STRIDE Threat Modeling for Beginners - In 20 Minutes

00:00

if I could save a company a million

00:02

dollar a year on their security budget

00:04

this is how I would do it what's going

00:06

on everybody Welcome to netc explained

00:09

and in this video we're going to be

00:10

talking about a piece of the security

00:12

puzzle that often goes way overlooked

00:15

and that is threat modeling now if the

00:18

first thing you thought when you heard

00:19

threat modeling was H that sounds boring

00:23

it's really not in fact it's really

00:25

exciting to learn the ins and outs of an

00:28

application in that level of detail

00:30

to be honest this is something that I

00:31

wish I knew when I was first starting

00:33

out my career in Consulting and bug

00:35

hunting this would have saved me a lot

00:37

of time and it would have made my

00:39

clients happy too but if you're not

00:41

convinced I have a finished threat model

00:43

in the description below of an AI

00:45

application very similar to chat GPT

00:47

this will give you an idea of what one

00:49

of these threat models can look like and

00:51

how they can help you in identifying and

00:53

determining new bugs in an application

00:55

now if you want to learn how to make one

00:56

yourself to save time headache and money

00:59

then and that's what we're going to get

01:00

into today I'm excited so let's get

01:04

started now for this video we're only

01:06

going to go over the basics of threat

01:08

modeling and we're going to do that in

01:09

three parts we're going to create a DFD

01:12

or a data flow diagram we're going to

01:14

label the trust boundaries and then

01:16

we're going to identify the strengths

01:17

and weaknesses of the application right

01:19

we're going to call out the threats

01:21

there's obviously more we can do after

01:22

that but this will get you started to

01:24

take things further I highly recommend

01:26

the oos threat modeling process for more

01:29

detail it's a really solid guide and I

01:32

highly recommend you check it out after

01:33

this video I also want to point out that

01:35

for this video I'll mainly be focusing

01:37

on applications but this exact same

01:39

process works for any other system such

01:42

as networking or Cloud step one data

01:45

flow diagrams dfds can come into

01:48

different levels of detail so we'll

01:50

starting at zero going down to one two

01:52

all the way down to five getting more

01:54

and more detailed as you go further so

01:57

let's take a look Okay so here's an

02:00

example of a level zero DFD this is for

02:02

a railway reservation system so we see

02:05

that we have a passenger who can submit

02:08

a reservation or cancel a reservation

02:10

and then receive travel information from

02:12

the railway reservation itself and then

02:14

we also have admin which has kind of a

02:16

back Channel access to uh reserve and

02:19

cancel information as well as uh upload

02:21

and download train info and gather

02:24

passenger information so think of data

02:26

flow diagram level zero as a back of the

02:29

napkin kind of thing right it's a very

02:31

quick sketch that you draw out in about

02:33

2 minutes so not a lot of detail but

02:36

they're still very useful in

02:38

understanding parts of the application

02:40

okay the next one is a level one data

02:42

flow diagram notice how this goes into a

02:44

little bit more detail right so we

02:46

separate the railway reservation system

02:48

into the reservation process and the

02:50

inquiry process the passenger still has

02:53

access to both processes uh but we see

02:55

how the reservation process handles

02:57

reservations through the reservation

02:59

storage then we see how inquiries handle

03:01

things through uploads and downloads it

03:03

also connects to a ticket generation

03:05

process and allows you to generate

03:08

reports to the

03:09

admin level one is the one that I use

03:12

most often uh this is goes into enough

03:15

detail to understand a little bit of the

03:16

underlying bits of the system but not

03:18

too much detail where it over

03:20

complicates the process what's also

03:22

really nice is that a lot of application

03:24

developers will already have

03:26

architecture diagram that you can kind

03:27

of read off of so you can overlay your

03:30

threat model with our architecture

03:31

diagrams and it makes things a lot

03:33

easier when you're creating a threat

03:35

model and having those

03:36

conversations the last one I want you to

03:38

take a look at is a level two data flow

03:40

diagram notice how this goes into way

03:43

more detail so we have the reservation

03:45

process query process Railway department

03:48

and inquiry process over here that's

03:50

being used for passengers as well as for

03:53

reporting and

03:54

reservations we're communicating back to

03:57

a searching process and then that talks

04:00

to a waiting process a confirmation

04:02

process a cancellation process and then

04:04

the ticket generation and it goes all

04:06

the way out to generate the ticket for

04:08

the client so this is a lot more detail

04:12

almost a little too much for what we

04:13

need to create a basic threat model but

04:16

this just kind of gives you an idea of

04:18

what a level two data flow diagram looks

04:20

like now that we have a map of our

04:22

application data flow we need to

04:24

identify the trust boundaries I have

04:26

here up on the screen uh an example of a

04:28

data flow with trust boundaries that are

04:30

being labeled trust boundaries are

04:32

places in the DFD where trust levels

04:34

change so think unauthenticated user to

04:37

authenticated user or regular user to a

04:39

power user to admin to internal engineer

04:43

you get the idea I have a couple data

04:45

flow diagrams for us to take a look at

04:47

and label the trust boundaries so you

04:48

can see what that process looks like

04:50

okay here's an example data flow diagram

04:53

this is a level one data flow diagram

04:55

I'm using draw IO I find it to be very

04:58

helpful when creating these things for

04:59

clients because it's easier for me to

05:02

finish up the report create the data

05:04

flow diagram and then pass that off to

05:06

the development team so they can further

05:07

their

05:08

practices so we have a couple things

05:10

labeled here right we have our actor

05:12

which is usually in a small rectangle

05:14

and that's going to be our user in this

05:15

case we have data flows going to

05:18

multiple processes and those processes

05:21

uh communicate to either the user or

05:24

backend systems and then you see this

05:26

multi Circle over here on the right uh

05:29

which is is a multi-process so this is

05:31

something that we use to kind of

05:32

abstract a bunch of different things

05:34

happening all at the same time uh access

05:36

to our database is going to be our data

05:38

store as or asset Library uh so this is

05:41

going to be the app database and it's

05:43

with two lines one on top and one on

05:45

bottom so this is somewhat standard of

05:48

data flow diagrams so if you look online

05:50

on how to create a data flow diagram

05:52

you're going to see a lot of these

05:53

symbols finally we have our trust

05:55

boundary which is represented by a

05:57

dotted line that we saw earlier so in

06:00

this case we have a user that can

06:02

connect to an application backend and

06:04

modify a report they also receive static

06:06

files from what looks like to be a web

06:09

application that application backend

06:11

then also connects to a backend data

06:14

store so this is going to be an

06:15

application database for storing and

06:17

modification and then it has access to

06:19

some other backend processes that either

06:21

May tie back into the user or it may tie

06:23

into some other function being performed

06:25

on the back

06:26

end so in this case what we want to do

06:28

is we want to look for uh change in

06:31

trust levels right so for example if we

06:34

go from an unauthenticated user to an

06:36

authenticated user or maybe we want to

06:39

keep the user separate from the process

06:42

in the application backend itself that's

06:45

usually where you'll find the First

06:46

Trust boundary we want to separate the

06:48

user from the application we don't want

06:49

to give them full access to that

06:51

application so let's go ahead and add a

06:54

trust boundary

06:57

to this spot between the user and the

07:00

application

07:01

backend now there's still a couple more

07:03

that we need to set up if you look

07:05

closely you can see that the application

07:07

backend talks to a back-end database now

07:10

we want to be very careful because

07:11

things like SQL injection can happen or

07:14

data corruption so we want to limit the

07:16

access that the application has to the

07:18

back-end database right we're not going

07:20

to run it with admin credentials or

07:21

anything like that we want to follow the

07:23

principle of least privilege so we're

07:25

going to put another trust boundary

07:27

there in the application database

07:32

oops there we

07:34

go and then finally our application

07:36

backend can communicate to some other

07:38

processes on the back end as well um

07:41

usually this is done through apis but we

07:43

want to continue to follow principle of

07:45

least privileged so especially since

07:47

this application backend has the slim

07:50

but possibility of being compromised by

07:52

a user we want to create a separate

07:54

barrier between the application itself

07:56

that the user can interface with and the

07:58

further services that are down

07:59

Downstream so we're going to create one

08:01

last trust boundary between the

08:02

application process and the backend

08:05

Services I'll just go ahead and rotate

08:08

that so it looks a little

08:13

nicer awesome this is our completed data

08:16

flow diagram for this level one

08:19

DFD I have one more data flow diagram

08:22

for us to take a look at and this is

08:23

going to be the level two data flow

08:25

diagram so here we can see this looks

08:27

like a college library website and even

08:30

though it's a level two we still have a

08:31

couple abstracted multi-processes going

08:33

on and I did that to keep things a

08:35

little simple so it all fit on one

08:36

screen so here we have the users that

08:39

can send requests and receive responses

08:41

from the library website itself and then

08:43

likewise we have Librarians which can

08:45

receive requests and receive responses

08:48

we have web pages that are in disk now

08:50

this can either be static files or

08:52

dynamic files such as PHP go python Java

08:56

you name it uh that's communicating with

08:58

the library website

08:59

and then of course we have a back-end

09:01

database which is part of the College

09:02

library database and the database

09:04

files so when we're looking at this we

09:07

want to make sure that we do have a

09:09

separation between the users and the

09:11

application users should not have full R

09:13

of the application and usually they'll

09:15

have at least somewhat limited access to

09:17

the application even once they log in

09:19

right they're not all going to be

09:20

considered admin or an internal engineer

09:23

likewise the Librarians even though they

09:25

might have more access than a regular

09:27

user in order to do different things

09:30

they're still going to have limited

09:31

access because they're also not admin or

09:33

internal engineer so the First Trust

09:35

boundary we're going to put is actually

09:37

going to be between the library in uh

09:39

the Librarians and the users and the

09:41

library's website

09:43

itself so let's go ahead and add

09:47

that and rotate this a

09:52

bit

09:55

oops and let's

09:58

expand

10:00

so that we create a separate uh

10:02

separation between the users the

10:04

Librarians and then the college website

10:07

itself cool so we see that because we

10:10

have this separation the web pages on

10:12

disk are separate from the users but

10:14

what about the library website and the

10:16

database just like the last data flow

10:18

diagram we want to have a separation

10:20

between the web application that users

10:22

are directly interacting with and then

10:24

any other Downstream system just like

10:26

this database but we don't need a put

10:29

any other boundary between the database

10:31

and the database files right maybe this

10:33

is a distributed database or uh maybe

10:36

this is just an abstraction showing that

10:38

the database has access to some other

10:40

files on the back end right this could

10:42

be an S3 bucket or some sort of local

10:43

file storage or even just a separate

10:45

database entirely so let's go ahead and

10:48

add another data uh another trust

10:52

boundary between the College library

10:55

website and the College library

10:58

database

10:59

and that's it there's only two trust

11:01

boundaries here uh these are the only

11:03

places where trust levels are going to

11:04

change within the application at least

11:06

that we're showing right now uh you'll

11:08

notice that the multiprocess little

11:10

Loops here uh these are here because

11:13

they're also part of that same trust

11:15

level if they were parts of different

11:16

trust levels we would want to separate

11:18

that out and then highlight the trust

11:19

boundaries in there as well again most

11:22

of the time I use level one data flow

11:24

diagrams level two data flow diagrams

11:26

can go into a lot more detail but they

11:27

also become a lot more

11:30

complicated awesome the last thing we're

11:32

going to do here is pick a framework to

11:34

list out our strengths and

11:35

weaknesses for this exercise I'm going

11:37

to use stride but if you're an internal

11:39

team I also really like the idea behind

11:42

pasta as well so you may want to look

11:44

into that stride stands for spoofing

11:47

tampering repudiation basically a fancy

11:50

word for logging that way I can't say

11:52

that I didn't do something information

11:55

disclosure denial of service and

11:57

elevation of privileges

11:59

what you want to do here is look at each

12:01

of your trust boundaries and then write

12:02

down the strengths and weaknesses for

12:04

each category you're going to do this

12:05

for both sides of the trust boundary

12:07

just to make sure you get proper

12:08

coverage your strengths in this case are

12:10

really your mitigations so for spoofing

12:13

as an example we're going to use a

12:15

username and password to log into the

12:16

application so I can't pretend to be

12:18

somebody else but depending on the

12:20

application maybe we need a little bit

12:22

more right maybe we need multiactor

12:24

authentication so that's something that

12:25

we're going to want to write down as

12:27

well or we can use SS TLS to prevent

12:30

tampering or information disclosure for

12:32

anything that's in transit across that

12:34

trust

12:35

boundary so let's take a look here's the

12:38

DFD that we're going to look at we have

12:39

three trust boundaries so we're going to

12:41

want to set up three sections in our

12:42

spreadsheet so this is our example

12:45

spreadsheet I usually use this when I'm

12:47

going through my trust boundaries in

12:48

order to identify this stride

12:51

methodology so we have three trust

12:53

boundaries trust boundary 01 which is

12:55

going from the user to the application

12:57

backend trust boundary 02 two which is

12:59

going from the application backend to

13:00

the application database and then trust

13:03

boundary 3 which is going from the

13:05

application backend to the other

13:07

services that we

13:09

identified so I'm going to keep things

13:10

simple and we're only going to fill out

13:12

trust boundary one in this video uh for

13:15

a complete list of what this looks like

13:17

again take a look at the finished threat

13:18

model at the link in the description

13:21

something I want to point out is that

13:22

not all of the stride categories always

13:24

make sense when you're looking at

13:25

different aspects of the application so

13:28

you'll notice here in trust boundary R1

13:29

I have a couple gray boxes and the

13:31

reason why I have these gray boxes is

13:32

because if we're the user we don't need

13:35

to worry about tampering data that we

13:36

enter into the application but the

13:39

application itself needs to worry about

13:40

information that we tampered into it

13:43

same thing with information disclosure

13:45

denial of service and escalation of

13:47

privileges so the user doesn't really

13:49

need to worry about these things so we

13:51

gray these out to keep things a little

13:53

simple now as I mentioned earlier we're

13:55

going to have something as a strength in

13:57

our application right so we're running

13:58

with the assumption that there's an

14:00

authentication like a login flow so a

14:01

username and

14:04

password so I'm going to list that in as

14:07

one of the strengths but maybe this is

14:09

an application that requires a little

14:10

bit more security so let's call out no

14:13

two-factor authentication as one of our

14:15

first vulnerabilities or first weakness

14:17

in the

14:23

application so this is going to be

14:24

labeled as

14:26

vol01 for repudiation let's say there's

14:28

no logging Trail or Telemetry coming

14:30

from the user uh so this is something

14:32

that we'll want to call out as uh

14:36

limitation right so no audit Trail and

14:40

this is going to be our vul

14:44

O2 we're just going to make

14:46

things look nice I'll just keep

14:49

everything

14:50

lowercase bump that up so we're done

14:53

with the user side now let's look at the

14:54

application side so how do we prevent

14:59

oh I just realized I misspelled

15:01

strengths that's

15:04

funny that's silly all right all

15:09

fixed so on the application side how do

15:13

we make sure that the application isn't

15:15

being spoofed back to the user so if

15:18

this was a regular HTTP site we wouldn't

15:21

be able to tell um somebody could spoof

15:23

the DNS or there could be some bit

15:24

flipping or they could even just visit

15:26

the wrong website maybe they change a

15:28

letter on accident but in this case

15:30

we're going to use a TLS certificate to

15:33

prevent spoofing the application to the

15:34

user so this is going to stop uh Hackers

15:37

from doing something like a man- inthe

15:38

middle attack so this is going to be our

15:42

TLS

15:44

certificate now what about tampering

15:46

what do we have in place to prevent the

15:48

user from tampering with different

15:50

aspects of the application now if you

15:53

know about crossy scripting and input

15:55

injection you're probably already

15:56

familiar with input filtering out output

15:58

en coding but let's run with the

16:00

assumption that this application doesn't

16:01

have either of those so we're going to

16:03

put

16:05

no business validation input and this is

16:09

going to be our

16:10

vul

16:14

vol03 I'll just fix that so it looks

16:16

nice and neat so that's going to be our

16:17

vul 03 uh what

16:20

about uh repudiation let's say for

16:23

instance the application doesn't have

16:25

any logging on itself or at least we

16:26

don't have proper logging on the

16:28

application other than the fact that

16:30

somebody's accessing the app uh so this

16:33

will be no

16:35

logging user actions and this is going

16:38

to be

16:41

v04 uh let's take a look at information

16:43

disclosure let's say that the app was

16:45

really poorly made and so we have uh

16:48

clear text

16:54

credentials and this is going to be

16:55

volum

16:57

05

17:00

and then as far as denial of service

17:02

let's say that we do have a strength and

17:03

we have uh backup ISP and a WF in

17:12

place and then as far as escalation of

17:14

privileges let's say that we have a

17:16

strong authorization control pattern

17:18

that we put at every aspect of the

17:24

application if I can

17:27

spell

17:30

awesome so when we're done this is what

17:33

it's going to look like for each of

17:35

these and we can continue through trust

17:37

boundary 2 and Trust boundary 3 but I'll

17:39

leave that as an exercise for you to see

17:41

if there's any other strengths or

17:43

weaknesses that you can come up with on

17:45

your own if you do this exercise let me

17:47

know in the comments below and see what

17:49

you come up with how many

17:50

vulnerabilities did you identify what

17:52

kind of assumptions did you make it's a

17:54

lot of fun doing this kind of

17:56

exercise perfect and that's threat

17:58

modeling in a nutshell once you finish

18:01

everything that we did in this video I

18:02

really want you to go back to the oos

18:04

threat modeling process and list out the

18:08

threats and identify mitigations for

18:10

each one as I said earlier there's

18:12

obviously a lot more that you can do

18:13

with this and I encourage you to

18:15

continue to play around and learn for a

18:17

finished threat model take a look at the

18:19

one that I have in the description below

18:20

it shows you what a final report looks

18:22

like including my assumptions strengths

18:25

and weaknesses and mitigation approach

18:28

now there's a couple common questions

18:30

that I want to go over before I let you

18:31

go the first question is when should you

18:34

do threat modeling here's a diagram of

18:37

the software development life cycle so

18:41

when you should do threat modeling is

18:42

ideally before any line of code is

18:45

written so that's going to be in the

18:46

planning phase now if this is an

18:48

application that already exists and you

18:50

want to do threat modeling on that then

18:52

make sure that you do threat modeling

18:53

before any major changes are done to the

18:55

application once you get everybody on

18:57

board with threat model then it's a lot

18:59

easier to build the security into the

19:01

application instead of tacking it onto

19:03

the side at the end now the second

19:06

question is how do you work with other

19:08

teams it's important to keep in mind

19:09

that threat modeling isn't a oneandone

19:11

kind of thing right it's a collaborative

19:13

and ongoing process so you're going to

19:15

want to get other stakeholders on board

19:18

the biggest value of a threat model

19:20

isn't the report at the end it's going

19:22

through the process and pushing that

19:24

security responsibility onto your

19:26

developers so that they can feel more

19:28

empowered to do their best work now I

19:31

would recommend three meetings at least

19:34

so the first meeting is for you to work

19:36

with the developers and The Architects

19:37

to get an understanding of how the

19:39

application works and any possible

19:41

threats that you can come up with right

19:43

out the gate from there you're going to

19:45

want to create your first draft of the

19:47

data flow diagram the test boundaries

19:49

and the threats identified then you're

19:52

going to have your second meeting and in

19:53

your second meeting you're going to

19:54

confirm with developer teams and the

19:57

architects in order to make sure that

19:58

everybody's on the same page usually in

20:01

the second meeting you're going to

20:02

notice that there are some things that

20:03

you're missing or some assumptions that

20:05

you made or maybe the developers didn't

20:06

communicate certain things properly so

20:08

they'll be able to correct you there now

20:10

if everything goes well then you're

20:12

going to have one more meeting and

20:13

that's going to be after you draft your

20:14

final version of the threat model which

20:17

includes your data flow diagram and your

20:20

threats uh I would also add in

20:22

mitigations and prioritize risks as well

20:25

which you'll see in the OAS threat

20:26

modeling process so so this final

20:28

meeting is really just to get a check

20:30

off from everybody to make sure that

20:32

we're all on the same page we've

20:33

identified everything that we need to

20:35

and we're good to go the last common

20:37

question is how long does it take to

20:39

make a threat model well the answer to

20:42

this kind of depends on the application

20:43

and the team and a lot of other factors

20:45

so I can't give you a solid number I

20:47

would recommend spending at least two to

20:49

three weeks especially if you're not

20:51

part of the org or if you're not part of

20:53

the development team remember it takes a

20:56

lot of time to get all of the St steh

20:58

holders into their same room for a

20:59

meeting so factor that into your

21:02

timeline once you have all your

21:04

information and everybody signed off the

21:06

actual creation of the threat model

21:08

doesn't take that long at all so to give

21:11

you an example the AI threat model that

21:13

I put together in the description that

21:15

took me only a couple of days once I

21:16

knew how I wanted to lay out the

21:18

application and what common applications

21:20

look like so there you have it a brief

21:22

introduction to threat modeling systems

21:25

I hope this video has convinced you of

21:26

how helpful threat models can be and

21:29

give you the confidence to start

21:30

building them on your own well that's

21:33

all I have for you guys today for more

21:35

information check out the links in the

21:36

description below if you like this video

21:38

let me know by leaving a thumbs up it

21:40

really helps with the YouTube algorithm

21:42

and don't forget to subscribe to see

21:44

more videos like this I'll see you next

21:47

time