systems and defines the security level of the application.

Measuring Effectiveness of Threat Modelling
There are some ways you can measure the effectiveness of threat modelling. It includes Common Vulnerability Scoring System and Penetration Testing.