Shostack + Friends Blog


Managed Attribution Threat Modeling

Let's talk CAKED, a threat model for managed attribution. close view of brightly-colored frosted cupcakes

The more I learn about threat modeling, the more I think the toughest part is how we answer the question: "What can go wrong?" Perhaps that's "finding threats." Maybe it's "discovering" or "eliciting" them. Maybe it's analogizing from threats we know about. I'm not yet even sure what to call it. But what it does for us is valuable.

I was at a conference not long ago, where people were talking about how to make their threat modeling process lightweight, and one person said "We ask just one question: how would you attack this system you're building. And we get good results." Now, maybe that's true. They certainly get better results than they would from a heavyweight system that no one uses, and maybe that's the implicit point of comparison.

In response, I'm going to quote a student from one of my recent classes. They said: "When we brainstormed, I was pretty happy with what we were finding. Then I used this new way, and I felt bad about what we'd done before." (The "new way" in this was STRIDE, and we were discussing people's experience first brainstorming then using a structure.)

I am pretty certain that however we conceptualize it, whatever we call it, the way we do it needs structure. No, actually, that's not quite right. It doesn't need structure. The panelist had a point. But we get more results from the work, more people are able to do the work, and we get more consistency in the results that they give us if we structure the work.

But I think we can do far better by thinking about ways to answer the question "what can go wrong" that are focused on the needs of a given system. That might be focused on the issues a given system faces. It might be a way that helps us know if we've done a good job or have more work to do. It might help us avoid rabbit warrens.

And that brings me to CAKED, a threat model for "managed attribution." Managed attribution is a particular type of privacy: shaping how you're seen online, and it has an unusual collection of threats. (Ntrepid has a blog post, What is Managed Attribution?)

CAKED is an acrostic for:

  • Correlation of entities: Can the attacker connect two accounts, servers, identities, etc. that are not meant to be seen as connected?
  • Attribution of actors: Can an outsider identify who is behind the activity? This could reveal the operator, their organization, or the MA provider.
  • Knowledge of operation: Can the adversary recognize that the activity is part of an operation and possibly understand the nature or purpose of the operation?
  • Exposure of aliases: Can someone discover that an alias account is not a real person?
  • Discovery of resources: Are there any loose threads that could help identify other previously unknown attribution management infrastructure?

What's interesting about CAKED, is that it (and the accompanying list of threat actor perspectives) are specific to the problems that a managed attribution service should be thinking about as they build and evolve technology. Even if you're not interested in managed attribution, your organization has threats that it worries about. Taking those, grouping them results in a new way to structure work.

It is tempting to say 'we need more of these,' but again, that's not quite right. With more of these, we can do a better job of protecting things. We can involve more people in that work. And we can expect that the work done will be more consistent. That's a high leverage result from threat modeling.

part 2, part 3

Disclosure: I'm an advisor to Ntrepid, and provided feedback on at a draft of the model. They did not ask me to write this post, and I don't speak for them. Photo by Pixabay [link to no longer works].