Most of the posts in the past couple of months have focused on threat modeling tools and use cases. Process-level stuff is interesting, but how do we make sure the inputs are valid? My good friend Mark and I explore that with customers during our Cisco Live interactive breakout, and the things we learn are eye-opening! You can have all the process in the world, but if the inputs are trash, so too will be the outputs. How do we get to the root of it all: What scares you most? We need to ensure we aren’t just wasting our time, right? So how do we paint a great threat picture?

What is a threat picture?

When we discussed threat modeling, there were two aspects: know yourself and know your enemy. Each of the tools we covered since mixed those in various proportions. When discussing how to “know your enemy”, we need to first figure out who that enemy is – who scares us most? A threat picture isn’t a fancy piece of art, but rather a shared understanding amongst stakeholders of exactly who and what we are most scared of. Like fingerprints and earlobes, this will be different from company to company. I used the analogy of Monsters Inc. before: every kid has that one monster that really gives them the creeps!This is key – building your threat model while ripping off someone else’s threat picture just saps resources. Your decisions and defenses will be built to counter threats that may not apply, or might not be as important.

Who makes it into the family photo?

It makes sense that this first step dictates how the modeling will go. But how do we choose who or what makes it into the picture? That depends on your own sophistication and on just how well you fit into some well-understood buckets. If you are in a market where there is a lot of variability, you will probably fare better with a bottoms-up approach to conducting threat analysis. If you are a higher profile environment, or one that is very well understood by adversaries, you might benefit from something more externally focused. Keep in mind – you can mix and match to meet in the middle here. What matters most is that your threat picture includes all of the right threats.

Bottoms-Up (or the “Look inside yourself” approach)

If you’re the type of organization that defies categorization, or are not often directly targeted for major operations, this approach is going to be important. Here we must leverage our own context rather than build the picture based on unfiltered news feeds. We (should) know what we’re protecting. We know what systems we have in place that would be worthwhile to an adversary. And we know which systems are critical to our own mission.

Based on this information, we can begin to evaluate the relative risks (impact and likelihood) of an adversary attacking and succeeding against those key elements. Sometimes you can’t put a name to the threat actor, but you understand what you hold that may be of value. In these cases, you can achieve awesome results by looking within to understand your vulnerabilities and exposure. Threat Analysis using tools like STRIDE/DREAD can give you an adversary agnostic view and evaluate based on a bottoms-up approach.

Top-Down approach

For some of you, threat analysis might be a lot easier. If you’re not in that category, count yourself lucky! Folks who predominantly use this threat analysis approach can do so because we all know who is targeting them and why. If your organization has a profile large enough that any intelligent security analyst could name or refine which adversaries might attack, you are here.

Past attacks against you or your peers offer solid material: “those baddies are not cool, we should probably account for them!” If your particular market segment has its own ISAC, then you are in this boat! Advisories from government agencies or outside help (Red Teams, consultants, vendors) might also reveal who should be in your threat picture. In most cases the threat intelligence you have on hand will be a mix of IOCs, TTPs, or threat actor names that then need to be normalized and compared against your own environment’s context.

Painting the Picture

After you’ve decided who’s in the picture, you must prioritize and analyze each of the chosen level of threats. Threat actors certainly inspire fear with their dark and sinister nicknames (Cozy Bear, Mint Sandstorm, CopyKittens, Admin@338). Butwe need something more tangible. I like to use ATT&CK Navigator to identify the TTPs each will use. Then I can weigh them in a combined matrix. If you are also taking a bottoms-up approach, you can then directly add those TTPs to that composite picture.

This threat picture doesn’t stress the Aloha Shirt adversary enough…

When you are done, you should have a matrix that stakeholders can rally around and form consensus on. Supporting documents might include a Risk matrix to help communicate the exposure of the business. You may also want to take the opportunity to assign those risks or portions of the picture for further follow-up.

By the way, this process should fit in with whatever Risk Management process the entire organization uses. The best way to ensure the non-security folks grasp the importance and impact to the business is to remove excuses. Conforming to the format other aspects of the business uses helps eliminate that potential cop-out.

Putting it all together

My brother and sister-in-law are the artists, but I consider how they break down a landscape to be similar to how we build an accurate threat picture. TTPs are the paints. Our analysis of which is more or less threatening is the weight and brush stroke. The identification and mapping of those to each portion of our environment is similar to the general composition (birds here, mountain there). The real difference? The tears threat pictures generate are by fear, not inspiration. And my works don’t hang in a place of honor but rather a PowerPoint slide printed in black & white.

Meme of famous painter Bob Ross painting a threat picture but thinking maybe Fancy Bear should be in it as a happy little accident.
Maybe our APT’s need a little friend in the picture too!

Don’t be afraid to ‘fail’. Bob Ross called these happy little accidents, and he wasn’t wrong. Much of how great threat pictures are made is through iterative processes that not only improve over time, but make the team developing them better.