Threat and Risk Modelling

65 Terms

1
What is threat modelling
The process of identifying, exploring and prioritising threats: taking a hypothetical attacker's perspective and using models of the system, the attacker and the attacks to find security problems before they are exploited.
2
What does threat modelling allow us to do
  • Analyse the attacker profile (goals), the attack vectors (the steps they follow) and the assets the attacker wants.

  • Identify high-value assets.

  • Identify vulnerabilities.

  • Identify the threats most relevant to the organisation's sector (e.g. finance, healthcare).

  • Surface attack vectors that would otherwise go unnoticed, such as supply chain attacks and other indirect attacks.

3
Who is involved in understanding the full complexity of threats
No single expert can cover every domain, so the work is split across roles.

  • Red team: attacks the system under agreed rules of engagement; they still work for the organisation.

  • Blue team: defends the system against the red team and mitigates the problems found.

  • Specialised security experts for particular domains (e.g. physical infrastructure, human factors, building architecture, networks).

4
When building a threat model, what needs to be considered
  • What are you building or analysing: network, system, application architecture.

  • What can go wrong: identify threats (e.g. DDoS).

  • What can be done about it: risk analysis (quantitative and qualitative), countermeasures, controls.

5
How does threat modelling relate to the risk register
  • Threat modelling happens first, to identify the assets and the threats to them.

  • Each asset-threat pair is then prioritised from most to least important.

  • Once prioritised, the full risk register (with likelihood, impact and owner for each risk) can be developed.

6
What are the different threat modelling approaches
  • Model the system being attacked.

  • Model the attacker.

  • Model the threats and attack vectors.

7
How can the system being attacked be modelled
  • Network diagram.

  • Data flow diagram (DFD), starting at context level and refining as needed.

  • Software diagram of the architecture or code.

8
How can the attacker be modelled
Persona non Grata (PnG).

9
How can the threats be modelled
  • STRIDE model.

  • MITRE ATT&CK, mapping techniques to the attack vectors.

  • Attack trees.

10
How do we choose a threat modelling approach
Choose based on the type of system, the level at which it is being analysed (network, application, people) and the business context.

  • Approaches can also be combined for better coverage, e.g. a PnG to frame the attacker, STRIDE over the DFD, and an attack tree for the highest-priority goal.

11
What are the basic steps of threat modelling
  1. Produce a visual representation of the organisation's current situation (e.g. a network diagram).

  2. Review threat intelligence that may highlight threats to the elements of that diagram.

  3. Identify possible techniques (e.g. via the MITRE ATT&CK matrix).

  4. Carry out risk analysis against the CIA triad and create a risk register with mitigations.

  5. Select controls (e.g. from MITRE ATT&CK mitigations, SANS) to minimise impact and ensure business continuity.

12
Can the threat modelling process be automated
Only partly. Tooling can capture DFDs and enumerate candidate threats per element, but deciding which threats actually apply, how severe they are and what to do about them still needs human judgement.
13
What happens after threat modelling has identified the threats
The resulting cyber threat intelligence (CTI) needs to be shared.
14
Why does cyber threat intelligence need to be shared
Cybercrime observed in one location can quickly spread to other organisations worldwide; sharing gives others time to prepare.
15
How can cyber threat intelligence be shared
It must be described in a standardised, machine-readable way so that other businesses can understand, analyse and prepare responses to it.
16
What standards are there to describe threats
  • STIX (a standardised language and format).

  • MISP (a sharing platform with its own structured event format).

17
How can a threat model be validated and assessed once it is described
By testing and simulating the controls and countermeasures (e.g. simulating an attack with a computational simulation).
18
What can threats include
Fire, flood, hurricane, cyberattack, sabotage. They are not independent: one threat can lead to another (e.g. a flood that takes out the data centre also removes logging and monitoring).
19
How can threats vary
By which property of the CIA triad (confidentiality, integrity, availability) they aim to compromise.
20
How does a threat occur
A threat materialises when one or more attacks that exploit it actually take place.
21
What needs to be considered when a threat is found or taking place
  • How to apply controls or countermeasures that address the vulnerabilities or mitigate the effects of the threat.

  • The impact of the threat, and whether it is severe enough to justify further security measures.

22
What are the different types of threats
  • External threats.

  • Internal threats.

  • Structured threats.

  • Unstructured threats.

23
Who are the threat agents in external threats
  • Hackers: technically skilled individuals who make systems behave in ways their owners did not intend.

  • Phishers: use email (or other messages) to trick users into giving up sensitive information.

  • White hats: find vulnerabilities and report them to the owners.

  • Black hats: find vulnerabilities and break into systems without authorisation.

24
Who are the threat agents in internal threats
  • System administrators.

  • Employees (and, by extension, contractors with the same access).
25
Who are the threat agents in structured threats
Highly motivated and technically competent individuals operating like a business unit, planning their attacks to maximise profit.
26
Who are the threat agents in unstructured threats
Inexperienced individuals who make use of existing tools and exploits.
27
How can threats be identified and understood
Through threat modelling.
28
Why is the relationship between threats and risk complex
Because the threat landscape keeps changing, and the same threat carries a different risk (likelihood and impact) depending on the organisation's assets, exposure and existing controls.
29
What is a Persona non Grata (PnG)
An archetype of a possible attacker: an aggregate of attackers who share common behavioural characteristics and skills, written up as a dummy persona with

  • a name,

  • attributes and skills,

  • goals,

  • the misuse activities they would carry out, described from the system's perspective.

30
How can PnGs be used
  • To put controls in place specifically against these archetypes.

  • When mapping social engineering threats, where the attacker's motivation and skills matter more than any one technical weakness.
31
What data can be used to produce a PnG
  • Employee data.

  • Databases and threat intelligence reports.

  • News on emerging threat types.
32
What are the pros of PnG
Ideal for early analysis and for building a common understanding across the team of who the potential attackers are.
33
What are the cons of PnG
Can focus too narrowly on a subset of threat types, so other potential threats may be missed.
34
What is the STRIDE model
A threat modelling approach, developed at Microsoft, comprising six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Each category is the violation of one security property.
35
What are the cons of STRIDE
  • Relies on staff expertise and on accurate data flow diagrams; errors in the DFD lead to inaccurate modelling.

  • Requires more training effort.

36
What is Spoofing (S)
A rogue person or program impersonating another legitimate user or program.

  • Violates authentication.
37
What is Tampering (T)
Illegitimate modification of application resources, such as in-memory data, files or data in transit.

  • Violates integrity.
38
What is Repudiation (R)
A user denying that they performed an action within the system, and the system being unable to prove otherwise.

  • Violates non-repudiation (the need for reliable audit logging).
39
What is Information Disclosure (I)
Access to private information by an unauthorised agent.

  • Violates confidentiality.
40
What is Denial of Service (D)
Making a system resource unavailable to its intended users.

  • Violates availability.
41
What is Elevation of Privilege (E)
Gaining a level of access to protected resources that the user or program should not have.

  • Violates authorisation.

42
How to use the STRIDE model
  1. Identify and visualise the system (e.g. a digital publishing system).

  2. Assess the DFD elements (external entities, processes, data flows, data stores) or directly list the assets (e.g. server, WiFi access point).

  3. Fill in a STRIDE table with a column for each STRIDE category and a row for each element, and tick the threats that apply to that element.

  4. Write down and justify all assumptions.
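
The STRIDE table from the procedure above, as an added example (not from the original page). It applies the STRIDE-per-element rule of thumb (external entities: S and R; processes: all six; data flows: T, I, D; data stores: T, I, D, plus R when the store holds audit logs) to a constructed DFD of a hypothetical digital publishing system, and prints the table together with the recorded assumptions. The element names and assumptions are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories normally apply to each DFD element type.
APPLICABLE = {
    "external_entity": set("SR"),
    "process": set("STRIDE"),
    "data_flow": set("TID"),
    "data_store": set("TID"),   # plus R when the store is an audit log
}


@dataclass
class Element:
    name: str
    kind: str                                  # a key of APPLICABLE
    holds_audit_log: bool = False              # data stores only
    assumptions: List[str] = field(default_factory=list)


def threats_for(el: Element) -> set:
    """STRIDE letters that apply to one element."""
    letters = set(APPLICABLE[el.kind])
    if el.kind == "data_store" and el.holds_audit_log:
        letters.add("R")                       # tampering with or losing the log
    return letters


def stride_table(elements: List[Element]) -> Dict[str, Dict[str, bool]]:
    """The ticked table: {element name: {letter: applies?}}."""
    return {el.name: {c: c in threats_for(el) for c in "STRIDE"} for el in elements}


def render(elements: List[Element]) -> str:
    """Text rendering of the table plus the assumptions that justify it."""
    table = stride_table(elements)
    width = max(len(n) for n in table)
    lines = [f"{'Element':<{width}}  " + "  ".join("STRIDE")]
    for name, row in table.items():
        ticks = "  ".join("x" if row[c] else "." for c in "STRIDE")
        lines.append(f"{name:<{width}}  {ticks}")
    lines += ["", "Assumptions:"]
    for el in elements:
        for a in el.assumptions:
            lines.append(f"- {el.name}: {a}")
    return "\n".join(lines)


# Constructed DFD for a hypothetical digital publishing system (not a real product).
DIGITAL_PUBLISHING = [
    Element("Author (browser)", "external_entity",
            assumptions=["Authors authenticate with a password only; no MFA."]),
    Element("Web app", "process"),
    Element("Author -> Web app (HTTPS)", "data_flow",
            assumptions=["TLS is terminated at the web app itself, not at a proxy."]),
    Element("Article DB", "data_store"),
    Element("Audit log store", "data_store", holds_audit_log=True,
            assumptions=["Logs are append-only for the web app's service account."]),
]

if __name__ == "__main__":
    print(render(DIGITAL_PUBLISHING))
```

Each tick is a candidate to assess, not a confirmed risk: the next step is to decide, per ticked cell, whether an existing control already covers it and to record that decision alongside the assumptions.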

43
What are attack trees
One of the oldest and most widely used threat modelling techniques (popularised by Bruce Schneier): a visual, tree-shaped representation of how an attacker might compromise a system or asset.
44
How are attack trees structured
The root node is the attacker's goal; its children are the sub-goals or steps that achieve it, refined level by level until the leaves are concrete attack actions.

  • OR nodes: any one child is enough to achieve the parent.

  • AND nodes: all children are required.

  • Leaves can be annotated (e.g. cost, probability, required skill) so that the cheapest or most likely path to the root can be found, and the effect of a control can be seen by removing the leaves it blocks.
45
What are the pros of attack trees
Easy to understand and to explain to non-specialists.
46
What are the cons of attack trees
  • Relies on the expertise of staff to enumerate the attack steps.

  • More effort is required to train the staff on the hardware and software of the system.
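
An attack tree with AND/OR nodes, as an added example (not from the original page), showing the structure described in the cards above. It finds the attacker's cheapest path and the probability that the root goal is reached, then re-evaluates after a control blocks some leaves. The tree, costs and probabilities are constructed for illustration; the probability calculation assumes the leaf steps are independent.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    goal: str
    op: str = "OR"                      # "OR": any child suffices; "AND": all needed
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0                   # leaves only: attacker effort (e.g. person-days)
    prob: float = 1.0                   # leaves only: chance the step succeeds
    mitigated: bool = False             # leaves only: a control blocks this step


def leaf(goal: str, cost: float, prob: float) -> Node:
    return Node(goal, cost=cost, prob=prob)


def min_cost(n: Node) -> Optional[float]:
    """Cheapest attacker cost to achieve n, or None if every path is blocked."""
    if not n.children:
        return None if n.mitigated else n.cost
    costs = [min_cost(c) for c in n.children]
    if n.op == "OR":
        feasible = [c for c in costs if c is not None]
        return min(feasible) if feasible else None
    return None if any(c is None for c in costs) else sum(costs)


def success_prob(n: Node) -> float:
    """Probability the goal at n is achieved (independent steps)."""
    if not n.children:
        return 0.0 if n.mitigated else n.prob
    ps = [success_prob(c) for c in n.children]
    if n.op == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    p_fail = 1.0                         # OR: fails only if every child fails
    for x in ps:
        p_fail *= 1.0 - x
    return 1.0 - p_fail


def mitigate(n: Node, goal: str) -> None:
    """Mark every leaf with this goal as blocked by a control."""
    if not n.children:
        if n.goal == goal:
            n.mitigated = True
        return
    for c in n.children:
        mitigate(c, goal)


def render(n: Node, depth: int = 0) -> str:
    tag = f" [{n.op}]" if n.children else ""
    blocked = " (mitigated)" if n.mitigated else ""
    line = "  " * depth + f"- {n.goal}{tag}{blocked}"
    return "\n".join([line] + [render(c, depth + 1) for c in n.children])


def build_tree() -> Node:
    # Constructed tree for a hypothetical publishing system; numbers are illustrative.
    return Node("Read unpublished articles", "OR", [
        Node("Log in as an editor", "OR", [
            leaf("Phish editor credentials", cost=2, prob=0.3),
            leaf("Credential stuffing from a breach dump", cost=1, prob=0.1),
        ]),
        Node("Steal the database", "AND", [
            leaf("Get a foothold on the DB host", cost=5, prob=0.2),
            leaf("Exfiltrate the dump unnoticed", cost=3, prob=0.5),
        ]),
    ])


if __name__ == "__main__":
    t = build_tree()
    print(render(t))
    print("min cost:", min_cost(t), " p(success):", round(success_prob(t), 3))
    # Control: phishing-resistant MFA removes both credential-based leaves.
    mitigate(t, "Phish editor credentials")
    mitigate(t, "Credential stuffing from a breach dump")
    print("after MFA -> min cost:", min_cost(t), " p(success):", round(success_prob(t), 3))
```

The before/after comparison is the useful output: a control is worth adding when it removes the cheapest path, not merely a path.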

47
What is STIX
Structured Threat Information Expression.

  • A standardised language and (since STIX 2) JSON-based format for exchanging cyber threat intelligence, normally transported using the TAXII protocol.
48
What can be done with a STIX file
Visual models of threats (graphs of actors, malware, indicators and targets) can be generated from the STIX JSON.

  • A bundle's "objects" array holds every STIX Domain Object (threat-actor, malware, identity, indicator, ...) together with the Relationship objects that link them; each relationship carries a source_ref and a target_ref, so the file maps directly onto nodes and edges.

https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile
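
Reading a STIX 2.1 bundle into nodes and edges, as an added example (not from the original page or the OASIS documentation). It builds a small constructed bundle (a threat actor attributed to an identity and using a malware; the UUIDs and names are made up), checks that every relationship resolves, summarises the actor's profile, and emits Graphviz DOT for a visual model.

```python
import json
from typing import Dict, List, Tuple

STAMP = "2024-01-01T00:00:00.000Z"   # constructed timestamp


def sdo(sid: str, **props) -> dict:
    """Minimal STIX 2.1 object: the common properties plus type-specific ones."""
    return {"type": sid.split("--")[0], "spec_version": "2.1", "id": sid,
            "created": STAMP, "modified": STAMP, **props}


# Constructed identifiers (made up for this example; not real threat intel).
ACTOR_ID = "threat-actor--1e3d5a7c-0000-4000-8000-000000000001"
IDENT_ID = "identity--1e3d5a7c-0000-4000-8000-000000000002"
MALW_ID = "malware--1e3d5a7c-0000-4000-8000-000000000003"

BUNDLE = {
    "type": "bundle",
    "id": "bundle--1e3d5a7c-0000-4000-8000-000000000000",
    "objects": [
        sdo(ACTOR_ID, name="Hypothetical Crew", threat_actor_types=["crime-syndicate"],
            sophistication="expert", goals=["Steal payment card data"]),
        sdo(IDENT_ID, name="Hypothetical Crew", identity_class="organization"),
        sdo(MALW_ID, name="example-backdoor", is_family=False, malware_types=["backdoor"]),
        sdo("relationship--1e3d5a7c-0000-4000-8000-000000000004",
            relationship_type="attributed-to", source_ref=ACTOR_ID, target_ref=IDENT_ID),
        sdo("relationship--1e3d5a7c-0000-4000-8000-000000000005",
            relationship_type="uses", source_ref=ACTOR_ID, target_ref=MALW_ID),
    ],
}
BUNDLE_JSON = json.dumps(BUNDLE, indent=2)      # what a TAXII collection would return

Edge = Tuple[str, str, str]                       # (source_ref, relationship_type, target_ref)


def parse_bundle(text: str) -> Tuple[Dict[str, dict], List[Edge]]:
    """Split a bundle into domain objects (nodes) and relationships (edges)."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    nodes = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = [(o["source_ref"], o["relationship_type"], o["target_ref"])
             for o in bundle["objects"] if o["type"] == "relationship"]
    return nodes, edges


def dangling_refs(nodes: Dict[str, dict], edges: List[Edge]) -> List[Edge]:
    """Relationships whose endpoints are not present in the bundle."""
    return [e for e in edges if e[0] not in nodes or e[2] not in nodes]


def actor_profile(nodes: Dict[str, dict], edges: List[Edge], actor_id: str) -> dict:
    """Profile of one threat actor: its own properties plus what it is linked to."""
    actor = nodes[actor_id]
    profile = {"name": actor["name"], "goals": actor.get("goals", []),
               "sophistication": actor.get("sophistication")}
    for src, rel, dst in edges:
        if src == actor_id and dst in nodes:
            profile.setdefault(rel, []).append(nodes[dst]["name"])
    return profile


def to_dot(nodes: Dict[str, dict], edges: List[Edge]) -> str:
    """Graphviz DOT source: one node per object, one labelled edge per relationship."""
    lines = ["digraph stix {"]
    for sid, o in nodes.items():
        lines.append(f'  "{sid}" [label="{o["type"]}\\n{o.get("name", sid)}"];')
    for src, rel, dst in edges:
        lines.append(f'  "{src}" -> "{dst}" [label="{rel}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nodes, edges = parse_bundle(BUNDLE_JSON)
    print("dangling:", dangling_refs(nodes, edges))
    print(actor_profile(nodes, edges, ACTOR_ID))
    print(to_dot(nodes, edges))
```

Feed the DOT output to `dot -Tpng` to get the picture; the dangling-reference check matters in practice because a feed may legitimately ship relationships whose endpoints arrived in an earlier bundle.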

49
What is TAXII
Trusted Automated eXchange of Intelligence Information.

  • An application-layer protocol for exchanging CTI over HTTPS; it carries STIX content but is independent of it.
50
How does TAXII work
  1. Organisations publish new threat objects to collections on a TAXII server.

  2. Other organisations poll those collections (or have updates pushed to them) and receive the STIX bundles.

  3. Access is via the REST API directly or through compatible software such as a threat intelligence platform or SIEM.

51
What is MISP
Malware Information Sharing Platform.

  • An open source threat intelligence platform that organisations use to store, share and receive information about malware, threats and vulnerabilities in a structured way.
52
How does MISP work
MISP organises threat data into Events made up of Attributes (e.g. IPs, URLs, hashes), enriched with Tags, Galaxies (such as MITRE ATT&CK) and Objects. Data is ingested manually or through automation (APIs, parsers), shared between MISP instances under configurable sharing rules, and integrated with security tools via its API and scripts (e.g. PyMISP).
53
What are computational simulations in risk modelling
Turning the threat and risk models into computational models: transferring what we know about the threat and the risk into an active simulation whose behaviour can be observed and measured.
54
What is one approach to computational simulation
Agent-Based Simulation (ABS).
55
What is Agent-Based Simulation (ABS)
A simulation in which agents are programmed to behave and interact with each other and with their environment according to predefined rules.
56
What does ABS consist of
  • Agents.

  • Environments.

  • Behaviour.

  • Baselining.
57
What is an agent in ABS
An autonomous entity capable of independent action.
58
What is the agent's role in ABS
Many interacting agents form a system with emergent properties. Each agent acts on if-then rules, and its properties and actions can be defined and changed.

  • e.g. agents may cluster together or multiply in some way

  • e.g. a malware agent deletes files when it enters a host

59
What can agents model in ABS
  • Specific attacks (e.g. a virus or other malware).

  • Attackers and defenders.

  • Phishing emails.

  • Hardware and software elements.
60
What can environments model in ABS
  • Geography.

  • Networks.

  • Buildings.

  • Office layouts.

61
What is behaviour in ABS
The dynamic actions of agents in response to changing conditions, e.g. the rules for how an infection spreads across the network.

  • Different agent rules (simple or complex) produce different system behaviour.
62
What is baselining in ABS
Running a default simulation, with no intervention, to serve as the reference point.
63
How is baselining used in ABS
  • To test hypotheses, e.g. whether a control or tool is effective at reducing or solving the issue.

  • To compare against simulated scenarios for effectiveness evaluation, e.g. comparing the baseline spread of a simulated network infection against the spread once a control is applied.
64
How many simulations should be run in ABS
Many, because the agents' choices are random: the runs are repeated and averaged to measure the KPIs.
65
How can ABS be implemented
  • With software such as NetLogo (desktop, or NetLogo Web in the browser).

  • In code, e.g. in Python, either from scratch or with a framework such as Mesa.
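
An agent-based simulation of malware spread, as an added example (not from the original page), putting together the agents, environment, behaviour and baselining cards above. The environment is a constructed office network (ten workstations in a ring, all talking to one file server); the agents are hosts; the behaviour rule is that each infected host attempts to infect each reachable, unpatched neighbour once per tick; the baseline run is compared with a run where the file server is patched, and each experiment is averaged over many seeded runs. The topology and infection probability are assumptions chosen for the example.

```python
import random
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class Host:
    """Agent: one machine on the network."""
    name: str
    neighbours: List[str]       # the environment: who this host can reach
    patched: bool = False       # the control under test: patched hosts cannot be infected
    infected: bool = False


WORKSTATIONS = [f"ws{i}" for i in range(10)]


def build_office(patched: FrozenSet[str] = frozenset()) -> Dict[str, Host]:
    """Constructed environment: ten workstations in a ring, all sharing one file server."""
    hosts: Dict[str, Host] = {}
    for i, n in enumerate(WORKSTATIONS):
        nbrs = [WORKSTATIONS[(i - 1) % 10], WORKSTATIONS[(i + 1) % 10], "fileserver"]
        hosts[n] = Host(n, nbrs, patched=n in patched)
    hosts["fileserver"] = Host("fileserver", list(WORKSTATIONS),
                               patched="fileserver" in patched)
    return hosts


def tick(hosts: Dict[str, Host], rng: random.Random, p_infect: float) -> int:
    """Behaviour rule: every infected host tries each neighbour once; returns new infections."""
    newly = set()
    for h in hosts.values():
        if not h.infected:
            continue
        for nb in h.neighbours:
            target = hosts[nb]
            if not target.infected and not target.patched and rng.random() < p_infect:
                newly.add(nb)
    for n in newly:                   # apply at the end so the tick is synchronous
        hosts[n].infected = True
    return len(newly)


def run_once(hosts: Dict[str, Host], rng: random.Random, p_infect: float = 0.3,
             ticks: int = 10, patient_zero: str = "ws0") -> int:
    """One simulation: seed the infection, step the clock, count infected hosts."""
    hosts[patient_zero].infected = True
    for _ in range(ticks):
        tick(hosts, rng, p_infect)
    return sum(h.infected for h in hosts.values())


def experiment(patched=frozenset(), runs: int = 200, seed: int = 1, **kw) -> float:
    """KPI: mean number of infected hosts, averaged over many runs of one scenario."""
    rng = random.Random(seed)         # fixed seed so a scenario is reproducible
    total = sum(run_once(build_office(frozenset(patched)), rng, **kw) for _ in range(runs))
    return total / runs


if __name__ == "__main__":
    baseline = experiment()                               # no controls: the reference point
    hub_patched = experiment(patched={"fileserver"})      # hypothesis: patching the hub helps
    print(f"baseline mean infected:    {baseline:.2f} of 11")
    print(f"file server patched, mean: {hub_patched:.2f} of 11")
```

The comparison between the two means is the hypothesis test the baselining cards describe; the same harness can evaluate other controls (network segmentation is a change to `neighbours`, a slower worm is a lower `p_infect`) without touching the agent logic.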