A Guide to Threat Modelling for Your Organisation

June 22, 2024
This blog post outlines a methodology for conducting threat modelling effectively, ensuring your organisation is prepared to face emerging threats.

by Kade Morton (CEO)
Introduction

Create a control list that fortifies your organisation’s security posture.

Threat modelling is a crucial practice for organisations aiming to anticipate, understand, and mitigate potential cyber threats.

By leveraging cyber threat intelligence (CTI) to identify threat actors targeting your industry and geography, understanding their tactics, techniques, and procedures (TTPs), and mapping these to relevant controls, you can create a prioritised control list that fortifies your organisation’s security posture.

What is Threat Modelling?

This is not application threat modelling; this is threat modelling for an organisation. In this context, threat modelling is a structured approach to identifying, assessing, and mitigating security risks posed to an organisation. It involves understanding potential cyber threat actors (CTAs), their methods of attack, and the potential impact on your organisation. The objective is to develop a comprehensive strategy to defend against these threats by implementing appropriate security controls.

Step-by-Step Methodology for Threat Modelling

Define Assets

Start the threat modelling process by conducting a comprehensive brainstorming session to identify all potential assets that could be targeted by adversaries. This includes cataloguing a wide array of assets, from tangible ones like money and computing resources (servers, workstations, and network infrastructure) to intangible assets such as various types of data the organisation holds, including customer information, financial records, and employee data, each possessing distinct sensitivity and value.

Next, consider business processes, which encompass the workflows and procedures essential for the organisation’s operations. Proprietary or classified information, such as trade secrets, product designs, and strategic plans, also requires protection due to its high value and potential impact on competitive advantage. Intellectual property, including patents, trademarks, and copyrights, represents significant investment and innovation, making it a prime target for theft or sabotage.

Collaborate across departments to ensure multiple perspectives are considered, thus creating a robust and holistic view of the organisation’s valuable components. Once this list is compiled, set priorities beside each asset.

Define Points of Ingress and Egress into the Network

Identify the points of ingress and egress for your network. Ingress points are the gateways through which external entities can enter the network. These typically include internet-facing services such as web servers, email servers, and VPN gateways, as well as external connections like partner networks, cloud services, and remote access points used by employees. Egress points are the channels through which data can exit the network, including outbound internet traffic, email communications, cloud storage services, and data transfer mechanisms like FTP servers or APIs used for data exchange with external entities. Securing these points is vital as they represent potential entryways for threats and exit routes for data exfiltration.

Define and Profile Specific Cyber Threat Actors

Gather threat intelligence specific to your industry and geographic location. This can be obtained from various sources such as a simple search online for cybersecurity reports, trusted CTI providers, and government advisories. Create a list of CTAs and the rationale for including them.

Then, create profiles for the identified CTAs, including their motivations (e.g., financial gain, espionage) and TTPs. Beside each CTA, list their skill level, likelihood of impacting your organisation, and the potential impact they would have if successful. Ground your likelihood assessments in fact by looking at how often organisations in your industry and geography are impacted by each type of CTA, using data from online sources or a trusted CTI partner. Assign an overall score to each group based on their skill level, likelihood of impact, and potential impact, to prioritise the CTAs.

Map Cyber Threat Actors to Points of Ingress and Egress and Assets

Work through the CTAs from highest to lowest priority. Map the TTPs to points of ingress and egress. Then, based on the applicability of the TTPs and the motivation of the CTA, map TTPs and higher-level CTAs to assets. You should now understand the ways a CTA can come into the network, what they will go for once they are in the network, and how they can communicate and exfiltrate data out of the network.

Define Controls

Working through the highest priority CTAs and assets, assess the controls against each point of ingress and egress and each asset. Identify if you have any missing controls, either preventative or detective. If you are unsure of which controls to implement, refer to the mitigative and detective controls listed in MITRE ATT&CK against each TTP.

You now have a prioritised control list to focus on to enhance your security posture. This list is backed by quantifiable information and a repeatable process.
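
The steps above, from scoring CTAs through to listing missing controls, can be run as a small script. This is an added example, not code from the original post or from Arachne Digital: the actors, ratings, control names and the score formula (skill × likelihood × impact on 1 to 5 scales) are constructed assumptions, and only the MITRE ATT&CK technique IDs are real.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Actor:
    name: str
    skill: int        # each rated 1 (low) to 5 (high)
    likelihood: int
    impact: int
    ttps: tuple       # MITRE ATT&CK techniques from the CTA profile
    targets: tuple    # assets the CTA's motivation points at

    @property
    def score(self) -> int:
        # Assumed formula: the post asks for an overall score but gives none.
        return self.skill * self.likelihood * self.impact

# Constructed sample data for a fictional organisation.
ACTORS = [
    Actor("hacktivist collective", 2, 3, 2, ("T1190",), ("public website",)),
    Actor("ransomware affiliate", 3, 5, 5, ("T1566", "T1133"), ("file servers",)),
    Actor("espionage group", 5, 2, 4, ("T1566", "T1190", "T1567"), ("product designs",)),
]
TTP_POINTS = {"T1566": "email gateway",       # Phishing (ingress)
              "T1190": "web server",          # Exploit Public-Facing Application
              "T1133": "VPN gateway",         # External Remote Services
              "T1567": "outbound web proxy"}  # Exfiltration Over Web Service (egress)
# Controls wanted per TTP (illustrative names, not ATT&CK mitigation IDs).
WANTED = {"T1566": {"user training", "attachment sandboxing"},
          "T1190": {"patch management", "web application firewall"},
          "T1133": {"multi-factor authentication"},
          "T1567": {"data loss prevention"}}
# Controls already implemented at each point of ingress or egress.
IN_PLACE = {"email gateway": {"user training"},
            "web server": {"patch management", "web application firewall"}}

def prioritised_gaps(actors):
    """Walk CTAs from highest to lowest score and list each missing control once."""
    seen, gaps = set(), []
    for actor in sorted(actors, key=lambda a: a.score, reverse=True):
        for ttp in actor.ttps:
            point = TTP_POINTS[ttp]
            for control in sorted(WANTED[ttp] - IN_PLACE.get(point, set())):
                if (point, control) not in seen:   # keep the highest-priority owner
                    seen.add((point, control))
                    gaps.append((actor.score, actor.name, actor.targets, ttp, point, control))
    return gaps

if __name__ == "__main__":
    for row in prioritised_gaps(ACTORS):
        print(row)
```

Each missing control is reported once, against the highest-scoring CTA that makes it relevant, so the output order is the order in which to fund the work.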

Annual Review and Update

Threat modelling should be an ongoing process, conducted at least annually. This ensures that the organisation remains responsive to evolving threats and adapts its defences accordingly. Regularly update threat intelligence and threat actor profiles to reflect the latest information. This includes tracking new threat actors, emerging TTPs, and changes in the threat landscape. Continuously assess the effectiveness of implemented controls and make necessary adjustments. This can involve testing controls through simulations, audits, and reviews.

Benefits of Regular Threat Modelling

Enhanced Security Posture: By understanding and anticipating threats, organisations can implement targeted controls that address specific risks, leading to a stronger security posture.

Resource Optimisation: Prioritising controls based on actual threats ensures that resources are allocated efficiently, maximising the return on security investments.

Proactive Defence: Regular threat modelling enables organisations to move from a reactive to a proactive defence strategy, staying ahead of adversaries.

Compliance and Regulatory Alignment: Threat modelling helps organisations align their security measures with compliance requirements and industry standards, reducing the risk of regulatory penalties.

Conclusion

Threat modelling is a vital component of an organisation’s cybersecurity strategy. By leveraging threat intelligence to identify relevant threat actors, understanding their TTPs, and mapping these to appropriate security controls, organisations can create a prioritised control list that enhances their defence mechanisms. Conducting this exercise annually ensures that the organisation remains agile and responsive to the ever-changing threat landscape, ultimately safeguarding its assets and operations.

Implementing a comprehensive threat modelling process requires commitment and collaboration across the organisation. However, the benefits of a well-executed threat modelling strategy far outweigh the efforts, providing a robust framework for defending against sophisticated cyber threats.

Benefits

Why select Arachne?

Do you want to maximise your security within your budget? Arachne Digital is the logical choice.

Our platform searches the internet for information on threat actors, gathers reports, and categorises the findings by region, industry, and threat actor. Our process automatically maps TTPs to MITRE ATT&CK®, slashing research time and saving you money.

Threat Mitigation Experts

Connect with a way to see and neutralise potential attacks before they impact your organisation. Arachne Digital empowers organisations to anticipate and avoid cyber threats by delivering actionable intelligence.

Optimised Security Posture

By integrating the precise threat intelligence provided by our reports, you can evolve, prioritise and implement effective and continually updated security controls relevant to your organisation.

Streamlined Compliance

Comprehensive, insightful threat intelligence reports support audit preparations. Demonstrate a proactive approach to cybersecurity and achieve and maintain compliance more easily.

Testimonials & Partnerships

“Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.

Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”

Partnership

We are partnered with DISARM Foundation.

Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.

This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.

Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.

