Cyber Threat Modelling and Cyber Threat Hunting - Think like an attacker!
by Svenja Koch
The so-called Advanced Persistant Threats (ATP) are creating an increasingly complex threat situation. This massively aggravates the risk situation in companies and makes the defence against threats for cyber security more and more challenging. Successful defence against such cyber threats begins with prevention. For this, it is necessary to understand the attack patterns of the hackers. This is precisely where cyber threat modelling or hunting comes in.
What exactly is Cyber Threat Modelling?
Cyber threat modelling is the conceptual analysis of cyber threats, which initially involves putting oneself in the position of an attacker. The aim here is to systematically identify potential vulnerabilities or security risks in applications and systems in a structured manner at an early stage and to derive the necessary IT security measures accordingly.
Threat modelling begins with the definition of all possible cyber threats for an organisation. For this, it is of elementary importance to analyse and define which data and infrastructure areas are to be protected in the company. Threat modelling is therefore an individual process. It is correspondingly time-consuming and requires in-depth technical competence. If it is not possible to identify all cyber threats or if cyber security makes incorrect assessments, cyber threat modelling will already develop in the wrong direction at this early stage.
In the next step, each individual cyber threat identified is examined within the framework of the threat analysis. This now involves a change of perspective. The cyber threats are simulated from the perspective of the attackers. In this way, the IT vulnerabilities of one's own infrastructure can be found as well as the attack patterns of the hackers can be understood. It is important to understand that cyber threat modelling is an ongoing process. Since the IT security situation is constantly changing, especially due to new forms of advanced persistent threats and changes in one's own IT infrastructure, new simulations and models must be prepared on an ongoing basis.
Why is Cyber Threat Modelling becoming more and more important?
In recent years, cyber threats have become an ever greater risk for companies. There are two main reasons for this: Firstly, the number of cyber attacks worldwide is increasing more and more. In addition, hackers are acting in a more targeted manner and with a clear plan. Ransomware and advanced persistent threats aim to infiltrate or even completely block the IT infrastructure of an organisation in its entirety. On the other hand, increasing digitalisation is also contributing to the fact that companies are becoming more and more dependent on IT systems. In many cases, all areas of a company are affected when an IT failure occurs. This makes it all the more important for cyber security to build up a defence that is as perfect as possible and takes all possible scenarios into account.
Last but not least, the European General Data Protection Regulation (GDPR) also exacerbates the situation. Companies are now liable when it comes to protecting private data. The consequences for violations are hefty fines and a public loss of image. This is another reason why companies have increasingly invested in cyber security in recent years and are looking for new methods to prevent cyber attacks.
Example of the cyber threat modelling process
Examples are a good way to show how threat modelling works in practice. A good example is a typical cloud application that is now used in many companies, such as an app for communication within an organisation.
Cyber threat modelling starts with an analysis of the use of this app. This is simply an examination of the interactions with the app and the information required. The use of the app requires a login. This is done via email address and a self-generated password. There are different user levels within the app. The administrator of the organisation has full access rights and thus also the possibility to change the rights of other users. Via created groups, which also receive rights, a mapping of the company structures takes place within the application. A data flow diagram is then used to record what information the app manages. In the example, the company uses the app for internal communication between employees. The app stores the messages and data in the provider's cloud. This concludes the analysis of the processes within the app.
The second step deals with the potential threats. The focus here is on the user data, as these grant access to the app. Anyone who has a login and password has access to internal communication. Particular danger is posed if an access is compromised that has extended access rights.
The next step involves a detailed recording of the concrete threats. Here, the STRIDE method is used for the analysis. STRIDE is an acronym and includes the six points:
- Spoofing Identity
- Tampering with Data
- Information Disclosure
- Denial of Service
- Elevation of Privilege
These are the different classes of cyber threats that represent potential sources of danger. A concrete check is then carried out to see in which form these six points represent a threat in the case at hand. Elevation of Privilege, for example, simulates a situation in which an unauthorised person gains access to an account that has elevated or maximum privileges. In this context, it is recorded what damage is then caused or what actions are available to this attacker via such an account. In the context of Spoofing Identity, Cyber Security checks whether it is possible to penetrate the system by faking an identity and which data is endangered by such an attack. Information Disclosure includes an analysis of what information is stored in the app and what the consequences are if it falls into unauthorised hands.
Based on the information obtained, the actual cyber threat modelling process takes place. This can be visualised with an attack tree. At the various levels, the primary attack targets, intermediate targets and cyber threats are defined as part of the analysis. A classic threat to such a system is, for example, a brute force attack. This type of attack has the intermediate goal of guessing login data by testing out random combinations. The actual goal is to gain control of an account and thus gain access to internal communications. A man-in-the-middle attack has the same end goal. However, this technique uses completely different attack methods. A man-in-the-middle attack reads the communication between the cloud application and the user. In this case, the attackers try to intercept the input of the password and user ID. There are various techniques for this, such as the recording of keystrokes by means of malware that attackers have deliberately placed on the user's system.
A completed threat analysis thus illuminates the vulnerabilities of a specific application or system and finds a multitude of such concrete attack paths and potential threats. Threat analysis is always done with the ulterior motive of "what if?". This simulates the impact of a successful attack via a specific path. This can take on very extensive proportions, for example when a successful attack with ransomware on the entire IT infrastructure is simulated.
Thinking like an attacker - the goals of Cyber Threat Hunting
Threat modelling primarily aims to improve the level of cyber security within an organisation. It uses a completely different approach than, for example, antivirus software. While the latter looks for known threats and malware such as ransomware, threat analysis follows a different strategy: its approach is to identify theoretical attack patterns and vulnerabilities that attackers use in a real scenario. This is particularly aimed at advanced persistent threats, where classic and passive security measures often fail because the attackers precisely do not use standard methods. To achieve this, it is important to be one step ahead of the attacker. This is achieved through an active approach to cyber security - cyber threat hunting. Instead of being passive, which is the case with firewalls and antivirus software, for example, which only react when an incident occurs in the network, threat analysis acts before anything happens. By preventing rather than mitigating damage, threat analysis prevents successful attacks by hackers from occurring in the first place. In essence, such an approach is very logical. If the possible attack paths that hackers use are identified and closed, the threat from Advanced Persistant Threats and other attacks is significantly reduced.
Technical solutions for cyber threat hunting
Threat analysis requires intensive manual work, costs a lot of time and requires in-depth technical knowledge. There are also software solutions from IT service providers that cover this area of cyber security, such as the Active Cyber Defense (ACD) service from secion. ACD is a proactive technique to immediately detect activities of hackers in one's own network. With the 24/7 Active Cyber Defense Service, it is possible to replace or sensibly supplement an in-house Security Operations Centre and threat analysis.
The ACD service is based on scans and evaluations of log data in real time. An on-site installation is not necessary, as the analyses are carried out via the network. The ACD service continuously searches for conspicuous activities that are outside the norm. This includes, for example, the communication of malware with a command & control server. In such a case, the ACD service alerts the responsible persons in the cyber security of the affected company so that immediate countermeasures can be taken. In this way, the ACD service prevents attackers from exploiting undiscovered security gaps in the network and causing far-reaching damage.
Due to the increasing threat of ransomware, advanced persistent threats and other activities by cyber criminals, corporate cyber security is under increasing pressure. Added to this is the advancing digitalisation, so that corporate networks are constantly growing. The consequences of a successful cyberattack, for example with ransomware, are devastating. The complete loss of all digital data and a work stoppage for an indefinite period of time are imminent. Therefore, threat analysis has become an indispensable part of cyber security in order to actively protect oneself in this direction.
It makes sense to transfer this task to an external service provider. The ACD service adds an additional level of security to cyber security that covers exactly the area that the threat analysis also tries to close.