Third party cookies may be stored when visiting this site. Please see the cookie information.

Penguin Fortress YouTube Channel

Video transcript: Security Threat Modelling / Analysis using STRIDE and the Microsoft Threath Analysis Tool

This is a transcript for a video linked here: Security Threat Modelling / Analysis using STRIDE and the Microsoft Threat Analysis Tool.

Video transcript - Security Threat Modelling / Analysis using STRIDE and the Microsoft Threat Analysis Tool

00:00:00.160 --> 00:00:06.240

this is a quick introduction to threat modeling

and analysis looking at the stride categorization

00:00:06.240 --> 00:00:10.880

scheme this is going to cover the theory and in

a future video i'm going to show you how this

00:00:10.880 --> 00:00:19.600

could be put into a practice with a real world

example modelling is a way to identify categorize

00:00:19.600 --> 00:00:26.480

and analyze threats looking at the potential harm

the possibility of occurrence i.e the likelihood

00:00:27.360 --> 00:00:32.320

the priority of concern and then the

means to eradicate or reduce the threat

00:00:33.680 --> 00:00:38.640

one of the reasons for threat modelling is being

able to identify where to deploy resources based

00:00:38.640 --> 00:00:44.400

on the risks and the importance of the data and

systems for example you wouldn't need the same

00:00:44.400 --> 00:00:49.600

level of security for an information system that

shows the canteen menu on an internal display

00:00:50.320 --> 00:00:54.480

as you might need on a system that

holds client credit card information

00:00:55.280 --> 00:01:01.920

in an ideal world you would want them both to

be secure in the real world you need to identify

00:01:01.920 --> 00:01:07.760

the risks and deploy appropriate resources

accordingly the threat modeling is also important

00:01:07.760 --> 00:01:13.760

for all the services but the actual risks and

resources may vary based on different systems

00:01:15.760 --> 00:01:20.800

so when to perform the analysis you can perform

analysis at just about any stage in the software

00:01:20.800 --> 00:01:28.880

life cycle this diagram is based around a typical

software development life cycle the same diagram

00:01:28.880 --> 00:01:34.640

would be used if you're using off-the-shelf

software with the development being replaced

00:01:34.640 --> 00:01:41.120

by selection and configuration of the software

as a general rule the earlier you perform the

00:01:41.120 --> 00:01:47.280

analysis the cheaper it is to add the additional

security it's usually a good idea to revisit the

00:01:47.280 --> 00:01:54.160

analysis at a later stage in case anything changes

the life cycle normally starts with the strategy

00:01:54.160 --> 00:02:00.000

at the top and then goes clockwise you really need

some kind of initial design to start the analysis

00:02:00.640 --> 00:02:04.560

although you could even start before then if you

have some ideas of how it will be implemented

00:02:05.680 --> 00:02:10.320

there are almost infinite number of threats it's

therefore important to take a structured approach

00:02:11.120 --> 00:02:17.040

we look at this by focusing on assets also

identify the value of the assets and threats

00:02:17.040 --> 00:02:23.440

to them or it could be focused on attackers

you may want to focus on potential attackers

00:02:23.440 --> 00:02:30.640

and threats based on their motivation for

trying to attack you this is particularly

00:02:30.640 --> 00:02:35.840

relevant to certain organizations who may have

informational resources that may be targeted

00:02:37.360 --> 00:02:41.680

or it could be focused on software if you're

developing software then you can look at

00:02:41.680 --> 00:02:50.000

the software during the development process to

ensure that you include security features in that

00:02:50.000 --> 00:02:55.120

so here i'm looking at stride this is a

threat categorization scheme from microsoft

00:02:56.080 --> 00:02:59.280

this is something that can be applied to

software development but it can also be

00:02:59.280 --> 00:03:05.280

used for off-the-shelf products as a way you can

review suitability and specific configurations

00:03:06.880 --> 00:03:11.440

stride is a mnemonic and it describes the

possible attack vectors against the system

00:03:12.320 --> 00:03:19.840

s for spoofing t for tampering r for

repudiation i for information disclosure

00:03:20.560 --> 00:03:24.080

d for denial of service and

e for elevation of privilege

00:03:26.800 --> 00:03:33.840

spoofing is essentially pretending to be someone

else or some other device this may allow them to

00:03:33.840 --> 00:03:40.320

get through filters or blockades this may be

one reason that less important systems still

00:03:40.320 --> 00:03:46.080

need to be kept secure in case they're used

as a stepping stone to more important systems

00:03:46.080 --> 00:03:50.480

another thing that an attacker may be trying

to achieve is to get a higher privilege

00:03:50.480 --> 00:03:55.920

than they are otherwise entitled to different

from elevation of privilege which i'll explain

00:03:55.920 --> 00:04:03.280

later but this is where you're trying to

get straight in as a higher privileged user

00:04:05.920 --> 00:04:09.280

as it suggests tampering

is the manipulation of data

00:04:10.480 --> 00:04:16.640

this could be in storage such as saved on disk

or in a database or it could be in transit which

00:04:16.640 --> 00:04:21.200

could mean traveling over a network connection

or being transferred from disk to memory

00:04:22.640 --> 00:04:28.880

one of the concerns about tampering is identifying

what damage has been done for example knowing

00:04:28.880 --> 00:04:33.840

whether the data that you're looking at is

safe or whether it's being tampered with

00:04:38.000 --> 00:04:43.840

repudiation is about identifying who has done

what on a system it's about stopping someone

00:04:43.840 --> 00:04:51.760

claiming shaggy would say it wasn't me in some

circumstances this goes hand in hand with spoofing

00:04:51.760 --> 00:04:58.880

in that if someone is able to spoof an entry then

how can you prove who is responsible there's also

00:04:58.880 --> 00:05:03.920

the risk that a third party could be being blamed

for something that's been done by somebody else

00:05:08.720 --> 00:05:14.160

information disclosure is when some private

confidential or controlled information is stolen

00:05:15.360 --> 00:05:23.760

particular concerns include personal identifiable

information credit card details or company secrets

00:05:23.760 --> 00:05:29.520

but it could also include information that allows

the attacker further access or makes it easier for

00:05:29.520 --> 00:05:35.920

them to impersonate someone in the event of an

information disclosure then it may be necessary

00:05:36.480 --> 00:05:41.680

to notify clients and it can result

in damage to their company reputation

00:05:45.680 --> 00:05:49.920

the denial of service is where an attacker

prevents the authorized use of a resource

00:05:50.720 --> 00:05:56.000

this may include a service such as a

website could mean that a business is

00:05:56.000 --> 00:06:00.560

unable to operate if this is an attack

against the service that is needed to

00:06:00.560 --> 00:06:06.320

keep that business running imagine computers

controlling a manufacturing production line

00:06:11.120 --> 00:06:14.960

an escalation of privilege is where someone

is able to increase their level of permission

00:06:15.520 --> 00:06:19.840

perhaps gaining admin or root privileges

00:06:21.440 --> 00:06:26.640

to perform the stride analysis you normally start

with a data flow diagram such as the one shown

00:06:26.640 --> 00:06:33.280

here this identifies where data flows from one

system or part of a system to another you then

00:06:33.280 --> 00:06:38.640

look at each of the data flows and apply the six

attack types and identify the threats and risks

00:06:42.000 --> 00:06:45.360

you can then build up an analysis

based on the identified threats

00:06:47.120 --> 00:06:51.600

this screen here shows the microsoft threat

analysis tool which is one of the ways that

00:06:51.600 --> 00:06:58.480

you can do this alternatively you could do this

manually looking at common threats there are pros

00:06:58.480 --> 00:07:03.600

and cons to each methods and i'll be looking

at these in much more detail in a future video

00:07:07.680 --> 00:07:10.560

stride is just one of the threat

modelling tools that can be used

00:07:11.520 --> 00:07:16.080

it is simple to apply it's something i've recently

used on an open source project i'm working on

00:07:17.680 --> 00:07:22.400

this video has been an introduction to the theory

i also plan to make a video showing how this can

00:07:22.400 --> 00:07:28.400

be applied to the actual project so if you'd

like to see that and other cyber security videos

00:07:28.400 --> 00:07:32.880

please click subscribe and click on the

notification icon to get notified about them

00:07:34.560 --> 00:07:40.240

thanks for watching and i hope to

see you again in a future video

Previous Application Security Testing
Application Security Testing