In order to focus a security organization’s efforts, certain information is necessary, such as Priority Information Requirements (PIR) and Collection Requirements. However, how can an organization focus these requirements in a manner that is relevant to the organization and refrains from tangents? The development of a robust threat model can help security teams understand the risks posed to the organization, how threat actors may exploit those risks, and how to develop defenses to mitigate attacks.

What is a Threat Model?

A threat model is a framework that organizations can use to understand threats against the organization. There are several types of threat models, some of which address general security ideas in the cyber and physical security fields, and others which use refined methodologies to assist in developing highly specific targeting profiles.

For example, some threat models, such as the Process for Attack Simulation and Threat Analysis (PASTA), are risk-centric, meaning that they focus on the business risks of certain challenges. Those challenges which present the higher risks deserve greater attention, and those risks which may not address specific organizational issues do not require as much time and effort for their defense.

On the other hand, other threat models may be threat-centric, which means that they focus on specific threats and how the organization may mitigate them, without any focus on risks to the organization or its personnel. The STRIDE model, developed by Microsoft, defines six specific threat domains and the properties violated by each. These definitions provide something of a checklist for security personnel to consider when developing defenses.

Threat Models are Dynamic

Threats come and go. Some threat paradigms remain fairly constant, but individual actors, and their idiosyncratic techniques and capabilities, change with time. As such, threat models are meant to be dynamic and evolve along with the threats facing the organization.

Threats are multilayered, complex events that often require long periods of planning and reconnaissance, often for a short period of actual operation. Thus, security units must also engage in their own planning and reconnaissance of their own assets in order to understand how threats may engage those assets, as well as the potential risks that each asset may pose to the organization.

To illustrate this point, we will use a fairly standard scenario for most companies that do some sort of business online. Over the next few posts, this scenario will continue to appear as the blog explores different threat models.

If your organization is dependent on a collection of databases which house sensitive data, your model should clearly indicate that those databases, the “crown jewels”, would be the highest priority target for a threat actor. Since the security team understands this threat, it has taken every known precaution to limit access to the database and prevent intrusions.

However, pure intrusion from the internet wilderness is a somewhat rare occurrence, as it is phishing and credential harvesting which likely pose the single largest threat to the security of those crown jewels. Therefore, the security team must focus significant effort on both the prevention and mitigation of phishing attacks, as well as user education to prevent the attack from occurring in the first place.

Threat Models and the Intelligence Cycle

The intelligence cycle is one of the major informers for an organization’s model. After all, without proper intelligence, an organization would only be guessing about the threats it faces. But with intelligence, an organization can piece together a detailed strategic picture of the threats targeting the organization, the organization’s individual personnel, and the organization’s partners and vendors.

As stated earlier, threats constantly evolve, and so too must the security team’s posture towards those threats. This is where the intelligence cycle is so vital to the team’s success. By ingesting and analyzing data in a loop, the team will be in a position to evolve along with the threats it faces.

Once the security team receives the Priority of Information Requirements (PIR) and develops targeted collection requirements, it can use that information to focus on newly-discovered vulnerabilities and threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). With this information, the team can monitor whether the IOCs have appeared in its networks and look for signs that certain TTPs are in use. For example, if a threat actor likes to use DNS tunneling, the team can look to see if any data has left specific ports that should not normally be in use.

With this information, the team can analyze any findings to determine if those findings are false positives, single anomalous events, or signs of possible compromise. This analysis helps to generate new leads, which will contribute to further analysis. Once the team is satisfied with its findings, it can report the findings to leadership, which can conduct its own analysis and then choose to refine PIRs and collection requirements to suit the current threat landscape.

In our example above, raw intelligence provides insight into how threat actors are working to compromise systems, from technical TTPs to malware distribution campaigns through spam and phishing. The security team will enter the IOCs, including domains, IP addresses, and malware file hashes, into their monitoring systems in order to understand whether the network is reaching out to those internet destinations or whether those files exist somewhere on the network. The intelligence cycle allows the team to investigate the raw intelligence on the organization’s network, analyze the results, and report that finished intelligence to the decision makers.
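
The sweep described above, as an added example that is not part of the original post: it checks connection records and a file inventory against an IOC list of domains, IP addresses, and file hashes, and flags outbound traffic on ports outside an assumed baseline. Every host name, indicator, and port in it is a constructed placeholder.

```python
import ipaddress

# Constructed IOC feed: placeholder values, not real indicators.
IOCS = {"domain": {"bad-updates.example"}, "ip": {"203.0.113.45"}, "sha256": {"a" * 64}}
# Assumed egress baseline: destination ports this network normally uses.
EXPECTED_PORTS = {53, 80, 443}
# Constructed connection records: (source host, destination, destination port).
CONNECTIONS = [
    ("ws-014", "cdn.bad-updates.example", 443),
    ("ws-022", "notbad-updates.example", 443),
    ("db-01", "203.0.113.45", 8443),
    ("ws-031", "198.51.100.7", 5353),
]
# Constructed file inventory: (host, path, sha256 of the file).
FILES = [("ws-014", "/home/a/invoice.bin", "A" * 64), ("ws-022", "/home/b/report.pdf", "b" * 64)]


def normalize_ip(value):
    """Return the canonical IP string, or None if value is a hostname."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def domain_matches(host, ioc_domains):
    """Match the IOC domain itself or any subdomain, never a mere suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def sweep(connections, files, iocs, expected_ports):
    """Return (host, finding type, detail) tuples for analyst triage."""
    findings = []
    for src, dst, port in connections:
        ip = normalize_ip(dst)
        if ip is not None and ip in iocs["ip"]:
            findings.append((src, "ioc-ip", ip))
        elif ip is None and domain_matches(dst, iocs["domain"]):
            findings.append((src, "ioc-domain", dst))
        if port not in expected_ports:  # traffic leaving on an unusual port
            findings.append((src, "unexpected-port", f"{dst}:{port}"))
    for host, path, digest in files:
        if digest.lower() in iocs["sha256"]:
            findings.append((host, "ioc-hash", path))
    return findings


if __name__ == "__main__":
    for finding in sweep(CONNECTIONS, FILES, IOCS, EXPECTED_PORTS):
        print(finding)
```

A host that appears under more than one finding type, such as db-01 here, is the kind of lead the analysis step would look at first.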

In terms of threat models, this process provides high levels of visibility to risks, vulnerabilities, and blind spots across the organization’s entire digital landscape. This visibility contributes to greater model maturity, which loops back to leadership to further refine their philosophies and models.

In security, nothing is ever finished – leads are merely exhausted until a new lead appears. Security personnel must view all processes as loops, and even loops within loops, never as straight lines with a definitive end point.

MITRE PRE-ATT&CK and Threat Modeling

Whereas intelligence drives knowledge informing the strategic level, the PRE-ATT&CK framework offers detailed insight into the operational and tactical levels. It’s one thing to read about certain TTPs in analysis reports, but it’s somewhat more difficult to lay out all of the steps involved in those TTPs, not to mention how a security analyst can monitor or investigate such activity.

Thus, the PRE-ATT&CK framework provides that knowledge base. When used in conjunction with robust threat models, teams can map out detailed plans that simulate how an attacker might attempt to breach the organization’s defenses, as well as action plans both for defensive monitoring and incident response.

While a security team can gather intelligence regarding IOCs and TTPs, proactive security postures require that the teams also understand how threat actors prepare for attacks and address those issues in order to shrink the attack surface as much as possible. This includes social media footprints which could be used in phishing campaigns, typosquatting for other phishing campaigns, the establishment of attack infrastructure which may resemble the organization’s legitimate infrastructure, and much more.

Threat models take this into account and help security teams understand what they can and cannot protect, where they should and should not direct their focus and energies. If protecting a database is the goal, social media impersonation and extortion threats are much lower priorities than ongoing malspam campaigns.

Which Model is Best for Your Organization?

So which threat model is best for your organization? In truth, there is no single answer. Modeling requires the use of several models, because each one serves its own specific purpose, and sometimes that specific purpose is intentionally highly general. Therefore, developing an understanding of various models will assist in developing a highly robust and mature security posture for your organization.

Over the next few posts in this blog, we will look at specific models and what they provide security teams in terms of understanding risks, defining threats, and preventing successful attacks, as well as some specific tools that can help in identifying and countering specific tactics and techniques.