A threat model is an assessment of what can happen to your business because somebody is trying to achieve something you didn’t intend. This is very useful for planning incident response, security controls and awareness training. We would recommend every company to create a threat model as the basis for their priorities in cyber defence.

Threat modeling is a common technique to use in software development to plan security controls against expected cyberattacks. In this blog post we will apply the same kind of thinking but not to software development. We will focus on how a company works, and how threat actors can interfere with the business. Let us start by defining a few terms that we will be using!

A [threat actor] or [attacker] is a person or organization that takes actions that can cause harm.

We don’t normally know exactly who the attackers are. We don’t really need to; we only need information on what attacks are likely to happen. For a simple threat model we usually limit ourselves to relatively broad attacker categories:

  • Cyber criminals: typical attacks targeting “everyone”, such as credit card fraud
  • Organised crime: more targeted and complex attacks.
  • Hacktivists: hackers who use digital means for activism
  • Industrial espionage: competitors using hacking to steal company secrets
  • Nation state hackers: intelligence organizations, may sometimes be involved in industrial espionage as well
  • Insider threats: people working for the organization but act to steal data or otherwise harm the employer

An [attack vector] is a way an attacker will use to gain access to your systems, steal data or perform other actions as part of an attack.

Before starting the threat assessment we should also collect information that will be useful. First of all, we need to know how our business works. What do we need for production? How do we sell to customers? What systems do we depend on? You don’t need to go into too much detail but a high-level overview of how the business functions is necessary to create a threat model. We have written about business process mapping for threat modeling using a method coined SIPOC Cyber before.

Before we start to create the threat model itself, let us specify what we want to find answers to. Here are the key questions a threat model can help answer:

4 Questions our Threat Model Should Answer

  1. How can a cyber attack hurt my business?
  2. What cyber attacks do we think could happen?
  3. Do we have the necessary controls in place to deal with the risk from those cyber attacks?
  4. What should we do to reduce the risk?

Case Study: Smart Orgcharts

Consider the following hypothetical business; Smart Orgcharts. They have a software as a service product to build fancy organization charts based on exports from a company directory, such as Active Directory. The company is run by two friends, Ronny and Johnny. Ronny does sales, marketing and customer support, while Johnny writes code and maintain the Orgchart technology in the cloud. After discussing briefly over coffee they come up with the following key processes needed for the business to function:

  • Marketing: publish contents, participate in conferences, capture leads
  • Customer support: receive tickets, talk to customers, resolve technical issues, keep ticket system up to date
  • Sales: set up demo meetings, organize trials of the software, get customer buy-in, turn on access, invoice
  • Tech: maintain code, implement new features based on customer requests, monitor logs, maintain the cloud and development environment
  • Backoffice: accounting, office rental, etc. Primarily handled on an ad-hoc basis by either Johnny or Ronny

The product is robust and in “maintenance mode”, and Johnny and Ronny agree that the marketing and sales processes are the most important. They decide to start creating a threat model for the sales process described above. Using SIPOC Cyber they first map the workflow.

SuppliersMarketing (leads)
CRM software
InputsJ&R’s working hours
Leads from marketing
ProcessCall or email lead
Set up video meeting
Demo software
Set up 2-week trial
Get signed contract
OutputsNew user account
Invoice sent
CustomersCompany in need of fancy Organization chart.
Summary of important aspects of the sales process from SIPOC analysis.

Johnny and Ronny goes through the workflow to identify what data and systems are important in the sales workflow. They have indentified the following key assets.

Inventory from Risktool; Cybehave's in-house software for creating threat models.
Inventory of key assets for Smart Orgcharts’ sales workflow. Screenshot from Cybehave’s internal threat modeling software Risktool.

So far we have thought about how the process works and what data and software is used in that workflow. Now we should try to figure out “what could happen”. To do that, we need a bit more background information. We should check what kind of cyber attacks have been reported on recently against companies like Smart Orgcharts, and against the types of technologies they are using. To do this, it is very useful to have access to a threat intelligence service, like the one we at Cybehave provide directly for your collaboration environment. Based on recent reporting and some discussion with a cybersecurity consultant, Smart Orgcharts believes that the following adversaries and attack vectors matter the most:

  • Cyber crime: phishing emails, email account hijacking, banking trojans, ransomware
  • Organised crime: data theft of customer data from the application (not relevant for our sales workflow), invoice fraud, business email compromise, supply-chain attacks on the CRM software

They see no reason to believe nation state actors would be interested in them as a target, and they do trust each other so they don’t think any one of them would be an insider threat, at least not consciously. Hacktivism against organization chart providers is also seen as quite unlikely.

A business oriented data flow diagram

In software threat modeling we normally rely on a data flow diagram to show how data is transferred between parts of the system and how it is being processed. We can use the same here, and present our combined knowledge from the SIPOC table and the system inventory in one drawing.

Systems involved in the sales workflow. First our green friend Johnny or Ronny picks a lead from the CRM, uses O365 to send an email to the prospect. The email is automatically logged in the CRM through an integration, as is any further customer communication. A meeting is set up in Teams, where our friend demos the software with a screen sharing situation. After a successful meeting, the prospective customer is provided with credentials for the Orgchart Software trial. After a happy trial period, Johnny creates a contract in Word in O365, and sends it to the customer for signature. Finally, the deal is closed in the CRM and an integration with the invoicing system triggers an invoice to be sent by email to the customer.

Ok, so now we have a pretty firm understanding of how this should work. Time to take on the role of the attacker. As discussed above, we have two different roles to play – internet criminal, and organised crime lord.

Let us start with the internet criminal. In our day-to-day business we send out massive amounts of spam and non-targeted cyber attacks in the hope that any of it will stick and give us some money.

Thinking like an adversary is fun and useful when you are creating a threat model
Putting yourself inside the head of the adversary is the most interesting part of the threat modeling process. It also helps build understanding of their attack methods, which makes us better at finding defensive measures.

Attack Vectors

In the beginning we used data from threat intelligence to build an understanding of the attack vectors threat actors are likely to use. A structured way to approach the threat modeling aspect here is to look at one part of the data flow diagram at the time and think: “if I am a cyber criminal, how would I interact with this asset”? Based on threat intelligence we have found that the following attack vectors are common: phishing emails, email account hijacking, banking trojans, ransomware. Let us first look at the people asset, and the attack vector phishing.

Phishing as attack vector in threat model.
Phishing attack assessment – taken from Cybehave’s in-house tool Risktool.

Let us further look at one more asset here, the computers used by our organisation chart entrepreneurs. As a typical cyber criminal I want access to those computers to install ransomware and steal documents to use for extortion, and to take control over the computer to use in a botnet for more spam campaigns. My primary attack vector here is the phishing email with a malicious document mentioned earlier.

This is quite common when doing threat modeling: attack vectors are chained together. The initial breach is often through social engineering, with subsequent technical attacks when the attacker has gained access. Don’t over-do it; remember the purpose of the threat model is to answer the 4 questions stated in the beginning of our threat modeling journey: “how can I be hurt, what could happen to cause me to be hurt, am I protected against this and what should I do”. We will not create a complete threat model in this post but let us keep the focus on Johnny and Ronny, but now we take on the shoes of the organised crime lord. From our threat intelligence feeds we know that B2B companies are often targeted with 2 types of attacks here;

  1. invoice fraud
  2. customer data theft

We are primarily concerned with our sales workflow. Invoice scams are often quite elaborate and can lead to large losses. In our case, we are considering the case where criminals change our invoices to divert the customers’ payments to their own accounts.

Threat modeling works better when you start to think of "how would I do this if I were a criminal mastermind" - informed by real-world threat intelligence.
Regaining customer trust after sending out invoices with the account number of a criminal on can be a difficult journey to start.

How would an attacker trying to achieve this go forward? There are several options:

  1. Gain administrative access to the invoicing system and change the account number in the settings. Let’s say that the accounting company used by Smart Orgcharts sets this, in this case we consider it out of scope for the sales process as such.
  2. Intercept invoices and change them (man-in-the-middle). Requires network compromise. Considered out of scope for the sales workflow.
  3. Stop the real invoice and send a fake one instead. Requires access to the CRM/email of the sales representative. Let us focus on this.

The strategy to gain access could mimic the phishing emails of regular criminals, or more elaborate spear-phishing emails. They may also use fake application downloads of trojans giving access to the computer, which has recently been a more common attack under the COVID-19 crisis.

Safeguards: what do we have, what do we need?

In our adversarial modeling workshop we have now identified key assets, what could happen to the business because of attacks, and the attack vectors we expect. We now need to focus on the two remaining questions: (3) do we have the necessary controls in place? and (4) what should we do to reduce the risk?.

Looking at Johnny and Ronny, our asset risk drivers for our people can be summarised as follows:

Attack vectors identified in abuse stories in Cybehave's in-house tool Risktool.
Abuse stories show that the primary attacks are social engineering via emails.

Johnny and Ronny have not focused a lot on systematic security management earlier, and the only control they can think of that is already in place is that they know to be skeptical about attachments from strangers. But still, they do receive Word documents in email regularly from both customers and their accounting firm, so they are unsure how good they actually are at spotting threats.

Discussing with a cybersecurity expert, helped them find good mitigations for the social engineering threats.

Security controls for people.
Planning security controls

Awareness training combined with up-to-date threat intelligence makes it easier to stay on top of cyber threats.

tl;dr – how to create a threat model

In this blog post we used a threat modeling software but you can do the same with pen and paper. The thought processes are the most important things. Before beginning to create a threat model, remember it is a tool to help you plan and manage security. A simple model can provide a lot of value. You are only trying to answer 4 simple questions:

Q1: What could happen to my business?

Q2: What attacks could cause this?

Q3: Do I have security controls in place to deal with it?

Q4: What should I do to reduce the risk so I can sleep better at night?

Creating the model itself is also a multi-step process. First you need to gather some information. Start with the business process you want to figure out how to protect. Then collect data on that process and the systems you use in the process. SIPOC is a good method for this. Also identify the threat actor categories you should worry about and what kind of attack vectors they are likely to use. Threat intelligence is important input here.

Second: think like an attacker. Take on the hat of one attacker at the time, and see how you would interact with each asset to achieve your goals as an attacker. Making a drawing of the business process and how the different assets are used is very helpful. Document your ideas here, simply write them down. Not too much detail but enough to remember what you were thinking. This works best as a group activity, run it like a brainstorming session!

Third: plan your defence. What do you have in place today? What do you need in order for the risk to be acceptable.

Now you have a plan – the next is to implement it. Security engineering and implementation will be the topic of another post.

Feel free to contact us if you have questions about threat modeling, threat intelligence or awareness training.

One thought on “How to create a threat model for your company

Leave a Reply