O'Reilly logo

Threat Modeling: Designing for Security by Adam Shostack

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Appendix C

Attacker Lists

As discussed in Chapter 2, “Strategies for Threat Modeling,” focusing on attackers is an attractive way to make threats real. This appendix provides you with an understanding of attackers at a variety of levels of details. The first section is four lists of attackers with limited detail about each. That is followed by a discussion of “personas,” and then a fully worked out system of threat personas.

Many projects have floundered because creating these models is challenging. This appendix is presented with the hope that it will help you, and the (cynical) expectation that it will help you by helping you “fail faster.” That is, by providing these lists, you can experiment with a variety of attacker models, rather than needing to create your own to try them out. By failing faster, you can learn lessons and move along, rather than getting mired in an approach.

There is one other attacker worth considering, and that is the expert witness. If you expect your product (or evidence from it) to be used in court, consider how each element of the product, process, or system might come under attack by a motivated skeptic. For an example of this, see “Offender Tagging” by Ross Anderson (Anderson, 2013).

Attacker Lists

This section lays out four sets of attackers which have been developed to various degrees.

Barnard's List

One set of attackers was developed by Robert Barnard in Intrusion Detection Systems (Barnard, 1988) and is covered in Ross Anderson's SecurityEngineering ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required