Almost every organization holds some valuable data that cybercriminals would love to get their hands on, and MSPs are no exception.
In order to keep that data safe, it’s important to have a clear and complete view of everything there is to protect and be aware of all the different directions an attacker might attempt to strike from. This is what a threat model is for.
Threat modeling is the process of creating a record of all the assets within your system that need to be protected and identifying who might try to get to them, through what means, and how they can be stopped.
Here are 5 steps you’ll need to follow in order to successfully create a threat model for your organization.
1- Take inventory of your assets
The first step is pinpointing everything you’ve got that’s worth protecting. You’ll need to make a comprehensive list of all your most valuable assets, which could include things like cryptographic keys, encrypted data, private keys, System Management RAM, access to critical security features, and more.
2- Identify security objectives
After you’ve catalogued all that you’ve got to protect, map out what you’re protecting each asset from and prioritize your objectives. What’s the most at-risk asset you’ve got? What’s the least valuable asset you’ve got?
One of the best ways to do this is to use the “CIA triad”: Confidentiality, Integrity, Availability. Assess each of your assets individually and consider who has access to that asset (confidentiality), whether that asset can be modified (integrity), and whether that asset is protected against denial of service and other attacks (availability).
Keep in mind that each organization’s security objectives and non-objectives are unique and are determined by various factors such as the level of risk, the likelihood of an adversary successfully exploiting certain attack vectors, and the amount of resources required (on both your organization’s and the attackers’ part).
3- Create an adversary model
To protect yourself from your enemies, you must know your enemies, and know them well. Do they have network access to one of your machines? Do they have physical access? Do they have software access?
Your adversary model should be a list of attacker personas you need to defend against, outlining who they are, what skills they could possess (are they your average non-tech savvy guy off the street or an expert hacker?), what level of privilege they might have, and their attack method of choice.
4- Pinpoint all relevant threat vectors and attacks
This is where you’ll have to do some intensive research to identify every possible attack vector, from the known (legacy) attacks, like brute-forcing passwords, to the more cutting-edge threats, like SIM swapping to get around two-factor authentication.
You’ll also need to have a clear idea of the data flows of your assets, like where they’re stored or whether they’re encrypted or not, and truly take on the perspective of an attacker looking at every possible vulnerability that could be exploited.
This section of your threat model should include a matrix of all threat vectors and every potential attack for each. One industry resource often used in this process is the CVSS calculator, which allows you to align assets with objectives, adversary models, attack vectors, and associated severity level.
5- Develop the necessary mitigations
Here, you’ll need to write a mitigation for each of those potential attacks. For example, you might enable two-factor authentication for all employee email accounts, or prevent a bad actor from running a malicious driver by blacklisting it. This section of your threat model should take the form of a matrix that includes at least one mitigation for each possible attack against every asset you’re trying to defend.
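The five steps above can be kept as a small machine-checkable record. The following is an added example, not part of the original article: it stores the asset inventory and the attack/mitigation matrix, then reports every asset with no attacks enumerated and every attack with no mitigation. The asset priorities, adversary personas and the names Attack and coverage_gaps are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Attack:
    name: str
    asset: str        # step 1: the asset this attack targets
    objective: str    # step 2: "C", "I" or "A" from the CIA triad
    adversary: str    # step 3: persona from the adversary model
    vector: str       # step 4: network / physical / software access
    mitigations: list = field(default_factory=list)  # step 5

# Constructed sample model using the examples the article mentions.
# Priorities (1 = lowest, 5 = highest) are assumed values.
ASSETS = {"employee email accounts": 3, "cryptographic keys": 5,
          "System Management RAM": 4}
ATTACKS = [
    Attack("password brute-forcing", "employee email accounts", "C",
           "remote attacker", "network",
           ["two-factor authentication", "strong generated passwords"]),
    # SIM swapping gets around two-factor authentication, so it needs
    # its own row and its own mitigation; none is recorded yet.
    Attack("SIM swapping", "employee email accounts", "C",
           "expert hacker", "network"),
    Attack("malicious driver", "System Management RAM", "I",
           "local user", "software", ["driver blocklist"]),
]

def coverage_gaps(assets, attacks):
    """Return (priority, asset, problem) tuples, highest priority first."""
    gaps = []
    for asset, priority in assets.items():
        targeting = [a for a in attacks if a.asset == asset]
        if not targeting:
            gaps.append((priority, asset, "no attacks enumerated"))
        for a in targeting:
            if not a.mitigations:
                gaps.append((priority, asset, f"no mitigation for {a.name}"))
    # An attack row pointing at an asset that is not in the inventory
    # means step 1 is incomplete.
    unknown = {a.asset for a in attacks} - set(assets)
    gaps += [(0, u, "attack references asset missing from inventory")
             for u in sorted(unknown)]
    return sorted(gaps, key=lambda g: (-g[0], g[1], g[2]))

if __name__ == "__main__":
    for priority, asset, problem in coverage_gaps(ASSETS, ATTACKS):
        print(f"[P{priority}] {asset}: {problem}")
```

Run against the sample model, the check flags the cryptographic keys (no attacks listed at all) and the unmitigated SIM swapping row, which is the kind of gap the matrix exists to expose.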
One tool you should definitely have in your arsenal when implementing those mitigations against attacks is Myki for MSPs.
Myki for MSPs allows you to generate strong and complex passwords for all your organization's accounts, set up and manage company-wide two factor authentication, enforce time-based, IP address-based, and location-based security policies, and much more.