0xnhl

Threats

Created: 1/12/2026 Updated: 1/12/2026

A threat is any circumstance or event that can negatively impact assets.

  • People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach.

Threat actor types

Advanced persistent threats

Advanced persistent threats (APTs) have significant expertise in accessing an organization’s network without authorization. APTs tend to research their targets (e.g., large corporations or government entities) in advance and can remain undetected for an extended period of time. Their intentions and motivations can include:

  • Damaging critical infrastructure, such as the power grid and natural resources
  • Gaining access to intellectual property, such as trade secrets or patents

Insider threats

Insider threats abuse their authorized access to obtain data that may harm an organization. Their intentions and motivations can include: 

  • Sabotage
  • Corruption
  • Espionage
  • Unauthorized data access or leaks

Shadow IT refers to individuals who use technologies that lack IT governance. A common example is when an employee uses their personal email to send work-related communications.

Hacktivists

Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to accomplish their goals, which may include:

  • Demonstrations
  • Propaganda
  • Social change campaigns
  • Fame

Attack vectors

An attack vector is a pathway attackers use to penetrate security defenses, while an attack surface is all the vulnerabilities of an asset that can be exploited. Common attack vectors include:

  • Direct access, meaning the attacker has physical access to a system
  • Removable media, which includes portable hardware, like USB flash drives
  • Social media platforms that are used for communication and content sharing
  • Email, including both personal and business accounts
  • Wireless networks on premises
  • Cloud services usually provided by third-party organizations
  • Supply chains like third-party vendors that can present a backdoor into systems

Threat Modeling

A typical threat modeling process is performed in a cycle:

  • Define the scope
  • Identify threats
  • Characterize the environment
  • Analyze threats
  • Mitigate risks
  • Evaluate findings

Threat modeling frameworks

STRIDE

STRIDE is a threat-modeling framework developed by Microsoft. It’s commonly used to identify vulnerabilities in six specific attack vectors. The acronym represents each of these vectors: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
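One common way to apply STRIDE is the STRIDE-per-element approach, which these notes do not describe: each element of a data flow diagram is checked against the categories that apply to its type. The following is an added example, not part of the original notes; the sample system, its trust zones and the `enumerate_threats` helper are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE category -> the security property it violates.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element chart: categories that apply to each diagram element type.
# Repudiation on a data store matters mainly when the store holds logs.
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # one of the keys of APPLIES
    zone: str = ""   # trust zone the element lives in (not used for flows)
    src: str = ""    # data flows only: name of the source element
    dst: str = ""    # data flows only: name of the destination element

def enumerate_threats(elements):
    """Return (element, category, property, crosses_boundary) rows, boundary-crossing flows first."""
    zones = {e.name: e.zone for e in elements if e.kind != "data_flow"}
    rows = []
    for e in elements:
        # A flow crosses a trust boundary when its endpoints sit in different zones.
        crosses = e.kind == "data_flow" and zones[e.src] != zones[e.dst]
        for letter in APPLIES[e.kind]:
            category, prop = STRIDE[letter]
            rows.append((e.name, category, prop, crosses))
    # Stable sort: boundary-crossing flows move to the top of the review list.
    return sorted(rows, key=lambda r: not r[3])

# Constructed sample system: a browser, a web app, a database and an audit log.
SAMPLE = [
    Element("browser", "external_entity", zone="internet"),
    Element("web_app", "process", zone="dmz"),
    Element("orders_db", "data_store", zone="internal"),
    Element("audit_log", "data_store", zone="dmz"),
    Element("login_request", "data_flow", src="browser", dst="web_app"),
    Element("order_query", "data_flow", src="web_app", dst="orders_db"),
    Element("log_write", "data_flow", src="web_app", dst="audit_log"),
]
```

Each returned row is a question to answer during the "identify threats" step, with the flows that cross a trust boundary listed first.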

PASTA (Process for Attack Simulation and Threat Analysis)

The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling process developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite. Its main focus is to discover evidence of viable threats and represent this information as a model. PASTA’s evidence-based design can be applied when threat modeling an application or the environment that supports that application. Its seven-stage process consists of various activities that incorporate relevant security artifacts of the environment, like vulnerability assessment reports.

Steps:

  • Define business and security objectives
  • Define the technical scope
  • Decompose the application
  • Perform a threat analysis
  • Perform a vulnerability analysis
  • Conduct attack modeling

Trike

Trike is an open source methodology and tool that takes a security-centric approach to threat modeling. It’s commonly used to focus on security permissions, application use cases, privilege models, and other elements that support a secure environment.

VAST

The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an automated threat-modeling platform called ThreatModeler®. Many security teams opt to use VAST as a way of automating and streamlining their threat modeling assessments.