Threat Modeling Fundamentals Aligning Assessments with Organizational Risk

Threat modeling is the bridge between a generic technical assessment and a highly relevant, risk-focused penetration test. By aligning your assessment with the organization's actual business risks, you ensure that you are testing the controls and assets that matter most to the business.

This phase provides clarity on the organization’s risk appetite and helps you emulate the tools, techniques, and profile of a realistic attacker.

The Two Pillars of Threat Modeling

Every effective threat model focuses on two key elements: the Assets (what you are protecting) and the Attacker (who wants it and how they might get it).

The Threat Modeling Process

To build a consistent and repeatable threat model, follow these core steps before launching your technical exploitation phase.

  1. 1

    Gather relevant documentation

    Collect internal policies, network diagrams, business processes, and any available open-source intelligence (OSINT) about the target organization.

  2. 2

    Identify and categorize assets

    Determine the primary and secondary assets. This includes business data, technical infrastructure, and the human assets that support critical business processes.

  3. 3

    Identify threat communities

    Define who would want to attack the organization. Categorize these threats based on their location (internal vs. external), capabilities, and motivations.

  4. 4

    Map threats against assets

    Connect the dots. Determine which threat communities are most likely to target specific assets, and use this mapping to prioritize your penetration testing scenarios.

flowchart TD
    A["Gather Documentation"] --> B["Identify Assets"]
    A --> C["Identify Threat Communities"]
    B --> D["Map Threats to Assets"]
    C --> D
    D --> E["Prioritize Test Scenarios"]

Whenever possible, build the threat model in coordination with the organization being tested. If you are performing a strict "black-box" test with no insider knowledge, build your model using the attacker’s perspective combined with OSINT.

Asset Analysis

Asset analysis requires you to look beyond IP addresses and servers. You need to understand how the business makes money, what processes support that revenue, and what data or people are critical to those processes.

Primary vs. Secondary Assets

It is crucial to identify both the direct targets (primary assets) and the stepping stones (secondary assets) an attacker might use.

Example: An internally hosted CRM application is a primary asset because it holds valuable customer data. However, if the database server hosting the CRM also hosts an HR database, that HR database becomes a secondary asset. An attacker might compromise the CRM solely as a stepping stone to steal employee information.

Types of Business Assets

Organizational & Financial Data

This includes trade secrets, marketing roadmaps, source code, and financial accounts. Loss or exposure of this data directly impacts the company's market value and competitive advantage.

Customer & Employee Data

Personally Identifiable Information (PII), Protected Health Information (PHI), and national identification numbers. Compromise of this data often leads to regulatory fines, loss of trust, and fraud liability.

Technical Information

Infrastructure designs, system configuration baselines, and user account credentials. While not usually the end goal for an attacker, technical data facilitates access to the primary business assets.

Human Assets

People are often the most accessible entry point into an organization. Human assets aren't always top-level executives; they are anyone positioned to grant access, divulge information, or be manipulated. This includes:

  • Executive and Middle Management

  • Administrative Assistants

  • Engineers and Technicians

  • Human Resources personnel

Threat Analysis

Once you know what needs protecting, you must define who is trying to compromise it. Threat communities should be clearly identified by their location, capabilities, and motivations.

Threat Communities

Threats can originate from outside the organization or from within.

Internal ThreatsExternal Threats
Employees & ManagementCompetitors & Business Partners
System AdministratorsNation States
Developers & EngineersOrganized Crime
ContractorsHacktivists & Script Kiddies

Do not underestimate internal threats. While most employees want to protect the company, they are frequently involved in accidental data loss incidents or, in rare cases, motivated by outsiders to assist in intrusions.

Capabilities and Motivation

To accurately emulate an attacker, you must understand what they are capable of and why they are attacking.

  • Tools and Exploits: Does this threat community rely on freely available scripts, or do they have the resources to develop custom zero-day exploits?

  • Communication Mechanisms: How sophisticated are their command and control (C2) channels? Are they using simple open channels, or complex, obfuscated drop-sites and botnets?

  • Motivations: Attackers are driven by different goals. Common motivations include direct or indirect financial profit, hacktivism, personal grudges, or simply seeking reputation and fun.

Testing Exfiltration: Penetration testers are uniquely situated to test an organization's ability to detect modern malware C2 channels. Try creating malware specimens with increasing levels of obfuscation to find the exact point where the organization's detection capabilities fail.