After spending some time working with the ATT&CK threat model, which is primarily aimed at modeling threats from a systems perspective, I have been wondering what other frameworks are available to model threats from an organisational or business unit perspective and that can also support the integration with ATT&CK.
The following document:
describes the practical application of a threat model for an organization in the financial services sector. The threat model used to describe the practical application is defined in the following document.
While the second document defines the threat model to apply, the first provides a practical example of applying it. Both documents are of particular interest if you want to understand how threat modeling happens above the system level. Additionally, the model supports the following use cases:
- Cybersecurity technology foraging
- Cybersecurity test case development for technology validation
- Cyber wargaming scenario development
Last but not least, it is also of particular interest to the Cyber Threat Intelligence community, especially those in a strategic or risk role, as it demonstrates the interconnection between the Cyber Risk Management and Cyber Threat Intelligence disciplines.
From a practical standpoint, the technical reports follow these steps to apply the Enterprise Threat Model:
- Create a business enclave view to map the relationships between business applications and the network architecture
- Create the inherent risk profile (using the FFIEC CAT)
- Map the cybersecurity controls and defense capabilities in place across the organization
- Apply the Enterprise Threat Model (mapping the threat events to business networks and enclaves)
- Build an attack scenario for a particular business network or enclave against the threat model and the technology and operations construct of the identified business unit. This is the step where ATT&CK is used to model an APT as a potential scenario. The results of this step provide an assessment of the cyber defensive technology and processes in place, and support informed choices about acquiring new solutions or addressing existing gaps in the control posture.
This model allows the defensive suite of an enterprise to be mapped against its high-level network topology and business lines. At the same time, the defensive suite can be mapped against the threat events to identify whether, and how, they are mitigated by the current defensive mechanisms. Threat events that are not mitigated, or only partially mitigated, are residual risks, and they represent an opportunity for the adversary. Identifying this residual risk can guide decisions such as updates to the organization's control posture, technology foraging, cyber wargaming, and risk analysis.
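To make the steps above and the residual-risk idea concrete, here is a small added example (my own illustration, not code from the MITRE reports or from ATT&CK) that represents one business enclave, the controls in place in it (each tagged with the ATT&CK mitigation it implements and the techniques the assessor judges it to cover), and the threat events mapped to that enclave. It then computes, per threat event, whether the current defensive mechanisms fully mitigate it, partially mitigate it, or leave it uncovered. The enclave, its applications, the "Significant" FFIEC CAT inherent-risk rating, the control-to-technique assignments and their "full"/"partial" effectiveness are all constructed sample values; the technique and mitigation identifiers are real ATT&CK IDs, but which mitigation covers which technique in a given enclave is an assessor's judgement and should be taken from the ATT&CK knowledge base and your own control evaluation, not from this toy.

```python
"""Toy enterprise threat model: enclave -> controls -> threat events -> residual risk.

Added example, not part of the original post or the MITRE reports.
All enclave, control and threat-event data below is constructed for illustration.
"""
from dataclasses import dataclass

FULL, PARTIAL, NONE = "full", "partial", "none"


@dataclass(frozen=True)
class Control:
    name: str
    mitigation_id: str      # ATT&CK mitigation ID this control implements (e.g. M1032)
    techniques: frozenset   # ATT&CK technique IDs the assessor judges it to cover
    effectiveness: str      # FULL or PARTIAL, as judged during the controls mapping step


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    techniques: frozenset   # ATT&CK techniques the adversary needs to realise this event


@dataclass(frozen=True)
class Enclave:
    name: str
    applications: tuple     # business applications hosted in the enclave
    inherent_risk: str      # FFIEC CAT inherent risk level (Least .. Most)
    controls: tuple
    threat_events: tuple    # threat events mapped to this enclave by the model


def technique_coverage(enclave: Enclave, technique: str) -> str:
    """Best coverage any control in the enclave gives for one technique."""
    best = NONE
    for control in enclave.controls:
        if technique in control.techniques:
            if control.effectiveness == FULL:
                return FULL
            best = PARTIAL
    return best


def assess_event(enclave: Enclave, event: ThreatEvent):
    """Classify a threat event against the enclave's defensive suite."""
    coverage = {t: technique_coverage(enclave, t) for t in sorted(event.techniques)}
    if all(v == FULL for v in coverage.values()):
        status = "mitigated"
    elif all(v == NONE for v in coverage.values()):
        status = "unmitigated"
    else:
        status = "partially mitigated"
    return status, coverage


def residual_risk(enclave: Enclave) -> dict:
    """Threat events that are not fully mitigated, with the techniques left uncovered."""
    result = {}
    for event in enclave.threat_events:
        status, coverage = assess_event(enclave, event)
        if status != "mitigated":
            gaps = sorted(t for t, v in coverage.items() if v != FULL)
            result[event.name] = {"status": status, "gaps": gaps}
    return result


# Constructed sample enclave (hypothetical organisation, hypothetical control judgements).
ONLINE_BANKING = Enclave(
    name="Online banking",
    applications=("Customer web portal", "Payments API"),
    inherent_risk="Significant",
    controls=(
        Control("MFA on all interactive logons", "M1032", frozenset({"T1078"}), FULL),
        Control("Phishing awareness training", "M1017", frozenset({"T1566"}), PARTIAL),
        Control("Offline backups of web tier", "M1053", frozenset({"T1486"}), PARTIAL),
    ),
    threat_events=(
        ThreatEvent("Credential phishing of support staff", frozenset({"T1566", "T1078"})),
        ThreatEvent("Ransomware on the web tier", frozenset({"T1486"})),
        ThreatEvent("Credential dumping on domain controllers", frozenset({"T1003"})),
    ),
)

if __name__ == "__main__":
    print(f"Enclave: {ONLINE_BANKING.name} (inherent risk: {ONLINE_BANKING.inherent_risk})")
    for name, finding in residual_risk(ONLINE_BANKING).items():
        print(f"  {name}: {finding['status']}; uncovered techniques: {finding['gaps']}")
```

The output of `residual_risk` is the list the reports use to drive the later decisions: a fully uncovered technique (T1003 here) is a candidate for technology foraging or a new acquisition, while partially covered events are the natural input for a wargaming or test-case scenario that checks whether the partial control actually holds under an ATT&CK-modelled APT.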
The model supports the three levels of cyber threat modeling; however, it has its limitations, as it does not contemplate cloud computing. It is just a matter of time until the cyber community gains more experience with attack patterns and techniques against the cloud; the community repositories of attack information will then grow in this area, and that knowledge can be incorporated into this framework to model scenarios that include cloud environments.