Shostack + Friends Blog

 

Magical Approaches to Threat Modeling

[no description provided] magician lego man

I was watching a talk recently where the speaker said "STRIDE produces waaaay to many threats! What we really want is a way to quickly get the right threats!"*

He's right and he's wrong. There are exactly three ways to get to a short list of the most meaningful threats to a new product, system or service that you're building. They are:

  • Magically produce the right list
  • Have experts who are so good they never even think about the wrong threat
  • Produce a list that's too long and prune it

That's it. (If you see a fourth, please tell me!)

Predictions are hard, especially about the future. It's hard to know what's going to go wrong in a system under construction, and its harder when that system changes because of your prediction.

So if we don't want to rely on Harry Potter waving a wand, getting frustrated, and asking Hermione to create the right list, then we're left with either trusting experts or over-listing and pruning.

Don't get me wrong. It would be great to be able to wave a magic wand or otherwise rapidly produce the right list without feeling like you'd done too much work. And if you always produce a short list, then your short list is likely to appear to be right.

Now, you may work in an organization with enough security expertise to execute perfect threat models, but I never have, and none of my clients seem to have that abundance either. (Which may also be a Heisenproblem: no organization with that many experts needs to hire a consultant to help them, except to get all their experts aligned.)

Also I find that when I don't use a structure, I miss threats. I've noticed that I have a recency bias, towards attacks I've seen recently, and bias towards "fun" attacks, including spoofing these days because I enjoy solving those. And so I use techniques like STRIDE per element to help structure my analysis.

It may also be that approaches other than STRIDE produce lists that have a higher concentration of interesting threats, for some definition of "interesting." Fundamentally, there's a set of tradeoffs you can make. Those tradeoffs include:

  • Time taken
  • Coverage
  • Skill required
  • Consistency
  • Magic pixie dust required

I'm curious, what other tradeoffs have you seen?

Whatever tradeoffs you may make, given a choice between overproduction and underproduction, you probably want to find too many threats, rather than too few. (How do you know what you're missing?) Some of getting the right number is the skill that comes from experience, and some of it is simply the grindwork of engineering.

(* The quote is not exact, because I aim to follow Warren Buffett's excellent advice of praise specifically, criticize generally.)

Photo: Magician, by ThaQeLa.