STRIDE, CIA and the Modern Adversary

The modern adversary isn’t a script kiddie. She/he is a sophisticated professional hired by a nation-state or a criminal organization. Her organization will have done an ROI (Return on Investment) calculation to justify the cost of a targeted attack against a specific entity. Nor does this adversary attack linearly, head-on against the traditional network-based defenses.

The modern adversary uses graph thinking, going through multiple hops to reach the desired target, such as credit card numbers or lists of employees. The path can even span more than one company: first breach a trusted vendor, then abuse that trust to attack the actual target.

This new reality made me think about the relationship between the goals of security known as CIA (Confidentiality, Integrity and Availability) and the threat modeling categorization approach known as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege).

Meaning of each Letter

STRIDE describes what an attacker can do. TID is the attack-side counterpart of CIA:

  • Defenders want Confidentiality – attackers use Information Disclosure
  • Defenders want Integrity – attackers use Tampering
  • Defenders want Availability – attackers use Denial of Service.

But, what about Spoofing, Repudiation and Elevation of Privilege? Enter the (modern) non-linear attack:

  • Spoofing and Elevation of Privilege are the entry points to pry open the doors.
  • Repudiation is covering the adversary’s tracks during the initial compromise and the breach. This also happens when you cannot distinguish the attacker’s actions from those of the legitimate user. Note: sometimes repudiation is an attempt by a legitimate user (turned adversary) to dispute transactions (Dear Gullible Bank, I never transferred that money from my account; you owe me $20,000 in damages).

Non-Linear Attack

Graph thinking does not (primarily) worry about traditional network defenses, such as firewalls, DMZs, VPNs and similar. Note: these defenses are still useful to some extent.

Let’s construct a fictional scenario (any resemblance to actual attacks is coincidental):

  • Plan the attack (can take months for intelligence gathering).
  • Initial compromise to gain command and control (STIE)
    • Social engineering attack (Spoofing)
    • Deploy malware (Tampering with the OS to facilitate Information Disclosure)
    • Steal credentials (Information Disclosure in preparation of Spoofing)
    • Attempt lateral traversal and escalation to Domain Administrator (Elevation of Privilege)
    • Add additional high-privilege user accounts such as domain administrators (Elevation of Privilege and Spoofing)
  • Execute the attacker’s mission (Violate CIA through TID)
    • Retrieve the data (Information Disclosure)
    • Execute fraudulent transactions (Tampering)
    • Encrypt for ransom demand (Denial of Service)
    • Destroy data (Denial of Service and/or Tampering)
    • Persist compromise for future exploits
  • Hide the tracks and hide Command and Control capability (Repudiation)
    • Encrypt stolen data during exfiltration to avoid detection
    • Erase logs
    • Tamper with anti-malware and intrusion detection systems
    • Use additional created credentials instead of the original high privilege account(s)
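The scenario above is easier to reason about as a graph than as a list, and that is also how a defender should model it. The following added example (not code from the original post) builds a small attack graph whose edges are the actions in the scenario, each tagged with its STRIDE category, enumerates every multi-hop path from the Internet to the target data, and reports the hops that every path shares. Those shared hops are where a single mitigation breaks all paths, including the trusted-vendor path that a perimeter-only defense never sees. The graph, host names and actions are constructed for illustration and correspond to no real environment.

```python
"""Attack-graph view of the non-linear scenario (constructed example).

Nodes are positions an adversary can hold (an account, a host, a dataset).
Edges are the actions that move the adversary one hop further, tagged with
the STRIDE category the action exercises.
"""
from collections import Counter

# Constructed example edges: (from, to, action, STRIDE category).
# The second entry point models the "first breach a trusted vendor" variant.
EDGES = [
    ("internet", "employee_mailbox", "social engineering mail", "Spoofing"),
    ("employee_mailbox", "workstation", "malware deployed", "Tampering"),
    ("workstation", "cached_creds", "credential theft", "Information Disclosure"),
    ("cached_creds", "file_server", "lateral traversal", "Spoofing"),
    ("file_server", "domain_admin", "privilege escalation", "Elevation of Privilege"),
    ("domain_admin", "card_database", "data retrieval", "Information Disclosure"),
    ("internet", "vendor_vpn", "trusted vendor compromised", "Spoofing"),
    ("vendor_vpn", "file_server", "vendor trust abused", "Spoofing"),
]


def build_graph(edges):
    """Adjacency list: node -> [(next_node, action, category), ...]."""
    graph = {}
    for src, dst, action, category in edges:
        graph.setdefault(src, []).append((dst, action, category))
        graph.setdefault(dst, [])
    return graph


def all_paths(graph, start, target):
    """Every simple path from start to target, as lists of edge tuples (DFS)."""
    paths = []

    def dfs(node, visited, hops):
        if node == target:
            paths.append(list(hops))
            return
        for dst, action, category in graph.get(node, []):
            if dst in visited:          # simple paths only: no revisits
                continue
            hops.append((node, dst, action, category))
            dfs(dst, visited | {dst}, hops)
            hops.pop()

    dfs(start, {start}, [])
    return paths


def shortest_path(graph, start, target):
    """The path with the fewest hops, or None when the target is unreachable."""
    paths = all_paths(graph, start, target)
    return min(paths, key=len) if paths else None


def stride_tally(path):
    """How often each STRIDE category is exercised along one path."""
    return Counter(category for _, _, _, category in path)


def choke_points(graph, start, target):
    """Edges present on every path: mitigating any one of them cuts all paths."""
    paths = all_paths(graph, start, target)
    if not paths:
        return set()
    common = {(src, dst) for src, dst, _, _ in paths[0]}
    for path in paths[1:]:
        common &= {(src, dst) for src, dst, _, _ in path}
    return common


if __name__ == "__main__":
    g = build_graph(EDGES)
    for path in all_paths(g, "internet", "card_database"):
        print(len(path), "hops:", " -> ".join(["internet"] + [dst for _, dst, _, _ in path]))
        print("   STRIDE tally:", dict(stride_tally(path)))
    print("choke points:", sorted(choke_points(g, "internet", "card_database")))
```

On this constructed graph the phishing path has six hops and the vendor path four; the only hops common to both are the privilege escalation on the file server and the data retrieval by the domain administrator, which is the article's point that the controls worth prioritizing sit on the Elevation of Privilege and Information Disclosure hops, not only at the perimeter.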

Prioritizing CIA and the Relative Importance of TID

STRIDE mitigations need to be prioritized. Therefore, you must consider the importance of C, I and A for your scenario:

  • Many industries (e.g. banking, health care insurance, …) value Confidentiality and Integrity almost equally and Availability much lower (but not at zero).
  • In other industries, such as SCADA (Supervisory Control and Data Acquisition) systems or any IoT, Availability trumps all else, followed closely by Integrity with Confidentiality lower. If you wonder why, just think about a nuclear power plant or a connected car: unavailability leads to a catastrophic failure.
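To turn the two industry profiles above into an actual ordering of mitigations, the following added example (not code from the original post) scores threat-model findings by the weight their CIA goal carries in a deployment. TID findings map directly to C, I and A as the article describes; for Spoofing, Elevation of Privilege and Repudiation, which the article treats as entry points and track-hiding rather than goals, the example makes the assumption that each such finding lists the TID outcomes it enables and is scored by the worst of them. The weight values and the findings are constructed for illustration and are not figures from the article.

```python
"""Prioritizing STRIDE findings by the CIA weights of the deployment."""

# Constructed weights reproducing the ordering the article describes:
# banking values C and I almost equally with A low but non-zero; SCADA/IoT
# puts A first, I close behind, C lower. Each profile sums to 1.
PROFILES = {
    "bank":  {"C": 0.45, "I": 0.45, "A": 0.10},
    "scada": {"C": 0.15, "I": 0.35, "A": 0.50},
}

# The article's mapping: TID is the attack version of CIA.
TID_TO_CIA = {
    "Information Disclosure": "C",
    "Tampering": "I",
    "Denial of Service": "A",
}

# Constructed findings. "likelihood" is the modeller's 0..1 estimate that the
# threat is realised; S/E/R findings carry the TID outcomes they enable.
FINDINGS = [
    {"id": "F1", "category": "Denial of Service", "likelihood": 0.6,
     "note": "unauthenticated endpoint can be flooded"},
    {"id": "F2", "category": "Tampering", "likelihood": 0.5,
     "note": "writes accepted without integrity check"},
    {"id": "F3", "category": "Information Disclosure", "likelihood": 0.7,
     "note": "account identifiers written to debug logs"},
    {"id": "F4", "category": "Spoofing", "likelihood": 0.4,
     "enables": ["Tampering", "Denial of Service"],
     "note": "weak authentication on maintenance interface"},
    {"id": "F5", "category": "Repudiation", "likelihood": 0.8,
     "enables": ["Tampering"],
     "note": "administrative actions are not audit-logged"},
]


def threat_weight(finding, profile):
    """Weight of the CIA goal a finding violates, or (assumption) the
    heaviest goal an S/E/R finding enables an attacker to violate."""
    category = finding["category"]
    if category in TID_TO_CIA:
        return profile[TID_TO_CIA[category]]
    enabled = finding.get("enables", [])
    if not enabled:
        raise ValueError(f"{finding['id']}: {category} must list the TID outcomes it enables")
    return max(profile[TID_TO_CIA[c]] for c in enabled)


def prioritize(findings, profile):
    """Findings as (id, score) from most to least urgent; ties broken by id."""
    scored = [(f["id"], round(threat_weight(f, profile) * f["likelihood"], 3))
              for f in findings]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def priority_order(findings, profile):
    """Just the finding ids, in priority order."""
    return [fid for fid, _ in prioritize(findings, profile)]


if __name__ == "__main__":
    for name, profile in PROFILES.items():
        print(name, prioritize(FINDINGS, profile))
```

The same five findings come out in a different order for the two profiles: the bank fixes the missing audit log and the log leak first and the flooding risk last, while the SCADA operator fixes the flooding risk first and the confidentiality leak last. That swap is the whole reason the article insists that STRIDE mitigations be prioritized against C, I and A rather than treated as a flat checklist.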

Summary

Each letter of STRIDE maps to an adversary’s goal and/or a defender’s goal. Of course the primary goals can also be useful during the initial compromise to open the door.

Goal              Defender               Attacker        Threat Category
Open the Door     Prevent door opening   Compromise      Spoofing
Integrity         Preserve               Violate         Tampering
Hide Activity     Preserve visibility    Hide activity   Repudiation
Confidentiality   Preserve               Violate         Information Disclosure
Availability      Preserve               Deny            Denial of Service
Open the Door     Prevent door opening   Compromise      Elevation of Privilege


Acknowledgements

A special thank you goes to my colleagues Michael Howard, John Rodriguez and Walter Dominguez for their valuable feedback.