What is Threat Modelling?
Threat modelling is a process in which we can detect threats or vulnerabilities which might happen in the future by assessing the technologies that is being used. When we apply threat-modelling process, we create an architectural design of our whole network to identify the threats and then look for the mitigations.
Threat modelling is a hypothetical approach to mitigate the risk and monitor the threats which may arise in future. We can understand it by a simple example where application using a SQL database then we actually consider that there is a risk of SQL injection exploitation, so we will take the mitigations steps such as input sanitizations firewalls etc.
Organization not only take the mitigation steps with threat modeling even also prioritize the remediation of vulnerabilities. It depends on organization how soon they want to start the threat modelling process. It can be start from the Requirements phase of the software development Life Cycle.
Some organization think its overhead to implement it but it helps to stop the attack in initials stage or to reduce the attack surface.
i. Reducing the risk as initial stage.
ii. It provide an architectural view of infrastructure resources. By that we can prioritize the threat, its risk and the vulnerabilities that may arise.
iii. It remove the single point failure as in basic of security it is always mentioned that implement multiple security devices to secure your organization.
iv. It will also show you how attacker can chain the attack to compromise the infrastructure.
v. It not help in mitigation but also monitor the vulnerability.
How to identify the threats?
Threat is starting point or warning if we neglect then it will turn into a vulnerability and the attacker can exploit that vulnerability. Threat is a hypothetical approach to solve the problem.
Whenever data flow from browser to internal network or towards the internal server such as database or web server. In meanwhile so many devices or endpoints exists and there maybe a threat associated with that. At different endpoints, we have different threats. I am writing some common threats that can exists on some common endpoints.
i. Client Side: It can be a browser from where user is accessing the application.
Threats: Cross site Scripting, Spoofing, Privacy.
ii. Client to Firewall: If the admin has not implemented the SSL/https. In that case, traffic going to the server is unencrypted.
Threats: Sniffing, Man-in-the middle Attack, Session hijacking.
iii. Webserver: It comes in picture when traffic reach to particular webserver after flowing through the firewall. Now a day’s most of application admin deploy different services on the server.
Threats: Buffer Overflow, Format String, Directory Traversal, Default Accounts, XXE, SSRF, Authorization Issue.
iv. Database: Database server deployed at last and there might be possibility that one more firewall may be deployed before it. As it contain sensitive information.
Threats: SQL Injection, Misconfiguration, Authentication issue.
Therefore, we have to identify those endpoints to mitigate the threats.
What is “Stride”
STRIDE is a threat model by which we can identify the threat in an application/organization. In “Stride”, every word has its own significance:
a) S: Spoofing
b) T: Tampering
c) R: Repudiation
d) I: Information discourse
e) D: DDOS
f) E: Elevation of privilege
Let us explore them one by on.
Principle it violates: It violates the principle of “Authentication”.
It is specifically doing the impersonation of a person by forging his identity. We have a lot of things such as spoofing the traffic using MITM attack or manipulating the user identity. So impersonating someone without his or her knowledge. Specifically attacker can spoof a machine, a person or a file.
Principle it violates: It violates the principle of “Integrity”.
Tampering is modifying something travelling from user’s network to the application server. As attacker performs modification in the content it the break the integrity it. This can be easily done by performing a MITM attack between user and the server where the attacker can modify the traffic in between.
Also let think attacker gets unauthorized access to one of the system and he tampers the data of that system. Then it is known as compromising the integrity of the system.
Principle it violates : It violates the principle of “Non-Repudiation”
In it, attacker removes the logs and those information by which his identity can be proved. Therefore, no one can identify what operation were performed by him or what were the resources he accessed. Simply to prove that he is not involved in this task.
To perform this attacker will delete all the logs entry from the system that can prove his existence. So if any checks has been performed then there will be nothing by which the attacker can be identified.
d) Information disclosure :
Principle it violates: It violates the principle of “Confidentiality”.
It means sensitive information of an organization has been disclosed to public.
So lets take an example There is one application that is used to save the sensitive data on Amazon S3 bucket. If anyhow the permission of the bucket has not been configured properly then the contents of the bucket may become public and, it will disclose sensitive information related to organization.
Principle it violates: It violates the principle of “Availability”.
DDOS stands for “Denial of Service” Attack, here attacker uses a lot of server of devices connected to the internet so send a lot of traffic to the organizations server. Now the server is not able to handle that much of the traffic and becomes unavailable to serve the users.
As a result, this is commonly used to restrict the users from accessing the service
f) Elevation of privilege:
Principle it violates: It violates the principle of “Authorization”.
Elevation means “upgrading”, this allows someone to access those resources to which he/she is not permitted or authorized to do so he can do it by the elevation of his privileges. Privilege can be escalated vertically or horizontally.
i. Vertical escalation:
In it a simple user escalates his privilege to get the admin access of the account.
ii. Horizontal escalation:
In it attacker escalating his privilege to modify or do the changes of a same level user.