There are three different approaches to threat modeling, focusing on:
- software
- assets
  - things you protect
  - stepping stones
  - things attackers want
- attacks and attackers
Let us consider three threat models, proposed by Microsoft, CERT, and MITRE. Which one to use depends on what you are going to focus on when deploying a cloud. Based on these models, it will be possible to recommend mitigation techniques for every class of threats in the next chapters.
STRIDE (Microsoft)
The STRIDE model focuses on software. We recommend using the Microsoft Threat Modeling Tool when planning your cloud to model the threats you might face once the cloud is running. The results may affect architectural decisions and change the deployment scenario.
STRIDE has six classes of threats, one for each letter of the abbreviation.
| Threat class | Description | Examples of affected objects |
|---|---|---|
| Spoofing | Pretending to be something or someone other than yourself | Process, file, host, account, certificate, TLS-protected session |
| Tampering | Modifying something on disk, on a network, or in memory | File, memory, data store, data flow, network, cache |
| Repudiation | Claiming that you did not do something, or were not responsible | Attacks on logs, sources of time synchronization |
| Information disclosure | Providing information to someone not authorized to see it | Data from a process, storage, network, cache |
| Denial of Service (DoS) | Absorbing resources needed to provide service | Service availability |
| Elevation of Privileges (EoP) | Allowing someone to do something they are not authorized to do | Process, authorization service |
This guide will refer to STRIDE as the primary threat model used in a software development life cycle.
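The following added example (not part of the original guide and not the Microsoft Threat Modeling Tool's logic) inverts the STRIDE table above to list which threat classes apply to each component of a deployment and which of them still have no planned mitigation. The component names, the inventory and the mitigation record are constructed for illustration; folding "storage" into "data store" and "service availability" into "service" is an assumption.

```python
# STRIDE rows transcribed from the table above: class -> kinds of affected objects.
# Assumption: "storage" is folded into "data store", "service availability" into "service".
STRIDE = {
    "Spoofing": {"process", "file", "host", "account", "certificate", "tls session"},
    "Tampering": {"file", "memory", "data store", "data flow", "network", "cache"},
    "Repudiation": {"log", "time source"},
    "Information disclosure": {"process", "data store", "network", "cache"},
    "Denial of Service": {"service"},
    "Elevation of Privileges": {"process", "authorization service"},
}
KNOWN_KINDS = set().union(*STRIDE.values())

# Constructed inventory (hypothetical component names): component -> object kinds.
INVENTORY = {
    "api-endpoint": {"process", "service", "tls session"},
    "identity-service": {"process", "authorization service", "account"},
    "image-store": {"data store", "file"},
    "audit-log": {"log", "file"},
    "ntp-server": {"time source", "host"},
}
# Constructed record of mitigations already planned: (component, threat class).
MITIGATED = {
    ("api-endpoint", "Spoofing"),
    ("audit-log", "Tampering"),
    ("identity-service", "Elevation of Privileges"),
}

def enumerate_threats(inventory):
    """Map each component to the STRIDE classes whose affected objects it contains."""
    threats = {}
    for name, kinds in inventory.items():
        unknown = kinds - KNOWN_KINDS
        if unknown:  # a misspelled kind would silently hide threats, so fail loudly
            raise ValueError(f"{name}: unknown object kind(s) {sorted(unknown)}")
        threats[name] = [cls for cls, affected in STRIDE.items() if kinds & affected]
    return threats

def unmitigated(inventory, mitigated):
    """List (component, class) pairs that have no recorded mitigation."""
    return [(name, cls)
            for name, classes in enumerate_threats(inventory).items()
            for cls in classes
            if (name, cls) not in mitigated]

if __name__ == "__main__":
    for component, cls in unmitigated(INVENTORY, MITIGATED):
        print(f"OPEN  {component:17} {cls}")
```

Each open pair is a candidate row for the mitigation planning that the later chapters cover per threat class.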
OCTAVE (CERT)
The OCTAVE (Allegro) model focuses on information assets and performs risk assessment. The model consists of eight steps:
1. Establish risk measurement criteria
2. Develop an information asset profile
3. Identify information asset containers
4. Identify areas of concern
5. Identify threat scenarios
6. Identify risks
7. Analyze risks
8. Select mitigation approach
These steps are organized into four phases:
1. Develop risk measurement criteria consistent with the organization’s mission, goal objectives, and critical success factors.
2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
3. Identify threats to each information asset in the context of its containers.
4. Identify and analyze risks to information assets and begin to develop mitigation approaches.
CAPEC (MITRE)
The Common Attack Pattern Enumeration and Classification (CAPEC) model provides comprehensive threat classification and focuses on mechanisms and vectors of attacks.