Cyber Threat Modelling

1st October 2023

Do you model Cyber Threats, depict likely attack scenarios via Attack Trees and provide those findings back in a succinct manner to those responsible for the risk(s)? Surely that’s for the proviso of large companies, with big budgets and oodles of staff? I hear you say…

Perhaps, but any organisation large or small can start to model their Cyber Threats. Why?

1. The process of modelling cyber threats to an organisation and/or specific system(s) provides a true overview of that organisation or system, the ability to identify risks and vulnerabilities that may not have been previously considered.
2. Threat modelling looks across the myriad of controls in place (and missing), from a technical, human, supplier and process perspective.
3. Threat modelling can identify the most likely risks and vulnerabilities and their method of exploitation to assist in prioritisation of remediations, in a manner that non technical system owners can likely understand

An example, high level*;

1. You have a 3rd party supplier who supports a critical application utilised by your organisation;
2. You’ve requested and said supplier has supplied evidence of penetration testing, regular vulnerability assessments, NDA’s, contracts and SLA’s are in place. You have provisions for cyber security that the supplier must meet etc
3. All is good right? Of course, the above (and more) are all good steps
4. So when said supplier is breached via their own VPN(s), own 3rd parties, or interconnected systems, when, where and how are those attack vectors going to be identified and flagged effectively in YOUR own organisation?

*Agreed there’s all sorts of other scenarios and points to consider, but we wanted to provide a simple scenario!

Cyber Threat Modelling (CTM), Attack Surface Mapping and our Inimical.io Reconnaissance service(s) provide the opportunity to work through these different types of “wider” scenarios and identify where you may currently have blindspots.