Our Blog | ActZero

Threat Modeling: A Guide for Small to Midsize Enterprises | ActZero

Written by ActZero | Jun 24, 2021 4:00:00 AM

In the non-stop battle to keep your organization secure, there are three vital commodities most IT and security teams seem to never have enough of — time, resources, and money. With a sundry of risks and vulnerabilities to track and remediate, how can a team focus their efforts for maximum impact, and implement the most relevant threat controls first? 

In this blog post, we cover four elements worth adopting to improve the cybersecurity capabilities of your entire organization. First, we describe the tangible outcomes of security controls, i.e., practices that enable risk reduction. Then, discuss the Threat Modeling Frameworks you can apply in your environment, and simplified activities appropriate for SMBs with constraints on the time, resources, and money to cover the assessment, analysis, and mitigation phases of Threat Modeling. We cap off with a visual example that shows how you can protect your organization.

Controls: Driving Security Practices

What do we mean when we talk about security controls? Simply put, they are mitigations, i.e., policies, procedures of technology implemented by an organization to reduce or eliminate risks to the confidentiality, integrity, and availability (CIA) of their computer systems and data. There are many frameworks that outline recommended security controls that we reference for security benchmarks i.e., CIS Critical Security Controls 8.0 , and Cybersecurity Maturity Model Certification (CMMC).

Threats are nothing new but defining them is critical to understanding and establishing thorough mitigation strategies. The rapid rate with which the cyber threat landscape is changing is cause for alarm, and enough reason to stay alert. Emerging threats intended to capitalize on your security vulnerabilities eliminates the option of ‘not ready’. The need to prepare, plan and practice is evident. In response, we created a handy eBook: Foundations for Incident Response Readiness that you can access HERE, to help your business build threat resilience.

Designing for security: Not “one size fits all”

Every organization has a unique environment, encounters distinct threats, and should implement security controls tailored to their specific needs. A structured approach that helps with prioritizing controls against external security threats is Threat Modeling. Originally used in the military to simulate threats and evaluate defense countermeasures, we use this technique today to:

  • Identify vulnerabilities and the threats that are the greatest risk
  • Highlight gaps in safeguards, and
  • Prioritize controls to mitigate or prevent the effects of identified threats

Since there are control variations within the same threat model, it is noteworthy that even organizations with similar infrastructure and processes may not have the same threat model. Company A and B, though in the same industry, could choose different controls based on budget, perceived likelihood and/or damage of a particular threat-type landing, or for a million other reasons. Prioritize your controls to address your specific security needs. For example, if your business environment has a lot of in-person interaction with hardware, you should prioritize controls for removable hardware.

Threat Modeling Frameworks

There are certain frameworks that are used for modeling threats to software or reducing organizational risks, while others focus on threat actors or personas. Popular examples of the top Threat Modeling Methodologies and Techniques are STRIDE, PASTA and OCTAVE. Though impressively valuable, many small and medium-sized enterprises do not have the exhaustive resources needed to deep dive into Threat Modeling. However, SMBs have a unique opportunity to pull important concepts like applying threat intelligence, and threat mapping, to address presenting security issues, iterate for improvements and scale accordingly.

Simplifying the Frameworks

A tried, tested, and true trick of the trade is this: start simple. We can condense a simplified process to three small steps, repeated over time: Assess→ Analyze → Mitigate.

Now, let’s get into the details.

Assess your Environment and Data 

Take a step back and observe your data and infrastructure. Smaller organizations do not need to get too far into the weeds. The deeper you go, the higher probability of discovering unmanageable details, the longer it will take and the harder it will be to remediate the vulnerabilities you uncover. Do not attempt to boil the ocean.

Instead, start by identifying and understanding what your most valuable information assets are. These may include important database servers and will certainly comprise your network directory infrastructure (such as Active Directory). The goal here is to identify the critical systems, services, and data that, if lost or otherwise interrupted, could lead to extreme business disruption, high recovery costs, or even insolvency. These are the core business operations artifacts we cannot delay in fixing or reinstalling, or that are proprietary.

Not to age ourselves, but it is ineffective and a waste of limited resources to start an exercise on modeling threats against AS/400s–you remember those, right? The platform that is perceived as outdated, but still somewhat functional. Yeah that. Let’s aim for a lean approach to solving your company’s security issues.

Assess Threats & Vectors

To assess the likelihood and risks of a cyber-attack that may affect your asset, ask thought-provoking questions like: 

1) What are the threat actors’ motivations and targets? This helps to create a profile of the threat.

2) What is my organization's readiness level in the event of an attack? This provides an abstraction of your systems.

We strongly advocate playing out scenarios that pattern a potential attack, as this helps unearth blind spots. To gain more insight, watch this webinar on Thinking about the adversary: offensive and defensive strategies.

For a broader picture, stay informed on global threat trends and intelligence, and dig into data from internal incidents and events/IOCs (found in your SOC data, RCA minutes), and Red Team exercises or penetration test reports. As an IT or security professional, there may be things not immediately obvious to you that are critical to business operations. Thus, get substantial input by collaborating with stakeholders in finance, leadership, R&D and other key roles that will provide invaluable insight about the organization’s assets as you design safeguards.

Cybersecurity Incident Root Cause Analysis (RCA)

In this phase, examine the information gathered during the assessment for an improved understanding of the incidents and control breakdowns. This process will produce answers to why these incidents occurred in the first place. But be strategic. Focus on a single specific threat—the most likely, important, or potentially damaging threat. Save the rest for the next iteration of the process. Get a comprehensive look into RCA. 

Perform Threat Mapping

Take the high-level steps in the attack pattern and map them into visual boxes. For context, see a visual representation. Cast a wide net. Keep the steps broad so that your model covers all related scenarios and represents emerging threats. Being too specific puts you at a disadvantage because your model will cover a limited scope, causing missed opportunities to map controls that would help protect against related attacks. For example, if you only mapped a threat to one specific operating system (OS) or type of endpoint, you may leave gaps for all the other OSs or endpoints in your environment.

Use Threat Modeling to Mitigate Risk

Now that you know what the threat is, and the stages they can take. Use the rough model created in the previous phase to map your controls for each stage. Then inspect the diagram to see where the gaps are. These are the areas to propose new controls for, to mitigate the risks of exploitation. At ActZero, we use our own maturity model to assist customers with understanding prevalent security issues, realize common mistakes, establish scope, and make targeted actionable improvements. 

It’s a cyber jungle and we strive to keep you equipped with the real-time knowledge and tools needed to not only survive but thrive. Our eBook: Foundations for Incident Response Readiness is yours for the sweet deal of free, and the guide you need to keep you geared and ready. Why wait? Download now!

Once you have mapped your controls and mitigations to the threat model, you will have a clear picture of the stages that require additional controls and mitigations to reduce exposure. Intercepting during the inception of the attack reduces the impact of the potential threat.

Threat Model Implementation

Setting security controls is a futile effort if we do not make them the standard practice of the team. That said, endeavor to validate and test implemented controls to ensure optimal performance. Only then will it yield the benefit of risk reduction. 

Explore more handy information in our white paper: Testing and Validating Maturity of Cybersecurity Programs.

Document and Communicate

Knowledge transfer is vital to continuous improvement. Communicate the final model output to leadership, risk and vulnerability management teams, Red Teams, and affiliate testing partners to help with validation, testing, and improvement. Then store on a platform that is visible and easily accessible. 

This process is not a one time deal, but iterative to ensure comprehensive security measures. Repeat the process to survey other high importance scenarios. We should amend models to stay current with technology and emerging threats. Or in case there is a need to implement controls elsewhere that could affect other scenarios. To reiterate, not one size fits all. Conduct periodic evaluations on your models to guarantee continued relevance.

Conclusion

Threat Modeling is expansive, but simple enough to apply. Get started with this free Threat Modeling exercise. With specific frameworks to draw on, and an abbreviated version to expedite progress, your organization stands to gain the benefits of ebbed gaps and vulnerabilities, and reduced risk of cyberattacks. Remember, the model is only as effective as the inserted controls, so ensure that they are specific to the threats germane to your organization.

No matter the output generated from the threat modeling process, outfitting your organization with actionable steps to take in the event of a threat or attack is imperative. Don’t go without downloading Foundations for Incident Response Readiness to access practical templates to document and operationalize your IR plans and start building strategic resiliency into your security infrastructure today. 

Cybercrime is on the rise, and much to our chagrin, cannot just be swatted away. For the sake of your reputation, revenue, and valued customer trust, you cannot afford to sit on the sidelines.