Adam Shostack here.
I’ve been meaning to talk more about what I actually do, which is help the teams within Microsoft who are threat modeling (for our boxed software) to do their jobs better. Better means faster, cheaper or more effectively. There are good reasons to optimize for different points on that spectrum (of better/faster/cheaper) at different times in different products. One of the things that I’ve learned is that we ask a lot of developers, testers, and PMs here. They all have some exposure to security, but terms that I’ve been using for years are often new to them.
Larry Osterman is a longtime MS veteran, currently working in Windows audio. He’s been a threat modeling advocate for years, and has been blogging a lot about our new processes, and describes in great detail the STRIDE per element process.
I wanted to chime in and offer up this handy chart that we use. It’s part of how we teach people to go from a diagram to a set of threats. We used to ask them to brainstorm, and have discovered that that works a lot better with some structure.
|
Property |
Threat |
Definition |
Example |
|
Authentication |
Spoofing |
Impersonating something or someone else. |
Pretending to be any of billg, microsoft.com or ntdll.dll |
|
Integrity |
Tampering |
Modifying data or code |
Modifying a DLL on disk or DVD, or a packet as it traverses the LAN. |
|
Non-repudiation |
Repudiation |
Claiming to have not performed an action. |
“I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!” |
|
Confidentiality |
Information Disclosure |
Exposing information to someone not authorized to see it |
Allowing someone to read the Windows source code; publishing a list of customers to a web site. |
|
Availability |
Denial of Service |
Deny or degrade service to users |
Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. |
|
Authorization |
Elevation of Privilege |
Gain capabilities without proper authorization |
Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP. |
Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.
Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for many organizations across multiple industries.
A set of memory corruption vulnerabilities in the ncurses library could have allowed attackers to chain the vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions.
In a recent investigation by Microsoft Incident Response of a BlackByte 2.0 ransomware attack, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.
