Modeling Threats Against your Organization

The shift towards thinking like an attacker

Published, October 26, 2022

By: Paul Marco

Organizations tend to focus on the result of an attack, the point when the risk is already realized. While this makes sense, as everyone is concerned about the outcome of a Cyber event, understanding how those attacks work and who is behind them will give you insights into what the actor will target, and how well your controls are positioned to disrupt the attack over its progression.

Using some basic variables, you can model out the attacks that concern you most. This will give you some insight into how those attacks may unfold for your organization. Understanding the variables behind an attack provides insight into how to PLAN for, DISRUPT and RECOVER from a Cybersecurity incident if it is realized. Below are some of the variables you can use to model attacks against your organization.

ACTOR: There are multiple types of malicious actors. Each type of actor will align to different motives, goals, and tactics. Starting here will help inform the other variables. Some examples of Threat Actors could be: Cyber Criminal Groups, Malicious Insiders, Hacktivists.

VECTOR: The vector is the attacker’s way in. This variable should identify how the attacker will gain access to or interact with your systems. Some typical vectors are: Excessive Access, Misconfigured Systems, Phishing.

MOTIVE: The motive is what fundamentally drives the attack. It will align with an Actor’s goals and may inform the vectors an attacker will use, and in some cases the attack itself. Some examples of motive may be: Intellectual Property Theft, Financial Gain, Awareness.

GOAL: An actor’s goal will inform the tactics, techniques and procedures leveraged, based on what they are trying to achieve. For example, if the goal is Reputational Harm, the attacker will make their actions public, but if the goal is Fraud, they will want to ensure their actions are kept unknown for as long as possible. Some examples of goals may include: Fraud, Extortion, Reputational Harm.

ATTACK: The attack is where most people start. This is the culmination of all the variables and will be the collection of actions that you will want to disrupt. Some attacks may include: System Takeover, Data Encryption, Data Exfiltration.

Modeling a Threat against your Organization

As an example of how this process works, let’s model an INSIDER THREAT. Using these basic variables, we can begin to really articulate the attack and understand, with context, how to PLAN for the attack, what we can do to DISRUPT the attack progression, and how to RECOVER from the attack should our disruption fail. This context can then be used to implement, validate, or strengthen the controls you have identified in each of these stages.

As an example, we can look at this threat model:

ACTOR  | INSIDER
VECTOR | EXCESSIVE ACCESS
MOTIVE | REVENGE
GOAL   | REPUTATIONAL HARM
ATTACK | DATA DESTRUCTION

Immediately we can see context. This threat model will provide more direction than simply asking “How do we protect against Data Destruction?” While that is an important conversation to have, it omits planning for key variables that your organization should consider.

Working through the threat model we can organize around:

Insider: Who on your network has the ability to do harm? Do you understand what “Privilege” means on your network? Could you identify if someone has abused their Privilege?

Excessive Access: Do you have a method to ensure that the people on your network have the access that is appropriate for their role? Can you use process to ensure that privilege is controlled?

Revenge: Does a process exist to properly offboard people who have left your organization? Can you use internal indicators to identify if an employee is angry with the organization?

Reputational Harm: Have you identified your critical data? If this data is destroyed, could you operate? What impact would this have on your business and your customers?

Data Destruction: Can you alert when critical data is accessed? Do you have good backups of that data? Have you tried restoring from backup to prove it would work?
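Two of the questions above, whether people hold only the access their role needs (Excessive Access) and whether you can alert when critical data is touched or destroyed (Data Destruction), can be answered with fairly small checks over data you already have. The script below is an added example written for this article, not TALAS Security code; the role baseline, the IAM entitlement export, the /critical/ path convention and the audit log lines are all constructed sample data. It diffs each user's grants against their role baseline (the DISRUPT stage of the insider model) and then runs two detections over the log: every access to the critical data set, and a sliding-window count of deletions that flags a destruction burst before it is finished.

```python
"""Checks for the insider threat model: excessive access and data destruction.
All roles, users, grants, paths and log lines below are constructed for this
example; substitute your IAM export and audit log in practice."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role baseline: the access each role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"read:reports", "read:customer-db"},
    "dba": {"read:customer-db", "write:customer-db", "admin:customer-db"},
}

# Constructed entitlements as they might come from an IAM export.
USER_ACCESS = {
    "alice": {"role": "analyst", "grants": {"read:reports", "read:customer-db"}},
    "bob": {"role": "analyst",
            "grants": {"read:reports", "read:customer-db", "admin:customer-db"}},
    "carol": {"role": "dba",
              "grants": {"read:customer-db", "write:customer-db", "admin:customer-db"}},
}


def excessive_access(user_access, role_baseline):
    """Return {user: grants held beyond the baseline for the user's role}.

    A user whose role is not in the baseline is treated as having no expected
    access, so every grant they hold is reported for review."""
    findings = {}
    for user, info in user_access.items():
        extra = info["grants"] - role_baseline.get(info["role"], set())
        if extra:
            findings[user] = extra
    return findings


# Constructed audit log, one event per line: "<iso timestamp> <user> <action> <path>"
AUDIT_LOG = """\
2022-10-26T09:00:01 carol read /critical/customer-db/orders.tbl
2022-10-26T09:00:05 bob read /critical/customer-db/orders.tbl
2022-10-26T09:00:06 bob delete /critical/customer-db/orders.tbl
2022-10-26T09:00:07 bob delete /critical/customer-db/accounts.tbl
2022-10-26T09:00:09 bob delete /critical/customer-db/audit.tbl
2022-10-26T09:00:10 bob delete /critical/customer-db/backup-index.tbl
2022-10-26T09:01:00 alice read /shared/reports/q3.pdf
2022-10-26T09:05:00 carol delete /critical/customer-db/tmp.tbl
"""

# Assumed convention for this example: critical data lives under this prefix.
CRITICAL_PREFIX = "/critical/"


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def critical_access(events, prefix=CRITICAL_PREFIX):
    """Every event that touches the critical data set, for alerting or review."""
    return [e for e in events if e[3].startswith(prefix)]


def deletion_bursts(events, prefix=CRITICAL_PREFIX, threshold=3,
                    window=timedelta(seconds=60)):
    """Users who delete at least `threshold` critical objects inside `window`.

    Returns {user: largest number of deletions seen in any single window}."""
    per_user = defaultdict(list)
    for ts, user, action, path in events:
        if action == "delete" and path.startswith(prefix):
            per_user[user].append(ts)
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


if __name__ == "__main__":
    print("Excessive access:", excessive_access(USER_ACCESS, ROLE_BASELINE))
    events = parse_log(AUDIT_LOG)
    print("Critical data events:", len(critical_access(events)))
    print("Deletion bursts:", deletion_bursts(events))
```

Run as-is, the entitlement diff reports that bob, an analyst, holds admin:customer-db beyond his role baseline, and the burst detector flags bob for four critical deletions inside one minute while carol's single deletion stays under the threshold. The two findings reinforce each other: the excess grant is the vector, and the burst is the attack it enables, which is exactly the chain the threat model above asks you to disrupt early.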

We at TALAS Security are passionate about control. We hope this information has helped you understand how you can control threats in a way that enables you to PLAN for, DISRUPT and RECOVER from a Cyber Incident. Our mission is to enable your Cybersecurity advantage, and making Cybersecurity accessible is one of the ways we achieve that mission.