{"id":227106,"date":"2023-03-09T06:54:06","date_gmt":"2023-03-09T06:54:06","guid":{"rendered":"https:\/\/www.devsecops.ltd\/?p=227106"},"modified":"2024-01-31T08:15:06","modified_gmt":"2024-01-31T08:15:06","slug":"dread-threat-modeling","status":"publish","type":"post","link":"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/","title":{"rendered":"DREAD Threat Modeling Methodology"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In our hyper-connected world, security breaches, and incidents are a certainty. According to a report from Statista, the cost of cybercrime committed globally is expected to rise from <\/span><span style=\"font-weight: 400;\">$8.44 trillion in 2022 to $23.84 trillion by 2027.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p>Statista&#8217;s report expects the cost of cybercrime committed globally to rise from $8.<span style=\"font-weight: 400;\">4 trillion in 2022 to $23.84 trillion by 2027. In fact, <\/span>Cyber attackers do 86% of cyberattacks for financial gain, and &#8220;state espionage&#8221; is a close second.<\/p>\n<p>Although there are several strategies to address and prevent cyber attacks, one approach that can be used to gauge and reduce cyber attacks is threat modeling, among several other strategies. The foundation when &#8220;shifting left&#8221; in a DevSecOps environment is the threat modeling approach, as it helps to find vulnerabilities and threats much earlier in the software development lifecycle. This, in turn, saves the organization&#8217;s reputation and reduces monetary and timely losses. While there are several threat modeling approaches, such as <a href=\"https:\/\/www.devsecops.ltd\/what-is-stride-threat-model\/\">STRIDE<\/a>, PASTA, VAST, STRIKE, and more, we will be discussing the DREAD threat modeling approach in this post.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_67_1 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#What_is_the_DREAD_Threat_Modeling_approach\" title=\"What is the DREAD Threat Modeling approach?\">What is the DREAD Threat Modeling approach?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#Expanding_the_acronyms_in_DREAD_Threat_Model\" title=\"Expanding the acronyms in DREAD Threat Model\">Expanding the acronyms in DREAD Threat Model<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#Damage_potential\" title=\"Damage potential:\">Damage potential:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#Reproducibility\" title=\"Reproducibility:\">Reproducibility:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#Exploitability\" title=\"Exploitability:\">Exploitability:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#Affected_Users\" title=\"Affected Users:\">Affected Users:<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#Discoverability\" title=\"Discoverability:\">Discoverability:<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.devsecops.ltd\/dread-threat-modeling\/#Summary\" title=\"Summary\">Summary<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"What_is_the_DREAD_Threat_Modeling_approach\"><\/span>What is the DREAD Threat Modeling approach?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Microsoft developed the DREAD threat modeling approach to detect and prioritize threats so that serious threats can be mitigated first. <span style=\"font-weight: 400;\">It was first published in \u2018<\/span><span style=\"font-weight: 400;\">Writing Secure Code\u2019 2nd edition by David LeBlanc and Michael Howard in 2002<\/span><span style=\"font-weight: 400;\">. Though Microsoft stopped using the DREAD threat modeling approach, smaller organizations, Fortune 500 companies, and the military continue to use it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">DREAD stands for\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">D &#8211; Damage potential<\/span><\/p>\n<p><span style=\"font-weight: 400;\">R &#8211; Reproducibility<\/span><\/p>\n<p><span style=\"font-weight: 400;\">E &#8211; Exploitability<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A &#8211; Affected users<\/span><\/p>\n<p><span style=\"font-weight: 400;\">D &#8211; Discoverability<\/span><\/p>\n<p>We rank these factors on a scale from 0-10 and calculate the sum of these values. If the resulting value is higher, the risk of a potential attack on the organization is greater and we need to employ mitigation strategies immediately.<\/p>\n<p><span style=\"font-weight: 400;\">Let us explore these factors in greater detail:<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Expanding_the_acronyms_in_DREAD_Threat_Model\"><\/span>Expanding the acronyms in DREAD Threat Model<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Damage_potential\"><\/span><b>Damage potential:<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The organization measures the amount of damage that a threat actor can cause as the damage potential on the following scale:<\/p>\n<p><span style=\"font-weight: 400;\">0 &#8211; Indicates no damage caused to the organization<\/span><\/p>\n<p><span style=\"font-weight: 400;\">5 &#8211; Information disclosure said to have occurred<\/span><\/p>\n<p><span style=\"font-weight: 400;\">8 &#8211; Non-sensitive user data has been compromised<\/span><\/p>\n<p><span style=\"font-weight: 400;\">9 &#8211; Non-sensitive administrative data has been compromised<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10 &#8211; The entire information system has been destructed. All data and applications are inaccessible<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Reproducibility\"><\/span><b>Reproducibility:<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Reproducibility indicates if it&#8217;s simple to replicate an attack. These are again plotted on a scale of 0 &#8211; 10.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">0 &#8211; Difficult to replicate the attack<\/span><\/p>\n<p><span style=\"font-weight: 400;\">5 &#8211; Complex to replicate the attack<\/span><\/p>\n<p><span style=\"font-weight: 400;\">7.5 &#8211; Easy to replicate the attack<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10 &#8211; Very easy to replicate the attack<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Exploitability\"><\/span><b>Exploitability:<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Different vulnerabilities in an organization can be exploited by using different tools and skills, as indicated by their ratings.<span style=\"font-weight: 400;\">\u00a0They are rated as follows:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">2.5 &#8211; Indicates that advanced programming and networking skills needed to exploit the vulnerability<\/span><\/p>\n<p><span style=\"font-weight: 400;\">5 &#8211; Available attack tools\u202f needed to exploit the vulnerability<\/span><\/p>\n<p><span style=\"font-weight: 400;\">9 &#8211; Web application proxies\u202fare needed to exploit the vulnerability<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10 &#8211; Indicates the requirement of a web browser\u202f needed to exploit the vulnerability<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Affected_Users\"><\/span><b>Affected Users:<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Calculate the number of users who will be affected by an attack to determine the potential impact of the attack.<span style=\"font-weight: 400;\">\u00a0This is again rated on a scale of 1 &#8211; 10.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">0 &#8211;\u00a0 no users\u202f affected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">2.5 &#8211; Indicates chances of fewer individual users\u00a0 affected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">6 &#8211;\u00a0 Few users\u202faffected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">8 &#8211; Administrative users affected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10 &#8211; All users\u202faffecte<\/span><span style=\"font-weight: 400;\">d<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Discoverability\"><\/span><b>Discoverability:<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">On a scale of 1 &#8211; 10, this factor rates the discoverability of a vulnerability.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">0 &#8211; Indicates it&#8217;s hard to discover the vulnerability<\/span><\/p>\n<p><span style=\"font-weight: 400;\">5 &#8211; HTTP requests can uncover the vulnerability<\/span><\/p>\n<p><span style=\"font-weight: 400;\">8 &#8211; Vulnerability\u00a0 found in the public domain<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10 &#8211; Vulnerability found in\u202f web address bar or form<\/span><\/p>\n<blockquote><p>Read more about other <a href=\"https:\/\/www.devsecops.ltd\/threat-modeling-methodologies\/\">Threat Modeling Methodologies<\/a><\/p><\/blockquote>\n<blockquote><p>Also Read, <a href=\"https:\/\/www.devsecops.ltd\/threat-modeling-vs-penetration-testing\/\">Threat Modeling VS Pen testing<\/a><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Let&#8217;s assume an organization wants to identify and prioritize potential threats to their online banking platform using the DREAD model. Here&#8217;s an example of how the factors in the DREAD model could be applied:<\/span><\/p>\n<ol>\n<li><span style=\"font-weight: 400;\"> Damage potential: The organization assesses the potential damage caused by a threat based on the following scale:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 0: No damage caused<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 5: Information disclosure<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 8: Non-sensitive user data compromise<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 9: Non-sensitive administrative data compromise<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 10: Complete system destruction, rendering data and applications inaccessible<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"2\">\n<li><span style=\"font-weight: 400;\"> Reproducibility: Evaluating how easily an attack can be replicated. Ratings might look like this:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 0: Difficult to replicate<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 5: Complex to replicate<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 7.5: Easy to replicate<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 10: Very easy to replicate<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"3\">\n<li><span style=\"font-weight: 400;\"> Exploitability: Considering the tools and skills required for exploitation:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 2.5: Advanced programming and networking skills needed<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 5: Available attack tools needed<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 9: Web application proxies required<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 10: Only a web browser needed<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"4\">\n<li><span style=\"font-weight: 400;\"> Affected users: Calculating the potential impact of an attack by determining the number of users affected:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 0: No users affected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 2.5: Fewer individual users affected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 6: Few users affected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 8: Administrative users affected<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 10: All users affected<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"5\">\n<li><span style=\"font-weight: 400;\"> Discoverability: Assessing how easily a vulnerability can be discovered:<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 0: Hard to discover<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 5: Discoverable through HTTP requests<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 8: Vulnerability found in the public domain<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0&#8211; 10: Vulnerability found in the web address bar or form<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">By assigning a numerical value to each factor and calculating the average, the organization can prioritize the identified threats based on the resulting risk value which allows them to focus their mitigation efforts on addressing the most critical threats that pose a highest risk to their online banking system.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Keep in mind that this is just an example of applying the DREAD threat modeling approach to a specific scenario. The actual assessment process may involve more extensive analysis, consideration of additional factors, and customization based on the organization&#8217;s unique requirements and risk profile.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>After scaling each factor to a numerical value, the sum of the values calculated shows the risk value to the organization if an attack occurs. The organization can then take steps to mitigate the risks and reduce the possibility of cyber attacks. <span style=\"font-weight: 400;\">We have seen the DREAD threat modeling approach in this post. Stay tuned for further posts that seek to bolster your knowledge of threat modeling and DevSecOps!<\/span><\/p>\n<p><strong>Interested in upskilling in Threat Modeling?<\/strong><\/p>\n<p><em>Get trained through the <a href=\"https:\/\/www.devsecops.ltd\/certified-threat-modeling-professional\/\"><b data-stringify-type=\"bold\">Certified Threat Modeling Professional (CTMP)<\/b><\/a> course offered by Practical DevSecOps.<\/em><\/p>\n<p>This vendor-neutral course provides you with hands-on training in important threat modeling concepts such as Security requirements in Agile environments, Agile Threat modeling, Threat Modeling as Code, Secure Design Principles to help you ensure security in the design phase, and other core threat modeling concepts and tools.<\/p>\n<p><b>References:<br \/>\n<\/b>Satoricacyber: <a href=\"https:\/\/satoricyber.com\/glossary\/threat-modeling-with-microsoft-dread\/\">Threat Modeling with Microsoft<\/a> DREAD<\/p>\n<p>Haider: Stride Threat Modeling VS DREAD Threat Modeling<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In our hyper-connected world, security breaches, and incidents are a certainty. According to a report from Statista, the cost of cybercrime committed globally is expected to rise from $8.44 trillion in 2022 to $23.84 trillion by 2027.\u00a0 Statista&#8217;s report expects the cost of cybercrime committed globally to rise from $8.4 trillion in 2022 to $23.84 [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":227118,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/227106"}],"collection":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/comments?post=227106"}],"version-history":[{"count":5,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/227106\/revisions"}],"predecessor-version":[{"id":230357,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/227106\/revisions\/230357"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media\/227118"}],"wp:attachment":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media?parent=227106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/categories?post=227106"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/tags?post=227106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}