Card play: the intriguing world of threat modelling games

Automotive cybersecurity threat modelling with card play

Elevation of Privilege is a card game that turns threat hunting into an engaging competition complete with actionable output. Plus, game decks can be customized, opening the door to new domains such as automotive cybersecurity.

Most, if not all, cybersecurity teams would agree that threat modelling is an essential step in building safer, more robust products. But distractions can mount up and stakeholders can become disengaged from what should be a priority task. A radical way around this is to ask team members to look beyond their computers and play cards.

The card game in question is ‘Elevation of Privilege’ (EoP) devised by Adam Shostack – formerly of Microsoft’s Security Development Lifecycle Strategy team and now a successful threat modelling consultant. Running the EoP sessions, Shostack asks attendees to suspend their disbelief for 15 minutes (the lively colour scheme and addition of cartoon monsters make the card deck stand out as being very different from other threat modelling tools) and trust the process.

How does it work?

The cards carry descriptions of threats mapped in severity from Ace (highest) down through King, Queen, Jack, Ten, Nine, and so on. And the task for the players is to connect each of the threats to the system being modelled – portrayed as a data flow diagram created at the start of the game.

Those familiar with the STRIDE threat modelling framework will notice that the pack of 74 cards is grouped into suits representing each of the different elements: spoofing, tampering, repudiation, information loss, denial of service and elevation of privilege.

During each round, the first card played sets the STRIDE element for that turn, with the highest card played winning the trick and the player with the most tricks winning the game.

Optionally, players can choose to trade cards, which allows threats that haven’t found their way into play to be reconsidered – noting that each team member will have their own area of expertise.

A final playing detail is that the elevation of privilege suit counts as trumps (cards that are elevated above their usual rank) and can be used when a player doesn’t hold any cards of the current STRIDE element in play.

Collectively, players will soon find themselves identifying security risks and most likely adding more detail to the system diagram as the cards prompt further discussion. Notes are taken throughout play to generate actionable comments that can be fed into development.
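As an added illustration of the rules just described (this is example code, not part of the article or of Shostack's EoP materials), a small referee for a single trick: the first card sets the STRIDE suit, players must follow suit when they can, the Elevation of Privilege suit is trumps, and every card a player manages to connect to the data flow diagram is recorded as a finding. The player names, hands and DFD notes are constructed samples, and the rule that a player void in the led suit may play any card is an assumption.

```python
from dataclasses import dataclass

# Added example (not from the article). Suit names follow STRIDE; the
# Elevation of Privilege suit is trumps, as the rules above describe.
TRUMP = "Elevation of Privilege"
RANKS = ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"]

@dataclass(frozen=True)
class Card:
    suit: str
    rank: str
    threat: str  # threat text printed on the card

@dataclass
class Play:
    player: str
    card: Card
    hand: tuple     # hand before this card was played, to check legality
    note: str = ""  # how the threat maps onto the DFD ("" = no link found)

def legal(play, led_suit):
    """Follow the led suit when able; a player void in it may play any card
    (assumption: the article only says trumps are used when void)."""
    if play.card not in play.hand:
        return False
    return play.card.suit == led_suit or not any(c.suit == led_suit for c in play.hand)

def resolve_trick(plays):
    """Return (winner, findings): the first card sets the STRIDE suit, the
    highest trump wins, otherwise the highest card of the led suit."""
    led_suit = plays[0].card.suit
    for p in plays:
        if not legal(p, led_suit):
            raise ValueError(f"{p.player}: {p.card.rank} of {p.card.suit} is not legal here")
    trumps = [p for p in plays if p.card.suit == TRUMP]
    contenders = trumps or [p for p in plays if p.card.suit == led_suit]
    winner = max(contenders, key=lambda p: RANKS.index(p.card.rank))
    # Every play with a note becomes an actionable finding for development.
    findings = [{"stride": p.card.suit, "threat": p.card.threat, "note": p.note}
                for p in plays if p.note]
    return winner.player, findings

def demo():
    """Constructed sample trick against a constructed ECU-to-gateway DFD."""
    t_q = Card("Tampering", "Q", "Data is altered while flowing between components")
    t_k = Card("Tampering", "K", "Stored configuration is changed without detection")
    e_4 = Card(TRUMP, "4", "A component gains access beyond its role")
    s_3, r_5, s_9 = (Card("Spoofing", "3", "x"), Card("Repudiation", "5", "x"), Card("Spoofing", "9", "x"))
    plays = [
        Play("alice", t_q, (t_q, s_3), "telemetry flow ECU -> gateway has no integrity check"),
        Play("bob", t_k, (t_k, r_5)),  # followed suit but found no link to the DFD
        Play("carol", e_4, (e_4, s_9), "gateway diagnostic service holds more privilege than it needs"),
    ]
    return resolve_trick(plays)  # -> ("carol", [two findings])
```

Running demo() shows carol taking the trick with a low trump while bob's King of Tampering, although higher in rank, earns no finding because it was not tied to the diagram.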

Why does it work?

EoP is fun and interactive. And the cards simplify the housekeeping, leaving more energy for threat hunting. Also, there’s scope for the community to customize the deck – for example, to accommodate new legislation. This happened in 2018 when a GDPR-themed ‘Privacy extension’ was added – boosting the pack by 13 cards.

Shostack has a GitHub page that collects some of the tweaks players have made to the deck – for example, adding depletion attacks such as draining a device’s battery to the denial of service suit.

Dealing with automotive threats

While many of the cards in the base version of EoP are playable against automotive scenarios – for example, attacks against an OEM’s cloud service or on data flowing between ECUs on the vehicle – there’s certainly scope to bring more threats into play.

A great starting point would be the UNECE WP.29 regulations concerning the approval of vehicles with regard to cybersecurity and cybersecurity management. In brief, this 29-page document mandates that vehicle manufacturers have a cybersecurity management system in place, which applies to the development, production and post-production phases of their product cycle. Helpfully, the regulations contain an annex of 32 key threats (examples shown below) that such a system must consider – a list that would translate well into a supplementary deck of cards for EoP!

Back-end servers used as a means to attack a vehicle or extract data
Legitimate actors are able to take actions that would unwittingly facilitate a cyber attack
Devices connected to external interfaces used as a means to attack vehicle systems
Network design introduces vulnerabilities
Parts or supplies could be compromised to permit vehicles to be attacked
Table – Examples of the threats described in UNECE WP.29 regulations approved in 2020.

Game on

Tabletop security games are proving to be a popular addition to the cybersecurity arena (Shostack lists more than 30 examples on his website). Over the next 12 months, Secure-CAV consortium member Copper Horse will be playtesting an automotive-themed expansion, which it hopes will further contribute to this intriguing take on threat analysis and risk assessment.

Elevation of Privilege is available to download for free as a PDF and can be purchased as a professionally printed card deck. The game can also be played remotely.