The threat model is one of the most basic tools IT professionals use to analyze security incidents and scenarios. It is the first stop along the security path where potential hazards can be identified and quantified.

Threat models involve judgments about which threats are important to a particular situation. An automated tool that simply lists any potential problem without assigning a probability to it is useless to the overall process. It’s like having to read through a log file in its entirety to find one anomalous event that indicates a breach.

Security analysts need a way to focus on what is relevant to the problem at hand. A threat model can point out all possible scenarios, but it also needs to focus attention on the most important factors in a security context. That focus arises from a judgment call regarding the entire security fabric.

The Threat Model Is a Judgment Call

The environment plays a significant role in the threat modeling process. If the threat model is based on the understanding that a system will be operating with certain parameters, changing those parameters usually causes unintended consequences. Second-order effects come along with any change in an assumed environment.

Threat modeling will always involve judgment. It’s how we create the needed focus, allow for the atypical situation and plan for it. But judgment calls need to be evaluated against data from the field to ensure that they are both correct and relevant.

Looking at the assumed environment of a deployed project versus current realities can help IT managers decide what needs to be reviewed and how soon the items need to be changed. Reviews also help sniff out any second-order effects from environmental change, or perhaps even stop them in their tracks.

That’s what happened in 2016 — the environment changed. Today, cybercriminals primarily use ransomware and Trojans instead of poisoned email attachments to advance their malicious goals. There are more internet-connected devices than ever controlling mundane but necessary industrial things. Cybercriminals can hijack something as simple as your home thermostat or security camera to take down an entire country’s internet service. These days, things are working together in funny ways.

A Game of Phone Tag

An episode of “60 Minutes” described how German researchers were able to connect to a U.S. congressman’s phone by hijacking the telephone switching system. Although he vowed to hold congressional hearings on the matter, he eventually realized that security standards had changed since the telephone system was installed. The threat model at the time assumed that if you could connect, you were cleared from a security standpoint. The connections to the switching network were deemed outside the sphere of influence.

In threat model parlance, the switching network had a dashed trust boundary around its perimeter. Things functioned at the same privilege level within that dashed line box, but anything outside it was beyond the ken.

Obviously, the designers had totally different assumptions about networks and how they functioned at that time. What the congressman experienced was not a vulnerability in the telephone network, but a design decision made for that network that affected security.

Blowing the Whistle on SS7

Signaling System 7 (SS7) was designed to keep the control frequencies of the telephone switch from being carried along with the voice data. Computer programmer John Draper figured out that he could take control of a telephone line by blowing a whistle that he found in a cereal box at 2600 Hz, because the switching system in use before SS7 carried its control tones in the same channel as the voice.

Once the line was commandeered, the voice data could be redirected to a new destination without tripping any billing notifications. Billing was determined when the “local” call was initially placed. This meant that a local call could be turned into a long-distance call while still being billed as local.

The threat model used for SS7 ensured that the switching control channels were not present along with the voice data. That model became obsolete as time went on and network connection methods changed. This obsolescence can be the fate of any extant threat model, which eventually may not reflect the realities of a current situation and who the threat actors truly are.
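The design difference the two paragraphs above describe, as an added example that is not part of the original article: a switch whose supervision rides in-band treats any 2600 Hz energy on the voice path as a control signal (the voice path sits inside its trust boundary), while an out-of-band design only listens to a separate signaling channel. The Goertzel detector, the 8 kHz sample rate and the threshold are assumptions for the simulation; the "speech" is a constructed two-tone stand-in.

```python
import math

SAMPLE_RATE = 8000        # telephone-grade audio (assumed for the simulation)
SUPERVISORY_HZ = 2600     # the single-frequency supervisory tone of pre-SS7 trunks

def tone(freq, seconds, amp=0.5):
    """Synthesize a pure sine tone (constructed test signal)."""
    n = int(SAMPLE_RATE * seconds)
    return [amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]

def mix(*signals):
    """Sum several signals sample-by-sample, as they would add on one voice path."""
    n = max(map(len, signals))
    return [sum(s[i] for s in signals if i < len(s)) for i in range(n)]

def goertzel_power(samples, freq):
    """Normalized power of `freq` in `samples` (Goertzel algorithm, single bin).
    For a pure sine of amplitude A exactly on a bin this returns about A*A/4."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)          # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def inband_switch_sees_onhook(voice_path, threshold=0.01):
    """Pre-SS7 design: supervision shares the voice channel, so whatever the switch
    hears at 2600 Hz, from either end of the call, is taken as a control signal."""
    return goertzel_power(voice_path, SUPERVISORY_HZ) > threshold

def outofband_switch_sees_onhook(voice_path, signaling_channel):
    """SS7-style design: the voice path is ignored for supervision; only the
    separate signaling channel (here a constructed dict) can change call state."""
    return bool(signaling_channel.get("on_hook", False))

# Constructed stand-in for speech: two low tones, 0.1 s at 8 kHz (800 samples, all on-bin).
SPEECH = mix(tone(300, 0.1, 0.3), tone(1000, 0.1, 0.3))
```

Feeding `mix(SPEECH, tone(2600, 0.1))` to both functions shows the in-band switch changing state while the out-of-band one does not.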

2017: The Year of Metadata

The threat models of 2017 will bring metadata into sharper focus. Many routine computer connections can generate a lot of metadata that is then sent in the clear and easily harvestable by those who can listen.

Let’s say that, for some reason, you’re using client-side certificates. You may even be doing so to enhance security, but client certificates are exchanged before the Transport Layer Security (TLS) connection becomes encrypted. If it’s a server-to-server connection, that may be acceptable. But it won’t work for normal clients, because the metadata is so easily traceable, and only recently has its full potential entered into security decisions. That changed the threat model for these environments.
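What a passive listener can read from that exchange, as an added example that is not from the original article: a minimal TLS record-layer parser that pulls every certificate out of plaintext Handshake records. It goes one step beyond the paragraph by contrasting a TLS 1.2-style flight, where the client's Certificate message travels in a cleartext record, with a TLS 1.3-style flight, where the same message is wrapped in an encrypted record and yields nothing. The certificate bytes and the ciphertext are constructed stand-ins, not real DER or real AEAD output.

```python
import struct

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17   # TLS record content types
CERTIFICATE = 11                           # HandshakeType "certificate"

def tls_records(stream: bytes):
    """Split a raw byte stream into (content_type, version, payload) records."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        yield ctype, ver, payload
        pos += 5 + length
def handshake_messages(payload: bytes):
    """Yield (msg_type, body) from a plaintext Handshake record (1-byte type, 3-byte length)."""
    pos = 0
    while pos + 4 <= len(payload):
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        yield payload[pos], payload[pos + 4:pos + 4 + length]
        pos += 4 + length
def certificates_in(body: bytes):
    """Certificate body: 3-byte total length, then 3-byte-length-prefixed DER entries."""
    total, pos, certs = int.from_bytes(body[:3], "big"), 3, []
    while pos < 3 + total:
        n = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs

def visible_client_certs(stream: bytes):
    """Every certificate a passive listener can read from the client's handshake flight."""
    found = []
    for ctype, _ver, payload in tls_records(stream):
        if ctype != HANDSHAKE:
            continue                       # encrypted records: nothing readable here
        for msg_type, body in handshake_messages(payload):
            if msg_type == CERTIFICATE:
                found.extend(certificates_in(body))
    return found

# Constructed sample input: a stand-in for a client certificate, NOT real DER.
FAKE_CERT = b"\x30\x82CONSTRUCTED CN=alice@example.test O=ExampleCorp"
def certificate_message(certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body
def tls12_client_flight():                 # TLS 1.2: Certificate goes out in a plaintext record
    msg = certificate_message([FAKE_CERT])
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg
def tls13_client_flight():                 # TLS 1.3: same message, but inside an encrypted record
    ciphertext = bytes(len(certificate_message([FAKE_CERT])) + 17)  # opaque stand-in for AEAD output
    return struct.pack("!BHH", APPLICATION_DATA, 0x0303, len(ciphertext)) + ciphertext
```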

The new threat models of 2017 will need to be flexible. Otherwise, they run the risk of not representing the right threats.
