Threat and Attack Modeling Can Fast Track and Evolve Your Security Program
Have you ever heard the cliché that “things will get better in time”? Well, they generally do. Once we know how to do something better, we will most likely do it better and build upon it. For example, consider the transformation and evolution of flight.
We started with a bike-like apparatus, moved on to a single-engine aircraft, to a jet, and eventually rocketed to the moon and back. Similarly, a number of remarkable security technologies and strategies have developed over the last 20 years. Yet while we don’t see remnants of the Wright brothers’ flying machine on today’s runways, many security professionals still run the same outdated security frameworks in today’s businesses. Far too many security leaders still base their security decisions on old frameworks, risk models and compliance objectives rather than on the threats they actually face.
As we continue the security journey, we should ask ourselves, what’s next? How should we evolve our thoughts, practices and execution to elevate our security programs and improve the performance of our apparatus, just like the pioneers of aviation? If I am thinking like a security pioneer, I know it is time to boldly go where few security professionals have gone. I will improve my program effectiveness, while adding some new items that make my efforts actionable and sustainable.
One of the best things an organization can do is to add threat and attack modeling to its framework. Modeling is nothing new, but unfortunately it is not used in most security organizations. Yet, it can be one of the secrets to success. In many cases it’s the key differentiator between the top security organizations regularly catching cybercriminals, versus the organizations struggling with ongoing data loss and programmatic challenges from bad actors.
The Security Journey
Threat and attack modeling is truly one of the most underused tools in information security today. Many organizations haven’t begun the journey from an ad-hoc, infrastructure and compliance-based security program to the threat-focused, risk-based, data-centric security program that is needed to cope with today’s threats.
Today’s most prevalent security programs are infrastructure-based. Infrastructure programs concentrate most of their protections in the network or on the endpoint, and typically spend something like 80 percent of the security budget on firewalls, antivirus/endpoint security and intrusion prevention systems (IPS).
When you are in the infrastructure stage of a security program’s maturity, the old “people, process and technology” decisions have historically been good enough, because back then we were pioneering. But with today’s changes in the advanced threat landscape, this type of program is going to fail. We need to innovate and evolve our programs. No amount of next-generation firewalls or next-generation IPS is going to save you.
Let’s talk about the road to business risk-based security and how threat and attack modeling will help you get there while increasing security effectiveness. Threat and attack modeling is a critical step to understanding:
- What assets are most likely to be targeted
- What the threats are to those assets
- Who the enemies are
- How attackers would infiltrate your organization
- If the attackers gained access to your assets, how they would exfiltrate the data
Each attack has phases with various decision points for infiltration and exfiltration. The stages of a typical advanced attack include criminal reconnaissance, luring the victim to click, redirecting the traffic to a malicious site, running an exploit kit, deploying a dropper file, attempting to call home to command and control, and ultimately data theft.
Once the bad guy breaks in and has your data, he has some decisions to make about how he will get it out. His options depend on your security program’s sophistication and on his own expertise and persistence. He could send the data out via email, HTTP, FTP, USB, print or secure copy (SCP). Another common cybercriminal technique is to apply custom encryption to the data before sending it out, so that content-inspection controls have nothing recognizable to match. This routinely evades the controls most companies rely on, and it is used every day to steal data from the Fortune 1000.
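The custom-encryption point is worth making concrete. The following is an added example, not code from the original article: a pattern-matching DLP check placed beside an entropy check, both run over a constructed customer export in cleartext, after a toy encryption, and after compression. Every sample record, channel name and threshold is constructed for illustration; the toy cipher only stands in for whatever the attacker uses and is not a recommendation of any kind.

```python
"""Entropy triage for outbound payloads.

Added example, not from the original article. Content-matching DLP cannot read
data an attacker encrypted before sending it, but ciphertext has a tell: its
bytes look uniformly random, so Shannon entropy approaches 8 bits per byte,
far above ordinary text. The samples, channel names and thresholds below are
constructed for illustration.
"""
import hashlib
import math
import re
import zlib
from collections import Counter

SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def naive_dlp_match(data: bytes) -> int:
    """What a pattern-based DLP rule sees: the count of SSN-shaped tokens."""
    return len(SSN_PATTERN.findall(data))


def looks_encrypted(data: bytes, min_len: int = 256, threshold: float = 7.5) -> bool:
    """True for payloads long enough to judge whose bytes are near-random.

    Caveat: compressed archives, images and media score high too. Treat a hit
    as a triage signal to combine with destination, volume and file type, not
    as proof of theft.
    """
    return len(data) >= min_len and shannon_entropy(data) >= threshold


def triage(traffic):
    """Return (channel, destination, entropy) for payloads that look encrypted."""
    return [(channel, dest, round(shannon_entropy(data), 2))
            for channel, dest, data in traffic if looks_encrypted(data)]


def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the attacker's custom encryption: a SHA-256 counter keystream
    XORed over the data. Deterministic so the demo repeats; not for real use."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(plaintext), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[offset:offset + 32], keystream))
    return bytes(out)


def build_customer_export(rows: int = 120) -> bytes:
    """Constructed CSV of fake customer records (the SSN-shaped values are synthetic)."""
    lines = ["id,name,ssn,card_last4,email"]
    for i in range(rows):
        lines.append(f"{i:05d},Customer {i},{100 + i % 800:03d}-{10 + i % 89:02d}-"
                     f"{1000 + i:04d},{4000 + i:04d},user{i}@example.com")
    return "\n".join(lines).encode()


PLAINTEXT = build_customer_export()
CIPHERTEXT = toy_stream_encrypt(b"attacker-chosen-key", PLAINTEXT)
COMPRESSED = zlib.compress(PLAINTEXT)

# Constructed outbound flows: (channel, destination, payload).
SAMPLE_TRAFFIC = [
    ("http_post", "paste.example", PLAINTEXT),
    ("ftp", "203.0.113.5", CIPHERTEXT),
    ("smtp", "mail.example.net", COMPRESSED),
]

if __name__ == "__main__":
    for label, data in (("plaintext", PLAINTEXT), ("encrypted", CIPHERTEXT),
                        ("compressed", COMPRESSED)):
        print(f"{label:10s} entropy={shannon_entropy(data):.2f} "
              f"dlp_hits={naive_dlp_match(data)} flagged={looks_encrypted(data)}")
    print("triage:", triage(SAMPLE_TRAFFIC))
```

Run stand-alone, the cleartext export lights up the SSN rule and the encrypted copy produces zero hits, which is exactly the evasion described above; the entropy check is what catches the encrypted copy instead. The compressed copy shows the weakness of the heuristic in the other direction: legitimate archives score high as well, so entropy belongs in a triage pipeline together with destination, volume and file-type context, not as a blocking rule on its own.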
Modeling often exposes the inadequacies of your current defenses. I frequently see an overinvestment in perimeter security, whether in products, testing or strategy, especially when compared with the return on controls placed closer to your data, the crown jewels of your organization. A good mix of perimeter and internal controls is the winning strategy. Remember this is a chess match and we need to protect the king.
The second biggest mistake I see is buying and deploying point solutions to prevent the advanced threat. Those point solutions put all their emphasis on just one or two of the advanced attack stages without understanding the threat lifecycle.
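One way to make the stage-by-stage view operational, as an added example that is not part of the original article: represent each attack path as an ordered list of the stages named above, map each control to the stages it can interrupt, and compute which paths a given set of controls never touches. The paths, control names and coverage sets below are constructed assumptions for illustration, not any real inventory or vendor claim.

```python
"""Attack-stage coverage model.

Added example, not from the original article. It turns the article's attack
stages into data: each attack path is the ordered list of stages an intruder
must complete, and each control is mapped to the stages it can interrupt.
Because every stage on a path is required, blocking any one of them breaks
the path. All paths, control names and coverage sets are constructed for
illustration; they are not a real organization's inventory.
"""
from itertools import combinations

# Constructed attack paths (stage names follow the article where possible).
ATTACK_PATHS = {
    "phishing_driveby": ["recon", "lure_click", "redirect", "exploit_kit",
                         "dropper", "callback", "data_theft"],
    "malicious_attachment": ["recon", "lure_click", "dropper", "callback",
                             "data_theft"],
    "stolen_credentials": ["recon", "credential_reuse", "lateral_movement",
                           "data_theft"],
    "insider_usb": ["usb_mount", "data_theft"],
}

# Constructed controls and the single stage each one (a "point solution")
# is assumed to interrupt.
CONTROLS = {
    "ngfw_ips": {"callback"},
    "url_filter": {"redirect"},
    "endpoint_av": {"dropper"},
    "awareness_training": {"lure_click"},
    "mfa": {"credential_reuse"},
    "segmentation": {"lateral_movement"},
    "device_control": {"usb_mount"},
    "egress_dlp": {"data_theft"},
}


def blocked_stages(controls, deployed):
    """Union of the stages the deployed controls can interrupt."""
    stages = set()
    for name in deployed:
        stages |= controls[name]
    return stages


def interruption_depth(path, blocked):
    """How many distinct stages of one path the deployed controls touch."""
    return len(set(path) & blocked)


def uninterrupted_paths(paths, controls, deployed, min_depth=1):
    """Paths interrupted at fewer than min_depth stages.

    min_depth=1 asks "can the attacker get through at all?"; min_depth=2 asks
    for defense in depth, so one evaded control does not mean a lost path.
    """
    blocked = blocked_stages(controls, deployed)
    return sorted(name for name, path in paths.items()
                  if interruption_depth(path, blocked) < min_depth)


def stage_criticality(paths):
    """Stages ranked by how many paths pass through them.

    A stage shared by every path is the single best interruption point.
    """
    counts = {}
    for path in paths.values():
        for stage in set(path):
            counts[stage] = counts.get(stage, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def minimal_control_set(paths, controls, min_depth=1):
    """Smallest set of controls that leaves no path under-covered.

    Exhaustive search over combinations, which is fine for a model of this
    size; returns None if even every control together is insufficient.
    """
    names = sorted(controls)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if not uninterrupted_paths(paths, controls, combo, min_depth):
                return list(combo)
    return None


if __name__ == "__main__":
    infra_stack = ["ngfw_ips", "endpoint_av"]
    print("Paths the infrastructure stack never touches:",
          uninterrupted_paths(ATTACK_PATHS, CONTROLS, infra_stack))
    print("Stage criticality:", stage_criticality(ATTACK_PATHS))
    print("Minimal set, depth 1:", minimal_control_set(ATTACK_PATHS, CONTROLS))
    print("Minimal set, depth 2:", minimal_control_set(ATTACK_PATHS, CONTROLS, 2))
```

In this constructed model the classic infrastructure pairing of IPS plus antivirus never touches the stolen-credential and USB paths, which is the point-solution problem in miniature. Asking for a single interruption per path is answered by the one control nearest the data, while asking for two per path forces controls at different stages, which is where the model starts to drive investment decisions rather than confirm existing ones.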
After identifying the top threats, you can logically begin breaking down what the specific steps of each attack will look like. If you interrupt any one of the stages, you interrupt the whole attack. Understanding the threat is also the best guide to deciding which areas you want to assess. Stay tuned, as I’ll detail the six steps of successful threat modeling in my next article.