Posted May 22, 2019
In security, our biggest battle is getting ahead of the next incident. Each incident brings a series of fire drills that, in hindsight, could often have been avoided, and the lessons learned after those fire drills are usually the most valuable ones we get. This cycle points to the reactive nature of security. What organizations need is a more proactive posture and the tools to match.
When we speak of being reactive, we are naturally drawn to all of those security tools that go “ding.” While the “ding” has its benefits, isn’t it by definition too late? Instead of seeing the attack coming, we are faced with the aftermath and the clean-up. Achieving a proactive stance takes time, but it is achievable. The state of security needs a different approach, and with that, two very powerful words come to mind: Threat Modeling.
What is Threat Modeling?
Threat modeling, as used here, is a visual, logical, and systematic way to connect indicators and the tactics, techniques, and procedures (TTPs) of adversaries or threat actors to organizational risk. This is the threat-centric, intelligence-driven sense of the term (as distinct from the design-time threat modeling of a single application), and it is an approach to risk management: it takes proven adversary tradecraft and fits it within the bounds of what the security team can observe and control, ultimately driving toward a more proactive risk management process.
The value of threat modeling lies in what the constant repetition of the process yields over time.
Understanding the Process of Threat Modeling
Let’s first establish ground rules. Threat modeling requires security teams to adopt workflows with modeling at their core, workflows that drive daily work, role definition, and expected outcomes. Linking indicators to higher-level objects such as techniques and campaigns may seem trivial, but by piecing together a picture of behaviors, analysts build a picture of a threat that tells them how a threat actor may execute an attack and cause harm to the organization.
At the risk of being a master of the obvious, our first benefit comes by assigning risk scores.
While playing matchmaker with indicators, threat modeling also allows analysts to assign scores to each model based on two sets of criteria. The first set produces a threat score and answers the question: “How effective are the adversary’s TTPs?” The second set produces a control score and answers: “What security controls are in place, and how effective are they at countering the adversary’s TTPs?”
For example, Threat Actor Anton’s typical mode of operation is a distributed denial of service (DDoS) attack, which weakens an organization by flooding network or compute resources with requests beyond their limits and pushing platforms into a degraded state. The first step is to assess the threat; in this example the threat model rates Anton’s DDoS TTP as “high.” The next step is to assess the existing security controls the organization has deployed to counter that threat. Combining the threat score with the control score produces an overall measure of how prepared the organization is for this particular threat.
If the organization subscribes to a provider that mitigates DDoS attacks at or above the bandwidth Anton is able to generate, then the likelihood of Anton’s DDoS attack succeeding is low and it should not be a focus for the team. In effect, the control assessment should produce a “low” risk score. That score is only as good as the intelligence behind it: it holds as long as the service actually covers the attack types Anton uses and should be revisited whenever Anton’s observed capability or the provider’s coverage changes.
After the team has built threat models, visualized the threats posed by each actor, and assigned risk scores based on its own operational processes, the question becomes, “What now?”
Putting Threat Models to Use in Your Organization
Hypothetically speaking, once your team has modeled the TTPs of a threat actor and assigned risk scores based on the likelihood of an attack succeeding, wouldn’t it be great if you could prioritize those models in descending order, from highest to lowest risk score?
The foundation created by threat modeling lets the team actually see where it is most at risk, and from which TTPs. How well prepared the organization is to handle those risks is the next logical conversation. The gaps identified show the security team and the organization where energy should be spent, driving a risk-based conversation and helping to justify the cost of security controls. This is also the point at which the team flips from reactive to proactive in addressing threats and begins to build an intelligence-driven risk management capability, increasing the team’s relevance to the broader business and mission.
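To make the scoring and prioritization described above concrete, here is a small worked model. It is an added example, not code from the original post, and the scoring scheme it uses is an assumption: threat ratings are mapped to 1–3, each control removes an assumed fraction of the TTP’s impact, controls combine multiplicatively, and the residual is banded back into low/medium/high. The actors, TTPs, and effectiveness numbers (including “Anton” and his DDoS) are constructed sample data.

```python
"""Threat-model risk scoring and ranking (added example, assumed scoring scheme)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed mapping of qualitative threat ratings to numeric scores.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed: fraction of the TTP's impact this control removes (0..1)


@dataclass
class TTP:
    name: str
    threat: str  # "low", "medium" or "high": how effective the adversary's TTP is
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> float:
        return RATING[self.threat]

    def residual(self) -> float:
        # Assumed combination rule: each control independently removes its share,
        # so the fraction of impact that survives is the product of (1 - effectiveness).
        surviving = 1.0
        for c in self.controls:
            surviving *= 1.0 - c.effectiveness
        return self.inherent() * surviving


@dataclass
class ThreatActor:
    name: str
    ttps: list[TTP]


def band(score: float) -> str:
    """Assumed bands for turning a residual score back into a qualitative rating."""
    if score <= 1.0:
        return "low"
    if score <= 2.0:
        return "medium"
    return "high"


def rank_models(actors: list[ThreatActor]) -> list[dict]:
    """One row per (actor, TTP), sorted from highest to lowest residual risk."""
    rows = []
    for actor in actors:
        for ttp in actor.ttps:
            res = ttp.residual()
            rows.append({
                "actor": actor.name,
                "ttp": ttp.name,
                "inherent": ttp.inherent(),
                "residual": res,
                "band": band(res),
                "controls": [c.name for c in ttp.controls],
            })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


def control_gaps(actors: list[ThreatActor], threshold: float = 2.0) -> list[str]:
    """TTPs whose residual risk is still at or above the threshold: where to spend effort."""
    return [f'{r["actor"]}: {r["ttp"]}' for r in rank_models(actors) if r["residual"] >= threshold]


# Constructed sample data for illustration only.
SAMPLE_ACTORS = [
    ThreatActor("Anton", [
        TTP("DDoS", "high", [Control("Upstream DDoS scrubbing subscription", 0.875)]),
        TTP("Credential phishing", "high", [Control("MFA on all remote access", 0.5)]),
    ]),
    ThreatActor("Bea", [
        TTP("Exploit public-facing application", "high"),  # no controls modeled yet
    ]),
]

if __name__ == "__main__":
    for r in rank_models(SAMPLE_ACTORS):
        print(f'{r["residual"]:5.3f} {r["band"]:6} {r["actor"]:6} {r["ttp"]}')
    print("Gaps:", control_gaps(SAMPLE_ACTORS))
```

Anton’s DDoS starts at “high” but lands in the “low” band once the scrubbing subscription is counted, exactly the movement the example above describes, while the unmitigated web-application TTP rises to the top of the list and shows up as a gap. Swapping in your own actors, TTPs, and control effectiveness estimates is the tailoring step; the ranking and gap list are what feed the risk conversation.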
The power of threat modeling comes from its ability to be tailored to your specific organization. Like being fitted for a suit, every measurement is taken to ensure a superb fit. The value of threat modeling is identifying risks ahead of impact to the business. To reiterate: threat modeling requires a change in mindset, moving away from responding to every “ding” in exchange for a strategic, intelligence-driven risk management program.