You cannot build secure systems until you understand your threats. Threat modeling is essential to a secure enterprise. Microsoft has adopted threat modeling, and now no product design is complete without a threat model. In this article, Microsoft's Michael Howard uses his experience to explain the process of threat modeling and how to use it in any organization.
by Michael Howard
Dec 17, 2002
Page 5 of 6
Bringing It All Together: Decomposition, Threat Trees, STRIDE, and Risk
To bring it all together: identify the threat targets by functional decomposition, determine the types of threat to each component using STRIDE, use threat trees to work out how each threat could become a vulnerability, and apply a ranking mechanism to each threat.
Applying STRIDE to threat trees is easy. For each system inventory item, ask these questions:
Is this item susceptible to spoofing?
Can this item be tampered with?
Can an attacker repudiate this action?
Can an attacker view this item?
Can an attacker deny service to this process or data flow?
Can an attacker elevate their privilege by attacking this process?
Look at Table 2 and you will notice that only certain threat types apply to each kind of data flow diagram item.
Table 2: Relating DFDs and STRIDE threat categories.
Some of these table entries require a little explanation:
Spoofing threats usually mean spoofing a user (accessing their credentials), a process (replacing a process with a rogue, which is also a data-tampering threat), or a server.
Tampering with a process means replacing its binary image or patching it in memory.
Information disclosure threats against processes mean reverse engineering the process to divulge how it works or to determine whether it contains secret data.
An interactor cannot be subject to information disclosure; only data about the interactor can be disclosed. If you see an information disclosure threat against a user, you're probably missing a data store and a process to access that data.
You cannot deny service to an interactor directly; rather, an attacker denies service to a data store, data flow, or a process, which then affects the interactor.
Repudiation threats generally mean a malicious user denying that an event occurred. Attacks could be due to actions taken by the user, or to disrupting the audit and authentication data flow on the wire or in a data store.
You can elevate privilege only by taking advantage of a process that grants or uses higher privilege. Simply viewing an administrator's password (information disclosure) does not grant extra privilege. However, do not lose sight of the fact that some attacks are multi-step attacks and viewing an administrative password is a privilege elevation if a vulnerability exists such that the password can be replayed.
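The four-step procedure (decomposition, STRIDE per item, threat trees, ranking) and the applicability rules explained above, as an added worked example that is not code from the article, from Michael Howard, or from Microsoft. The only STRIDE pruning it encodes is what this section states explicitly (no information disclosure or direct denial of service against an interactor; elevation of privilege only through a process); where the section is silent the threat is assumed applicable, which is an assumption, since the article's Table 2 may prune further. The sample DFD, the threat tree, and the chance-times-damage ranking formula are constructed for illustration.

```python
"""Added example: STRIDE over DFD items, a threat-tree check, and a ranking.

Encodes only the applicability rules stated in this section; everything
else (sample DFD, tree contents, ranking scheme) is constructed/assumed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    INTERACTOR = "interactor"
    PROCESS = "process"
    DATA_STORE = "data store"
    DATA_FLOW = "data flow"


# The six STRIDE questions from the article, keyed by letter.
STRIDE = {
    "S": "Is this item susceptible to spoofing?",
    "T": "Can this item be tampered with?",
    "R": "Can an attacker repudiate this action?",
    "I": "Can an attacker view this item?",
    "D": "Can an attacker deny service to this process or data flow?",
    "E": "Can an attacker elevate their privilege by attacking this process?",
}


def applicable_threats(kind: Kind) -> list[str]:
    """STRIDE letters worth asking about for one kind of DFD item."""
    letters = set(STRIDE)
    if kind is Kind.INTERACTOR:
        letters -= {"I", "D"}   # only data *about* a user leaks; DoS hits what the user uses
    if kind is not Kind.PROCESS:
        letters.discard("E")    # privilege is elevated only via a process that grants/uses it
    return sorted(letters)      # assumption: anything not pruned above is applicable


@dataclass
class Element:
    name: str
    kind: Kind


def enumerate_threats(elements: list[Element]) -> list[tuple[str, str, str]]:
    """Step 2: (item, STRIDE letter, question) for every inventory item."""
    return [(e.name, letter, STRIDE[letter])
            for e in elements
            for letter in applicable_threats(e.kind)]


@dataclass
class Node:
    """Threat-tree node: the root is the threat, leaves are conditions an
    attacker needs; 'and' nodes need every child, 'or' nodes need any one."""
    text: str
    op: str = "leaf"                  # "leaf", "and" or "or"
    children: list["Node"] = field(default_factory=list)
    mitigated: bool = False           # True once a countermeasure closes this node


def exploitable(node: Node) -> bool:
    """Step 3: is there still an unmitigated path from some leaf to the root?"""
    if node.mitigated:
        return False
    if node.op == "leaf":
        return True
    results = [exploitable(c) for c in node.children]
    return all(results) if node.op == "and" else any(results)


def rank(chance: int, damage: int) -> int:
    """Step 4 (assumed scheme): chance and damage on 1..10, product as the rank."""
    if not (1 <= chance <= 10 and 1 <= damage <= 10):
        raise ValueError("chance and damage must be in 1..10")
    return chance * damage


# Constructed sample DFD: a user talking to a web front end that keeps an audit log.
SAMPLE_DFD = [
    Element("User", Kind.INTERACTOR),
    Element("Web front end", Kind.PROCESS),
    Element("Audit log", Kind.DATA_STORE),
    Element("Login request", Kind.DATA_FLOW),
]


def sample_tree() -> Node:
    """Constructed threat tree for 'tamper with audit log' (T on the data store)."""
    return Node("Attacker tampers with the audit log", "or", [
        Node("Attacker has write access to the log file", mitigated=True),  # closed by an ACL
        Node("Attacker alters log records in transit", "and", [
            Node("Log records cross the network unauthenticated"),
            Node("Attacker sits on the network path"),
        ]),
    ])


if __name__ == "__main__":
    for name, letter, question in enumerate_threats(SAMPLE_DFD):
        print(f"{name:15} {letter}  {question}")
    tree = sample_tree()
    print("tree still exploitable:", exploitable(tree))
    tree.children[1].children[0].mitigated = True   # e.g. authenticate the log flow
    print("after mitigation:", exploitable(tree))
    print("rank of the tampering threat:", rank(chance=6, damage=8))
```

Running it lists 19 threats for the four sample items (three for the user, six for the process, five each for the store and the flow), reports the tampering tree as exploitable while the in-transit branch has no countermeasure, and reports it closed once that branch's first condition is mitigated. Replacing `rank` with the scheme your organization uses (the rest of the article covers this) leaves the other steps unchanged.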