Threat models

Threat models

There are three different approaches to threat modeling focusing on:

  • software
  • assets
    • things you protect
    • stepping stones
    • things attackers want
  • attacks and attackers

Let us consider three threat models proposed by Microsoft, CERT, and MITRE that depend on what you are going to focus on when deploying a cloud. Based on these models it will be possible to recommend mitigation techniques for every class of threats in the next chapters.

STRIDE (Microsoft)

STRIDE model focuses on software. We recommend using Microsoft Threat Modeling Tool when planning your cloud to model potential threats you might have in future when running your cloud. As a result, this may affect architectural solutions and change a deployment scenario.

In STRIDE there are six classes of threats corresponding with the letters in the abbreviation.

STRIDE threat model
Threat class Description Examples of affected objects
Spoofing Pretending to be something or someone other than yourself Process, file, host, account, certificate, TLS-protected session
Tampering Modifying something on disk, on a network, or in memory File, memory, data store, data flow, network, cache
Repudiation Claiming that you did not do something, or were not responsible Attack to logs, sources of time synchronization
Information disclosure Providing information to someone not authorized to see it Data from a process, storage, network, cache
Denial of Service (DoS) Absorbing resources needed to provide service Service availability
Elevation of Privileges (EoP) Allowing someone to do something they are not authorized to do Process, authorization service

This guide will refer to STRIDE as a primary threat model used in a software deveopment life cycle.

OCTAVE (CERT)

OCTAVE (Allegro) model focuses on information assets and performs risk assessment. The model consists of eight steps:

  1. Establish risk measurement criteria
  2. Develop an information asset profile
  3. Identify information asset containers
  4. Identify areas of concern
  5. Identify threat scenarios
  6. Identify risks
  7. Analyze risks
  8. Select mitigation approach

These steps are organized into four phases:

  1. Develop risk measurement criteria consistent with the organization’s mission, goal objectives, and critical success factors.
  2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
  3. Identify threats to each information asset in the context of its containers.
  4. Identify and analyze risks to information assets and begin to develop mitigation approaches.

CAPEC (MITRE)

The Common Attack Pattern Enumeration and Classification (CAPEC) model provides comprehensive threat classification and focuses on mechanisms and vectors of attacks.