In our hyper-connected world, security breaches and incidents are a certainty. According to a report from Statista, the cost of cybercrime committed globally is expected to rise from $8.44 trillion in 2022 to $23.84 trillion by 2027. In fact, 86% of cyberattacks are carried out for financial gain, with “state espionage” a close second.
Although there are several strategies for addressing and preventing cyber attacks, threat modeling is one that can be used to gauge and reduce them. Threat modeling is the foundation of “shifting left” in a DevSecOps environment, as it finds vulnerabilities and threats much earlier in the software development lifecycle. This protects the organization’s reputation and reduces losses of money and time. While there are several threat modeling approaches, such as STRIDE, PASTA, VAST, STRIKE, and more, this post discusses the DREAD threat modeling approach.
What is the DREAD Threat Modeling approach?
Microsoft developed the DREAD threat modeling approach to detect and prioritize threats so that the most serious ones can be mitigated first. It was first published in ‘Writing Secure Code’, 2nd edition, by David LeBlanc and Michael Howard in 2002. Though Microsoft has stopped using the DREAD threat modeling approach, smaller organizations, Fortune 500 companies, and the military continue to use it.
DREAD stands for
D – Damage potential
R – Reproducibility
E – Exploitability
A – Affected users
D – Discoverability
Each factor is rated on a scale from 0 to 10 and the five ratings are summed. The higher the resulting total, the greater the risk of a potential attack on the organization, and the sooner mitigation strategies need to be employed.
Let us explore these factors in greater detail:
Expanding the acronyms in DREAD Threat Model
Damage potential measures the amount of damage a threat actor can cause to the organization, on the following scale:
0 – No damage caused to the organization
5 – Information disclosure has occurred
8 – Non-sensitive user data has been compromised
9 – Non-sensitive administrative data has been compromised
10 – The entire information system has been destroyed; all data and applications are inaccessible
Reproducibility indicates how simple it is to replicate an attack, again on a scale of 0 – 10.
0 – Difficult to replicate the attack
5 – Complex to replicate the attack
7.5 – Easy to replicate the attack
10 – Very easy to replicate the attack
Exploitability rates the tools and skills an attacker needs to exploit a vulnerability; different vulnerabilities require different ones, and they are rated as follows:
2.5 – Advanced programming and networking skills are needed to exploit the vulnerability
5 – Available attack tools are needed to exploit the vulnerability
9 – A web application proxy is needed to exploit the vulnerability
10 – Only a web browser is needed to exploit the vulnerability
Affected users estimates the number of users an attack would affect, to determine the potential impact of the attack. This is again rated on a scale of 1 – 10.
0 – No users affected
2.5 – A few individual users affected
6 – Few users affected
8 – Administrative users affected
10 – All users affected
Discoverability rates how easy a vulnerability is to discover, on a scale of 1 – 10.
0 – The vulnerability is hard to discover
5 – HTTP requests can uncover the vulnerability
8 – The vulnerability is in the public domain
10 – The vulnerability is visible in the web address bar or a form
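As an added worked example, not code from the original post, the scoring procedure above in Python. The rubric anchors mirror the five scales listed here; the three sample threats and their factor scores are constructed for illustration; and describe() maps a score to the highest listed anchor at or below it, which is an assumption about how to read scores that fall between anchors (the post does not say).

```python
from dataclasses import dataclass

# Score anchors for each DREAD factor, as listed in the post.
DREAD_RUBRIC = {
    "damage": {
        0: "No damage caused",
        5: "Information disclosure",
        8: "Non-sensitive user data compromised",
        9: "Non-sensitive administrative data compromised",
        10: "Entire information system destroyed",
    },
    "reproducibility": {
        0: "Difficult to replicate",
        5: "Complex to replicate",
        7.5: "Easy to replicate",
        10: "Very easy to replicate",
    },
    "exploitability": {
        2.5: "Advanced programming and networking skills needed",
        5: "Available attack tools needed",
        9: "Web application proxy needed",
        10: "Only a web browser needed",
    },
    "affected_users": {
        0: "No users affected",
        2.5: "A few individual users affected",
        6: "Few users affected",
        8: "Administrative users affected",
        10: "All users affected",
    },
    "discoverability": {
        0: "Hard to discover",
        5: "Uncovered by inspecting HTTP requests",
        8: "Found in the public domain",
        10: "Visible in the web address bar or a form",
    },
}


@dataclass(frozen=True)
class Threat:
    """One modelled threat with its five DREAD factor scores (0-10 each)."""
    name: str
    damage: float
    reproducibility: float
    exploitability: float
    affected_users: float
    discoverability: float

    def __post_init__(self):
        # Reject scores outside the 0-10 range the rubric is defined on.
        for factor in DREAD_RUBRIC:
            value = getattr(self, factor)
            if not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {factor}={value} is outside 0-10")

    def score(self) -> float:
        # The DREAD risk value is the plain sum of the five factor scores.
        return sum(getattr(self, factor) for factor in DREAD_RUBRIC)


def describe(factor: str, value: float) -> str:
    """Rubric text for the highest anchor at or below `value` (assumed reading).

    Scores below the lowest anchor (e.g. exploitability 1) fall back to that
    lowest anchor, so every in-range score maps to some description.
    """
    anchors = DREAD_RUBRIC[factor]
    eligible = [a for a in anchors if a <= value] or [min(anchors)]
    return anchors[max(eligible)]


def rank(threats):
    """Order threats highest risk first, so mitigation starts at the top."""
    return sorted(threats, key=Threat.score, reverse=True)


# Constructed sample threats with hypothetical scores (not from the post).
SAMPLE_THREATS = [
    Threat("Reflected XSS in search form", 5, 10, 10, 6, 10),
    Threat("SQL injection in admin report filter", 9, 7.5, 9, 8, 5),
    Threat("Race condition in payment retry", 8, 0, 2.5, 2.5, 0),
]

if __name__ == "__main__":
    for t in rank(SAMPLE_THREATS):
        print(f"{t.score():5.1f}  {t.name}")
        for factor in DREAD_RUBRIC:
            value = getattr(t, factor)
            print(f"       {factor:<16} {value:>4}  {describe(factor, value)}")
```

Running the module prints the sample threats in descending order of total (41.0, 38.5, 13.0) with each factor's rubric text beside its score, which is the prioritized list the post says the organization should work from.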
After each factor has been assigned a numerical value, the sum of those values gives the risk value to the organization if the attack occurs. The organization can then take steps to mitigate the risks and reduce the possibility of cyber attacks. This post has covered the DREAD threat modeling approach. Stay tuned for further posts that seek to bolster your knowledge of threat modeling and DevSecOps!
Interested in upskilling in Threat Modeling?
Get trained through the Certified Threat Modeling Professional (CTMP) course offered by Practical DevSecOps.
This vendor-neutral course provides you with hands-on training in important threat modeling concepts such as Security requirements in Agile environments, Agile Threat modeling, Threat Modeling as Code, Secure Design Principles to help you ensure security in the design phase, and other core threat modeling concepts and tools.