Threat Modeling 101
How to identify, assess, and reduce risk to yourself, your community, or... anything, really, by establishing a threat model as the basis for your security efforts.
So You Want Better Security
That's great! Let's go through some resources and key concepts to help you along the way.
First, some terminology you'll probably hear a lot: OPSEC is the abbreviation for “operational security” - that is, keeping the things you do (your “operations” - yes, this makes more sense for militaries) secure and safe from adversaries knowing about them or meddling with them. Along similar lines, you'll hear about PERSEC, or “personal security” - this is the same idea, but for you personally rather than the things you do. For example, OPSEC could be keeping an event secret except for the attendees, thereby protecting the event (or “operation," if you want to look at it like that) from potential adversaries. On the other hand, using a pseudonym online is a form of PERSEC - that is, keeping yourself, personally, secure from people finding out more information about you.
The second set of terminology is about risk. The short version is that risk is probability times impact. The table below illustrates this, and gives you some priorities. This means that you can reduce risk by reducing probability OR by reducing impact (or both). The risk of an event can be reduced by making the event less likely, or by making it less bad if it does occur. Keep both of these options in mind as you examine risks.
Low Impact | High Impact | |
---|---|---|
Likely | Probably worth doing something, but not much | Definitely do something |
Unlikely | Who cares | Consider doing something |
Security is a HUGE topic, and it's almost all based on your specific situation. Below, we'll dive into threat modeling, which is the best all-around way to take stock of your security situation and figure out how to improve it.
Where to Start Going Deep: Threat Modeling
The foundation for every security effort should be a threat model. This is a term you'll hear thrown around a lot, and it can be confusing because it's an extremely flexible tool and can mean different things to a lot of different people. For a deep dive into threat modeling from a cybersecurity perspective, you can take a look at this article - but be warned that it's a lot more detailed than you really need! That, in turn, is a condensed version of a 624-page book on the topic. This can go DEEP - but today we're keeping it to just what you need.
The core of threat modeling consists of answering the following questions:
- What am I protecting? (assets)
- Who wants to cause harm? (adversaries)
- What are they potentially able to do? (capabilities)
- How can we prevent or reduce the chance of them doing bad things? (countermeasures)
Answering those four questions, in whatever depth you want, is a threat model. Sometimes it's worth thinking about for a couple of minutes, and sometimes it's worth spending a day on with a group and plenty of writing materials. Let's step through the questions in a little more detail.
Something to keep in mind while threat modeling is that ultimately, you have to do the thing. You can get bogged down in security forever, trying to make the most robust plan you're able to, but overall what you need to be keeping in mind is whether or not the thing you're trying to do is worth it given the risk. There will always be risk. The best way to be safe is to stay home, turn off all your electronics, and sit in the dark eating only soft foods… but there are things worth doing in the world, so it's always a matter of reducing risk until it's acceptable, not eliminating it entirely. Match your security measures to the risk of your activities, but don't forget that security is hard, and it's a lot of work and discipline. What you want is the minimum amount of security effort to bring down the risk to something you can accept, not maximum security all the time.
With that, let's get started threat modeling.
Assets
The first step in your threat model is to figure out what you're protecting. This can range from one fairly simple item to long, nuanced lists. For example:
- hosting an event: we want to protect attendees' safety, the organizers' safety, and the enjoyment of the attendees
- daily life: I want to protect my physical safety, my online safety, and my job
- moderating a forum or chat room: I want to protect the online safety of the members of the forum, my own safety as a semi-public figure in it, and the community itself as a place that people can come and interact
These are obviously high-level statements - what exactly “physical safety” means can be interpreted a million and one ways - but we'll get to that soon. There's nothing wrong with starting out broad and then getting specific later, but getting too specific right away can quickly turn into a time sink you never emerge from. There can also be different values to these assets - in the event example, protecting safety is far more important than making sure the attendees have a good time, but that doesn't mean both aren't valuable. You'll also notice that there's likely overlap in some of the things you list. In the daily life example, protecting your job (e.g. not being fired due to a harassment campaign) is somewhat part of online safety, but also somewhat not - and that's OK. Write down what you come up with, and sort it out later.
Adversaries
Once you know what you're protecting, the next step is figuring out what/who you're protecting it from. These can be actual human adversaries, or things like random chance or passive events like the weather. For example:
- hosting an event: people showing up to protest/threaten attendees, online harassment/doxxing campaigns, bad weather on the day of the event, attendees themselves causing problems
- daily life: fash, police, my boss
- moderator: external trolls, internal trolls
Similar to assets, this can be as vague or as specific as you'd like - the key is to get everything out there without spending an infinite amount of time on details.
Capabilities
This is where assets and adversaries meet. For each combination of an asset and an adversary, think about what that adversary can (try) to do. Again, this can include accidental things - an “adversary” isn't necessarily trying to be malicious.
Example Capabilities List: Hosting an Event
- hostile people showing up:
- attendee safety: physical threats/harm, gathering information (photos of attendees, license plates, etc.) to inform online harassment
- organizer safety: same as attendees
- enjoyment of attendees: disrupting the event, threatening/scaring attendees
- online harassment/doxxing:
- attendee safety: doxxing people using any information we disclose/fail to protect, harassment via whatever channels/groups we have set up
- organizer safety: same as attendees but probably heightened a bit due to higher profile
- enjoyment of attendees: same as safety, plus trolling that doesn't threaten safety can still be un-fun and make the event less enjoyable
- bad weather:
- attendee safety: lightning, I guess? probably fine
- organizer safety: same as attendees
- enjoyment of attendees: being outside in the rain would make the event less enjoyable
- attendees:
- attendee safety: accidents (slips and falls, etc.), medical emergencies
- organizer safety: same as attendees
- enjoyment of attendees: same as safety
As you can see, this is where things really start to pick up. The purpose of the threat modeling process is to help you think through all the things that might happen - so keep in mind here that it's up to you to decide how concerned you are about each thing. On the one hand, you want to think through all the things to worry about, but on the other hand you could spend all week writing in things like “an asteroid strike happens during the event” - so you have to decide as you go to strike the balance between a comprehensive list of concerns and a fantasy scenario. Realistically assess the capabilities of each adversary - what have they done in the past? What do you know about them that lets you estimate how likely each capability is? Remember that risk is probability multiplied by impact, and keep both factors in mind for each capability.
Countermeasures
Lastly, for each of the capabilities you listed above, consider what you can (and should) do about it. Realistically assess your own abilities - at the end of the day, you still need to get things done and there's only so much time and energy that can be invested in security. For each capability, as yourself:
- What's the risk of this? (probability of it happening multiplied by the impact of it happening)
- Is the risk high enough for us to do something about it?
- If yes, what can we do about it to reduce the likelihood of it happening or the impact if it does happen?
At this point, you have a comprehensive overview of the things that might impact your security and what you can do about them. It also helps give you a guide to look for specific countermeasures - if your list of “things I can do about this” is shorter than you'd like, you can now go out and look for specific security tools and concepts to help you. Next up: head to https://ssd.eff.org/ and dive in further!