You cannot build secure systems until you understand your threats. Threat modeling is essential to a secure enterprise. Microsoft has adopted threat modeling, and now no product design is complete without a threat model. In this article, Microsoft's Michael Howard uses his experience to explain the process of threat modeling and how to use it in any organization.
by Michael Howard
Dec 17, 2002
Page 4 of 6
A well-known method for identifying possible failure modes in hardware is by using fault trees, and it turns out this method is also well suited for determining computer system security issues. After all, a security error is nothing more than a fault that potentially leads to an attack. (The hardware-related method is also often referred to as using threat trees, and some of the best threat tree documentation is in Edward Amoroso's Fundamentals of Computer Security Technology [Prentice Hall, 1994]).
The idea behind threat trees is that an application is composed of threat targets and that each target could have vulnerabilities that when successfully attacked could compromise the system. Threat trees describe the decision-making process an attacker goes through to compromise the component. When the decomposition process gives you an inventory of application components, you start identifying threats to each of those components. Once you identify a potential threat, you then determine how that threat could manifest itself by using threat trees.
Figure 1: A threat tree outlines how an attacker could view another user's confidential data.
Think for a moment about the payroll data that flows between the user (an employee) and the computer systems inside the data center and back; it's sensitive data, confidential between the company and the user. This is an example of an information disclosure threat. You don't want a malicious employee looking at someone else's payroll information, which means that your solution must protect the data from prying eyes. An attacker can view the data in a number of ways, but the easiest, by far, is to use a network protocol analyzer, or sniffer, in promiscuous mode to look at data as it travels between the unsuspecting target user's computer and the main Web server. Another attack might involve compromising a router between the two computers and reading all traffic between the two computers.
The top shaded box is the ultimate threat; the boxes below it are the steps involved to make the threat a reality. In this case the threat is an information disclosure threat (indicated by the (I) in the box): an attacker views another user's data.
For this threat to become a real exploit the HTTP traffic must be unprotected (1.1) and the attacker must actively view the traffic (1.2.). For the attacker to view the traffic, he must sniff the network (1.2.1) or listen to data as it passes through a router (1.2.2). The attacker can view the data in cases 1.2.1 and 1.2.2 because it's common for HTTP traffic to be unprotected. Note that for the router listening scenario (1.2.2) to be real, one of two facts must be true: either the target router is unpatched and has been compromised (188.8.131.52 and 184.108.40.206 must both be true) or the attacker has guessed the router administrative password (220.127.116.11). The small semicircular link between the two nodes symbolizes how the two facts are tied together. You could also simply add the word and between the lines.
Although trees communicate data well they tend to be cumbersome when building large threat models. An outline is a more concise way to represent trees. The following outline represents the threat tree in Figure 1.
1.0 View confidential payroll data on the wire
1.1 HTTP traffic is unprotected (AND)
1.2 Attacker views traffic
1.2.1 Sniff network traffic with
1.2.2 Listen to router traffic
18.104.22.168 Router is unpatched (AND)
22.214.171.124 Compromise router
126.96.36.199 Guess router password
1.2.3 Compromise switch
188.8.131.52 Various switch attacks
Small Enhancements to Make Threat Trees More Readable
You can make some small additions to threat trees to show the most likely attack vectors. First, use dotted lines to show the least likely attack points and solid lines for the most likely. Second, place circles below the least likely nodes in the tree outlining why the threat is mitigated. Figure 2illustrates the concept.