WHAT IS A THREAT? MODELED & EXPLAINED

Visiting the Amazon rainforest is the coveted dream of many nature lovers and wildlife enthusiasts from around the world. However, visiting the world’s largest tropical rainforest is not free of dangers as the forest houses some of the most deadly creatures known to us (and maybe deadlier ones yet to be discovered).

The Amazon is home to the mighty jaguar, the powerful green anaconda, the highly toxic poison dart frogs, the shocking electric eels, flesh-eating piranhas, and more.

Thus, visitors to the Amazon are advised to be cautious and well aware of their surroundings at all times during their visit to the rainforests. Here we describe some of the deadliest creatures of the Amazon and why we consider them so.

However, in the end, we must remember that most of these creatures mentioned below are facing threats to their survival due to human activities. Now, who is deadlier, them or us, is a question we have to think over.

source: www[.]worldatlas[.]com

Comparable to the Amazon jungle, there are threats in the digital and cyber landscape that we as individuals and our organizations need to be aware of. As our world becomes more digitalized and the evolution of technology accelerates, so do the threats targeted against us and our organizations. I have written more about the challenges and contemplations around the subject in this article, Creation of Resilience. Together!

From a security perspective (cyber security, information security, and IT security), a Threat is part of a risk. Threats are real today and become more advanced, nasty, and harmful each year.

This article will look into “Threat” from a micro perspective, in the same way as for risk in the article I mention below. The perspective I will give you on what a threat is corresponds to the illustration below.

Threat explained from a micro perspective
A close look, from a micro perspective, at what a threat is. It is part of a risk and at the same time consists of unique elements, i.e. Actor, Action, Motivation, and Capability.

I will explain what a threat is, what it consists of, and the different characteristics and types of threats. After reading this article, you will have a broader and deeper understanding of what a threat is and what makes one up.

If you are interested in reading more about risk in the context of security, I recommend you read the article “What is Risk. Explain & Modeled”.

WHAT IS A THREAT?

When it comes to Threats in the security universe, an important thing to keep in mind is:

Threats cannot be controlled.

Think about a threat as something that is out of your control, like in a sports game between two teams where there are offensive and defensive tactics taking place back and forth. You, and your team, cannot control the offensive tactics and strategies of the other team or the other way around.

In this scenario, it does not matter how much you yell at the referee or at the other team’s players, coaches, leaders, or the audience. This is a total waste of energy. You are focusing your efforts on the wrong place, and the results will be slim. You will get to train your rah-rah capabilities…and yeah, that is about it. What you can control is your own team’s tactics and strategies against your opponent.

There is an obvious reason certain coaches in team sports do not focus on things they cannot control. And likewise for winners. They focus on winning, not on the opponent or things out of their control.

“Winners focus on winning.
Losers focus on winners.”

So why am I going with another sports analogy again, and speaking about where to focus the energy and efforts, when it comes to Security-Ville? Yes, you are right –> Security is a team sport! The same principles apply. You cannot control the actions of an opponent, i.e. an external or internal adversary. And I do not know anyone who has the psychic powers to do so. I am not one of those people at least.

DESCRIPTION OF THREAT

To put some context and words around what a threat is in the security realm, the following description gives an ok explanation:

Threat – A potential cause of an unwanted incident or anything capable of acting against an asset in a manner that can result in a negative impact or consequence. A threat is in general something that cannot be controlled. For example, a hurricane, geo-political events, or cyber-criminals. When there is a human behind a threat, they are in most cases driven by two factors: skill and motivation. Skill is the knowledge they possess. Motivation is in most cases related to financial and monetary aspects.

Now I will dissect the concept of a Threat into smaller pieces and show you what a threat consists of.

THREAT MODELIZED

The components that a threat consists of, according to the model I have constructed and present below, are an Actor, Action, Motivation, and Capability. See Figure 1 and the explanation of each of them below. They are very much self-explanatory I would say, but I give each a word or two.

Threat modeled and explained in a simple illustration
Figure 1

ACTOR

Each Threat consists of an actor. An actor can, in this model, be external or internal. External actors are for example cyber-criminals, nation-states, and terrorists. Internal actors are for example insiders and negligent employees.

ACTION

Each Threat is conducted by an action. The action can be intentional or unintentional.

MOTIVATION

Each Threat is driven by a motivation. The motivation can for example be financial, political, or ideological. A negligent employee’s motivation may be a human error resulting from an unintentional action.

CAPABILITY

Each Threat is dependent on its capabilities. Capability is the collection of components that build up what the actor is able to do, such as resources, skills, knowledge, tools, tactics, procedures, economics, technologies, and capacity.

To explain the model, and the elements within it, I have constructed three examples. A threat from an external perspective and two threats from an internal perspective. There are some small differences but the concept still, more or less, remains the same. See Figure 2 below.

The Threat is carried out by an Actor (Cybercriminal, Insider, Negligent Employee). Each Threat, carried out by the Actor, is conducted through an Action (Intentional or Unintentional). The Action is driven by Motivation (Financial, Disgruntled, Human error). In many cases there might be more than one Motivation, for example a combination of Financial + Disgruntled. The Threat actualizes the Action and Motivation through Capabilities (resources, technologies, tools, tactics, procedures) or may be manifested through the lack of Capabilities (knowledge, awareness).

Threat modeled and explained from a micro perspective through three examples
Figure 2

In Figure 2 above there are two additional components, Target and Asset, that I did not explain above. These are not direct components of a Threat; they are rather an indirect part of it.

Target is, as the name of the component says, what the Threat is directed towards. Asset is the actual component the Threat is attacking and targeting to compromise.

My goal here is to help you, to gain perspectives of how a Threat may manifest itself and what it consists of. To help you better understand and reflect on what a Threat is and those applicable to you and your organization.

The model is not and should not be thought of as a cyber attack kill chain or an actual attack path. An attack can and will most often contain several sequences. This model has the purpose of conceptualizing what a Threat consists of.

The model should not be confused with or seen as comparable to, for example, MITRE ATT&CK or frameworks for Threat modeling. These frameworks do a much better job of detailing which TTPs (Tools, Tactics, and Procedures) are applicable in relation to an actual attack path. MITRE ATT&CK is also a good way to go when constructing and developing hunting queries, detection rules, or gaining more “in real life” knowledge of how a threat is actualized through an attack path.

REFLECTION

A Threat is driven, mainly when there is a human behind it, by motivation and capabilities. This statement is not applicable to environmental threats.

Environmental threats are still applicable to the security universe as they can for example cause outages and disruptions that can result in a negative impact on an organization. More than once, and if history is a predictor of future events, environmental threats have had significant negative impacts on for example leading cloud service providers.

These cases will keep taking place even for those with world-class data centers or security capabilities in place. These threats are those that are less likely and take place with a lower frequency but come with a high negative impact.

“Anything that can go wrong will go wrong.”

Murphy's law

Is there a need to have an understanding of a conceptual model to understand or think about what a threat is? In general, I would love to say –> No.

But the fact is that the security universe is kind of complex. That does not mean we need to speak about it or make it more complex than it actually is. My models do not have the purpose of making sh*t more complex than it already is. It is actually the opposite.

The fact is that many security professionals do not even know the difference between risk, threat, and vulnerability. Yes, this should not be the case but this is the reality still today (when this article was first written in 2024). And to shine some light on the subject and help people to better understand the composition of a threat, this is my attempt to do so. Keep in mind though, this conceptual model is just that. It is a conceptual model. It zooms in on the subject Threat from a closer perspective and exemplifies how the manifestation may take place and why.

I think that a security professional should understand what a Threat is and how it is built up. A Threat is not the same as a Risk or a Vulnerability. Here there is still very much confusion in the industry. And I think that in many cases confusion is created around the subject because standards, frameworks, and models similar to my own look at a Threat from different viewpoints. There is no one-and-only definition out there that we as security people are unified around. And to be clear, this is not the intent of this article. The purpose is to illustrate and exemplify what a Threat is from a conceptual perspective.

EPILOGUE

Threats that are not understood or identified by your organization are potentially more harmful to the organization. This is because you and your organization lack the understanding of how they may impact you and/or where they are coming from.

If you are facing a new opponent that you have never played a game against before, I think one way to close a bit of the gap is to gather some intel on the opponent. Intel about your opponent will not necessarily make you win the game, but it will increase your awareness of, for example, their offensive tactics, and your general preparedness.

The same ideas can be applied when it comes to Cyber Threat Intelligence (CTI). It can be snake oil but it can also be value-adding if it is translated into actionable information that can be applied. But for now, I will leave the subject of CTI hanging here. I think that almost every organization can increase its security awareness if it starts to analyze its threat landscape more systematically. And this can be done without CTI.

Threats come in different forms.

To better understand the effects of the negative impact of a threat being actualized, I recommend conducting asset valuation. I know that asset management is a pain for almost every organization, but at least conducting asset valuation of the crown jewels in your organization will put you in a better position compared to not doing so.

Keep this in mind: without a valuation of the asset that a threat is targeting in your organization, it is going to be hard to:

  • understand the negative impact from a business and organizational perspective
  • evaluate and implement adequate security controls in relation to the asset value

Conducting an asset valuation may take one or more of the following factors into consideration:

  • Monetary or financial loss
  • Loss of productivity
  • Loss of competitive edge
  • Loss of intellectual property
  • Loss of operational capability
  • Loss of business continuity
  • Penalties related to contractual breach
  • Penalties related to regulatory violations
  • Damage to the organization’s brand
  • Negative effects from an internal or external compliance perspective

In short, it will be much harder for you to protect your organization’s assets in relation to their value because you do not know how to do it or against whom. If you want to know more about how to protect your crown jewels, take a look at this article.
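As an added example (not code from the original article), the Threat model from Figures 1 and 2 (Actor, Action, Motivation, Capability, plus the indirect Target and Asset) encoded as data, joined to an asset valuation built from the factors listed above, so the threats facing each crown jewel can be listed in order of asset value. The three threats are the Figure 2 examples; their targets, assets, and the per-factor scores are constructed for illustration.

```python
from dataclasses import dataclass

VALID_ACTIONS = ("intentional", "unintentional")


@dataclass(frozen=True)
class Threat:
    """One Threat per the article's model, plus the indirect Target and Asset."""
    actor: str            # external (cybercriminal, nation-state) or internal (insider, negligent employee)
    action: str           # intentional or unintentional
    motivations: tuple    # one or more, e.g. ("financial", "disgruntled")
    capabilities: tuple   # what the actor has: resources, tools, tactics, procedures
    lacks: tuple          # capabilities whose absence manifests the threat: knowledge, awareness
    target: str           # what the threat is directed towards
    asset: str            # what the threat tries to compromise

    def __post_init__(self):
        if self.action not in VALID_ACTIONS:
            raise ValueError(f"action must be one of {VALID_ACTIONS}")
        if not self.motivations:
            raise ValueError("each threat is driven by at least one motivation")

    def describe(self):
        how = ", ".join(self.capabilities) if self.capabilities else "lack of " + ", ".join(self.lacks)
        return f"{self.actor}: {self.action} action, motivated by {' + '.join(self.motivations)}, via {how}"


def asset_value(factors):
    """Sum the per-factor loss scores (constructed 0-3 scale) for one asset."""
    return sum(factors.values())


def threat_landscape(threats, valuations):
    """Group threats by the asset they target and order the assets by value, highest first."""
    by_asset = {}
    for t in threats:
        by_asset.setdefault(t.asset, []).append(t)
    ranked = sorted(by_asset, key=lambda a: asset_value(valuations.get(a, {})), reverse=True)
    return [(a, asset_value(valuations.get(a, {})), [t.describe() for t in by_asset[a]]) for a in ranked]


# The three Figure 2 examples; targets and assets are constructed placeholders.
THREATS = (
    Threat("Cybercriminal", "intentional", ("financial",), ("tools", "tactics", "procedures"), (), "payment service", "cardholder data"),
    Threat("Insider", "intentional", ("financial", "disgruntled"), ("access", "knowledge of systems"), (), "HR system", "employee records"),
    Threat("Negligent employee", "unintentional", ("human error",), (), ("awareness",), "mailbox", "employee records"),
)

# Constructed sample scores against factors from the article's asset valuation list.
VALUATIONS = {
    "cardholder data": {"monetary loss": 3, "regulatory penalties": 3, "brand damage": 2},
    "employee records": {"regulatory penalties": 2, "brand damage": 1},
}

if __name__ == "__main__":
    for asset, value, descriptions in threat_landscape(THREATS, VALUATIONS):
        print(f"{asset} (value {value})")
        for d in descriptions:
            print("  -", d)
```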

Henrik Parkkinen