Sage Advice - Cybersecurity Blog

Threat Modeling Simplified

threat-modelingI cringe each time I hear the oft repeated declarations that “every company will be compromised” and that “it isn’t a matter of if, but when.” These statements are the basis of the FUD-driven (fear, uncertainty and doubt) cyber-sales machine. What is closer to the truth is that Internet connected systems have a high probability of being subject to a targeted or opportunistic attack, inadvertent exposure, or malicious subversion. However, it is (and I stress) not inevitable that the attacker will be successful. Motivation, work factor, evasion capabilities, resiliency, and sometimes, luck all play a part. Threat modeling can be used to understand these factors and influence the outcome.

Threat modeling is used to identify and categorize potential threats. Conventional cybersecurity threat modeling uses one of three approach:

  1. Attacker-centric threat models start with identifying an attacker, and then evaluates the attacker’s goals and potential techniques.
  2. Architecture-centric threat models focus on system design and potential attacks against each component.
  3. Asset-centric threat models begin by identifying asset value and motivation of threat agents.

Many organizations find this task daunting. Do not despair! Threat modeling does not have to be overwhelming. A simplified approach to threat modeling is to answer four essential questions that identify threat adversary motivation, attack workfactor, organizational threat intelligence and detection capability, and resiliency.

  1. Why would an adversary target my organization? [Motivation]
  2. How hard would it be for an adversary to achieve their objective? [Workfactor]
  3. Would we know if we were being attacked? [Threat Intelligence & Detection]
  4. Are we prepared to respond to an attack? [Resiliency]

Answer these four questions to your satisfaction, and you will be well on your way to being a threat-modeling guru.

Motivation - Why would an adversary target my organization?

Let’s start with motivation. We need to ask ourselves, what property, information, or power does the organization have that is so valuable to the attacker that they are willing to risk prosecution and/or retaliation? Once we have identified the asset(s), the natural follow-on questions are – where is it located (physically and logically), why do we have it, and do we really need it?

The last question perhaps seems redundant – why would we have it, if we didn’t need it? Every organization should honestly evaluate the data sets they collect, aggregate and/or mine in terms of both security and privacy. Truth be told, organizations collect, store, and configure a multitude of assets that are of less value to them then to an attacker. Simple rule – if you don’t need it; securely dispose of it. What remains, should be your focus.

Workfactor - How hard would it be for an adversary to achieve their objective?

Workfactor is the time, effort, and talent needed for an attacker to successfully achieve their objective. In other words, how much time they need to invest, how hard they have to work, and what type of skills and expertise are needed to overcome protective barriers. The intensity of the workfactor should match the criticality and/or sensitivity of the asset you are protecting.

It is vital that organizations classify their assets to insure that funding and resources are being properly allocated. Workfactor is a powerful weapon and can be used to dissuade all but the most motivated of adversaries. However, since attack tools and techniques are constantly evolving, assessing workfactor should be an iterative process.

Threat Intelligence & Detection - Would we know if we were being attacked?

Evasion is a means of escaping or advoiding detection. What are your organization’s detection capabilities? Would you know if your organization was being attacked? Or would the attack evade detection for hours, days, weeks, or even months? Incident detection capabilities include monitoring, alerting, incident reporting, and analysis, as well as participation in threat intelligence and information sharing activities.

Threat intelligence is verified information about threats, related vulnerabilities (weaknesses), and exploits. Gartner defines threat intelligence as “evidence-based knowledge including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” Threat intelligence is available from a variety of internal and external government, industry, open-source, and commercial sources including:

The true value of threat intelligence is in its application. Good threat intelligence can change your security posture from reactive to proactive. If you understand your adversaries, you can develop tactics to combat current attacks and prepare for the future.

Resilience - Are we prepared to respond to an attack?

Resilience is the capacity to withstand attack. A defense-in-depth approach requires that organizations implement layered controls while simultaneously preparing for their failure. The criticality of a practiced rapid response cannot be overstated. Exercises can vary from simple and short to very complex.

Frequent exercises coupled with a rigorous methodology will result in great confidence that your organization will not become a statistic.

Get started

Sometimes the hardest part of a task is getting started. My advice to you is to start small. Focus on a single category of assets. Brainstorm threat adversary motivation, related workfactor, organizational threat intelligence and detection capability, and resiliency. Invite others to join in the discussion and challenge each other’s assumptions. Keep your eye on the ball and make threat modeling a winning team sport.


Penetration Testing Guide Banner CTA

Topics: Cybersecurity Assessment, Cyber Defense, Risk Management

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More