Threat risk modeling, which involves identifying, quantifying and addressing security risks associated with IT systems, is a big part of the job for security professionals.
Fortunately, numerous threat risk models have been developed. Some are geared toward specific purposes (such as web application development), but can be adapted in other ways and for other uses. Some are simple and can be applied immediately by a neophyte. Others are in-depth and complex, requiring dozens of pages of dense reading to even begin to understand how to apply them. Many, of course, fall somewhere in between.
In this, the first of a two-part series, we will cover three popular methodologies for threat modeling -- STRIDE, DREAD and CVSS -- addressing the individual quirks of each one. (And if you can also read part two on selecting a threat risk model, which looks at Trike, OCTAVE and MIL-STD-882E.)
The aim of this series is to highlight the important points of each, enabling you to decide which method or methods are right for you and to get started in assessing risk using your method(s) of choice.
Straightforward and brutally to the point, STRIDE was developed by Microsoft several years ago. It is discussed at length in what is perhaps the seminal work on STRIDE, a November 2006 MSDN Magazine article, "Uncover Security Design Flaws Using the STRIDE Approach."
STRIDE mnemonically identifies six risk categories for assessed threats:
- Spoofing [identity] -- identifying authentication threats
- Tampering [with data] -- identifying threats to data integrity
- Information disclosure -- identifying data stewardship threats and data leaks
- Denial of service -- identifying threats to availability
- Elevation of privilege -- identifying authorization vulnerabilities
While allowing for easy compilation of categorized threat lists, there is not much more to STRIDE than that; even Microsoft employees have acknowledged its weaknesses.
"STRIDE has a number of cross-correlations -- for example, escalation of privilege (E) tends to imply spoofing and loss of non-repudiation, and could imply tampering, information disclosure, and denial of service," observed Microsoft marketer David LeBlanc in a 2007 blog. "Ouch -- every vulnerability category we had, all in one bundle."
Redundancy and lack of rigor notwithstanding, LeBlanc went on to defend STRIDE as but one useful tool in the security researcher's toolbox.
"The fact that it isn't a rigorous classification doesn't mean that it isn't useful," wrote LeBlanc. "It is useful in helping people focus the debate about what to do about some specific problem."
STRIDE is one of two techniques that LeBlanc and colleague Michael Howard documented in their book, Writing Secure Code. The other -- particularly common in web testing -- is DREAD.
DREAD (an apt name indeed for a threat rating system) mnemonically outlines the five categories of risk that it measures:
- Damage [potential]
- Affected users
"If we look at the five components, we see that none of these are highly correlated -- one of them does not imply the other," blogged LeBlanc in defending the model. "This means we have independent factors, which is one of the strongest criteria for a solid model."
In modern DREAD methodology, for each threat identified from a threat model, each category is assigned a score of one, two or three; the higher the number, the higher the risk. (Some threat assessors give Discoverability the highest score for existing applications as a matter of convention -- assuming that a threat will be discovered.)
The five numbers are then added up, giving you a total score. A risk score in the five to seven range is considered low, while a risk score in the 12 to 15 range is considered high.
Writing about DREAD and other threat-model considerations in his new book, The Car Hacker's Handbook, security researcher Craig Smith recommends leaving the entire scoring results visible in your risk report "so that the person reading the results can better understand the risks." This allows security teams assigned to address those risks to more quickly narrow their focus to reduce risk to an acceptable level.
"I feel [DREAD] applies a bit better to physical threat modeling than STRIDE, yet has the same simple design," said Smith in an email interview. "Once a company has a system like DREAD under their belt, they could easily upgrade their process to a more advanced scoring system if needed."
To be certain, the greatest benefit of DREAD is that it is simple and straightforward in both application and interpretation, while highlighting priority areas. It also offers flexibility; it can be readily applied and adapted to almost any situation -- even one not specific to programming, networks or IT in general. Smith acknowledges, however, that DREAD may not be a detailed enough risk methodology for some security professionals. For them, Smith specifically recommends CVSS.
CVSS -- or Common Vulnerability Scoring System -- might be seen as the antithesis to DREAD and STRIDE in terms of simplicity.
It uses 14 metric groups: six "base" groups, three "temporal" groups and five "environmental" groups:
- Environmental factors take into account organizational priorities. For example, if availability is more important than confidentiality, confidentiality risks will be modified downward and availability risks modified upward.
- Temporal characteristics use complex equations to account for "the characteristics of a vulnerability that change over time."
- Base metrics are initially weighted on a scale of zero through 10 and then modified based upon the temporal and environmental metrics.
Unsurprisingly, CVSS can be problematic and unwieldy. The history of DREAD can shed some light here. In its original incarnation, DREAD categories were scored on a scale of zero through 10 -- as CVSS is today -- but this method fell out of favor for some logical and readily apparent reasons.
"If we apply some obvious tests, we find that a damage of one, and all other factors 10 (a well-known nuisance, e.g., pop-ups) gets weighted the same as a discoverability of one and everything else 10 (hard to sort out, but causes the heat death of the universe). This is an obvious malfunction," conceded LeBlanc. "Next, what's the difference between discoverability of six and seven? Who the heck knows? I don't."
This led to the simplifying of DREAD to a ternary scale. Meanwhile, dozens of documentation pages are needed to explain how CVSS works. What it offers in detail, CVSS also offers in complexity -- which, in turn, adds its own flavor of risk on top of the very risks the security researchers are attempting to assess.
"CVSS is more complex than DREAD or other five-point ranking systems, but you will have a more detailed picture when you [are] done as to the exact nature of the vulnerability and risk," said Smith.
Nonetheless, Smith emphasized that he "usually recommend[s] DREAD."
"I would rather see a simple threat model done than a more complex one attempted and never finished," said Smith. "Getting an organization comfortable and willing to regularly use threat models is more important than having a complex system nobody wants to use."
Final Point on Threat Risk Models and Preview of Part Two
It is important to remember that there is no "best" threat-rating system. While each methodology has its own strengths and weaknesses, the "best" system for any given project ultimately depends on the particular project -- and the particular people -- involved.
Next up we will cover Trike, MIL-STD-882E and OCTAVE.
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate communications and data privacy consultant, writer, speaker and bridge player. Follow him on Twitter at @JoeStanganelli.