NOTE: Practical examples and more information are available at MITRE ATT&CK.
Threat modeling is the process of adopting a strategic, risk-based approach to identifying and resolving your security blind spots.
- Discovery: the process of identifying desirable assets, the threats to the environment surrounding them (attack vectors), and the paths hackers may take to reach such assets.
- Implementation: the information gathered in the discovery phase is analyzed for potential organizational and reputational impact, the most damaging attacks are prioritized, and the steps needed to resolve the vulnerabilities associated with the prioritized threat routes are identified.
Discovery: Identify Your Assets, Examine the Surrounding Environment for Vulnerabilities, and Trace the Path Hackers May Take to Reach Your Assets
Conducted in three steps, the discovery phase of threat modeling is all about locating and then prioritizing your most important data assets, and gaining a holistic understanding of the risks to the environment surrounding those assets.
Step 1: Asset Identification
Your first task is to catalog your assets, including data, applications, network components, and many others. Assets can be broken down into the following two buckets:
- Business Assets: Data, various components, and functions (applications) that are necessary for the continued operations of your business. Those targeting business assets can be better seen as malicious actors committing sabotage intended to disrupt continued activity.
- Data Assets: These are data, components, and functions of particular use to the hacker, who can gain access to certain functions to perform further reprehensible deeds. For example, cybercriminals may exploit data assets to help their crypto-mining operations, or look for customer data they can sell on dark web exchanges.
Note that there may be assets that live somewhere between business assets and data assets. It’s more important that these are cataloged comprehensively than strictly defined.
Step 2: Attack Surface Analysis
It’s a myth that today’s hackers perform custom attacks on their victims. Rather than the ultra-competent cyber sleuths we see in the media, they’re instead opportunists who look for the most direct entry points and exploit already-known vulnerabilities.
Since many organizations are unaware that they may have compromised hardware, software and/or unprotected admin accounts (those set with default passwords), hackers only have to find the right target and apply a tried-and-true exploit.
Step 2 involves mapping out the components of the environment surrounding the above assets. That includes all components that communicate with the asset, contain it, or otherwise provide access to it.
This makes up your attack surface – essentially the totality of your exposed components that may connect a bad actor to one of your assets. Within threat modeling, teams outline all elements of the attack surface, and demonstrate how data flows to and from these components.
Step 3: Attack Vectors
If an attack surface is your exposed asset-related components, attack vectors are the paths intruders may take to arrive there – all the way from system penetration to asset exfiltration.
Map your components and the functionality that’s available to these components – this should include security applications and controls. Note as well that there may be multiple ways hackers can exploit a particular path.
You’ll also need to collect all relevant information about known exploits and vulnerabilities associated with each component in all attack vectors.
It’s time to think like a hacker. Using the collected information on vulnerable components and attack vectors, figure out the approaches a cybercriminal can take to launch an attack. Consider their potential objectives, motivations, and their hacking skill level. From there, assess how potential hackers may get to your assets.
Implementation: Analyzing the Impact of Potential Attacks, Prioritization, and the Application of Relevant Security Controls
The second and final phase of threat modeling begins with a comprehensive analysis of all information gathered in the discovery phase. The three-step process involves a breakdown of each attack vector’s impact, prioritized by their potential impact on the entire organization, and the collection of instructions for how each vulnerability may be mitigated.
Step 4: Analysis
Since we don’t live in a world of perfect security, risk management is essential to make sure you’re making the best possible security decisions based on your risks and resources.
Information collected in the prior phase should be used to assess each attack type’s potential impact. Look at the assumptions made during the discovery phase, and include any threat intelligence or indicators.
Cyberattacks have been known to set off complex chains of events, so it’s crucial to think broadly about various ways damage may be done. Consider the following occurrences and their impact:
- Damage to reputation among organizations and consumers
- Leaked data (on all parties involved)
- Any legal action taken in response
- Costs to replace compromised equipment
- Application downtime should attackers effectively sabotage crucial components
Step 5: Prioritization
The penultimate step of the threat modeling process revolves around prioritizing the previously-discovered vulnerabilities. The goal here is not to stop every possible attack; rather, it’s to protect against the most dangerous, high-impact attacks. The likelihood of such attacks occurring is an essential part of the risk prioritization process, but greater weight should still be given to impact. Ideally, once the most critical threats are addressed, you will mitigate as many additional threats as possible in a hierarchical fashion.
Step 6: Security Controls
The sixth and final step in the threat modeling process is the discovery of security controls that effectively remove, counter, or mitigate all relevant vulnerabilities. Also critical is the analysis of existing security controls for iterative improvements. This process is additionally useful in identifying security gaps not discovered in the initial discovery phase.
Security validation through drift is a part of an ongoing security practice as the threat model becomes a living, breathing document that evolves with your infrastructure.
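The six steps above, applied to a small constructed environment (an added example, not part of the original article). The component names, the 1-5 scores, the 0.7/0.3 weights, and the rule that a path is only as likely as its hardest hop are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Step 1 (constructed data): assets and impact if compromised, 1 (low) to 5 (severe).
ASSET_IMPACT = {"customer_db": 5, "build_server": 3}
# Step 2: attack surface as data flows; each component lists what it can reach.
FLOWS = {
    "internet": ["web_app", "vpn_gateway"],
    "web_app": ["api_service", "admin_console"],
    "api_service": ["customer_db"],
    "vpn_gateway": ["admin_console"],
    "admin_console": ["customer_db", "build_server"],
}
# Step 3: assumed ease of exploitation, 1 (hard) to 5 (known exploit, default password).
EXPLOITABILITY = {"web_app": 4, "api_service": 2, "vpn_gateway": 3, "admin_console": 5}
W_IMPACT, W_LIKELIHOOD = 0.7, 0.3  # assumed weights: impact outweighs likelihood

def attack_vectors(entry="internet"):
    """Step 3: every loop-free path from the entry point to an asset."""
    vectors, stack = [], [[entry]]
    while stack:
        path = stack.pop()
        for nxt in FLOWS.get(path[-1], []):
            if nxt in ASSET_IMPACT:
                vectors.append(path + [nxt])
            elif nxt not in path:  # skip cycles in the data-flow map
                stack.append(path + [nxt])
    return vectors

def prioritize(vectors):
    """Steps 4-5: score each vector, weighting impact above likelihood."""
    scored = []
    for path in vectors:
        # A directly exposed asset (no hops in between) gets the maximum likelihood.
        likelihood = min((EXPLOITABILITY[c] for c in path[1:-1]), default=5)
        score = W_IMPACT * ASSET_IMPACT[path[-1]] + W_LIKELIHOOD * likelihood
        scored.append((round(score, 2), path))
    return sorted(scored, key=lambda s: s[0], reverse=True)

def control_candidates(ranked):
    """Step 6: rank components by the total score of the vectors crossing them."""
    exposure = defaultdict(float)
    for score, path in ranked:
        for component in path[1:-1]:
            exposure[component] += score
    return sorted(((round(v, 2), c) for c, v in exposure.items()), reverse=True)

if __name__ == "__main__":
    ranked = prioritize(attack_vectors())
    for score, path in ranked:
        print(score, " -> ".join(path))
    print(control_candidates(ranked))
```

With this data the admin console sits on four of the five vectors, so a control placed there reduces more ranked risk than one on any single path.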
ATT&CK gives analysts a common language to structure, compare, and analyze threat intelligence.
- Getting Started with ATT&CK: Threat Intelligence Blog Post: This blog post describes how you can get started using ATT&CK for threat intelligence at three different levels of sophistication.
- ATT&CKing Your Adversaries Presentation: This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections.
- Blog posts on threat intelligence: These blog posts explain the fundamentals of how to use ATT&CK for threat intelligence.
- ATT&CKing the Status Quo Presentation: The middle part of this presentation provides an introduction to using ATT&CK for threat intelligence. Slides are also available.
- ATT&CKing with Threat Intelligence Presentation: This presentation provides perspective on how to use threat intelligence for ATT&CK-based adversary emulation. Slides are also available.
- ATT&CK Navigator Use Case for Threat Intelligence: This demo provides an overview of the ATT&CK Navigator as well as a threat intelligence use case for how to compare group behaviors. A corresponding written tutorial on comparing Navigator layers is available here.