Threat modeling is a critical phase in any penetration testing engagement. By assembling a clear picture of an organization's assets, business processes, and potential attackers, you can ensure your testing emulates real-world threats rather than just running down a generic checklist of IT vulnerabilities.
A well-constructed threat model provides clarity on the organization's risk appetite and helps you prioritize which controls, processes, and infrastructure to test first.
flowchart LR
subgraph Target Environment
A[Business Assets]
B[Business Processes]
end
subgraph Threat Landscape
C[Threat Communities]
D[Attacker Capabilities]
end
A --> E[Comprehensive Threat Model]
B --> E
C --> E
D --> E
E --> F[Targeted Penetration Test]The Threat Modeling Process
Building a threat model requires mapping out what needs protecting and who might want to attack it. Follow these core steps for every engagement:
- 1
Gather relevant documentation
Collect internal policies, infrastructure designs, network diagrams, and any available Open Source Intelligence (OSINT) about the target organization.
- 2
Identify and categorize assets
Determine the primary targets (e.g., a customer database) and secondary targets (e.g., an HR database sitting on the same server).
- 3
Identify and categorize threats
Define the threat communities (internal and external) that are most likely to target the organization.
- 4
Map threats against assets
Connect the dots. Determine which threat communities are likely to target which assets, considering their capabilities and motivations.
Don't ignore secondary assets.
If an internally hosted CRM application is your primary target, the customer data it holds is an obvious asset. However, if an HR database shares the same back-end server, it becomes a critical secondary asset. An attacker might use the CRM application merely as a stepping stone to steal employee information.
Analyzing Assets and Processes
To understand what an attacker might target, you first need to understand how the business operates and what generates value.
Business Assets
Take an asset-centric view of the organization. What data and people are critical to the company's success? Interview stakeholders to determine the value of these assets and the impact of their potential loss.
Types of Organizational Data Assets
Financial Information: Bank accounts, credit card data, and equity accounts.
Product & Technical Data: Trade secrets, source code, R&D data, infrastructure designs, and system configurations.
Customer & Employee Data: Personally Identifiable Information (PII), Protected Health Information (PHI), and national identification numbers.
Strategic Information: Marketing plans, internal policies, and supplier/partner agreements.
Credentials: User and privileged account credentials, as well as cloud service keys.
Human Assets
Human assets are key personnel who can be leveraged to divulge information or grant access. This isn't just executive management; it includes executive assistants, IT administrators, engineers, HR personnel, and anyone in a position to facilitate a breach.
Business Processes
A business generates revenue by running raw goods or knowledge through processes to create value. By mapping these processes, you can identify how specific threat communities might cause financial loss.
When mapping a process, identify the elements that support it:
Technical Infrastructure: Networks, servers, and workstations.
Information Assets: Knowledge bases, legal references, and decision-making support materials.
Human Assets: Personnel involved in approvals, verification, or execution.
3rd Party Integrations: SaaS providers, external contractors, or partner APIs.
Identifying Threat Communities
Once you know what you are protecting, you must define who you are protecting it from. Threat agents should be clearly identified by location (internal vs. external) and their specific community.
| Internal Threats | External Threats |
|---|---|
| Employees & Contractors | Competitors & Business Partners |
| Executive & Middle Management | Nation States |
| Network & System Administrators | Organized Crime |
| Developers & Engineers | Hacktivists |
| Remote Support Teams | Script Kiddies (Recreational hackers) |
Even in a complete black-box scenario where you have no prior internal information, you should still create a baseline threat model using an attacker’s perspective combined with OSINT.
Evaluating Capabilities and Motivations
A threat community is only relevant if they have the means and the drive to execute an attack.
Threat Capabilities
Analyze the actual probability of a threat agent successfully compromising the organization by evaluating:
Tools in use: What tools are available to them, and what skill level is required to use them?
Exploit availability: Can they develop custom exploits, or do they rely on freely available payloads and underground communities?
Communication mechanisms: How sophisticated is their Command and Control (C2)? Do they use simple encryption, bulletproof hosting, or advanced obfuscated malware?
Accessibility: How easily can they physically or digitally reach the target assets?
Motivation Modeling
Attacker motivations constantly evolve based on the industry vertical and current events. Common motivations include:
Direct or indirect financial profit
Hacktivism (political or social statements)
Direct grudges (disgruntled employees or customers)
Reputation and "fun"
Using the organization as a stepping stone to access a connected partner system
Validating Your Model
To ensure your threat model is comprehensive and grounded in reality, compare the target organization to its industry peers.
Research recent news and breach reports of comparable organizations. This validates your assumptions, highlights industry-specific challenges, and provides a baseline to present to stakeholders, proving that the scenarios you plan to test are actively occurring in the wild.
