
When doing a risk assessment of a threat, how can I find the best threat agent for the risk assessment?

For example, the asset which has the vulnerability related to the threat may be in an internal network behind a DMZ.

In this case, some of the possible threat agents I can think of for analyzing the risk of this threat are:

  1. Criminal hackers (External)
  2. Criminal Organizations (External)
  3. Insider Employee
  4. Insider Operational Employee (Sysadmin/Developer)
  5. etc...

If the vulnerability of my asset can be accessed only from the local network, I have to assume that the first two threat agents have somehow broken the security of the internal network to gain access to the local network.

But for the Insider Employee and Insider Operational Employee, I do not have to assume that they have to exploit one or more other vulnerabilities to gain access to the local network and thus to the vulnerability of my asset. Unlike external attackers, they do not need any prerequisites to carry out the attack.

So, on the one hand, it seems to me that it is better to consider the threat agent which does not need to take any prerequisite step when assessing the risk of this threat.

But this is the first time I am trying to do a risk assessment, so I am not sure what is correct. I would appreciate any guidance in the right direction.

mcgyver5
Manjula

2 Answers

First and foremost, you must consider the business goal of the application. Only after you have determined the business goal are you able to define your threat agents. Discuss the motives of each threat agent, i.e., is it likely that a nation state is going to attack your application? Is it likely that a script kiddie would attack your application? Why or why not?

For a first threat modeling exercise I suggest you start simply with one or two likely threat agents, just to get going. However, for a complete threat model you should consider each likely threat agent and iterate through the full application for each threat agent.

Just a side note on your example list: do not forget about unintentional human attacks. Just Google and you'd easily get your hands on a list of possible threat agents.

I personally like this video for threat modeling: https://www.youtube.com/watch?v=We2cy8JwVqc


You want to avoid doing this. It is a source of mistakes, and you can avoid it.

For example, if your system can only be accessed from the local network, and the fix is to apply a patch from the vendor, then the first part probably doesn't matter; you want to apply the patch because it's cheap.

Secondly, odds are excellent that attackers will bypass your firewall, for example, by sending documents with exploits in them. If you've ever had a virus incident behind the firewall, then you've seen that it's somewhat porous. Companies are moving away from trusting a firewall to a model usually labeled "zero trust."

I've written a few blog posts on why thinking about threat agents is often a distraction: http://emergentchaos.com/archives/2016/04/think-like-an-attacker-is-an-opt-in-mistake.html, http://newschoolsecurity.com/2014/11/modeling-attackers-and-their-motives/

Adam Shostack
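The two threads above can be put side by side in a small model. The question argues that insiders have no prerequisite steps between them and a LAN-only vulnerability, so they dominate the likelihood; the second answer argues that the perimeter is porous anyway, because an external attacker can reach the LAN through a phished document. The script below, an added example that is not part of the question or either answer, scores each threat agent by its most likely attack path (the product of per-step success probabilities) and ranks them by likelihood times impact. Every agent, step probability and impact figure is a constructed assumption for illustration, not measured data, and `firewall_only_view` is a hypothetical helper that reproduces the question's original framing by dropping the phishing path.

```python
"""Added example, not from the original question or answers: compare threat
agents for a vulnerability reachable only from the internal network by
the prerequisite steps each agent must complete first.

All agents, step probabilities and the impact value are constructed
assumptions for illustration only."""
from dataclasses import dataclass
from functools import reduce
from typing import List, Tuple
import operator


@dataclass
class AttackPath:
    name: str
    # Assumed probability that each prerequisite step succeeds within the
    # assessment period; the last step is always the exploit itself.
    step_probabilities: List[float]

    def likelihood(self) -> float:
        # Steps are treated as independent: the path succeeds only if every step does.
        return reduce(operator.mul, self.step_probabilities, 1.0)


@dataclass
class ThreatAgent:
    name: str
    paths: List[AttackPath]  # alternative routes to the same vulnerability

    def likelihood(self) -> float:
        # A rational agent takes whichever path is most likely to succeed.
        return max(p.likelihood() for p in self.paths)


def rank_agents(agents: List[ThreatAgent], impact: float) -> List[Tuple[str, float, float]]:
    """Return (agent name, likelihood, risk) rows, highest risk first.

    risk = likelihood * impact, the usual qualitative risk product."""
    rows = [(a.name, a.likelihood(), a.likelihood() * impact) for a in agents]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Assumed: once an attacker is on the LAN, exploiting the known vulnerability is easy.
EXPLOIT = 0.9

# Constructed agents. External agents must first get onto the internal network,
# either through the DMZ or by phishing an employee; insiders already have it,
# so their only step is the exploit.
AGENTS = [
    ThreatAgent("Criminal hacker (external)", [
        AttackPath("breach DMZ host, then pivot", [0.2, 0.5, EXPLOIT]),
        AttackPath("phish an employee, run malware on LAN", [0.6, 0.7, EXPLOIT]),
    ]),
    ThreatAgent("Criminal organisation (external)", [
        AttackPath("breach DMZ host, then pivot", [0.3, 0.6, EXPLOIT]),
        AttackPath("phish an employee, run malware on LAN", [0.8, 0.8, EXPLOIT]),
    ]),
    ThreatAgent("Insider employee", [AttackPath("direct from LAN", [EXPLOIT])]),
    ThreatAgent("Insider sysadmin/developer", [AttackPath("direct from LAN", [EXPLOIT])]),
]


def firewall_only_view(agents: List[ThreatAgent]) -> List[ThreatAgent]:
    """Hypothetical helper: the question's framing, in which externals can only
    reach the LAN by breaking through the network perimeter (no phishing path)."""
    return [ThreatAgent(a.name, [p for p in a.paths if "phish" not in p.name])
            for a in agents]


if __name__ == "__main__":
    IMPACT = 100.0  # assumed impact score for loss of the asset
    for label, view in (("firewall-only view", firewall_only_view(AGENTS)),
                        ("with phishing path", AGENTS)):
        print(label)
        for name, lik, risk in rank_agents(view, IMPACT):
            print(f"  {name:36s} likelihood={lik:.3f} risk={risk:6.1f}")
```

Under either view the insiders come out on top, which is the questioner's intuition that the agent with no prerequisite steps bounds the likelihood for the asset. The second view shows the answer's point: adding the phishing route lifts the criminal organisation from 0.162 to 0.576, so a LAN-only vulnerability is not much protected by the perimeter, and the assessed risk barely depends on which agent you pick. The output that matters for the decision is the top row, not the agent list.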