Threat modeling is the process of identifying threats and prioritizing them. The purpose of this is to figure out how to protect against misdeeds of enemies – whether they are third parties or insiders.
A threat model cannot be made in isolation from the world if it is going to provide any value. We have to start with creating a mapping of our threat landscape: who are the threat actors, how do they behave, and how would we expect them to interfere with our business? Intelligence gathering can be a tedious process: establishing the information requirements in terms of “what you need to know” and how much uncertainty is OK for you in terms of accuracy and “freshness” of the data is crucial to avoid spending all your resources on difficult information gathering.
When you watch spy movies, you get the impression that to get your hands on reliable intelligence you need to have a network of spies to rely on. The truth is that most of the information used in intelligence analysis, whether it is the kind that nation states would engage in, or the kind that companies try to gather, is public. The use of public information sources for intelligence analysis is known as OSINT – or open source intelligence.
Here are some key sources for OSINT data relevant for threat modeling in the private sector:
- Your supply chain and its stakeholders (read annual reports and business news)
- People of interest: social media, in particular LinkedIn
- Security reports from vendors such as Verizon, Microsoft, Trend Micro, Kaspersky, etc. These reports often contain statistics at business sector level and information about threat actors
- Threat actor information from US-CERT and similar organizations
The questions you need to answer before you start looking at your own vulnerabilities are:
- What kind of groups are likely to try to attack me directly, or my business partners?
- Why are they doing it?
- What are the methods they are using?
- Are there changes in attack patterns we should be prepared for?
- Do we have people or companies we deal with that stand out as attractive targets for relevant threat actors?
Having this in place, you should start to look at your own attack surface and its vulnerabilities. There are many ways to go about this, but here’s a suggestion that we know works in practice and that keeps it close to actual business operations.
- Describe your key value creating processes and the information processing required for these processes to work. Drawing up diagrams of the business logic is a good idea.
- For each of these processes, create a listing of your inventory. The inventory should cover key people, software, data (documents, databases, configuration files, etc), hardware and cloud services. Keep it on a generic level but detailed enough to understand the role of the item in the business process. You may also need to add computer networks to the list.
- For each inventoried category or item, evaluate the damage from unavailability, from a change to that piece of software or data (integrity), or from the item becoming available to third parties or even the public (confidentiality breach). Would it cost money? Ruin your reputation? Lead to legal consequences?
- Finally: start thinking about how an attacker can abuse the business process through one of its system dependencies. Evaluate each scenario for likelihood.
- Now you have a risk mapping. Evaluate the risk and prioritize the assets according to their risk contributions. Now you can start your mitigation planning.
After having done this you have a business level threat model. Now you can start planning for risk reduction.
Guest booking at a hotel: a threat modeling exercise
Imagine you are the director of a fancy hotel. A key business process at your hotel is booking of guests. Your booking process contains the following steps:
- Locate a vacant room
- Input guest personal data and payment information
- Book the vacant room
- Give the guest a confirmation of the booking
The incoming booking requests come in through 3 sources:
- People coming in to the reception from the street
- People calling on the phone to make a booking
- People booking through online booking systems (on the page itself, or with a booking site such as Trivago or Momondo)
Let us assume that the booking system itself is a software-as-a-service platform, that offers integration with other booking platforms. The same system is used by many hotels, and it contains huge amounts of personal data.
Threat landscape – intelligence analysis
The number of possible cyber attacks and “bad luck” events that could possibly occur is huge. In order to focus on those scenarios that can truly disrupt your business and that are credible cases, you need a bit of risk context. For cybersecurity a large part of the context is filled out by the use of threat intelligence. Specifically, the following questions become important:
- Who are the threat groups you should worry about?
- What methods do they use?
- Why are they attacking your business?
- Who are the threat actors who are interested in your value chain partners?
A lot of this information does not need to be very accurate to inform some important decisions about risk. Most of these questions can in fact be answered at the business sector level; most hotels see similar risks, most coffee shops see similar risks, most banks see similar risks.
So from the sector itself we can make an assessment of how likely an attack vector is (on a very coarse scale), and we can select the most likely attack vectors to hit us. For our hotel booking process, consider the following intelligence assessment.
| Threat actor | TTPs | Sector interest (hotels) |
| --- | --- | --- |
| Hacktivist | Defacement, DDoS | Hotels owned by investors who are seen as politically controversial are likely to be hit. |
| Cybercrime | Web application attacks, social engineering for access. Malware for PoS. Targeting payments and personal data. Ransomware also possible. | Large number of hotels hit by PoS malware recently. Ransomware hitting across most sectors. |
| Industrial espionage | Document theft through account takeovers, use of insiders. | Gaining access to e-mail accounts of decision makers, typically through phishing. Access to document storage (cloud and local). |
Inventory for the booking process
What are the important people, software, data for the booking process?
Starting with the 3 main ingredients for managing booking – we need people, software and networks.
RiskTool is currently in early testing and will launch later this year. The beauty of the tool is that it takes threat intelligence into account automatically, so risk ranking of scenarios happens automatically. This way the analyst is left to design risk mitigation plans – where the tool can also lend a helping hand (steps 4 and 5 above).
Using hooks for typical attack vectors for each inventory type, we identify abuse cases. These cases are rated for credibility automatically. This makes it clear what the biggest risks are at a glance, even if the risk ranking is coarse. Adjustments to the automatically tuned risk picture can be done by the analyst.
Allocating controls can sometimes also be hard. How effective would a typical control be in reducing risk? How much effort would it be? Having a big library of controls and getting automated suggestions for effective controls can greatly speed up the mitigation planning.
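The five-step procedure above (inventory, damage per confidentiality/integrity/availability loss, abuse scenarios, likelihood, risk ranking), together with the abuse-case "hooks" and the control suggestions described in the last two paragraphs, worked through for the hotel booking process as an added example. This is not code from the original post and not RiskTool's own logic. The inventory items, impact scores, the per-type attack-vector hooks, the credibility values (coarsened from the intelligence table above) and the candidate controls are all constructed for illustration; the risk score of a scenario is simply credibility times impact on a 0 to 3 scale.

```python
"""Risk mapping for the hotel booking process: inventory, CIA impact,
sector-level credibility from threat intelligence, abuse cases generated
from per-type attack-vector hooks, risk ranking and control suggestions.

Added example; all inventory items, scores, hooks and controls are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Coarse ordinal scale, as the text recommends; 0 means "not credible" / "no impact".
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class Asset:
    name: str
    kind: str                # people | software | data | hardware | cloud | network
    impact: Dict[str, int]   # damage from a loss of "C", "I" or "A"


@dataclass
class AbuseCase:
    asset: str
    actor: str
    vector: str
    prop: str          # CIA property the scenario violates
    credibility: int   # sector-level likelihood taken from threat intelligence
    impact: int

    @property
    def risk(self) -> int:
        return self.credibility * self.impact


@dataclass
class Control:
    name: str
    vectors: Set[str]            # attack vectors the control counters
    likelihood_steps: int = 0    # steps removed from credibility (e.g. MFA vs phishing)
    impact_steps: int = 0        # steps removed from impact (e.g. backups vs ransomware)


# Steps 2 and 3: inventory with CIA impact, constructed for the hotel example.
INVENTORY = [
    Asset("Reception staff", "people", {"C": MEDIUM, "I": MEDIUM, "A": HIGH}),
    Asset("Booking SaaS platform", "cloud", {"C": HIGH, "I": HIGH, "A": HIGH}),
    Asset("Guest personal and payment data", "data", {"C": HIGH, "I": MEDIUM, "A": LOW}),
    Asset("Point-of-sale terminal", "hardware", {"C": HIGH, "I": HIGH, "A": MEDIUM}),
    Asset("Hotel website", "software", {"C": LOW, "I": MEDIUM, "A": MEDIUM}),
]

# Sector-level threat intelligence, coarsened from the table above:
# actor -> (credibility of interest in hotels, set of TTPs).
THREAT_INTEL = {
    "Hacktivist": (LOW, {"defacement", "ddos"}),
    "Cybercrime": (HIGH, {"web_app_attack", "social_engineering", "pos_malware", "ransomware"}),
    "Industrial espionage": (MEDIUM, {"phishing", "insider"}),
}

# Hooks: typical attack vectors per inventory type and the property each one hits.
HOOKS = {
    "people": [("social_engineering", "C"), ("phishing", "C"), ("insider", "C")],
    "software": [("web_app_attack", "I"), ("defacement", "I"), ("ddos", "A")],
    "cloud": [("web_app_attack", "C"), ("ransomware", "A"), ("phishing", "C")],
    "data": [("ransomware", "A"), ("web_app_attack", "C")],
    "hardware": [("pos_malware", "C")],
    "network": [("ddos", "A")],
}


def generate_abuse_cases(inventory=INVENTORY, intel=THREAT_INTEL, hooks=HOOKS) -> List[AbuseCase]:
    """Step 4: one abuse case per (asset, hook, actor) whose TTPs include the
    hooked vector; credibility is inherited from the intelligence table."""
    cases = []
    for asset in inventory:
        for vector, prop in hooks.get(asset.kind, []):
            for actor, (credibility, ttps) in intel.items():
                if vector in ttps:
                    cases.append(AbuseCase(asset.name, actor, vector, prop,
                                           credibility, asset.impact[prop]))
    return cases


def rank_cases(cases: List[AbuseCase]) -> List[AbuseCase]:
    """Step 5: highest risk first, ties broken deterministically."""
    return sorted(cases, key=lambda c: (-c.risk, c.asset, c.actor, c.vector))


def risk_by_asset(cases: List[AbuseCase]) -> Dict[str, int]:
    """Each asset's contribution to total risk, highest first."""
    totals: Dict[str, int] = {}
    for c in cases:
        totals[c.asset] = totals.get(c.asset, 0) + c.risk
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def residual_risk(case: AbuseCase, control: Control) -> int:
    """Risk that remains for one case once the control is in place."""
    if case.vector not in control.vectors:
        return case.risk
    cred = max(0, case.credibility - control.likelihood_steps)
    impact = max(0, case.impact - control.impact_steps)
    return cred * impact


def suggest_controls(cases: List[AbuseCase], controls: List[Control]) -> List[Tuple[str, int]]:
    """Mitigation planning: rank candidate controls by the total risk they remove."""
    gains = [(ctl.name, sum(c.risk - residual_risk(c, ctl) for c in cases)) for ctl in controls]
    return sorted(gains, key=lambda g: -g[1])


# Candidate controls (constructed) for the mitigation plan.
CONTROLS = [
    Control("Phishing-resistant MFA", {"phishing", "social_engineering"}, likelihood_steps=2),
    Control("Offline backups with tested restore", {"ransomware"}, impact_steps=2),
    Control("Web application testing", {"web_app_attack"}, likelihood_steps=1),
]

if __name__ == "__main__":
    all_cases = generate_abuse_cases()
    for c in rank_cases(all_cases)[:5]:
        print(f"risk={c.risk}  {c.asset:34s} {c.actor:22s} {c.vector:19s} loss of {c.prop}")
    print(risk_by_asset(all_cases))
    print(suggest_controls(all_cases, CONTROLS))
```

With these inputs the booking SaaS platform carries the largest share of risk, and the control ranking puts phishing-resistant MFA first because it touches scenarios against both the people and the cloud inventory types. The point of keeping the scales coarse is that the analyst can adjust a handful of credibility or impact values and immediately see how the ranking of assets and controls shifts.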
RiskTool is expected to move to early customer testing in May 2019 – if you would like to test drive an innovative threat modeling tool with baked-in threat intelligence, credibility assessment and recommendations for your mitigation plan, reach out to us by e-mail at firstname.lastname@example.org.