Understanding Cyber Security Threat Models

December 13, 2012
Jason Hong

If you want to protect yourself from cyber security attacks, the first and most important thing you can do is to understand your threat model. The main goal of threat modeling is to help you think through two basic questions: what are you trying to protect, and who are you protecting it from?

For the first part, what are you trying to protect, the answer is the specific set of resources you care about. These resources might include your emails, your laptops, sensitive documents (both digital and printed), or even physical access to your buildings.

For the second part, who are you protecting it from, the best layman’s explanation of threat models I’ve seen comes from Jesse Walker, a researcher in Intel’s Security Research Lab. Basically, are you trying to protect yourself from someone who is willing to spend $500 and a few hours? Or $5,000 and a few days? Or $50,000 and a few weeks? Or maybe $500,000+ and a few months or even years (and probably backed by a national government)? Similarly, what kinds of attack vectors might they use? Is it phishing attacks, malware, fake USB drives near your buildings, illicit access to your building, or even Dumpster diving for discarded documents?

This distinction is important because it helps you craft the strategy you want to take for cyber security. For example, there are a lot of hackers who target anyone with a computer. That is, they don’t care specifically about you, but are interested in your computer and your Internet connection. In this case, basic security software and simple security precautions are sufficient.

However, there are also dedicated hackers who may be interested in targeting your organization specifically. These kinds of hackers are what is known as an Advanced Persistent Threat (APT), as they are patient, methodical, and willing to try a number of approaches to steal information while hiding their tracks.

Given this, my best advice moving forward is to start by focusing on protecting yourself from basic attacks first, because these are the predominant kinds of attacks on the Internet today. The attackers here are also looking for easy prey, and will quickly turn their attention to others if they don’t see any easy opportunities. So, turn on the software firewalls on your computers and be sure to install the latest software updates. Also, have strong unique passwords for important accounts, don’t share passwords, and know how to identify the most common kinds of phishing and malware attacks.

As the old saying goes, when being chased by a bear, you don’t have to outrun the bear, you just have to outrun other people. As such, just applying these basic security practices would go a long way towards protecting yourself and your organization.