Threat modeling is the bridge between a generic technical assessment and a highly relevant, risk-focused penetration test. By aligning your assessment with the organization's actual business risks, you ensure that you are testing the controls and assets that matter most to the business.
This phase provides clarity on the organization’s risk appetite and helps you emulate the tools, techniques, and profile of a realistic attacker.
The Threat Modeling Process
To build a consistent and repeatable threat model, follow these core steps before launching your technical exploitation phase.
- 1
Gather relevant documentation
Collect internal policies, network diagrams, business processes, and any available open-source intelligence (OSINT) about the target organization.
- 2
Identify and categorize assets
Determine the primary and secondary assets. This includes business data, technical infrastructure, and the human assets that support critical business processes.
- 3
Identify threat communities
Define who would want to attack the organization. Categorize these threats based on their location (internal vs. external), capabilities, and motivations.
- 4
Map threats against assets
Connect the dots. Determine which threat communities are most likely to target specific assets, and use this mapping to prioritize your penetration testing scenarios.
flowchart TD
A["Gather Documentation"] --> B["Identify Assets"]
A --> C["Identify Threat Communities"]
B --> D["Map Threats to Assets"]
C --> D
D --> E["Prioritize Test Scenarios"]Whenever possible, build the threat model in coordination with the organization being tested. If you are performing a strict "black-box" test with no insider knowledge, build your model using the attacker’s perspective combined with OSINT.
Asset Analysis
Asset analysis requires you to look beyond IP addresses and servers. You need to understand how the business makes money, what processes support that revenue, and what data or people are critical to those processes.
Primary vs. Secondary Assets
It is crucial to identify both the direct targets (primary assets) and the stepping stones (secondary assets) an attacker might use.
Example: An internally hosted CRM application is a primary asset because it holds valuable customer data. However, if the database server hosting the CRM also hosts an HR database, that HR database becomes a secondary asset. An attacker might compromise the CRM solely as a stepping stone to steal employee information.
Types of Business Assets
Organizational & Financial Data
This includes trade secrets, marketing roadmaps, source code, and financial accounts. Loss or exposure of this data directly impacts the company's market value and competitive advantage.
Customer & Employee Data
Personally Identifiable Information (PII), Protected Health Information (PHI), and national identification numbers. Compromise of this data often leads to regulatory fines, loss of trust, and fraud liability.
Technical Information
Infrastructure designs, system configuration baselines, and user account credentials. While not usually the end goal for an attacker, technical data facilitates access to the primary business assets.
Human Assets
People are often the most accessible entry point into an organization. Human assets aren't always top-level executives; they are anyone positioned to grant access, divulge information, or be manipulated. This includes:
Executive and Middle Management
Administrative Assistants
Engineers and Technicians
Human Resources personnel
Threat Analysis
Once you know what needs protecting, you must define who is trying to compromise it. Threat communities should be clearly identified by their location, capabilities, and motivations.
Threat Communities
Threats can originate from outside the organization or from within.
| Internal Threats | External Threats |
|---|---|
| Employees & Management | Competitors & Business Partners |
| System Administrators | Nation States |
| Developers & Engineers | Organized Crime |
| Contractors | Hacktivists & Script Kiddies |
Do not underestimate internal threats. While most employees want to protect the company, they are frequently involved in accidental data loss incidents or, in rare cases, motivated by outsiders to assist in intrusions.
Capabilities and Motivation
To accurately emulate an attacker, you must understand what they are capable of and why they are attacking.
Tools and Exploits: Does this threat community rely on freely available scripts, or do they have the resources to develop custom zero-day exploits?
Communication Mechanisms: How sophisticated are their command and control (C2) channels? Are they using simple open channels, or complex, obfuscated drop-sites and botnets?
Motivations: Attackers are driven by different goals. Common motivations include direct or indirect financial profit, hacktivism, personal grudges, or simply seeking reputation and fun.
Testing Exfiltration: Penetration testers are uniquely situated to test an organization's ability to detect modern malware C2 channels. Try creating malware specimens with increasing levels of obfuscation to find the exact point where the organization's detection capabilities fail.
