STRIDE-LM Threat Model

Introduction to STRIDE-LM

The process of threat modeling can be very beneficial in determining how to best protect a computer application or network. The purpose of the threat modeling is to evaluate the system from the perspective of a potential attacker, then select appropriate controls for reducing the risk of those attacks.

STRIDE is a popular threat model originally developed at Microsoft. It is an acronym for six classifications of threats to systems:

  1. Spoofing – Impersonating another user or system component to obtain its access to the system
  2. Tampering – Altering the system or data in some way that makes it less useful to the intended users
  3. Repudiation – Plausible deniability of actions taken under a given user or process
  4. Information Disclosure – Release of information to unauthorized parties (e.g., a data breach)
  5. Denial of Service – Making the system unavailable to the intended users
  6. Elevation of Privilege – Granting a user or process additional access to the system without authorization

Practitioners at Lockheed Martin noted that STRIDE was developed primarily to address engineering and development projects, rather than network defense. To make the model more applicable to the latter, they added a seventh classification:

  1. Lateral Movement – Expanding control over the target network beyond the initial point of compromise.

STRIDE-LM Components

IDThreat VectorDesired PropertyFramework References
IInformation DisclosureConfidentiality
DDenial of ServiceAvailability
EElevation of PrivilegeLeast Privilege
LMLateral MovementContainment
STRIDE-LM elements and countermeasures

Further Reading