Quantifying Threat Actors with Threat Box

Why Not an Existing Threat Model

There are a lot of great risk models available on the internet. There are some decent threat models too. Most notable is the threat modeling approach covered in the SANS CTI course (FOR578) and discussed in Katie Nickels’ webcast “The Cycle of Cyber Threat Intelligence”, which looks at an organization through the lens of the data they hold and the actors that traditionally target those data types. I love this model and I think it is a critical part of CTI analysis. However, it does not present well for an executive board for a large organization and it doesn’t address ranking the actors. It does serve as an awesome feeder model to identify which groups to process and present on the Threat Box.

Threat Box Categories and Scoring

Starting out, the intent of the model was to assess threat actor intentions and capabilities. But the intentions and capabilities to do what? To conduct cyber attacks against our organization. Okay. But what kind of attacks? Threat Box addresses four categories of attack:

  • Espionage — attacks impacting the Confidentiality of data or systems
  • Destructive — attacks impacting the Integrity of data or systems
  • Disruptive — attacks impacting the Availability of data or systems
  • Cyber-Crime — attacks intended for near-term financial profit

Intent & Willingness

Threat actors are assessed for their intentions to carry out these attacks against the targeted organization to answer, “Why would this actor target this organization with this type of attack?” The Intent score is balanced by the Willingness Modifier, which attempts to answer, “What constraints may impact the actor’s intent?” This modifier considers existing legal, political, and economic dependencies that may lower the threat. For example, there is a pretty low likelihood that the UK will hack the NSA for intelligence they can likely get through their FVEY relationship.

Capabilities & Novelty

Each actor is assessed for their known capabilities for each attack category to answer, “What evidence is available that this actor is capable of this attack type?” The Capability score is balanced by the Novelty Modifier, which adjusts the Capability score by trying to answer, “What indications of advanced skills are evident?” The reality is that threat actors don’t bring out the big guns (custom malware and zero days) when the front door is open. This is why the Capability score focuses on whether or not the actor has a demonstrated history with an attack type rather than trying to assess their skill level. The Novelty modifier was my attempt to give some credit to the Blue Teamers to be able to defend against common TTPs and malware families, while also giving some credit to the adversary that has demonstrated the ability to write custom toolsets and move quietly in an environment.

The Notional Targets and Threat Box Assessments

For my research, I wrote three mock profiles for fake organizations. The idea here is to demonstrate that the model works for any business sector. The scores presented below were calculated by myself using a few open-source repos of threat reports that I’ll include at the bottom of this page. As with all things in infosec, I suspect we’ll have some disagreement about how these scores washed out. I look forward to that discussion.

American Oil (AmO)

American Oil is a Texas-based oil company operating ICS manufacturing and operations in the US and Saudi Arabia. A threat analyst at AmO reads a large body of reports on Iranian capabilities, including FireEye’s Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. The analyst translates the statement “Iran’s desire to expand its own petrochemical production and improve its competitiveness in the region” into an intention score of three (3) for “Sector Association.” The actor is motivated through their national strategy to compete in the business sector. The briefer’s threat assessment may sound something like:

AmO’s Threat Box

United States Government Financial Organization (USGFO)

A Washington, DC-based federal agency that processes financial payments for all USG services that are provided to the public.

USGFO’s Threat Box

Information Technology Company (ITCO)

A California-based tech company that offers multiple online services, such as cloud computing and storage, and sells proprietary IT hardware. ITCO conducts two separate Threat Box assessments: one for their core business network (Enterprise) and one for the Services segment of their network.

ITCO’s Enterprise Threat Box
ITCO’s Services Threat Box

Working with an Awesome Team

All intelligence products should be a team effort, but the Threat Box is 100% a team sport. From the initial ask from our CISO, I had the absolute pleasure of working with, arguing with, and collaborating with an awesome team of really, really smart analysts: Brandy Harris, Jay Kiser, Zack Plunkert, Mike “The 0Day” O’Dea, and Cam Kennedy. As a team, we worked through building the original model, setting up a framework to rate the actor groups, and conducting the research necessary to complete the assessments for our client. The team has gotten a bit smaller with time, but we are still producing a version of this product for our client each month and we get requests to add it to other briefings and supporting material. Without this team and our shared experience, I could not have built on the model to research and write my SANS paper.

Closing it Out

Hopefully this article isn’t a complete mess. If it is, give the full paper a read instead. But here’s the basic process as a recap:

  1. Read a LOT of reporting,
  2. Determine if the reports are discussing espionage, destructive, disruptive, or cyber-crime attacks,
  3. Determine the Intent score, consider the Willingness modifier,
  4. Determine the Capability score, adjust for the Novelty modifier,
  5. Map the actor’s scores on the model,
  6. Rinse, repeat, and get coffee with your awesome team.
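Steps 3 to 5 of the recap can be sketched in code; this is an added example, not the author's tooling or anything from the full paper. The 0 to 5 scale, the modifier ranges, the additive way modifiers are applied, the ranking rule, and the actor names and scores are all assumptions made for illustration.

```python
from dataclasses import dataclass

CATEGORIES = ("espionage", "destructive", "disruptive", "cyber-crime")
MAX_SCORE = 5  # assumed scale; the article does not state one

@dataclass(frozen=True)
class Assessment:
    actor: str
    category: str
    intent: int       # why would this actor target us with this attack type?
    willingness: int  # assumed <= 0: legal, political, economic constraints
    capability: int   # demonstrated history with this attack type
    novelty: int      # assumed -1, 0 or +1: common TTPs vs. custom tooling

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.willingness > 0 or self.novelty not in (-1, 0, 1):
            raise ValueError("modifier outside its assumed range")
        if not (0 <= self.intent <= MAX_SCORE and 0 <= self.capability <= MAX_SCORE):
            raise ValueError(f"base score outside 0..{MAX_SCORE}")

    def point(self):
        """(intent, capability) coordinate on the box after modifiers."""
        clamp = lambda v: max(0, min(MAX_SCORE, v))
        return clamp(self.intent + self.willingness), clamp(self.capability + self.novelty)

def rank(assessments):
    """One row per actor: its highest-placed attack category, top first."""
    best = {}
    for a in assessments:
        x, y = a.point()
        key = (x + y, min(x, y))  # assumed rule; tie-break favours both axes
        if a.actor not in best or key > best[a.actor][0]:
            best[a.actor] = (key, a.category, (x, y))
    rows = sorted(best.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(actor, cat, pt) for actor, (_, cat, pt) in rows]

# Constructed sample data: actor names and scores are illustrative only.
SAMPLE = [
    Assessment("Actor A", "espionage", 3, 0, 4, 1),
    Assessment("Actor A", "destructive", 3, 0, 2, 0),
    Assessment("Actor B", "espionage", 4, -2, 5, 1),
    Assessment("Actor C", "cyber-crime", 4, 0, 3, -1),
]

if __name__ == "__main__":
    for actor, category, pt in rank(SAMPLE):
        print(f"{actor:8} {category:12} intent={pt[0]} capability={pt[1]}")
```

Actor B shows the Willingness modifier at work: a high raw Intent is pulled down by constraints, so the actor plots below Actor A despite the stronger Capability score.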

References and Resources

I had the privilege of discussing my research on the SANS ISC podcast — which is still an absolutely insane honor to me.

Supporting References




Andy Piazza

I enjoy writing, mentoring, and sharing knowledge. I’m klrgrz (killer grizz) on Twitter. I do stuff n things with cyber threat intel.