Profiling threat communities allows you to view your organization from an attacker's perspective. By combining Open Source Intelligence (OSINT) with a deep understanding of your business assets, you can create highly accurate threat models that reflect your actual risk landscape.
Documenting these threat models ensures that your final security reports provide relevant, organization-specific risk scores rather than generic technical ratings.
The Threat Modeling Process
To effectively profile the adversaries targeting your systems, you need to follow a structured approach that maps potential attackers to the assets they value most.
- 1
Gather relevant documentation
Collect internal policies, network diagrams, and system configurations. This provides the foundational knowledge needed to understand the organization's technical and business operations.
- 2
Identify and categorize assets
Catalog both your primary targets (systems directly exposed or in scope) and secondary assets (backend systems, shared databases, or internal networks).
- 3
Identify threat communities
Determine which specific groups of attackers (e.g., financially motivated syndicates, corporate spies, or hacktivists) have a vested interest in your organization.
- 4
Map communities against assets
Connect the identified threat communities to the specific primary and secondary assets they are most likely to target.
Even in a complete "black-box" scenario where you have no prior internal knowledge, you should still build a preliminary threat model using OSINT before beginning active testing.
The Importance of Secondary Assets
When mapping threat communities, it is crucial to look beyond the immediate application in scope. Attackers frequently use primary assets as stepping stones to reach higher-value secondary assets.
Consider a scenario where an internal Customer Relationship Management (CRM) application is your primary asset. A specific threat community might have no interest in your customer data, making them seem irrelevant. However, if that CRM shares a backend database server with the company's Human Resources (HR) database, the threat landscape shifts entirely.
flowchart TD
A["Threat Community"] -->|Initial Access| B["CRM Application (Primary Asset)"]
B -->|Pivots via Shared Server| C["HR Database (Secondary Asset)"]
C -->|Exfiltrates| D["Employee Information"]Never dismiss a threat community just because they don't care about the primary asset. Always evaluate the secondary assets connected to the target environment.
Business Asset Analysis
During the business asset analysis phase, you will take an asset-centric view of the organization. By interviewing relevant personnel and analyzing documentation, you can identify what attackers want, what the assets are worth, and the impact of their loss.
Here are the primary categories of organizational data you should profile:
| Asset Category | Description | Examples |
|---|---|---|
| Organizational Policies | Documents defining how the business operates and identifying key roles. | Internal procedures, disaster recovery plans, organizational charts. |
| Product Information | Core intellectual property that drives the company's market value. | Trade secrets, source code, R&D data, proprietary algorithms. |
| Marketing Information | Strategies and communications regarding public relations and market positioning. | Product roadmaps, partner details, PR correspondence, launch plans. |
| Financial Information | Highly guarded monetary data that is a primary target for financially motivated attackers. | Bank account details, credit card data, equity accounts. |
Deep Dive: Technical Information
Technical information is uniquely valuable during a security assessment. While it might not be the final goal of an attacker, it facilitates the discovery of vulnerabilities and attack vectors.
Infrastructure Design Information
This pertains to the core technologies and facilities used to run the organization. Examples include building blueprints, technical wiring and connectivity diagrams, computing equipment designs, and application-level data processing flows. This data is critical for the intelligence-gathering process.
System Configuration Information
This includes the specific setups of individual machines and networks. Examples include configuration baseline documentation, hardening procedures, group policy information, operating system images, and software inventories. Attackers use this to find misconfigurations and bypass security controls.
