Threat Modeling
4 min read

My Guide to STRIDE

STRIDE is a simple mnemonic that covers the main categories of security threat any system can face. Here is how each category works and why it belongs in your threat model.

3 November 2022

Reviewed 29 March 2026


A key step in threat modelling is building an initial list of potential security threats your system is vulnerable to. That can feel daunting given the variety of attacks a system can face. STRIDE makes it manageable.

STRIDE is a mnemonic, with each letter referring to a different category of attack. Almost any attack you can think of falls into one of these six categories.


Spoofing

Spoofing refers to an attacker impersonating an asset or identity. An attacker could spoof your website, leading users to visit the attacker's version instead. Users might then share personal details, payment information, usernames and passwords, or download malware without realising it.

Attackers can also spoof a person by taking over email accounts or crafting convincing impersonation emails. Files and data can be spoofed too. If an attacker spoofs a temporary file that carries access privileges, they may be able to access sensitive data or execute code with those privileges, leading to system compromise.

Tampering

Tampering means an attacker modifying data, either at rest (on a hard disk, USB drive or similar) or in transit (moving across networks).

If an attacker gains access to a database they may be able to edit or delete data, with the business impact depending on what that database contains: finance data, employee data, customer data, intellectual property and so on. Data sent across networks without encryption can be intercepted and modified. Though interception can sound out of reach, incidents of this type have occurred at scale.

Repudiation

Repudiation is about confirming or denying that a particular activity took place. Robust audit trails and logs that prove the occurrence of specific actions by specific users are crucial for many systems.

In a banking context or a ledger, a log can confirm whether a user made a particular transaction, even if they later deny it. Without this kind of evidence, disputes become very hard to resolve.

Information disclosure

Information disclosure is where an attacker gains access to privileged information they should not have. A common cause is misconfigured permissions. If a file should only be accessible to a specific staff member or department but the permissions are set incorrectly, that information can suddenly be readable to a much wider audience, potentially including the entire internet.

Denial of service

A denial of service attack renders a system inaccessible or unable to function normally. Most people think of this as overwhelming a system with traffic until it cannot process requests, and that is one form. But DoS attacks can take many forms, particularly in systems heavily dependent on third-party services.

With the right cloud credentials, an attacker could shut down your system entirely. If they gain access to the firewall between your service and the outside world, they could block all traffic, achieving the same effect as a traffic flood but with much less effort.

Elevation of privilege

This is where someone obtains privileges they should not have. In cloud environments, misconfigured identity and access management (IAM) policies are an obvious source of elevation of privilege vulnerabilities. A user or process that can do more than it is supposed to creates a risk that can be exploited to compromise much more than the original entry point.


STRIDE is an essential element of an effective threat model. It is not the only methodology for discovering threats, but it is widely used in the security industry and easy to apply in practice. Working through each category gives you a structured way to find most of the security risks facing any given system.

About the author
Jonny Tyers, Founder & Managing Director

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
