What is STRIDE Threat Modeling

What is STRIDE threat modeling: STRIDE threat modeling is a threat modeling method based on the mnemonic spelled out by STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.

STRIDE threat modeling can be used to identify potential threats, weaknesses, and/or vulnerabilities in your application or IT system. It can be used in conjunction with other security activities such as penetration testing, IT auditing, security code reviews, and vulnerability management.

STRIDE threat modeling was developed by two developers Praerit Garg and Loren Kohnfelder at Microsoft. It has been used for many years at Microsoft to help secure their software and software development processes.

When thinking about what is STRIDE threat modeling, it is essential to look at the threat types that spell out STRIDE.

Spoofing

Spoofing is a type of threat whereby an attacker maliciously impersonates (or pretends to be) a different user (or system). You can also use Spoofing more loosely during STRIDE threat modeling to classify threats related to users and access rights.

Spoofing example: An attacker obtains access credentials of a user in an application. The attacker uses it to log in, and then perform actions using the user access credentials.

Tampering

Tampering is a type of threat whereby an attacker maliciously modifies data. You can also use Tampering more loosely during STRIDE threat modeling to classify threats related to the security of data.

Tampering example: An attacker gains access to the application (somehow), and changes data within the application. The original data has been lost. The data has now been ‘tampered’ with.

Repudiation

Repudiation relates to the ability to prove or disprove that an action or activity was performed by a specific user (or not). Repudiation is thus a type of threat whereby an attacker denies having performed a malicious action.

Repudiation example: An attacker gains access to an application, and performs a transaction of some sort. Due to a lack of logging, and a lack of strong authentication, it is impossible to tell who performed the transaction. The transaction may have been performed by a legitimate user, but it may not have been. Nobody knows after the fact (except for the attacker of course).

Information Disclosure

Information Disclosure is a type of threat whereby the attacker gains access to information that should be confidential or secret (and not available to an attacker).

Information Disclosure example: An attacker gains access to an application, and can view data that they should not be able to view. The data is confidential data that belongs to other users in the application. The confidential data has thus been disclosed.

Denial of Service

Denial of Service is a type of threat whereby an attacker will prevent a system (or application) from working for valid users. This is often achieved by overloading a system with fake requests so that no time or resources remain for legitimate users.

Denial of Service example: An attacker sends thousands of requests per second to an application. The application is run on a server with limited CPU and networking resources. As a result of the attack, the server starts to slow down, and thus slowing down the application. The application is no longer accessible to end users.

Elevation of Privilege

Elevation of Privilege is a type of threat whereby an attacker will elevate their current level of access privilege. This can include elevating access privileges where an attacker has no privileges at all (i.e., not a user) or elevating access privileges where an attacker already has ‘some’ privileges (i.e., a basic user).

Elevation of Privilege example: An attacker has access to an application as a normal user, but is able to set their user rights to ‘administrator’. The attacker can now perform actions that should be reserved for legitimate administrators.