Threat Modeling Fundamentals Classifying Threat Actors

To build an effective defense, you need to understand who might attack your systems and why. Classifying threat actors involves looking closely at your organization's assets to determine the motivations, capabilities, and goals of potential attackers.

By understanding what you have and who might want it, you can accurately map threat communities to your business and prioritize your security efforts.

The Threat Modeling Process

A successful threat model looks at your organization from the attacker's perspective. Whether you have full access to internal documentation or are starting from the outside using publicly available information (OSINT), the core process remains the same.

  1. 1

    Gather documentation

    Collect relevant internal policies, architecture diagrams, and system configurations to understand how the business operates.

  2. 2

    Categorize your assets

    Identify both your primary targets (e.g., a customer database) and secondary targets (e.g., an internal HR system on the same server).

  3. 3

    Classify threat communities

    Identify potential attackers based on their capabilities, resources, and motivations (often tied to your organization's business SWOT analysis).

  4. 4

    Map threats to assets

    Connect the identified threat actors to the specific assets they are most likely to target, factoring in the cost and effort required for them to succeed.

Always perform impact modeling alongside your threat modeling. Ask yourself: "What is the worst-case scenario if this specific asset is lost, exposed, or compromised?" This helps determine the true risk score for your organization.

Understanding Attacker Motivations

Classifying a threat actor requires understanding their motivation. Attackers weigh the value of an asset against the cost of acquiring it.

To classify who might attack you, you must first analyze what you have. This is known as Business Asset Analysis. During this phase, you evaluate the assets that are most likely to be targeted and the impact of their loss.

Mapping Assets to Threat Motivations

Different types of data attract different types of attackers. Here is how common business assets align with attacker motivations:

Asset CategoryExamplesLikely Attacker Motivation
Product & R&DTrade secrets, source code, algorithms, patentsCorporate espionage, competitive advantage, intellectual property theft.
FinancialBank accounts, credit card numbers, equity accountsDirect financial payout, wire fraud, extortion.
Personal DataCustomer PII, Employee PHI, SSNsIdentity theft, selling data on the dark web, regulatory extortion.
TechnicalPrivileged credentials, system configs, blueprintsAcquiring "stepping stones" to gain deeper, undetected network access.
Deep Dive: Types of Technical Information Attackers Target

Technical information might not seem valuable to the general public, but it is highly prized by advanced threat actors looking to map your network:

  • Infrastructure Design: Building blueprints, wiring diagrams, and application data flows.

  • System Configurations: Baseline documentation, OS images, and software inventories that reveal outdated software or misconfigurations.

  • User Credentials: Standard and privileged account access (via VPNs or web portals) that allow attackers to bypass external defenses entirely.

Deep Dive: Employee and Customer Data

Both employee and customer data are critical assets. Loss of this data often incurs direct financial loss through regulatory fines, compliance penalties, or lawsuits related to fraud. This includes Personally Identifiable Information (PII), Protected Health Information (PHI), and National Identification Numbers.

Primary vs. Secondary Targets

When classifying threat actors and their attack paths, it is crucial to look beyond the obvious targets. Attackers often use a less secure primary asset as a bridge to a highly restricted secondary asset.

Real-World Example: The Stepping Stone

Imagine you are securing an internal CRM application. The customer data inside the CRM is your primary asset. However, during your analysis, you discover that the company's HR database shares the same back-end server.

The HR database is a secondary asset. An attacker who doesn't care about your CRM data might still attack the CRM application solely to use it as a stepping stone to steal employee information from the HR database.

The Attack Flow

flowchart TD
    A["Threat Actor"] -->|Motivated by| B["Asset Value"]
    A -->|Restricted by| C["Acquisition Cost"]
    
    B --> D["Primary Asset"]
    D -->|Example: CRM App| F["Customer Data"]
    
    B --> E["Secondary Asset"]
    E -->|Example: Shared Server| G["HR Database"]
    
    D -.->|Used as a stepping stone| E

Failing to identify secondary assets can lead to a dangerous blind spot. A threat community might seem irrelevant if you only look at your primary application, but their threat level skyrockets once you realize what else they can access from that starting point.