Hi, today I want to write about DREAD. DREAD is a risk assessment model that assesses the severity of a cyber threat using a scaled rating system.
The scaled rating system uses numeric values from 0 to 10, which are assigned to risk categories.
DREAD was developed by Microsoft and first published in Writing Secure Code 2nd edition in 2002 by David LeBlanc and Michael Howard.
DREAD is broken down into these 5 categories:
- Damage potential: How much damage can be caused by the threat
- Reproducibility: How easy it is to get a reliable attack to work
- Exploitability: How much effort and knowledge is required to mount an attack
- Affected users: How many users are affected by the attack
- Discoverability: How easy it is to discover the vulnerability for that attack. By default, assume the maximum score.
The DREAD model enables analysts to rate, compare, and prioritize the severity of each threat. Each category of the threat gets a rating, and the final score is calculated as the average of all these ratings. The final score indicates the total severity of the threat.
The ratings for the category Damage potential consist of:
- 0: which is no damage
- 5: which is information disclosure
- 8: which is non-sensitive data of individuals being compromised
- 9: which is non-sensitive administrative data being compromised
- 10: which is destruction of the system in scope, the data, or loss of system availability
The ratings for the category Reproducibility consist of:
- 0: which is nearly impossible or difficult
- 5: which is complex
- 7.5: which is easy
- 10: which is very easy
The ratings for the category Exploitability consist of:
- 2.5: which requires advanced technical skills
- 5: which requires tools that are available
- 7.5: which requires application proxies
- 10: which only requires a web browser
The ratings for the category Affected users consist of:
- 0: which is no users affected
- 2.5: which is only individual users are affected
- 6: which is few users are affected
- 8: which is administrative users are affected
- 10: which is all users are affected
The ratings for the category Discoverability consist of:
- 0: which is hard to discover
- 5: which is requests can uncover the vulnerability
- 8: which is vulnerability is publicly known or found
- 10: which is vulnerability is easy to discover in the browser's address bar or a form.
The total severity score of a threat is calculated as the average of the five category ratings:
Score = (Damage potential + Reproducibility + Exploitability + Affected users + Discoverability) / 5
The resulting score can be interpreted as follows:

Score (from) | Label
---|---
0 | Low
2.5 | Medium
5 | High
7.5 | Critical
Example scenario 1
Company XYZ Ltd. runs a helpdesk. Attackers may be able to social engineer some helpdesk employees, who have access to the organization's user accounts.
- Damage potential: Access to administrative accounts would be used by an attacker for further attacks, which may disrupt systems or cause total damage. The rating here is 10
- Reproducibility: Not every helpdesk employee can be social engineered into granting access to administrative accounts, therefore it would be a bit complex. The rating here is 5
- Exploitability: Social engineering attacks require tools like SEToolkit, which is publicly available. The rating here is 5
- Affected users: The attack would affect administrative accounts. The rating here is 8
- Discoverability: The helpdesk is known in the entire organization and also outside the organization, because of customers. The rating here is 8
The total severity score would be:
(10 + 5 + 5 + 8 + 8) / 5 = 7.2
The total severity score is 7.2, which is High.
Example scenario 2
There is a server that is no longer used by the organization. The system is outdated and will be disabled soon.
- Damage potential: Disabling the old server will make it unavailable for its users, but will not disrupt any other system. The rating here is 0
- Reproducibility: When the server is disabled, it will be wiped and sold. There is no reproducibility after that. The rating here is 0
- Exploitability: The vulnerabilities are wiped with it. The rating here is 0
- Affected users: Disabling the server will affect some individual users, like admins who stored the credentials of the old server. The rating here is 2.5
- Discoverability: Users may not know that the old server has been disabled and may access the new server on the same domain. Discovering the new server behind the domain requires tools to send and debug requests. The rating here is 5
The total severity score would be:
(0 + 0 + 0 + 2.5 + 5) / 5 = 1.5
The total severity score is 1.5, which is Low.
I hope you liked it, and could see how the DREAD risk assessment model works 😄