Risk and threat modeling

From DevSummit

Risk and threat modeling Notes

The conventional way of doing threat modeling is:

  • Think about your organization or system or community. What are the vulnerable assets?
  • Think about all the threats to your organization – what are actors that could harm and what are their motivations?
  • Think about all the bad outcomes – what are the possible harms?
  • Then think about all the ways we can mitigate these identified risks of bad actors doing bad things that result in bad outcomes.

This can be overwhelming. It puts you in a bad headspace and feels paranoid; these things can block people from doing threat modeling at all. It is also very reactive, responding to bad things after they happen.

What are our questions about this process?

  • What’s the difference between threat modeling and risk assessment?
  • What if I don’t know what the risks are?
  • What if I’m overinflating the threat? Maybe I’m paranoid, but am I paranoid enough?
  • How to move from threat model to actually implementing? How to right-size and prioritize rather than spiral?
  • How to balance threat tolerance with mitigation? How do we prioritize?
  • How do we get buy-in within the organization?
  • Top-level people tend not to take it seriously. Leaders consider security a cost center, not a profit center, so they don’t want to invest in it. That leads to a lack of willingness to develop, or to uphold, a security standard.

Actor-based threat modeling: who wants to hurt you, and how do you mitigate the risk of that happening? This leads to paranoia and uncertainty; if you do it after something bad happens, it is reactive and increases the uncertainty further. It also makes buy-in hard: the people whose attention you get are already overwhelmed, and their reaction is that this is overwhelming, so we shouldn’t bother.

Alternative approach to actor-based threat modeling:

Outcome-based threat-modeling

  • Borrowed from risk assessment process.
  • What are the bad things I want to avoid? This is where you start your analysis.
  • This helps you avoid the overwhelm – you can’t mitigate the risk of every hypothetical bad actor. You just worry about the specific situations that you can anticipate.

Actor-based approach is an individualistic framework. Imagines that there are specific individual bad actors.

Outcome-based approach enables thinking in terms of systems, in which there might not be a specific threat-actor, but still can result in bad outcomes.

Criteria for outcome evaluation:

  • How bad is it?
  • How likely is it?
    • If it has a small probability of happening but is catastrophic, you should model for mitigation. If it has a large probability but a tolerable impact, you might accept it.
  • How much control do we have over this? Do we have the power to mitigate this risk?

These could be quantified by assigning each criterion a number:

  • (how bad is it) x (how likely is it) x (can I do something about it: 0/1) = score

But numbers can lead you astray, and gut feelings can be wrong. You can attach a separate number representing how likely the estimates themselves are to be wrong; that helps loosen the grip that these potentially unreliable numbers have on you. Different people might assign different scores, which could add to the overwhelm but could also generate valuable insights.
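A worked version of the scoring above, added here as an example rather than anything from the session: each outcome gets impact, likelihood and control estimates from more than one person, each estimate carries the assessor's own confidence in it, and the register is ranked and triaged so that a low-probability catastrophe still surfaces while a likely-but-tolerable outcome is accepted. The 1–5 scales, the confidence weighting, the triage thresholds and the sample register are all assumptions chosen for illustration.

```python
"""Outcome-based risk scoring: score = impact x likelihood x control.

Added example, not from the DevSummit notes. Scales and thresholds are
assumptions: impact and likelihood 1..5, control 0/1, confidence 0.0..1.0.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Estimate:
    assessor: str
    impact: int        # 1 = nuisance .. 5 = catastrophic
    likelihood: int    # 1 = rare .. 5 = near certain
    control: int       # 0 = we cannot influence it, 1 = we can
    confidence: float  # 0.0..1.0: how sure the assessor is of these numbers


def raw_score(e: Estimate) -> int:
    """The formula from the notes: how bad x how likely x can-we-act."""
    return e.impact * e.likelihood * e.control


def summarize(outcome: str, estimates: list) -> dict:
    """Combine several assessors' estimates of one outcome.

    The score is weighted by each assessor's confidence; the spread across
    assessors and the mean confidence are kept as an uncertainty signal.
    """
    scores = [raw_score(e) for e in estimates]
    weights = [e.confidence for e in estimates]
    weighted = sum(s * w for s, w in zip(scores, weights)) / sum(weights)
    return {
        "outcome": outcome,
        "score": round(weighted, 1),
        "spread": round(pstdev(scores), 1),
        "mean_confidence": round(mean(weights), 2),
        "max_impact": max(e.impact for e in estimates),
        "controllable": any(e.control for e in estimates),
    }


def rank(register: dict) -> list:
    """Highest score first; ties broken by worst-case impact."""
    rows = [summarize(o, es) for o, es in register.items()]
    return sorted(rows, key=lambda r: (r["score"], r["max_impact"]), reverse=True)


def triage(row: dict, threshold: float = 8.0) -> str:
    """Apply the prioritisation rule of thumb from the notes."""
    if not row["controllable"]:
        return "prepare"          # no power to mitigate: plan the response instead
    if row["max_impact"] >= 4:
        return "mitigate"         # catastrophic, even if unlikely
    if row["max_impact"] <= 2:
        return "accept"           # tolerable, even if likely
    return "mitigate" if row["score"] >= threshold else "accept"


def needs_discussion(row: dict) -> bool:
    """Flag outcomes where the numbers themselves are shaky."""
    return row["spread"] >= 3.0 or row["mean_confidence"] < 0.5


# Constructed sample register (hypothetical outcomes and assessors).
REGISTER = {
    "phone scammer impersonates grandson": [
        Estimate("alice", impact=3, likelihood=4, control=1, confidence=0.9),
        Estimate("bob",   impact=3, likelihood=5, control=1, confidence=0.9),
    ],
    "donor list leaked and used for harassment": [
        Estimate("alice", impact=5, likelihood=2, control=1, confidence=0.8),
        Estimate("bob",   impact=4, likelihood=3, control=1, confidence=0.5),
    ],
    "mom reuses a breached password": [
        Estimate("alice", impact=2, likelihood=5, control=1, confidence=0.9),
        Estimate("bob",   impact=2, likelihood=4, control=1, confidence=0.8),
    ],
    "hosting provider goes out of business": [
        Estimate("alice", impact=4, likelihood=1, control=0, confidence=0.6),
        Estimate("bob",   impact=3, likelihood=1, control=0, confidence=0.2),
    ],
}

if __name__ == "__main__":
    for row in rank(REGISTER):
        flag = " (re-estimate)" if needs_discussion(row) else ""
        print(f'{row["score"]:>5}  {triage(row):<8} {row["outcome"]}{flag}')
```

The control factor zeroes the score for the provider-bankruptcy case, which is what the formula in the notes does; the `triage` step then separates "nothing we can do, so prepare a response" from "not worth attention", a distinction the bare product loses. The confidence and spread fields are the "number representing how likely these numbers are wrong" idea: they do not change the ranking, they tell you which rows to argue about first.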

Target-based threat modeling: people

  • Start from the people / assets who are most vulnerable to focus your lens.

Asset-based threat modeling: stuff (money, etc)

  • The stuff you want to protect; start there.

Process-based threat modeling: interactions

  • What processes are the most messed up? What kind of behavior can you correct that might lower your risk profile across many different specific risks?

These ultimately blend together; it’s a question of prioritizing. You can choose where to start in your threat modeling analysis; it’s not a linear process.

  • Different prioritization approaches will lead to different areas of focus, different processes.


Modeling the approach before attempting the change: what will get people to actually change their behavior? Our thinking might differ from theirs, so you have to communicate in terms they will understand. Stories about the bad outcomes can help change behavior.

Outcome:

  • Union busting
  • Personnel infiltration
  • External auditing / oversight
  • Exploiting aggregated community resources / support groups
  • Laptop / phone
  • PII leak

Stuff:

  • Large data (offsite replication vs physical security)
  • Personal data

Targets:

  • Mom

Processes:

  • Automated testing
  • Using messenger app to coordinate with journalists/activists in repressive environments
  • Social media participation / mapping
  • Data/server security
  • Forum security – private conversations / PII

Modeling:

Protecting my mother:

  • Asset-based:
    • Finances
    • Political support + energy / votes – could be manipulated
    • Attention
  • Outcome-based:
    • Getting COVID
    • Humiliation / embarrassment / paranoia (might not emerge in actor-based modeling)
  • Process-based: things that mom does that might cause problems in her life
    • Bad password management
    • Shopping without a mask
    • Getting regular vaccinations
    • Phone call / email – screening / engagement
  • Actor-based:
    • Former spouse – might want revenge / disruption, or might want access to assets, and will exploit vulnerabilities; e.g. forging signatures on loan documents.
    • Phishers
    • Scammers on the phone – want money; call and pretend to be a grandson
    • COVID virus
  • Good process might also help reduce fear of low-likelihood outcomes. Work through the process of de-prioritizing overblown risks that lead to maladaptive risk mitigation.

Second example, a shared list of organizations:

  • Asset: a list of organizations that are pro-Palestine. Great in theory to have this information to promote support, but it’s also a vulnerability.
  • Process: say this list of organizations / donors is not public; it’s shared among a network of organizations. It’s an Excel sheet hosted on one org’s Google Drive. Anyone who has the link can access it, and it’s free to copy.
    • It can be leaked.
  • Mitigation: turn off public access. Carefully vet who has access to it. Clearly specify who can change who can see it.
    • Question: are you able to specify particular people at an organization who can access it, or is it accessible to everyone at that organization? In the latter case, it’s a broader risk surface.
  • If we know it is likely to be leaked, and harassment is likely to come in, what can we do?
    • Rethink whether to make the list in a potentially-shareable format in the first place.
    • Prepare people for how to respond to harassment.
  • What organizations might help provide this analysis and guidance as a consulting service?
    • EFF break down the asset-based approach really well with a starting-point resource.
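The sharing questions in the Google Drive example above (is the sheet open to anyone with the link, is it open to a whole organization rather than named people, and who can change who sees it) can be answered mechanically from the file's permission list. The following is an added example, not from the session; the sample permission lists are constructed by hand in the shape of the Google Drive API v3 permissions resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`), and the `writers_can_share` flag mirrors the file's `writersCanShare` setting. Fetching the real list from the API, and the two example organizations' addresses, are assumptions outside the code.

```python
"""Audit a shared file's permission list for the weak sharing settings.

Added example, not part of the DevSummit notes. The permission dicts below
are constructed samples shaped like Google Drive API v3 'permissions'
entries; nothing here talks to the API.
"""

# Roles that can modify the file. 'organizer' / 'fileOrganizer' are shared-drive roles.
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

# Constructed sample: the donor spreadsheet as described in the notes,
# before and after the mitigation.
BEFORE = [
    {"id": "1", "type": "user", "role": "owner", "emailAddress": "coord@example-org.org"},
    # 'anyone with the link' sharing; allowFileDiscovery=False means not searchable, still public
    {"id": "2", "type": "anyone", "role": "writer", "allowFileDiscovery": False},
    # every account in the partner organization's domain
    {"id": "3", "type": "domain", "role": "reader", "domain": "partner-org.org"},
]
AFTER = [
    {"id": "1", "type": "user", "role": "owner", "emailAddress": "coord@example-org.org"},
    {"id": "4", "type": "user", "role": "writer", "emailAddress": "ops@example-org.org"},
    {"id": "5", "type": "user", "role": "reader", "emailAddress": "liaison@partner-org.org"},
    {"id": "6", "type": "user", "role": "commenter", "emailAddress": "research@ally.org"},
]


def audit(permissions: list, writers_can_share: bool = True) -> list:
    """Return (severity, message) findings, worst first."""
    findings = []
    for p in permissions:
        kind, role = p.get("type"), p.get("role")
        if kind == "anyone":
            how = "discoverable by search" if p.get("allowFileDiscovery") else "anyone with the link"
            findings.append(("high", f"public access: {how}, role={role}"))
        elif kind == "domain":
            findings.append(("medium", f"every account in {p.get('domain')} has access, role={role}"))
        elif kind == "group":
            findings.append(("medium", f"group {p.get('emailAddress')} has access, role={role}; "
                                       "membership changes are invisible here"))
        elif kind == "user" and role in WRITE_ROLES and role != "owner" and writers_can_share:
            findings.append(("low", f"{p.get('emailAddress')} can edit and, with writersCanShare on, re-share"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def can_change_sharing(permissions: list, writers_can_share: bool = True) -> set:
    """Named accounts able to change who sees the file: owners, plus editors if writersCanShare is on."""
    allowed = set()
    for p in permissions:
        if p.get("type") != "user":
            continue
        if p.get("role") == "owner" or (writers_can_share and p.get("role") in WRITE_ROLES):
            allowed.add(p["emailAddress"])
    return allowed


if __name__ == "__main__":
    for label, perms in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for severity, msg in audit(perms) or [("ok", "only named accounts")]:
            print(f"  [{severity}] {msg}")
        print("  can change sharing:", sorted(can_change_sharing(perms)))
```

The `domain` entry is the answer to the question in the notes: a domain-type permission is "everyone at that organization", while only `user`-type entries name specific people. Turning link sharing off removes the `anyone` entry but does not by itself stop editors from re-sharing; that is a separate file setting (`writersCanShare`), which is why the audit takes it as a parameter and why "who can change who can see it" is listed as its own mitigation.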