To build an effective defense, you need to understand who might attack your systems and why. Classifying threat actors involves looking closely at your organization's assets to determine the motivations, capabilities, and goals of potential attackers.
By understanding what you have and who might want it, you can accurately map threat communities to your business and prioritize your security efforts.
The Threat Modeling Process
A successful threat model looks at your organization from the attacker's perspective. Whether you have full access to internal documentation or are starting from the outside using publicly available information (OSINT), the core process remains the same.
- 1
Gather documentation
Collect relevant internal policies, architecture diagrams, and system configurations to understand how the business operates.
- 2
Categorize your assets
Identify both your primary targets (e.g., a customer database) and secondary targets (e.g., an internal HR system on the same server).
- 3
Classify threat communities
Identify potential attackers based on their capabilities, resources, and motivations (often tied to your organization's business SWOT analysis).
- 4
Map threats to assets
Connect the identified threat actors to the specific assets they are most likely to target, factoring in the cost and effort required for them to succeed.
Always perform impact modeling alongside your threat modeling. Ask yourself: "What is the worst-case scenario if this specific asset is lost, exposed, or compromised?" This helps determine the true risk score for your organization.
Understanding Attacker Motivations
Classifying a threat actor requires understanding their motivation. Attackers weigh the value of an asset against the cost of acquiring it.
To classify who might attack you, you must first analyze what you have. This is known as Business Asset Analysis. During this phase, you evaluate the assets that are most likely to be targeted and the impact of their loss.
Mapping Assets to Threat Motivations
Different types of data attract different types of attackers. Here is how common business assets align with attacker motivations:
| Asset Category | Examples | Likely Attacker Motivation |
|---|---|---|
| Product & R&D | Trade secrets, source code, algorithms, patents | Corporate espionage, competitive advantage, intellectual property theft. |
| Financial | Bank accounts, credit card numbers, equity accounts | Direct financial payout, wire fraud, extortion. |
| Personal Data | Customer PII, Employee PHI, SSNs | Identity theft, selling data on the dark web, regulatory extortion. |
| Technical | Privileged credentials, system configs, blueprints | Acquiring "stepping stones" to gain deeper, undetected network access. |
Deep Dive: Types of Technical Information Attackers Target
Technical information might not seem valuable to the general public, but it is highly prized by advanced threat actors looking to map your network:
Infrastructure Design: Building blueprints, wiring diagrams, and application data flows.
System Configurations: Baseline documentation, OS images, and software inventories that reveal outdated software or misconfigurations.
User Credentials: Standard and privileged account access (via VPNs or web portals) that allow attackers to bypass external defenses entirely.
Deep Dive: Employee and Customer Data
Both employee and customer data are critical assets. Loss of this data often incurs direct financial loss through regulatory fines, compliance penalties, or lawsuits related to fraud. This includes Personally Identifiable Information (PII), Protected Health Information (PHI), and National Identification Numbers.
Primary vs. Secondary Targets
When classifying threat actors and their attack paths, it is crucial to look beyond the obvious targets. Attackers often use a less secure primary asset as a bridge to a highly restricted secondary asset.
The Attack Flow
flowchart TD
A["Threat Actor"] -->|Motivated by| B["Asset Value"]
A -->|Restricted by| C["Acquisition Cost"]
B --> D["Primary Asset"]
D -->|Example: CRM App| F["Customer Data"]
B --> E["Secondary Asset"]
E -->|Example: Shared Server| G["HR Database"]
D -.->|Used as a stepping stone| EFailing to identify secondary assets can lead to a dangerous blind spot. A threat community might seem irrelevant if you only look at your primary application, but their threat level skyrockets once you realize what else they can access from that starting point.
