Before you can effectively protect your organization or test its defenses, you need to know exactly what you are protecting. This guide walks you through discovering your critical business assets, mapping the processes that rely on them, and identifying the potential threats targeting your organization.
By completing this discovery phase, you build a solid foundation for accurate threat modeling and targeted penetration testing.
- 1
Identify Core Assets
Assets generally fall into two categories: the data you hold and the people who have access to it.
Data and Information Assets
Catalog the sensitive information that keeps your business running or is legally protected. Common examples include:Personally Identifiable Information (PII): National ID numbers, Social Security Numbers, addresses.
Protected Health Information (PHI): Medical records and health data.
Financial Data: Bank, credit, and equity accounts.
Supplier & Partner Data: Trade secrets, critical component costs, or partner agreements.
Cloud Services: Credentials and account information for your cloud infrastructure.
Human Assets
When attackers target an organization, they often go through its people. Human assets are individuals who can be manipulated to divulge information, make detrimental decisions, or grant physical/digital access.Human assets aren't just top-level executives. Attackers frequently target administrative assistants, human resources, or technicians because they often hold the keys to restricted areas or sensitive systems.
- 2
Map Business Processes
Assets don't exist in a vacuum—they support business processes that generate revenue or value. By mapping these processes, you can identify what is critical to your business and how an attacker might disrupt it.
flowchart TD A[Technical Infrastructure] --> E B[Information Assets] --> E C[Human Assets] --> E D["3rd-Party Integrations"] --> E E{Business Process} --> F[Revenue & Value] style E fill:#f9f,stroke:#333,stroke-width:2pxFor every critical business process, identify its supporting pillars:
Technical Infrastructure: The networks, servers, and devices powering the process.
Information Assets: The databases, reference materials, and knowledge bases used for decision-making.
Human Assets: The personnel involved in approvals, verification, or management of the process.
3rd-Party Integrations: External vendors, SaaS providers, or contractors that interact with the workflow.
Don't ignore non-critical processes. Sometimes, an attacker can chain together vulnerabilities in several non-critical processes to create a critical threat scenario.
- 3
Profile Threat Communities
Once you know what you are protecting, you need to define who might want to compromise it. Group potential attackers into communities based on their location relative to your organization.
Internal Threats External Threats Employees & Contractors Business Partners & Suppliers Management (Executive & Middle) Competitors System & Network Administrators Nation States Developers & Engineers Organized Crime Remote Support Teams Hacktivists & Script Kiddies Employees: Generally low-to-medium skill level. Most incidents are accidental data loss, though malicious insider threats (e.g., rogue employees) do occur.
Management: Often possess highly privileged access to sensitive information, making their accounts highly lucrative targets for external attackers.
- 4
Analyze Capabilities and Motivations
Finally, evaluate the actual capabilities and motivations of the threat communities you identified. This ensures your threat model reflects real-world probabilities.
Assess their capabilities:
Tools & Exploits: What tools do they use? Do they have the skills to develop custom zero-day exploits, or do they rely on freely available scripts?
Communication Mechanisms: How sophisticated are their command-and-control (C2) channels? Do they use simple encryption, or advanced obfuscation and bulletproof hosting?
Accessibility: How easily can this threat actor reach your network or physical premises?
Understand their motivations:
Attackers are driven by different goals. Knowing why they attack helps you predict how they will attack. Common motivations include:Direct or indirect financial profit
Hacktivism (political or social causes)
Direct grudge (disgruntled former employees)
Fun and reputation building
Using your network as a stepping stone to attack your connected partners
Look at the news. To validate your threat model, research recent breaches of comparable organizations in your industry. This provides a realistic baseline of the threats and incidents your peers are actively facing.
