Now that you’ve identified what you have to protect, the next step is to figure out who you are protecting it from. This concept is much easier to understand. Almost all actors fall into two broad categories: internal and external actors.
Internal actors are employees, contractors, and third parties with access to your assets. Third parties could be employees of your cloud provider or the company that processes benefits and payroll.
Internal threats can result from actors inadvertently using their privilege improperly, such as creating a misconfiguration or clicking a link in a phishing email. Internal actors can also purposefully act malicious and knowingly create threats in the environment such as stealing data or installing malicious software.
- Internal Actors
- Third Parties with access to assets
- Internal Malicious Actors
- Disgruntled Employees
- Internal System Controlled by External Actor
Due to the inherent trust given to internal actors, the potential impact from these actors is higher than from external actors. While external actors make for better news stories and TV shows, it is imperative to review and mitigate threats from internal actors.
There are a number of different types of external actors, each with different motivations and goals.
- External Malicious Actors
- Criminal Elements
- Industrial Espionage
While the term Hacker has become synonymous with any individual with nefarious motives, the term is usually used for a curious, technically savvy individual who gains unauthorized privileges to a system without malicious intent.
On the other hand, Crackers are individuals with malicious intent who intentionally try to bypass security controls.
With the movement of activities online, normal protesters morphed into Hacktivists. Hacktivists target an organization with a political or social motive. While hackers or crackers choose targets of opportunity or with a financial motive, Hacktivists target a sector or organization for ideological reasons. Due to that ideological focus, it is possible that hacktivists will expend more time and effort on a target.
Criminal elements are attempting to monetize the assets of an organization. This is a fancy way of saying they will sell credit card numbers, personal information, or run bitcoin miners on computers. Ransomware, which encrypts user data and requires a ransom to access the encrypted files, is a common way to extort organizations for money.
Nation-States are highly funded and operate on extended time frames, usually in the terms of years. Nation-states are incredibly difficult to defend against due to the additional levels expertise they can bring to bear. If you are in an industry commonly targeted by a nation-state (such as Defense or Aerospace), focusing on breach detection and having a close relationship with law enforcement is paramount.
Industrial espionage is a catch-all term for any of the above individuals focusing on stealing trade secrets or sensitive organization data. Nation-states may engage in industrial espionage to give their companies a competitive edge. Criminal elements may target an organization to sell any information obtained during a breach or sell information found during an untargeted breach. Hacktivists will expose data found to further their ideological cause.
Now that you’ve determined who are the most likely actors in your threat model and also determined which would cause the largest potential impact, you can create a list of threats to focus on.
A quick example would be a coal company operating a mine.
Asset Actor Threat Mitigation
External Website Hacktivists/Hackers/Crackers Defacement Quarterly Web Application Scans
Personnel HR Data Employees/Third Party Data Theft Access Control Policies
Internal Network Criminal Elements Phishing Phishing Awareness Training
Obviously, this list would be very long for any organization, but at some point, many of the mitigation elements will overlap. This means that in the previous example, the Access Control Policies that protect HR Personnel Data from Data Theft also protect it from access if a criminal element gains unauthorized access to the network. The best mitigation items will protect multiple assets from a variety of actors and eliminate most risk.