Threat Modeling and Threat Emulation

By Bryson Bort, Founder and CEO, SCYTHE

Security is defined by the threat, not by what you think it is based on the tools you’ve bought, the team you have, or the vendors that support you. So the only way to have an idea of the level of risk to your organization is to model that threat and emulate it. All the while recognizing that the threat is continually evolving with new tradecraft and tools to circumvent the new controls you’ve put in place. Their model is turning your defense into their text matrix.

Threat Modeling. Threat modeling develops an actionable model of adversarial threats (sources, scenarios, tradecraft). These threats are potential risks to different business functions based on systems, geography, etc. The most popular framework for breaking down the components of a threat is the MITRE ATT&CK Matrix– it is like a periodic table, instead of describing physical elements, it describes the categories and specific techniques that can be ordered to describe a threat’s attack logic like you would a chemical equation with those elements. Threat modeling can be very complex and in-depth with detail and based on proprietary intelligence or if you’re starting out, an easy way is to search for your industry under threat groups on the MITRE ATT&CK webpage to correlate known campaigns (with their attack logic).

Threat Emulation. Cyber threat emulation operationalizes the threat model, ie- makes code/activity that follows the model driving a “functional signal” realistic enough to measure the people, process, and technology of your defense. It gives SOCs a way to create attack paths to understand contextual business risk in their processes and controls. Attackers may not use the same attack path, but there is a lot of commonality between campaigns which allows a defender over time to catch new attacks because of this overlap.

With a proper threat emulation process, Red and Blue Teams use modular tactics, techniques, and procedures (TTPs) so that they can recreate the latest or most relevant attack logic as needed. Similar to a cyber range, emulation gives defenders a way to get hands-on experience and insight with real-world attacks. Good threat emulation helps SOC mature their processes in a data-driven manner.

Purple Team. Security takes a team. Red Teams analyze intelligence or use their creativity to understand what might come next. Blue Teams provide the assurance 24×7 that your business will be able to do what needs to be done. When Red and Blue Teams work together, that’s a Purple Team. The Threat Modeling and Emulation processes are done collaboratively to train insights aligned to business and specific security needs.

Hot Topics

Related Articles