Moai Security Threat

STRIDE Threat Model

S - Spoofing: Pretending to be someone else
    Example: Attacker uses stolen credentials
    Mitigation: Multi-factor authentication, digital signatures

T - Tampering: Modifying data in transit or at rest
    Example: Man-in-the-middle modifies API response
    Mitigation: Encryption, integrity checks, TLS

R - Repudiation: Denying responsibility for actions
    Example: User claims they didn't perform action
    Mitigation: Audit logging, non-repudiation tokens

I - Information Disclosure: Leaking sensitive data
    Example: Attacker reads unencrypted database
    Mitigation: Encryption, access control, data masking

D - Denial of Service (DoS): Preventing access to service
    Example: Botnet floods API with requests
    Mitigation: Rate limiting, DDoS protection, auto-scaling

E - Elevation of Privilege: Gaining higher access than permitted
    Example: Regular user becomes admin
    Mitigation: Least privilege, RBAC, privilege escalation prevention

DFD Example

User
  ↓ [Request] → API Gateway
              ↓ [Route]
              Web Server
              ↓ [Query]
              Database
              ↓ [Return]
              Web Server
              ↓ [Response]
User ← [HTTP Response]

Threats:
- Spoofing: User with stolen credentials → need MFA
- Tampering: Request/response interception → need TLS
- I-Disclosure: Database exposed → need encryption + access control
- DoS: Gateway overloaded → need rate limiting
- Elevation: Web server compromise → need container security

Level 2: Core Patterns

Pattern 1: STRIDE Threat Modeling Worksheet

class STRIDEThreatModel {
  constructor(systemName) {
    this.systemName = systemName;
    this.threats = [];
    this.mitigations = [];
  }
  
  identifyThreats(asset, category) {
    const threatPatterns = {
      'Spoofing': {
        examples: ['fake credentials', 'DNS spoofing', 'IP spoofing'],
        controls: ['MFA', 'Digital signatures', 'DNS validation'],
      },
      'Tampering': {
        examples: ['data modification', 'MITM', 'code injection'],
        controls: ['TLS', 'Checksums', 'Code signing'],
      },
      'Repudiation': {
        examples: ['deny actions', 'unauthorized transactions'],
        controls: ['Audit logging', 'Digital signatures', 'Timestamps'],
      },
      'InformationDisclosure': {
        examples: ['data leaks', 'SQL injection', 'exposed APIs'],
        controls: ['Encryption', 'Access control', 'Input validation'],
      },
      'DoS': {
        examples: ['botnet attacks', 'resource exhaustion'],
        controls: ['Rate limiting', 'DDoS protection', 'Auto-scaling'],
      },
      'ElevationOfPrivilege': {
        examples: ['privilege escalation', 'insecure defaults'],
        controls: ['RBAC', 'Least privilege', 'Secure defaults'],
      },
    };
    
    const patterns = threatPatterns[category];
    
    return {
      asset,
      category,
      examples: patterns.examples,
      suggestedControls: patterns.controls,
    };
  }
  
  createAttackTree(rootThreat) {
    // Build attack tree showing attack paths
    return {
      root: rootThreat,
      branches: [
        {
          attack: 'Compromise web server',
          subattacks: [
            'Find unpatched vulnerability',
            'Exploit via public PoC',
            'Gain RCE (Remote Code Execution)',
          ],
          likelihood: 'MEDIUM',
          impact: 'HIGH',
        },
      ],
    };
  }
  
  riskScore(threat) {
    // Risk = Likelihood × Impact × Exposure
    const likelihood = { LOW: 1, MEDIUM: 2, HIGH: 3 };
    const impact = { LOW: 1, MEDIUM: 2, HIGH: 3 };
    const exposure = threat.isNetworkAccessible ? 3 : 1;
    
    return likelihood[threat.likelihood] * impact[threat.impact] * exposure;
  }
}

// Usage
const threatModel = new STRIDEThreatModel('Payment API');

const threats = [
  threatModel.identifyThreats('Customer Payment', 'Spoofing'),
  threatModel.identifyThreats('Payment Database', 'InformationDisclosure'),
  threatModel.identifyThreats('API Endpoint', 'DoS'),
];

threats.forEach(threat => {
  console.log(`Threat: ${threat.category} on ${threat.asset}`);
  console.log(`Controls: ${threat.suggestedControls.join(', ')}`);
});

Pattern 2: Snort 3.x IDS Rules

# Snort rule syntax for network-based intrusion detection
# Format: action protocol source_ip source_port -> dest_ip dest_port (options)

# Rule 1: Detect SQL injection in HTTP requests
alert http any any -> any any (
  msg:"Possible SQL Injection Attempt";
  flow:to_server,established;
  content:"GET"; http_method;
  pcre:"/\bunion\b.*\bselect\b/i";
  sid:1000001;
  rev:1;
  priority:1;
)

# Rule 2: Detect XXE (XML External Entity) attacks
alert http any any -> any any (
  msg:"XXE Attack Detected";
  content:"POST"; http_method;
  content:"Content-Type|3a|"; http_header;
  content:"xml"; http_header;
  pcre:"<!ENTITY.*SYSTEM|<!DOCTYPE.*SYSTEM/i";
  sid:1000002;
  rev:1;
  priority:1;
)

# Rule 3: Detect SSRF to AWS metadata service
alert http any any -> any any (
  msg:"SSRF to AWS Metadata Service";
  content:"GET"; http_method;
  http_uri; content:"169.254.169.254";
  sid:1000003;
  rev:1;
  priority:1;
)

# Rule 4: Detect command injection in user input
alert http any any -> any any (
  msg:"Command Injection Detected";
  content:"POST"; http_method;
  pcre:"/(;|\||&|\$\(|`).*(cat|ls|whoami|id|bash)/i";
  sid:1000004;
  rev:1;
  priority:1;
)

Pattern 3: Suricata 7.x Rules (Multi-threaded)

// Suricata configuration (YAML format, faster than Snort)
const suricataConfig = `
rules-files:
  - rule-file: /etc/suricata/rules/web-app-threats.rules
  - rule-file: /etc/suricata/rules/ssrf-detection.rules
  - rule-file: /etc/suricata/rules/injection-attacks.rules

# Suricata handles multi-core natively