Threat models

There are three different approaches to threat modeling, each focusing on one of the following:

  • software

  • assets

    • things you protect

    • stepping stones

    • things attackers want

  • attacks and attackers

Let us consider three threat models, proposed by Microsoft, CERT, and MITRE respectively, whose suitability depends on what you are going to focus on when deploying a cloud. Based on these models, the following chapters recommend mitigation techniques for every class of threats.

STRIDE (Microsoft)

The STRIDE model focuses on software. We recommend using the Microsoft Threat Modeling Tool when planning your cloud, so that you model the threats you may face once the cloud is running. The results may affect architectural decisions and change the deployment scenario.

In STRIDE there are six classes of threats, corresponding to the letters of the abbreviation.

STRIDE threat model

  • Spoofing

    • Description: Pretending to be something or someone other than yourself

    • Examples of affected objects: Process, file, host, account, certificate, TLS-protected session

  • Tampering

    • Description: Modifying something on disk, on a network, or in memory

    • Examples of affected objects: File, memory, data store, data flow, network, cache

  • Repudiation

    • Description: Claiming that you did not do something, or were not responsible

    • Examples of affected objects: Attacks on logs, sources of time synchronization

  • Information disclosure

    • Description: Providing information to someone not authorized to see it

    • Examples of affected objects: Data from a process, storage, network, cache

  • Denial of Service (DoS)

    • Description: Absorbing resources needed to provide service

    • Examples of affected objects: Service availability

  • Elevation of Privileges (EoP)

    • Description: Allowing someone to do something they are not authorized to do

    • Examples of affected objects: Process, authorization service

This guide will refer to STRIDE as the primary threat model used in the software development life cycle.
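The way the Microsoft tool applies STRIDE in practice is "STRIDE-per-element": each kind of element in a data-flow diagram (external entity, process, data store, data flow) is susceptible only to some of the six classes, and flows that cross a trust boundary deserve the most attention. The following Python script is an added example, not code from the original page or from Microsoft; the element kinds, trust zones and the three-element cloud diagram it models (tenant browser, cloud API, state database) are constructed for illustration, and the per-element applicability chart is the commonly published STRIDE-per-element mapping.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example: the DFD below is constructed for illustration and is not a
description of any particular product.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element chart: which threat classes apply to which DFD element kind.
APPLICABLE = {
    "external": "SR",       # external entity (user, partner system)
    "process": "STRIDE",    # running code
    "store": "TRID",        # database, file, queue
    "flow": "TID",          # data in transit between elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element lives in (constructed labels)


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    carries_credentials: bool = False


@dataclass(frozen=True)
class Threat:
    element: str
    cls: str
    crosses_boundary: bool
    note: str = ""


def enumerate_threats(elements, flows):
    """Apply the per-element chart to every element and flow of the DFD."""
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], False))
    for f in flows:
        # A flow crosses a trust boundary when its endpoints sit in different zones.
        crosses = f.src.zone != f.dst.zone
        for code in APPLICABLE["flow"]:
            note = ""
            if crosses and code == "I" and f.carries_credentials:
                note = "credentials cross a trust boundary: require TLS on this flow"
            threats.append(Threat(f.name, STRIDE[code], crosses, note))
    return threats


def prioritized(threats):
    """Boundary-crossing flows first, then the rest, in a stable order."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.cls))


def by_class(threats):
    """Count threats per STRIDE class; useful as a quick sanity check of coverage."""
    counts = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[t.cls] += 1
    return counts


def demo_model():
    """Constructed three-element cloud DFD: tenant -> API -> database."""
    tenant = Element("tenant browser", "external", "internet")
    api = Element("cloud API", "process", "control-plane")
    db = Element("state database", "store", "control-plane")
    flows = [
        Flow("API request", tenant, api, carries_credentials=True),
        Flow("API response", api, tenant),
        Flow("SQL query", api, db),
    ]
    return enumerate_threats([tenant, api, db], flows)


if __name__ == "__main__":
    for t in prioritized(demo_model()):
        flag = "!" if t.crosses_boundary else " "
        print(f"{flag} {t.element:16} {t.cls:24} {t.note}")
```

The point of the exercise is not the list itself but that the list is exhaustive for the diagram: every element gets every applicable class, so a missing mitigation is visible as an unanswered row rather than as something nobody thought of.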

OCTAVE (CERT)

The OCTAVE (Allegro) model focuses on information assets and performs risk assessment. The model consists of eight steps:

  1. Establish risk measurement criteria

  2. Develop an information asset profile

  3. Identify information asset containers

  4. Identify areas of concern

  5. Identify threat scenarios

  6. Identify risks

  7. Analyze risks

  8. Select mitigation approach

These steps are organized into four phases:

  1. Develop risk measurement criteria consistent with the organization’s mission, goals, objectives, and critical success factors.

  2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.

  3. Identify threats to each information asset in the context of its containers.

  4. Identify and analyze risks to information assets and begin to develop mitigation approaches.
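To make the eight steps concrete, the following Python script is an added example (not code from the original page or from CERT) that walks one information asset through them: risk measurement criteria with priorities (step 1), an asset profile with its containers (steps 2 and 3), threat scenarios with an impact rating per criterion (steps 4 and 5), a relative risk score (steps 6 and 7) and a mitigation approach (step 8). The impact areas and their priorities, the two scenarios, and the thresholds used to pick an approach are constructed assumptions for a cloud operator; the scoring rule (priority multiplied by impact value, summed over impact areas) follows the Allegro worksheets as I understand them.

```python
"""OCTAVE Allegro style relative risk scoring for one information asset.

Added example: criteria priorities, scenarios and thresholds are constructed
assumptions, not values from the page or from CERT.
"""
from dataclasses import dataclass, field

# Step 1: risk measurement criteria. Priority 1..5 says how much each impact
# area matters to this (constructed) organization.
CRITERIA_PRIORITY = {
    "reputation and customer confidence": 5,
    "financial": 4,
    "productivity": 3,
    "fines and legal penalties": 2,
    "safety and health": 1,
}
IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class AssetProfile:
    """Step 2 (profile) and step 3 (containers where the asset lives)."""
    name: str
    owner: str
    security_requirements: dict = field(default_factory=dict)  # C/I/A statements
    containers: list = field(default_factory=list)             # technical, physical, people


@dataclass
class ThreatScenario:
    """Steps 4 and 5: an area of concern expressed as actor, means, outcome."""
    asset: AssetProfile
    container: str
    actor: str
    means: str
    outcome: str        # disclosure | modification | loss | interruption
    probability: str    # low | medium | high
    impact: dict        # impact area -> low | medium | high


def relative_risk_score(scenario):
    """Steps 6 and 7: sum of priority * impact value over all impact areas."""
    missing = set(CRITERIA_PRIORITY) - set(scenario.impact)
    if missing:
        raise ValueError(f"impact not rated for: {sorted(missing)}")
    return sum(CRITERIA_PRIORITY[a] * IMPACT_VALUE[scenario.impact[a]]
               for a in CRITERIA_PRIORITY)


def select_approach(scenario):
    """Step 8: constructed thresholds mapping score and probability to an approach."""
    score = relative_risk_score(scenario)
    if score >= 30:
        return "mitigate"
    if score >= 20:
        return "mitigate" if scenario.probability == "high" else "defer"
    return "accept"


def rank(scenarios):
    """Highest relative risk first, so mitigation effort goes where it matters."""
    return sorted(scenarios, key=relative_risk_score, reverse=True)


def demo_scenarios():
    creds = AssetProfile(
        name="tenant credentials",
        owner="identity service team",
        security_requirements={"confidentiality": "only the identity service may read"},
        containers=["identity database", "API nodes (memory)", "operators"],
    )
    leak = ThreatScenario(
        creds, "identity database", "external attacker", "exploit of an exposed service",
        outcome="disclosure", probability="high",
        impact={"reputation and customer confidence": "high", "financial": "medium",
                "productivity": "low", "fines and legal penalties": "high",
                "safety and health": "low"},
    )
    outage = ThreatScenario(
        creds, "identity database", "operator", "accidental misconfiguration",
        outcome="interruption", probability="low",
        impact={"reputation and customer confidence": "medium", "financial": "low",
                "productivity": "high", "fines and legal penalties": "low",
                "safety and health": "low"},
    )
    return [outage, leak]


if __name__ == "__main__":
    for s in rank(demo_scenarios()):
        print(f"{relative_risk_score(s):3} {select_approach(s):9} {s.outcome} via {s.means}")
```

Because the score is driven by the priorities set in step 1, changing what the organization values (for example, raising "fines and legal penalties" after a regulatory change) re-ranks every scenario without re-rating any of them, which is the reason Allegro front-loads the criteria.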

CAPEC (MITRE)

The Common Attack Pattern Enumeration and Classification (CAPEC) model provides comprehensive threat classification and focuses on mechanisms and vectors of attacks.