Posted May 22, 2019
In security, our biggest battle is getting ahead of the next security incident. Each incident brings a series of fire drills that, in hindsight, could have potentially been avoided. The lessons learned after completing these fire drills are often the most valuable. This cyclical nightmare points to the reactive nature of security; what organizations need is to develop a more proactive posture and the tools to match.
When speaking of being reactive, we are naturally drawn to all of those security tools that go “ding.” While “ding” has its benefits, isn’t this by definition too late? Instead of seeing the attack coming, we are now faced with the aftermath of a clean-up. Achieving a proactive stance takes time but is achievable. The state of security needs a different approach – with that, two very powerful words come to mind: Threat Modeling.
Threat modeling is a visual, logical, and systematic way to connect indicators, tactics, techniques, and procedures (TTPs) of adversaries or threat actors to organizational risk. This type of modeling takes a threat-centric and intelligence-driven approach to risk management. It is a process that extracts proven tradecraft and fits it within the bounds of security teams, ultimately driving toward a more proactive risk management process.
The magic of threat modeling lies in what can be leveraged through its constant repetition.
Threat Modeling with Benefits
Let’s first establish ground rules – threat modeling requires security teams to adopt workflows with modeling at their core, workflows that drive daily work, role definition, and expected outcomes. Although the art of linking indicators to higher-level objects may seem trivial, by piecing together a picture of behaviors, analysts are developing a picture of a threat that will inform them how a threat actor may potentially execute an attack and cause harm to the organization.
At the risk of being a master of the obvious, our first benefit comes by assigning risk scores.
While playing matchmaker with indicators, threat modeling also allows analysts to assign scores to each model based on two sets of criteria. For the first set, the risk score is applied by answering this question: “How effective are the adversary’s TTPs?” The second set of criteria applies a score that answers “What security controls are in place, and how effective are they at countering the adversary’s TTPs?”
For example, Threat Actor Anton’s typical mode of operation utilizes a distributed denial of service (DDoS) attack, where an organization is brought to its knees by overloading compute resources with requests beyond their limit, causing the corresponding platforms to enter into a degraded state or to stop responding as a result of complete resource exhaustion. The first step is to assess the threat. Typically, a DDoS attack would be rated as “high.” The next step is to assess the existing security controls that the organization has employed to counter such a threat. Ultimately the assessments result in a score of the threat and the controls to produce an overall model of how well the organization is prepared for such a threat.
If a monthly subscription is made to a provider that mitigates any type of DDoS attack at or above the bandwidth that Anton is able to execute, then a DDoS attack by Anton is unlikely to be successful and therefore should not be a focus for the team. In effect, the assessment of the controls should produce a “low” risk score.
After the team has built threat models, visualized threats posed by threat actors, and assigned risk scores based on internal operational processes, the question becomes, “What now?”
Minding the Gap
Hypothetically speaking, after your team has assessed and modeled the TTPs of a threat actor and assigned risk scores based on the likelihood of something happening, wouldn’t it be great if you could prioritize those models in descending order from highest to lowest risk score?
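As an added illustration (not code from the original post), here is one way to capture the two-score assessment from the Anton example and the descending prioritization asked for above. The numeric mapping of the low/medium/high ratings, the subtraction rule for combining the two scores, and the sample models other than Anton’s are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Ordinal scale for both assessments. The numeric mapping is an assumption
# for this example; the post only uses the words "high" and "low".
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ThreatModel:
    actor: str
    ttp: str
    threat_rating: str            # "How effective are the adversary's TTPs?"
    control_rating: str           # "How effective are the controls against them?"
    controls: list = field(default_factory=list)

    def residual_risk(self) -> int:
        """Threat effectiveness minus control effectiveness, floored at zero.
        This combination rule is an assumption for the example: a control
        rated as strong as the threat leaves no residual risk (the post's
        'low' score for Anton's DDoS once mitigation is in place)."""
        return max(0, RATING[self.threat_rating] - RATING[self.control_rating])


def prioritize(models):
    """Models ordered highest residual risk first; ties broken by raw threat rating."""
    return sorted(
        models,
        key=lambda m: (m.residual_risk(), RATING[m.threat_rating]),
        reverse=True,
    )


def gaps(models):
    """Models where controls do not fully cover the threat: where energy should go."""
    return [m for m in models if m.residual_risk() > 0]


# Constructed sample models. Anton/DDoS follows the post; the other two are invented.
SAMPLE_MODELS = [
    ThreatModel("Anton", "DDoS", "high", "high",
                ["DDoS mitigation subscription at or above Anton's bandwidth"]),
    ThreatModel("Actor B", "Credential phishing", "high", "low", ["Spam filtering only"]),
    ThreatModel("Actor C", "Exploitation of public-facing app", "medium", "low",
                ["Quarterly patching"]),
]

if __name__ == "__main__":
    for m in prioritize(SAMPLE_MODELS):
        print(f"{m.residual_risk()}  {m.actor:8} {m.ttp:36} controls={m.controls}")
```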
The foundation created by threat modeling allows the team to actually see where they are most at risk, and from which TTPs. How well prepared an organization is to handle these risks is the next logical conversation piece. The gaps identified serve to inform the security team and organization where energy should be spent, driving an organizational risk-based conversation and helping to justify costs and expenditures of security controls. This is also the juncture at which the team flips from reactive to proactive in addressing threats and begins to create an intelligence-driven risk management capability, thus increasing the overall relevance of the team to the broader business and mission.
The power of threat modeling comes from its ability to be tailored to your specific organization. Like being fitted for a suit, all the measurements taken are to ensure a superb fit. The value of threat modeling is to identify risks ahead of impact to the business. To reiterate – threat modeling requires a change in mindset, moving away from responding to every “ding” in exchange for a strategic approach to providing an intelligence-driven risk management program.