This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on intelligence and threat modeling.
One goal every cybersecurity team aspires to is making the move from being reactive to proactive, being prepared to respond when an incident occurs and not just playing cleanup after an attack. Of course, this is easier said than done, but it has led to a renewed interest in intelligence and threat modeling as a way to help organizations improve how they prioritize threats to their business.
Several sessions at RSAC 2023 covered different approaches to threat modeling and one sentiment was shared among presenters. Making this work starts with having the right team. Meghan Jacquot, Security Engineer at Inspectiv, noted in the session, You Are Not an Island: Threat Models as a Team, “With threat modeling, you need feedback from a variety of team members, not just security, to get different perspectives.” A security incident impacts all parts of the business so including people from areas such as HR, legal, fraud, marketing and product is important. For example, the legal team might be needed to advise on legal obligations or the marketing team will need a plan to communicate with customers.
Another important consideration is choosing the right threat model based on your business goals, according to Jacquot. Two of the most common threat models used today are STRIDE and DREAD. The STRIDE model categorizes different threats under six different attack types and is based off the attacker’s goals whereas the DREAD model takes a more quantitative approach by assigning a numerical rating based off risk.
Mark Bristow and Sarah Freeman of MITRE’s Cyber Infrastructure Protection Innovation Center discussed the importance of threat modeling to uncover vulnerability and risk to critical infrastructure in their session, When Everything is Critical, Nothing Is: ISA and Mitigation Prioritization. Highlighting the sensitive geopolitical climate and threats to critical infrastructure, Bristow stated, “The geopolitical context is getting us to a place where this is something we need to be really worried about and soon.”
Mark Bristow explained threat intelligence is important to have but added, “At the end of the day, nobody else is going to fix your stuff.” Using the Infrastructure Susceptibility Analysis (ISA) approach, organizations can position their environment so it’s more defendable by bringing into focus what matters most. Security teams today often become mired in the details of regulations and patch management, leaving them forever lagging behind their attackers.
The ISA model looks to understand what attacks are possible and probable. This starts with understanding the existing capabilities of an attacker and their objectives and if there is any correlation between the two. In other words, is the attacker even capable of pulling off what they intend to do? Freeman explained this involves looking at the attacker and “whether or not their existing capabilities are sufficient to meet their goals or if there is a growth area that has to occur in order for them to be successful.”
Threat modeling using the ISA approach looks at what attack paths and outcomes are most likely and not just the most damaging. This is important as even if an attacker is successful in breaching the environment, the damage they have the potential to inflict might be inconsequential. Freeman stated, “If the effect is insignificant to your operations, then it’s not something that should be prioritized in terms of calculating where we spend our resources.”
And this is where intelligence and threat modeling gets to the heart of the matter (and is perfectly summed up in the title of Bristow and Freeman’s session). If everything is critical, nothing is. Security teams don’t have enough resources to close every gap or patch every vulnerability, but they can come up with prioritized mitigation strategies to make the best use of the resources they do have.