Chapter 1

When attempting to inventory and categorize threats, it is often helpful to use a

guide or reference. Microsoft developed a threat categorization scheme known as
the STRIDE threat model. STRIDE is an acronym standing for the following:
 Spoofing: An attack with the goal of gaining access to a target system
through the use of a falsified identity. When an attacker spoofs their
identity as a valid or authorized entity, they are often able to bypass filters
and blockades against unauthorized access.
 Tampering: Any action resulting in unauthorized changes or manipulation
of data, whether in transit or in storage.
 Repudiation: The ability of a user or attacker to deny having performed an
action or activity by maintaining plausible deniability. Repudiation attacks
can also result in innocent third parties being blamed for security
violations.
 Information disclosure: The revelation or distribution of private, confidential,
or controlled information to external or unauthorized entities.
 Denial of service (DoS): An attack that attempts to prevent authorized use of
a resource. This can be done through flaw exploitation, connection
overloading, or traffic flooding.
 Elevation of privilege: An attack where a limited user account is transformed
into an account with greater privileges, powers, and access.

Visual, Agile, and Simple Threat (VAST) is a threat modeling concept that integrates
threat and risk management into an Agile programming environment on a scalable
basis (see Chapter 20, “Software Development Security,” regarding Agile).
These are just a few in the vast array of threat modeling concepts and
methodologies available from community groups, commercial entities, government
agencies, and international associations.

BE ALERT FOR INDIVIDUAL THREATS

Competition is often a key part of business growth, but overly adversarial

competition can increase the threat level from individuals. In addition to criminal
hackers and disgruntled employees, adversaries, contractors, employees, and even
trusted partners can be a threat to an organization if relationships go sour.

Potential threats to your business are broad and varied. A company faces threats
from nature, technology, and people. Always consider the best and worst possible
outcomes of your organization's activities, decisions, and interactions. Identifying

Classification: Internal
 threats is the first step toward designing defenses to help reduce or eliminate
downtime, compromise, and loss.

Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage threat modeling
methodology. PASTA is a risk-centric approach that aims at selecting or developing
countermeasures in relation to the value of the assets to be protected. The following
are the seven steps of PASTA:
 Stage I: Definition of the Objectives (DO) for the Analysis of Risks
 Stage II: Definition of the Technical Scope (DTS)
 Stage III: Application Decomposition and Analysis (ADA)
 Stage IV: Threat Analysis (TA)
 Stage V: Weakness and Vulnerability Analysis (WVA)
 Stage VI: Attack Modeling & Simulation (AMS)
 Stage VII: Risk Analysis & Management (RAM)
Each stage of PASTA has a specific list of objectives to achieve and deliverables to
produce in order to complete the stage. For more information on PASTA, please
see Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis (Wiley,
2015), by Tony UcedaVelez and Marco M. Morana.

Threat modeling isn't meant to be a single event. Instead, it's meant to be initiated
early in the design process of a system and continue throughout its lifecycle. For
example, Microsoft uses a Security Development Lifecycle (SDL)
(www.microsoft.com/en-us/securityengineering/sdl) with the motto of “Secure by
Design, Secure by Default, Secure in Deployment and Communication” (also known
as SD3+C). It has two goals in mind with this process:
 To reduce the number of security-related design and coding defects
 To reduce the severity of any remaining defects

Classification: Internal