The ever-increasing number of breaches and hacks of small and medium-sized businesses (SMBs) make cybersecurity a top concern in today’s IT world. As organizations evolve as software consumers, push to work remotely, and operate predominantly in the cloud, the likelihood and impact of security breaches increase exponentially. While there is an abundance of defense and countermeasures available to defend against these attacks, finding the right formula is often complicated and burdensome. In this post we’ll discuss cybersecurity threat modeling as part of an effective risk management activity for small business.
What is Cybersecurity Threat Modeling?
The National Institutes of Standards and Technology (NIST) defines “threat” as “Any circumstance or event with the potential to adversely impact organizational operations, assets, or individuals”. In other words, a threat is a scenario that may result in harm to something the organization values. The likelihood and magnitude of that harm equate to risk.
Threat modeling is a way that organizations can better understand the threats that contribute to cybersecurity risk, whether they come from external bad actors, malicious insiders, or by accident. Cybersecurity threat modeling involves small businesses establishing a structured process through which cybersecurity and IT professionals can identify potential threat vectors and attack paths, quantify the impact of those threats, and prioritize techniques to mitigate or eliminate possible attacks. When conducting threat modeling, organizations thoroughly analyze the network architecture, system baselines, and company policy (e.g., Acceptable Use Policy).
The purpose of threat modeling is to identify various threat agents that can harm an application, computer system, and network infrastructure from a holistic perspective. Traditionally the threat modeling process is conducted during the system design stage; however, it can be integrated at any point where a network baseline or policy is modified so that system administrators can be mindful of the security implications of their actions. Some formal threat modeling methods include VAST, STRIDE, PASTA, and attack mapping. The method employed depends on the system being protected, but all these methods share a common phased approach. Generally, small business cybersecurity threat modeling has four phases:
- Set objectives: What are the small business’s confidentiality needs, operational requirements, and compliance constraints?
- Inventory and prioritization: What are the critical assets, and how is the network structured?
- Identify threats: What are possible ways to attack the assets?
- Threat countermeasure design: What strategies are selected to mitigate or eliminate the attacks?
First: Set Business Objectives
First we must ascertain the business objectives of the organization’s network, define the criticality of the assets that need to be protected, and identify any government or business cybersecurity compliance requirements. Furthermore, having a sense of fiscal controls and timeline objectives will help frame a comprehensive action plan in the following steps. Establishing these objectives and needs before the threat assessment phase will help us evaluate the impact of any threat we find during the risk analysis process. Clear objectives help streamline the overall threat modeling activity and determine how much effort to spend on the subsequent steps. Following are a few questions that can be answered to set threat modeling objectives:
- What level of confidentiality is required, and is there a compliance standard that needs to be met?
- For example, is it imperative that certain proprietary information never be shared with anyone outside the organization?
- What are the overall expectations of network or system availability during and after a threat detection?
- For example, if a malware threat is detected, can the organization handle shutting the network down temporarily to ensure the malware doesn’t spread?
- What resources (e.g., manpower, budget) can be reasonably allocated to mitigating a threat?
- Does the organization handle cybersecurity internally, or are cyber capabilities outsourced?
Second: Inventory Assets
An adversary’s main objectives are to shut our business down by preventing us from accessing our valuable or sensitive assets or stealing them outright. Valuable assets include information, operational equipment, security technology, confidential client information, user account credentials, etc. Anything that impacts our company’s ability to generate profit is considered an asset. In that sense, we will need to know exactly what devices reside inside our company’s environment, especially those that process valuable data. We believe inventorying our assets is such a high priority that it is listed as the number one safeguard in the Totem Top 10.
Third: Identify Threats
In this phase, we should do a little bit of research into the most significant threats for our specific industry. For example, in the healthcare industry, we need to worry about sensitive patient health information being disclosed without patient authorization. Different industries encounter various other threats; therefore, we must form a standard list of possible threat events facing our organization. This list should include at a minimum:
- Social Engineering
- Unauthorized access to data or system
- Unauthorized use of data or system
- Unauthorized disclosure of data
- Disruption of data or system availability
- Unauthorized modification of data or system
- Unauthorized destruction/loss of data or system
Ideally, we’ll want to spend more time and manpower securing the most valuable assets against the most impactful threats. Therefore, once we identify our organization’s assets and threat events, we recommend visualizing impact in a threat impact matrix. The following table shows a broad-stroke example of a threat impact matrix, which helps set the stage for a qualitative risk assessment. For a more in-depth discussion on risk assessments, including a copy of Totem’s “Assumed Risk”™ cybersecurity risk assessment template, see our blog An “Assumed Risk” Approach to Small Business Qualitative Cybersecurity Risk Assessment.
As our organization’s cyber risk management ability improves, however, we’ll want to get more sophisticated with our threat identification. Attack Trees provide a more mature threat identification technique.
Using Attack Trees for Cybersecurity Threat Modeling for Small Business
Attack Trees provide a formal and systematic way of illustrating the how a system could be threatened or attacked. The tree structure represents multiple avenues of attacks against a system. The root node represents the attacker’s goal, and different ways of achieving that goal are child nodes. Each child node represents a condition that makes the parent node a possibility. These child nodes can further branch into “AND” and “OR” states.
Let’s look at an Attack Tree example for an adversary attempting to access an email exchange server.
1) Identify the method (child node) that can be used to access the objective (root node). The tactics listed in the image below the four of the most prominent attack methods according to the 2021 Verizon Data Breach Investigations Report (DBIR) and the FBI Internet Crime Report (ICR). One thing to note, this is just a sample attack tree. There is most certainly a multitude of other ways to exploit an email server. (Another potential resource is the MITRE ATT&CK framework, which lists 400 different attack methods used by adversaries; while this resource is complicated, it is also comprehensive.)
2) As we analyze the threat, continue working through the tree and build out the tactics to develop specific paths to achieve the goal.
- Some methods to access the email server only require a single tactic to be successful. For example, any lower child nodes to social engineering can be leveraged to satisfy the method to access the email server.
- The example “AND” node indicates that access is required for both the server room and server cabinet (rack) to succeed. In other words, if an attacker has a key to the server cabinet yet can’t access the server room itself, they don’t have physical access to the server and vice versa.
3) Once the basic tree is created, you can assign Likely (L), and Unlikely (U) states to the various child nodes.
- Roughly assign the likelihoods based on resources like the Verizon DBIR, FBI ICR, Ponemon Institute, etc.
- Use a dotted line to show all “Unlikely” paths, therefore emphasizing the more probable methods.
- For example, most of us won’t have backdoors in our servers or have our specific server credentials shared on the dark web, so we can mark those threats with a “U”.
4) While adding the binary values of “Likely” and “Unlikely,” using industry resources like those mentioned above, try to add precise percentages to the attack methods to further pare down the tree. As a reminder, this is just a sample attack tree; therefore, these numbers are merely assumptions based on a cursory look at the previously mentioned sources.
We can see that by adding percentages, Credential Harvesting through Phishing is clearly the most likely threat event. We can now focus resources towards mitigating that threat and remediating the vulnerabilities that may be exploited during the attack. We mitigate by developing countermeasures. Countermeasures, in this case, would probably include implementing effective cybersecurity user training.
Last: Threat Countermeasure Design
After we have determined which aspects of your organization might be attacked, we should take steps to mitigate those threats—that is, to make them less damaging. Keep in mind no individual countermeasure can stop all threats to an organization.
Countermeasures can be identified and designed by mapping out threat scenarios, or “attack paths”, that could exploit vulnerabilities. We’ll wrap up by describing a method of countermeasure identification and design: use to misuse cases.
Use to Misuse Cases
In addition to Attack Trees, another way to map out an attack is through “Use to Misuse” Cases. Use to Misuse Case diagrams show how the system should be used, and also how the system might be misued by an adversary or threat actor. The added benefit of Use to Misuse mapping is that you can overlay countermeasures and visualize how the threat or attack could be thwarted.
The following image maps out how an adversary might use brute force techniques to attack user authentication, i.e. entering a username and password. The various “includes” or nodes of the brute force threat are mitigated when the application server leverages several mitigation tactics included in the authentication cycle, such as locking out an account after a predefined number of failed login attempts.
By the way, the NIST 800-171 standard that DoD contractors are required to implement to protect Controlled Unclassified Information (CUI) requires us to engage two of the mitigators identified in the image above:
- Password length and complexity, and,
- Account lockout
When viewed from the perspective of threat mitigation, you can see why NIST 800-171 and the DoD Cybersecurity Maturity Model Certification (CMMC) includes so many requirements: the DoD wants us to put up a multi-layered defense against various adversarial threat and attack techniques.
Wrapping up Cybersecurity Threat Modeling for Small Business
Threat modeling provides a formal methodology for analyzing the security of systems and subsystems. It offers a holistic way to think about cybersecurity and respond to changes in cybersecurity from a threat-based perspective. Cybersecurity is not a product — it’s a process. Small business cybersecurity threat modeling doesn’t have to be complicated, and it can help form the basis of understanding that process.
If you’d like some help kicking off a threat modeling program for your specific organization, drop us a line! If you’re a DoD contractor interested in how threat modeling can enhance your CMMC-compliant cybersecurity program, come attend one of our Workshops.
Keep moving forward with your head on a swivel!