Posted September 4, 2019
In May, LookingGlass wrote about the benefits of threat modeling, specifically emphasizing its proactive nature. Having had many conversations on this topic since then with customers, partners, and colleagues, I think it’s important to clarify that our view of “threat modeling” focuses on threat actor modeling, not application threat modeling. As a product manager, when I hear the term my mind often goes to the latter, which is an incredibly useful but decidedly different exercise: application threat modeling enumerates the attack surface of a system you are building, whereas threat actor modeling profiles the adversaries most likely to come after your organization. Now that we have that out of the way…
Threat Modeling Framework
If the first step is deciding you want to add threat actor modeling to your cyber defense strategy (PSA: there is no silver bullet), then the second step is selecting a threat modeling framework. This ensures that as your cyber intel team builds its knowledge base on the threat actors you begin to track and model, they are using a common methodology and vocabulary. One of the most popular frameworks right now is MITRE ATT&CK, and in my opinion that popularity is well-deserved, so witnessing its adoption within our own customers’ processes is encouraging. There are also some great people behind the effort, so if you are wondering how to get started with ATT&CK, MITRE’s own Katie Nickels has you covered. To be clear, even Katie will tell you that there are other frameworks out there and each has its own strengths, but in the combined interest of keeping your attention and getting to my point, we’ll move on.
Prioritizing Threat Actors to Model
Let’s pretend for a moment that you’re already convinced: threat actor modeling is something you want to add to your arsenal, and maybe you’ve even decided that ATT&CK is the right framework for you. You start to follow Katie’s Level 1, 2, and 3 advice but begin to feel overwhelmed. How do you decide which actors you should model? Beyond focusing on the actors that have been known to target your industry, what other information should you analyze? These kinds of questions are near and dear to my product manager heart because we’re essentially asking: “how can we best prioritize this?” (my entire job can basically be boiled down to prioritizing work). There are many approaches to this, but there are two concepts that I have seen customers find incredibly powerful:
- PIRs: I had to learn a lot about Intelligence (with a capital ‘I’) when I began working in this space. It turns out the Intelligence Community (IC) has thought extremely deeply, and for a long time, about the misleadingly simple-sounding problem of “what do we care about?” The practice of identifying priority intelligence requirements (PIRs) goes a long way toward formalizing the answer to this question. Although this blog post is absolutely not a PIR primer, I would be happy to offer some recommendations on the sources that helped me better appreciate the concept.
- Target-Centric: A simple, but powerful consideration, “what information would threat actors want?” Building this into your threat models as soon as possible will help both the prioritization and relevance of said models. I won’t make you reach out to me for additional recommendations here because LookingGlass was fortunate enough to collaborate with Jake Williams on a SANS white paper earlier this year which goes deeper into the benefits of this approach.
This seems like… a lot
Your Inner Monologue: Dan, you’ve worn me down. We get it, this is a powerful tool which helps proactively defend the organization. But I’ve got to be honest, it sounds like a lot of work and my team does not have the time for this.
Me [desperately trying not to sound defensive]: I wholeheartedly agree with Katie’s post here – getting started is not as bad as it may seem! Whether or not you have a formal document, you likely already have some form of intel requirements. A quick discussion with your cyber colleagues would produce a rough list of high-value targets. Using this info to do research into the MITRE ATT&CK Groups could likely identify a threat actor your organization should be modeling.
Threat Modeling Output Drives Risk Management
The point of all of this is not necessarily for you to conclude that I’m right, and ultimately decide it would be super helpful if there were software out there that enabled this. In all seriousness, the actual goal is to get to a point where your intel team is speaking the language of the business: risk management. If you’ve established a process which takes into account your highest-value assets, identifies which (if any) of your organization-specific controls protect them, and quantifies that risk in the context of real-world attacks, the value of intelligence will be obvious and appreciated all the way up to the boardroom.
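To make the prioritization concrete, here is an added Python example (not code from LookingGlass, MITRE, or the SANS paper) that ranks candidate groups the way the previous section and this paragraph describe: it starts from a rough list of high-value assets, maps each to the ATT&CK techniques an attacker would need against it, discounts techniques that existing controls already mitigate, and weights groups known to target the organization’s sector. The technique IDs are real ATT&CK IDs; the asset values, control coverage figures, sector, group names and group profiles are all constructed for the example, and the scoring formula is my own illustration rather than any standard method.

```python
"""Rank threat actor groups to model from high-value assets, control coverage
and group technique profiles. Added illustration, not LookingGlass or MITRE code."""

# Constructed sample input: the organisation's high-value assets, each with a
# relative value (1-5) and the ATT&CK techniques an attacker would most likely
# need to compromise it. Technique IDs are real ATT&CK IDs; the asset-to-
# technique mapping is an assumption made for this example.
HIGH_VALUE_ASSETS = {
    "customer-pii-db": {"value": 5, "techniques": {"T1078", "T1003", "T1041", "T1190"}},
    "build-servers":   {"value": 4, "techniques": {"T1078", "T1021", "T1486"}},
    "finance-email":   {"value": 3, "techniques": {"T1566", "T1110"}},
}

# Hypothetical control inventory: the fraction of a technique that existing
# controls are judged to mitigate. Techniques not listed have no mitigating control.
CONTROL_COVERAGE = {
    "T1566": 0.6,  # Phishing: mail filtering plus awareness training
    "T1110": 0.9,  # Brute Force: MFA plus account lockout
    "T1190": 0.4,  # Exploit Public-Facing Application: patch cadence only
    "T1078": 0.5,  # Valid Accounts: MFA on remote access, not internal
}

# Constructed group profiles in the shape of ATT&CK Group entries (sectors
# targeted, techniques used). Names and contents are invented for the example;
# real profiles would come from the ATT&CK STIX data.
GROUPS = {
    "GroupA": {"sectors": {"retail", "finance"}, "techniques": {"T1566", "T1078", "T1003", "T1041"}},
    "GroupB": {"sectors": {"healthcare"},        "techniques": {"T1190", "T1078", "T1486", "T1021"}},
    "GroupC": {"sectors": {"retail"},            "techniques": {"T1566", "T1110"}},
}

SECTOR_MATCH_WEIGHT = 1.5  # assumption: a group known to target our sector counts 50% more


def residual_exposure(technique):
    """Share of a technique left unmitigated by the organisation's controls."""
    return 1.0 - CONTROL_COVERAGE.get(technique, 0.0)


def score_group(group, org_sector):
    """Return (score, hits). hits lists (asset, technique, contribution) tuples
    so an analyst can see which uncovered technique drives the number."""
    score = 0.0
    hits = []
    for asset_name, asset in HIGH_VALUE_ASSETS.items():
        for technique in sorted(asset["techniques"] & group["techniques"]):
            contribution = asset["value"] * residual_exposure(technique)
            score += contribution
            hits.append((asset_name, technique, contribution))
    if org_sector in group["sectors"]:
        score *= SECTOR_MATCH_WEIGHT
    return score, hits


def prioritize(groups, org_sector):
    """Rank groups by score, highest first: (name, score, hits) per group."""
    ranked = [(name, *score_group(g, org_sector)) for name, g in groups.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def uncovered_techniques(group):
    """Techniques a group uses against our assets with no mitigating control:
    the obvious first detections to build once the group is chosen."""
    relevant = set().union(*(a["techniques"] for a in HIGH_VALUE_ASSETS.values()))
    return sorted(t for t in group["techniques"] & relevant if t not in CONTROL_COVERAGE)


if __name__ == "__main__":
    for name, score, hits in prioritize(GROUPS, "retail"):
        print(f"{name}: {score:.2f}")
        for asset, technique, contribution in hits:
            print(f"    {asset:<16} {technique}  +{contribution:.2f}")
        print(f"    uncovered: {uncovered_techniques(GROUPS[name])}")
```

The hits list is the part worth keeping: it tells the analyst not only which group to model first but which unmitigated technique against which asset makes that group dangerous (in this constructed sample, credential dumping and exfiltration against the PII database for GroupA), which is exactly the information the risk conversation with the business needs. For real use, replace the constructed GROUPS with profiles loaded from MITRE’s ATT&CK STIX data (github.com/mitre/cti) and the coverage figures with your own control assessment.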
If you would like to learn more about how LookingGlass can enable your team to model & contextualize threats, click here.