I cringe each time I hear the oft repeated declarations that “every company will be compromised” and that “it isn’t a matter of if, but when”. These statements are the basis of the FUD (fear, uncertainty and doubt) driven cyber sales machine. What is closer to the truth is that Internet connected systems have a high probability of being subject to a targeted or opportunistic attack, inadvertent exposure, or malicious subversion. However, it is (and I stress) not inevitable that the attacker will be successful. Motivation, work factor, evasion capabilities, resiliency, and sometimes, luck all play a part. Threat modeling can be used to understand these factors and influence the outcome.
Threat modeling is used to identify and categorize potential threats. Conventional cybersecurity threat modeling uses one of three approaches: attacker-centric, architecture-centric, or asset-centric.
- Attacker-centric threat models start with identifying an attacker and then evaluate the attacker’s goals and potential techniques.
- Architecture-centric threat models focus on system design and potential attacks against each component.
- Asset-centric threat models begin by identifying asset value and motivation of threat agents.
Many organizations find this task daunting. Do not despair! Threat modeling does not have to be overwhelming. A simplified approach to threat modeling is to answer four essential questions that identify threat adversary motivation, attack workfactor, organizational threat intelligence and detection capability, and resiliency.
- Why would an adversary target my organization? [Motivation]
- How hard would it be for an adversary to achieve their objective? [Workfactor]
- Would we know if we were being attacked? [Threat Intelligence & Detection]
- Are we prepared to respond to an attack? [Resiliency]
Answer these four questions to your satisfaction and you will be well on your way to being a threat-modeling guru.
Let’s start with motivation. We need to ask ourselves, what property, information, or power does the organization have that is so valuable to the attacker that they are willing to risk prosecution and/or retaliation? Once we have identified the asset(s), the natural follow-on questions are – where is it located (physically and logically), why do we have it, and do we really need it?
The last question perhaps seems redundant: why would we have it if we didn’t need it? Every organization should honestly evaluate the data sets they collect, aggregate and/or mine in terms of both security and privacy. Truth be told, organizations collect, store, and configure a multitude of assets that are of less value to them than to an attacker. Simple rule: if you don’t need it, securely dispose of it. What remains should be your focus.
Workfactor is the time, effort, and talent needed for an attacker to successfully achieve their objective. In other words, how much time they need to invest, how hard they have to work, and what type of skills and expertise are needed to overcome protective barriers. The intensity of the workfactor should match the criticality and/or sensitivity of the asset you are protecting.
It is vital that organizations classify their assets to ensure that funding and resources are being properly allocated. Workfactor is a powerful weapon and can be used to dissuade all but the most motivated of adversaries. However, since attack tools and techniques are constantly evolving, assessing workfactor should be an iterative process.
Threat Intelligence & Detection
Evasion is a means of escaping or avoiding detection. What are your organization’s detection capabilities? Would you know if your organization was being attacked, or would the attack evade detection for hours, days, weeks, or even months? Incident detection capabilities include monitoring, alerting, incident reporting, and analysis, as well as participation in threat intelligence and information sharing activities.
Threat intelligence is verified information about threats and related vulnerabilities (weaknesses) and exploits. Gartner defines threat intelligence as “evidence based knowledge including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard”. Threat intelligence is available from a variety of internal and external government, industry, open-source, and commercial sources, including:
- CERT [http://www.cert.org]
- National Vulnerability Database [http://nvd.nist.gov]
- Journalists such as Brian Krebs [http://krebsonsecurity.com]
- Product vendors such as Microsoft and Cisco
- Government agencies such as the FBI, Department of Justice, and Department of Homeland Security
- Sector-specific Information Sharing and Analysis Centers (ISACs) [For example http://www.fsisac.com]
The true value of threat intelligence is in its application. Good threat intelligence can change your security posture from reactive to proactive. If you understand your adversaries, you can develop tactics to combat current attacks and to prepare for the future.
Resilience is the capacity to withstand attack. A defense-in-depth approach requires that organizations implement layered controls while simultaneously preparing for their failure. The criticality of a practiced rapid response cannot be overstated. Exercises can vary from simple and short to very complex.
Frequent exercises coupled with a rigorous methodology will result in great confidence that your organization will not become a statistic.
Sometimes the hardest part of a task is getting started. My advice to you is to start small. Focus on a single category of assets. Brainstorm threat adversary motivation, related workfactor, organizational threat intelligence and detection capability, and resiliency. Invite others to join in the discussion and challenge each other’s assumptions. Keep your eye on the ball and make threat modeling a winning team sport.