Have you ever wondered how hackers find vulnerabilities? Out of all the millions of ways to exploit a system, how do they organize all the possible attacks? It is quit literally finding a needle in a hack stack. Hackers use STRIDE while they are threat modeling a target to identify a systems/products attack surface.
What is Threat Modeling?
Threat Modeling is the practice/process of identifying all the potential attack exposures a system/product could have. At first, the attacks are all theory, they can even have a “movie theme” such as “someone could social engineer into someone’s life, figure our history and compromise their accounts” or as “real” as performing a buffer over attack on a system/product that has known vulnerabilities.
Threat modeling is the action and process of identifying potential attacks, however, Threat Modeling needs help with identifying what those attacks are, to easily identify what attack methods to use is where STRIDE comes in.
What is STRIDE?
STRIDE is an acronym for six threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of Privilege. It was invented by Microsoft engineers, Koren Kohnfelder and Praerit Garg in the late 1990s. STRIDE can be used for defense and offensive practices. Hackers like to stay as “quiet” as possible while attempting to attack a target. Being “Loud” means the attacker is raising alarms that the target could identify, being “quiet” reduces the likelihood of an attacker being detected. Let’s discuss what each acronym of STRIDE means to an organization and how you can use these types of attacks to protect yourself.
Six Threat Categories
Spoofing: In the real world, we know of fraud. Well spoofing is the internet world version of fraud. There are several types of Spoofing such as IP Spoofing, ARP Spoofing, Email Spoofing, Website Spoofing Attack, and DNS Spoofing.
Example of Spoofing: Two systems within the same network establish a session, however, there was a third systems listening to the conversation happening. That attacker could intercept the TCP handshake (conversation) and perform a “Man in the Middle Attack”. The Man in the Middle Attack gives the attacker the ability to ingest all traffic meant for the original system, after it ingests the data, it will forward to the original destination. The attacker’s system is falsely claiming it is the original destination host.
Tampering: Tampering is modifying an item, data on disks, network streams, and memory data. After a hack, it is safe to assume data was modified, the trouble is finding out what. In most cases, organizations just hope the data they have is accurate. Most of the times organizations can identify incorrect information. It is the subtle changes such as adding a few extra digits to someone’s bonus or cost of a product that can affect a company’s stock reports.
Can you think of a situation while at work when you are unsure of a process or procedure, so you ask a colleague regarding the best approach to a problem you are facing? What if the person you reached out gave you misinformation, not because they knowingly told you misinformation, they were told and informed incorrectly themselves? Now, what if you used that guidance to make large strategic decisions within your organization? The consequences could be extremely impactful to your organization. The results could lead to terminations and even (in some cases) lead to a company going under. The misinformation that was passed to you was “correct” from the eyes of everyone involved. That is the result of tampering. The scary part of tampering is how difficult it is to confirm the information is accurate after an attack. An example of this is an accountant purchasing items for large events or projects, the price for thousands of parts to build multiple products can be modified. After the price is modified executives could be facing high price projections for their products all based on incorrect data. This consequence could affect stockholders and lead to losing confidence of investors.
Repudiation: Have you ever clicked a link in a site, thinking it was going to take you to a certain site or type of site then turns out it takes you to a completely different site or “nothing” happens at all? That is repudiation, it’s when someone claims they did not do the act they are accused of doing. In most cases the individual is the victim not the “attacker”. The victim receives something, or visits a “known” site, somehow, they accidentally downloaded something or somehow landed in a site they never navigated to.
The scary part of repudiation is the unknown of it all. From a management perspective, how can companies determine if their staff was intending to perform the actions, they claim they did not do or if they were a victim of a repudiation attack?
Information Disclosure: Many organizations such as Tesla, Microsoft, and Google (to name a few) engineer unique products, for those organizations, their intellectual property is extremely valuable (spending millions a year to engineer such products). How can companies ensure their key product information needed to build such products is protected? They apply security measures, whether its restricting access in a database or physical restrictions. Information Disclosure attack is when people who should not have access to data or property are able to get access.
Information Disclosure can come from many areas such as processes, gaining information from an email (someone created a malware to bcc an attacker’s email box). Or systems engineers built a database for a new product. The engineering’s begin to load their code into the database, send and retrieve data from the database, only to find out a permission was missed or built incorrectly in the database. Because of the misconfigured security policies in the database access for all tables and databases within the server is accessible on lower-level engineer’s that allows them to read all data from customers. From a company standpoint that isn’t a major flaw, however, if an attack compromised the developers (engineers) system, the attackers are able to read all data the customers pass through to the database. Information Disclosure attack is targeting on gaining access to information utilizing an account or person that should not have access to the information.
Denial of Service: The Denial-of-Service attack is probably the most known attack, gaining awareness from mainstream media. Large scale Denial-of-Service attacks are common, six banks were attacked in 2012 which included Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. In 2020 Amazon Web Services also fell victim to a Denial-of-Service attack. Denial-of-Service attack is an attack that is meant to absorb so many resources from the target so that the target crashes. The system does not just crash, the system will essentially “reboot” come back online then crash again. The attack outcome is a system in a loop of starting then crashing repeatedly until the organization owners become aware of the situation and mitigate the attack.
It is worth mentioning that Denial-of-Service attacks that occur meaningful impact are in a form of Distributed Denial-of-Service attack (DDoS). The difference is that distributed portion of the attack is the sources are in the thousands – millions of sources all targeting one system/product.
Elevation of Privilege: While information disclosure is an attack that grants access to data to someone who is not allowed to access, Elevation of privilege is allowing someone to do something they’re not authorized to do. Why is this a critical attacker? Let’s say you are an accountant for an organization. Your system was compromised via a malware attack, the attacker has now access to your system via your account. Now, the attack utilizes vulnerabilities in your system to obtain an elevated privilege to make changes on files that your account has access to. This type of attack will now leverage all attacks we mentioned above.
Elevation of Privilege is the highest and most severe level of attack. An attack can do anything and everything they want to the system and product. Read, executing, and creating files. This can cause issues with discovering the attack at all, compromising integrity, and even causing an outage of a product within the organizations network.
Summary:
Threat Modeling with STRIDE is used by hackers to compromise systems/products, it is also used by cybersecurity professionals to build defenses for their systems/products. Threat modeling is a process in which to identify vulnerabilities (potential and real). STRIDE is used to categorize attacks that will exploit the identified vulnerabilities. Threat Modeling with STRIDE is meant to turn a complicated problem of identifying a vulnerability across multiple attack surfaces into a simple process.
In cybersecurity the tools used for good are also used for evil. Hackers can organize their attacks in such a way to reduce the likelihood of detection by utilizing Threat Modeling with STRIDE. Cybersecurity professionals building up their organizations and personal security posture can utilize Threat Modeling with STRIDE to identify vulnerabilities and build enhanced protections and logging on the vulnerable systems/products.
Comments