Advanced Threat Analysis Building Comprehensive Threat Models

Threat modeling is a critical phase in any penetration testing engagement. By assembling a clear picture of an organization's assets, business processes, and potential attackers, you can ensure your testing emulates real-world threats rather than just running down a generic checklist of IT vulnerabilities.

A well-constructed threat model provides clarity on the organization's risk appetite and helps you prioritize which controls, processes, and infrastructure to test first.

flowchart LR
    subgraph Target Environment
    A[Business Assets]
    B[Business Processes]
    end
    
    subgraph Threat Landscape
    C[Threat Communities]
    D[Attacker Capabilities]
    end

    A --> E[Comprehensive Threat Model]
    B --> E
    C --> E
    D --> E
    
    E --> F[Targeted Penetration Test]

The Threat Modeling Process

Building a threat model requires mapping out what needs protecting and who might want to attack it. Follow these core steps for every engagement:

  1. 1

    Gather relevant documentation

    Collect internal policies, infrastructure designs, network diagrams, and any available Open Source Intelligence (OSINT) about the target organization.

  2. 2

    Identify and categorize assets

    Determine the primary targets (e.g., a customer database) and secondary targets (e.g., an HR database sitting on the same server).

  3. 3

    Identify and categorize threats

    Define the threat communities (internal and external) that are most likely to target the organization.

  4. 4

    Map threats against assets

    Connect the dots. Determine which threat communities are likely to target which assets, considering their capabilities and motivations.

Don't ignore secondary assets.
If an internally hosted CRM application is your primary target, the customer data it holds is an obvious asset. However, if an HR database shares the same back-end server, it becomes a critical secondary asset. An attacker might use the CRM application merely as a stepping stone to steal employee information.

Analyzing Assets and Processes

To understand what an attacker might target, you first need to understand how the business operates and what generates value.

Business Assets

Take an asset-centric view of the organization. What data and people are critical to the company's success? Interview stakeholders to determine the value of these assets and the impact of their potential loss.

Types of Organizational Data Assets
  • Financial Information: Bank accounts, credit card data, and equity accounts.

  • Product & Technical Data: Trade secrets, source code, R&D data, infrastructure designs, and system configurations.

  • Customer & Employee Data: Personally Identifiable Information (PII), Protected Health Information (PHI), and national identification numbers.

  • Strategic Information: Marketing plans, internal policies, and supplier/partner agreements.

  • Credentials: User and privileged account credentials, as well as cloud service keys.

Human Assets

Human assets are key personnel who can be leveraged to divulge information or grant access. This isn't just executive management; it includes executive assistants, IT administrators, engineers, HR personnel, and anyone in a position to facilitate a breach.

Business Processes

A business generates revenue by running raw goods or knowledge through processes to create value. By mapping these processes, you can identify how specific threat communities might cause financial loss.

When mapping a process, identify the elements that support it:

  • Technical Infrastructure: Networks, servers, and workstations.

  • Information Assets: Knowledge bases, legal references, and decision-making support materials.

  • Human Assets: Personnel involved in approvals, verification, or execution.

  • 3rd Party Integrations: SaaS providers, external contractors, or partner APIs.

Identifying Threat Communities

Once you know what you are protecting, you must define who you are protecting it from. Threat agents should be clearly identified by location (internal vs. external) and their specific community.

Internal ThreatsExternal Threats
Employees & ContractorsCompetitors & Business Partners
Executive & Middle ManagementNation States
Network & System AdministratorsOrganized Crime
Developers & EngineersHacktivists
Remote Support TeamsScript Kiddies (Recreational hackers)

Even in a complete black-box scenario where you have no prior internal information, you should still create a baseline threat model using an attacker’s perspective combined with OSINT.

Evaluating Capabilities and Motivations

A threat community is only relevant if they have the means and the drive to execute an attack.

Threat Capabilities

Analyze the actual probability of a threat agent successfully compromising the organization by evaluating:

  1. Tools in use: What tools are available to them, and what skill level is required to use them?

  2. Exploit availability: Can they develop custom exploits, or do they rely on freely available payloads and underground communities?

  3. Communication mechanisms: How sophisticated is their Command and Control (C2)? Do they use simple encryption, bulletproof hosting, or advanced obfuscated malware?

  4. Accessibility: How easily can they physically or digitally reach the target assets?

Motivation Modeling

Attacker motivations constantly evolve based on the industry vertical and current events. Common motivations include:

  • Direct or indirect financial profit

  • Hacktivism (political or social statements)

  • Direct grudges (disgruntled employees or customers)

  • Reputation and "fun"

  • Using the organization as a stepping stone to access a connected partner system

Validating Your Model

To ensure your threat model is comprehensive and grounded in reality, compare the target organization to its industry peers.

Research recent news and breach reports of comparable organizations. This validates your assumptions, highlights industry-specific challenges, and provides a baseline to present to stakeholders, proving that the scenarios you plan to test are actively occurring in the wild.