Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
Threat modeling is an exercise designed to identify the potential threats and attack vectors that exist for a system. Based upon this information, it is possible to perform risk analysis and develop countermeasures and strategies to manage and mitigate these risks.
However, identifying threats in a vacuum can be difficult and is prone to error. Using a threat modeling framework provides structure to the threat modeling process and may include other benefits, such as suggested detection strategies and countermeasures.
Let’s take a look at some well-known threat modeling frameworks.
OWASP top 10
The OWASP Top Ten list is one of the most famous products of the Open Web Application Security Project (OWASP). As the name of the group suggests, its focus — and that of its Top Ten list — is on web application vulnerabilities. This famous list is updated every few years with the most common or dangerous vulnerabilities detected in web applications. The list is commonly a mix of exploitable vulnerabilities (such as Injection or Cross-Site Scripting) and poor development practices, such as a failure to perform proper logging and to monitor those logs and other data sources for signs of an attack.
The OWASP Top Ten list is a great starting point when performing a threat modeling exercise for web applications. It outlines the most common vulnerabilities in web applications, and, due to its high visibility, is also the starting point for many cybercriminals looking for vulnerabilities to exploit. Closing these potential attack vectors eliminates some of the low-hanging fruit for potential attackers.
However, while the OWASP Top Ten list is focused on web application vulnerabilities, this doesn’t mean that it only has value for web application developers. The mistakes described in the OWASP list can generally apply to other types of software as well, such as blockchain applications.
MITRE ATT&CK Framework
MITRE is a federally funded research and development center (FFRDC) of the US government. One of its areas of research is cybersecurity, and the MITRE ATT&CK framework — and the related Shield framework — is one of the products of this cybersecurity research.
MITRE ATT&CK is designed to support cybersecurity by providing a framework for threat modeling, penetration testing, defense development and similar cybersecurity exercises. MITRE ATT&CK breaks the lifecycle of a cyberattack into fourteen stages (called “Tactics” by MITRE). Each of these Tactics describes a specific goal that an attacker may need to achieve on their way to achieving their overall objective such as escalating privileges or gaining access to account credentials.
Under each Tactic is an array of Techniques and Sub-Techniques. Each of these describes a specific method of achieving the related goal. For example, user credentials may be acquired via a brute-force attack, dumping credentials from the operating system or browsers and other means.
The combination of Tactics and Techniques provides concrete guidance for a threat modeling exercise. While MITRE ATT&CK may not be a comprehensive list of every potential attack technique, it has impressive coverage. A simple “check the box” approach to determining if a system is vulnerable to each of the described Techniques and Sub-Techniques provides a solid understanding of the potential vulnerabilities within the system.
However, the value of the MITRE ATT&CK framework is not limited to its structured description of cyberthreats in Tactics and Techniques. Under each Technique or Sub-Technique, MITRE provides additional data, including:
- Technique description
- Affected platforms
- Required permissions
- Data sources for detection
- “Procedures” (known malware, tools or threat actors using the technique)
- Detection methods
This information can help to ensure that a potential threat is properly identified during threat modeling and provides guidance on how to mitigate the potential risk using a combination of detection and mitigation strategies.
MITRE Common Weakness Enumeration (CWE)
In addition to the ATT&CK and Shield frameworks, MITRE also maintains the Common Weakness Enumeration. This resource is similar to the OWASP Top Ten list in that it is designed to describe the common vulnerabilities and other issues that can exist within an application. The CWE is a much more comprehensive list of potential security issues and includes a list of the top 25 threats based on the probability of exploitation and impact of different CWEs.
Like the OWASP Top Ten, the CWE Top 25 is a great starting point for general threat modeling exercises. Investigation of the weaknesses described in the list provides coverage of the most common and commonly exploited vulnerabilities.
However, the CWE Top 25 is not the only useful view into the CWE database. MITRE’s CWE page also provides lists specific to certain programming languages, software development phases and more.
These more focused lists can be invaluable for performing threat modeling throughout the software development life cycle. Early in the process, developers or security team members can review the potential issues that can occur in the Design phase. Later, as solutions are being implemented, code can be tested for language-specific issues.
STRIDE threat modeling
STRIDE is a threat modeling framework developed by Microsoft employees and published in 1999. The STRIDE threat model is focused on the potential impacts of different threats to a system:
- Information disclosure
- Denial of service
- Escalation of privileges
By considering these potential impacts or goals and considering how they can be achieved, it is possible to identify attack vectors for the system under test. Based on this information, it is possible to assess the risk and impact of each potential threat and develop countermeasures to mitigate it.
Mapping STRIDE to other frameworks
STRIDE is a high-level threat model focused on identifying overall categories of attacks. This contrasts with the other threat models discussed in this article, which focus on specific threats to a system.
This difference in focus means that STRIDE and other threat models are often complementary. For example, a blog by (ISC)2 discusses integrating STRIDE with MITRE attack, using STRIDE for high-level modeling and ATT&CK for identifying specific threats.
Selecting a threat modeling framework
The tools described here are only a subset of the threat modeling frameworks available. Frameworks like STRIDE include PASTA, DREAD and more. Additional tools for specific vulnerabilities exist as well, such as the CVSS list.
No “one size fits all” threat modeling framework exists. Different models are better for different situations and different teams. Understanding the available options and the benefits and limitations of each can help with making an informed decision and improve the effectiveness of threat modeling efforts.
- OWASP Top Ten, OWASP
- Mapping the OWASP Top Ten to Blockchain, Howard Poston
- CWE VIEW: Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses, CWE
- “The Threats to Our Products”, Microsoft
- UNDER ATT&CK: HOW MITRE’S METHODOLOGY TO FIND THREATS AND EMBED COUNTER-MEASURES MIGHT WORK IN YOUR ORGANIZATION, (ISC)2