Know Thy Enemy: Understanding Attackers

Dec 17, 2021 12:55:28 PM / by Ted Harrington


In order to secure your software, you need to understand your attackers, their motivation, their strengths, what you have that they’d want, and where they’ll attack you to get it.

Establishing a threat model is how you do all of this.

Understand what to protect, whom to defend against, and where you’ll be attacked. 

What’s a Threat Model?

Threat modeling is an adversary-centric exercise in which you define three things:

  1. Assets. What do you need to protect?
  2. Attackers. Whom do you need to defend against?
  3. Attack surface. Where will you be attacked?

These lay the foundation of your entire security plan. They guide where you invest time, effort, and money. You do not have unlimited resources, so you cannot defend against everything all of the time. 

You simply cannot win without this plan. As Warren Buffett famously said, “An idiot with a plan can beat a genius without a plan.” 

Establishing your threat model is a collaborative process between in-house staff and your security partner. In theory, you could develop it all on your own. Or alternatively, you could offload it entirely to your partner. But it’s really better to approach this together. There are many threat modeling frameworks out there, and each has its own merits. The point isn’t to compare and contrast the different frameworks. The point is to get super clear on what matters to your company and why in order to determine how to protect it. 

Here’s an approach that works really well (which is why we use it): we start with a collaborative discussion with our customers about what they need to protect, which informs our thinking about adversaries and attack scenarios. Those then guide how we think about the various attack surfaces we will explore in the security assessment. As a result, our reports briefly describe the assets that the customer noted as important and then briefly describe the adversaries relevant to those assets. Discussion of attack surfaces is then woven into the vulnerability write-ups throughout the report. 

Your threat model documentation could be as extensive as a full-blown, stand-alone document that is dozens of pages long, or it could be as simple as an informal summary of the primary components. Either way, the point is less about documentation and more about understanding. You need to understand your threat model. You simply cannot skip that. Everything you do—from rating severity to prioritizing remediations to communicating to your customers—is all based on the unique circumstances of your threat model.

As far as when to do this, the best time is at the beginning of your security journey. In the next chapter, you’ll learn how to build security into the development process—establishing a threat model is an action you’ll be advised to take during the early stages. However, most people overlook this until much later in the process (and many don’t even do it at all, because they didn’t even know what a threat model was, let alone why they should have one). If that’s your case, that’s OK. It’s never too late to understand your threat model. Just start working on it now. Furthermore, it’s a constantly evolving concept, so you’re going to be updating it periodically anyway. 

In The Art of War, Sun Tzu famously proclaimed the secret to success in battle:

“Know thy enemy. Know thyself.”

By establishing your threat model, you do both. You identify and prioritize your attackers. That’s how you “know thy enemy.” You identify and prioritize your assets and your attack surfaces. That’s how you “know thyself.” Taken together, you’re ready to prioritize your investments of time, effort, and money. 

Let’s get started. 

Understanding Attacker Motivation

It’s called “threat modeling” because it’s focused on attackers, who are also known as threats. 

Attacker motivation is critical to understand. Different adversaries attack for different reasons. You must know why they attack so you can know how to defend. For example, some attackers want to make money. If your security measures make it too expensive for them to attack you, they’ll attack someone else instead. 

Common attacker motivations include:

  • Profit: they want to make money
  • Notoriety: they want to make a name for themselves
  • Challenge: they want to prove they can do it
  • Geopolitical gain: they want to advance their nation’s agenda
  • Advocacy: they want to highlight a cause 
  • Competitive advantage: they want to get an edge over a rival
  • Revenge: they want to retaliate for a real or perceived injustice
  • Terrorism: they want to instill fear 
  • Espionage: they want to obtain secrets
  • Economic warfare: they want to advance their own financial position and weaken a rival’s financial position

There’s an interesting wrinkle about motivation: even if it’s not immediately obvious why, you actually might be the ideal candidate for an attacker to target. For example, consider when one hundred thousand cheap, basic surveillance cameras were attacked and exploited in the Mirai botnet. Neither the small business owners who bought them nor the manufacturers who produced them thought anyone would care to attack these cameras. Yet, it happened. A botnet is a network of compromised devices that are infected and controlled as a group without the owners’ knowledge. The Mirai botnet was used in an attack that made the internet unusable for substantial portions of the East Coast of the United States. This was massively disruptive. It made many online services and applications unusable. The motivation wasn’t about hurting the store owners. It was about taking the internet offline. The point is this: when you consider why they might attack, you have to think bigger than what’s most immediately obvious. Earlier, you learned how and why to think like an attacker; here’s when you especially want to apply that advice.

Once you’ve considered motivation, consider capabilities and why they matter:

  • Skill. The more talented they are, the more sophisticated their attacks will be.
  • Time. The more time they dedicate, the more likely they’ll succeed.
  • Funding. The more money they have, the more they can invest in tools, people, and capabilities.
  • Computing resources. The more processing power, bandwidth, and storage they have, the more effective their attacks will be.
  • Attack resources. The likelihood they’ll succeed skyrockets if they have access to the internet backbone (the array of high-speed networks that enable computer-to-computer traffic over the internet) or stockpiles of zero-day vulnerabilities.

Some attackers have nearly infinite amounts of several of these. Others have almost none. Understanding who has what helps you understand how dangerous your enemies are.

The key to all of this is an important lesson: to defend against attackers, you need to think like them. I’ll explain each attacker type and then prompt you to think about whether you need to worry about them. The prompt questions are not exhaustive—I could fill an entire book with the many wild and crazy attack scenarios that exist (and frankly, it would be really fun to do that! Maybe for my next book). Instead, think of these prompt questions as the start of a discussion. Use them to spark the dialogue among your team as you strive to think like an attacker. Definitely involve your security partner with this element (ideally, they should be driving it).

Attackers fall into two primary categories: external attackers and the insider threat. Let’s explore each.

Overview: External Attackers

External attackers don’t have any special privileges or access. There are five types: casual hackers, hacktivists, corporate espionage, organized crime, and nation-states.

Casual Hacker

Casual hackers (also known as individual hackers or small-group hackers) are explorers, problem solvers, and even anarchists. They see hacking as a challenge. They might not even be malicious. They just want to prove they can do it. 

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you have a prominent brand? If so, a casual hacker would want to brag about exploiting you. Your fame becomes transferable to them if they’re successful.
  • Do you have a “cool” technology? If you make something cutting edge, newsworthy, or with a strong fan base, a casual hacker might want to brag about hacking it. Your “cool” factor is transferable to them.
  • Could you be used in a stunt? Like the roadside construction signs, if there’s a fun way to pull a prank, a casual hacker may want to attack your technology. 

Hacktivists

Hacktivists have an ideology and attack in order to draw attention to it. This group includes terrorists who pursue ruthless causes. 

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you have a prominent brand? If so, a hacktivist can obtain media exposure for their mission because a security breach of a prominent brand is newsworthy.
  • Is your business controversial or politicized? If so, hacktivists who hold the opposing view may want to attack to advocate for their ideology. 
  • Are any of your key executives publicly outspoken about polarizing beliefs? Like it or not, the personal beliefs of key executives become reflections of the company. If those beliefs are polarizing, hacktivists who share opposing views may attack for ideological reasons.

Corporate Espionage

Some companies attack each other to gain a competitive advantage, steal intellectual property, or save on research and development (R&D). They have significant budgets and hire elite talent. There’s usually a foreign element to this, where a company of one nation attacks companies from another nation. However, domestic examples appear as well.

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you protect valuable information or other assets? If so, this attacker might want to obtain the competitive advantage you possess.
  • Do you protect valuable intellectual property in development? If so, this attacker could save time and money by stealing it in order to accelerate their own R&D.
  • Do you hold the dominant competitive position in your marketplace? If so, this attacker might want to chip away at your advantage in order to increase their own competitive position.

Organized Crime

Organized criminals want to make money. They have extensive financial resources, dedicate lots of time, acquire elite skills, and have access to stockpiles of zero-days. They’re among the most capable adversaries you’ll face. 

To determine if you should concern yourself with this attacker, ask yourself:

  • Do you need access to your data or operational capabilities every minute, without exception? If so, this attacker might attack in ways that prevent the availability of services in order to force you to pay quickly to avoid downtime.
  • Do you protect valuable data or intellectual property that has monetary value to other companies, governments, or groups? If so, this attacker might want to steal those assets in order to monetize them.
  • Is your company publicly traded? If so, this attacker might take a short position on your stock and then attack in order to drive the stock price down when the news breaks of your security breach. (Short positions make money when stock value declines.) Alternatively, they might attack to read your earnings reports before they’re made public in order to make lucrative trades based on what those reports will do to your stock value.

Nation-States

Nation-states are the most capable and dangerous attacker type there is. They are countries that seek geopolitical advantage. They have tremendous resources, including plenty of money, skill, and computational power. They have access to the internet backbone as well as stockpiles of zero-days. They have nearly unlimited time.

Many companies assume that a nation-state would not focus on them. That is flawed thinking, though. To determine if you should concern yourself with this attacker, ask yourself:

  • Do you collect information that would be beneficial to a rival nation-state (such as location tracking, usage behaviors, or other data about the people of your own nation)? If so, nation-state actors might want this information to inform their financial, political, and other strategies as they compete against your nation.
  • Are you involved with critical infrastructure, such as delivery of medical care, power, water, emergency services, food supply, manufacturing, public health, cybersecurity, or any other basic needs of your nation? If so, a nation-state actor may want to disrupt these services, either as a stand-alone attack or in conjunction with a physical attack.

Overview: The Insider Threat

Almost every day, I hear someone boast about their security-testing program being awesome because they do “external penetration testing.” You’ve probably heard people say this, too, and maybe you even think it yourself. Here’s the problem, though: attackers aren’t always coming from an external vantage point. If that’s all you’re considering, you’re already sunk. What about the external attacker who has escalated privileges and now has insider access? What about the attacker who is an insider? What about the people you already know and trust?

External is not enough. You need to look inside, too.

So let’s talk about the insider threat.

Many people think that an insider is an employee. That is often true. However, being an insider is not about employment status; it’s about having elevated trust and elevated access. Elevated trust means this person is trusted more than other people. There is confidence that this person will not harm the company. Elevated access means this person can access more systems and more assets than other people. This person was hired to perform a job and provided the means to do it. 

Insiders have these conditions; external attackers do not. All employees have these conditions, of course. However, other trusted parties do, too. Your vendors, third-party integration partners, consultants, advisors, board members, janitors, shareholders, and maybe even your family members can all become the insider threat.

Finally, keep in mind that the insider threat is not a single type of attacker. It’s a collection of attackers, each of which has different motivations, skills, and access to resources. There are four types: accidental insider, opportunistic insider, disgruntled insider, and malicious insider.

Accidental Insider

Accidental insiders are otherwise trustworthy and don’t mean to harm your company—they just do something dumb. Even the smartest people click malicious links, download malicious attachments, give up passwords, and plug in USB devices.


Opportunistic Insider

Opportunistic insiders are motivated to obtain some personal gain if—and only if—they think they can get away with it. They don’t set out to harm your company, but if a good opportunity arises, they’ll try. 

This attacker matters to every company because you must provide access to insiders, and they may attack if they think they can get away with it.

Disgruntled Insider

Disgruntled insiders are motivated by revenge. They start as loyal people, but then something changes. Maybe they are denied a promotion or a contract or disagree with a stance taken by the CEO. Maybe they simply change their political views. As a result, they become angry and set out to hurt your company. Unlike accidental or opportunistic insiders, disgruntled insiders are malicious. 

This attacker matters to every company because it’s impossible to keep every insider happy all of the time, and it’s difficult to know when they decide to retaliate.

Malicious Insider

Malicious insiders are your most dangerous insiders because they are agents of one of the external groups we previously discussed. That group’s resources are often available to malicious insiders, and they are motivated to harm the company. In some cases, malicious insiders are already agents when seeking a job or contract with you; in other cases, they’re recruited later.

This attacker matters to every company because your enemies know that getting an insider is the most effective way to achieve their malicious goals. Worse yet, they know that many companies rely on their misplaced confidence in “external penetration testing,” while your attackers want to exploit you from the inside.

Now you have clarity on how to think about your own attackers. You understand the assets they want to take from you. You understand where they’ll attack. 

Establish a threat model. It’s the foundation of your security plan.


Content adapted from: 

