Proactive cybersecurity: unlocking the potential of threat modelling

Cyber threat modelling, when used effectively, is another weapon in an organisation’s arsenal in the fight against cybercrime.

30 October 2024

The term “cyber threat modelling” is applied to the techniques and processes used to model and analyse technology systems and services to better understand how they might be attacked or fail, and the measures or controls needed to manage that risk. Threat modelling aims to put an organisation’s cyber protection strategy on the front foot, to identify vulnerabilities and anticipate threats before they occur.

Sam Husari, Executive Manager of Cyber Threat Intelligence at CommBank, defines it as identifying, assessing and prioritising potential threats against the organisation.

“We use threat modelling to shape our priorities and use our intelligence to predict how an adversary or threat actor might attempt to attack or exploit our environment.” - Sam Husari, Executive Manager of Cyber Threat Intelligence at CommBank

“It identifies threats, helps with risk mitigation and prioritises controls and efforts to help enable a proactive cyber defence,” he says.

Jayden Cooke, a Technical Director at the Australian Signals Directorate’s Australian Cyber Security Centre, says cyber threat modelling ideally begins when an IT system is being designed and built, but can also be effectively used on existing systems.

The cyber threat modelling process has four stages, expressed as questions:

  1. What assets and systems do we have and what is most important to us? How are we prioritising their protection?
  2. Where are the vulnerabilities in our systems and processes that expose us to the greatest risk?
  3. What decisive actions must we take to strengthen our defences and mitigate these risks?
  4. How confident are we that our current security measures are effectively safeguarding our most vital assets from evolving threats?

Stage 1: What assets and systems do we have and what is most important?

The first question — what assets and systems do we have and what is most important to us? How are we prioritising their protection? — is about looking at the context of the system in the business, how it is meant to operate and who will be using it. It also considers the technical components and different elements working together, as well as how it will be operated — for example, will it be put in a data centre and forgotten about, or is it a system that will continue to be developed throughout its lifecycle?

Cooke says it’s important that cyber threat modelling looks beyond the technical aspects of cybersecurity, such as protection and detection tools, and takes account of the human element — how people will interact with the system.

The modelling should incorporate how the system relates to the organisation’s business plan, because this determines how it will be used, where the data will flow through the system and the sorts of people who will be using it.

“A good example is something like a human resources system,” says Cooke. “Understanding the types of people who are using it will help us understand how certain weaknesses could be taken advantage of where people have certain patterns of behaviour.”

Stage 2: What are the vulnerabilities in our systems and processes?

During the second step — identifying the vulnerabilities in systems and processes that expose the organisation to the greatest risk — it is important to assess the criticality of our assets from the viewpoints of a range of stakeholders.

“This is where business analysts and others who understand how the system operates are really useful,” says Cooke. “It’s where we identify potential weaknesses in the system and the types of actors who are expected to target the system. Do we exist in a certain type of business that is more prone to attacks from certain types of threat actors over others?”

Stage 3: What actions must we take to mitigate risks?

Once identified, the threats and vulnerabilities are prioritised before moving on to the next step — what decisive actions must we take to strengthen our defences and mitigate these risks?

Organisations can draw on several recognised security frameworks to help address these risks with technical solutions, but as Cooke points out, all mitigation efforts should also cover the human element and the processes for using an IT system.

“If we don't define a process well enough to help mitigate a potential weakness, then a human might still do the wrong thing or be forced to take the wrong path down a system interaction, which can also introduce weaknesses,” he says. “The controls we put in place to mitigate that could be technical or they could be process-driven. It could be improving that process itself.”

Stage 4: How confident are we in our current security measures?

The final step is about ensuring confidence that an organisation’s current security measures are effectively safeguarding its most vital assets from evolving threats. For instance, are risk mitigation controls performing in the way the business needs, or have new vulnerabilities been introduced?

How CommBank uses cyber threat modelling

Cyber threat modelling at CommBank plays a significant role in understanding the vulnerability and threat landscape, which helps the Group address cyber risk. It also involves collecting intelligence on threats that have occurred outside the bank. Husari’s team assesses those security threats and incidents, then works to ensure the same attacks don’t occur within CommBank.

“Our priority intelligence requirements (PIRs) refer to the crucial information necessary for our stakeholders to make intelligence-led decisions, meeting primary goals and evaluating possible risks to the Group,” says Husari.

“When we've assessed an event, our team will gather the technical, tactical and strategic data, and process it in various ways to ensure our stakeholders receive our intel in a relevant and timely manner to action the intelligence we’ve provided.

“Once our tactical intel is utilised, it will automatically be sent to our detection mechanisms — so each asset is then protected against what has occurred externally that may affect the Group.”

The team also forecasts specific types of threats — for instance, an increase in ransomware threats — and examines why they are occurring. This helps with prioritising controls, highlighting risks and supporting executive decisions by allowing them to factor in trends in the cyber threat landscape.

Husari works closely with stakeholders in other parts of the bank to evaluate their key IT assets and priorities, and assess what sort of intelligence they require. His team also monitors the dark web to see if there is any concerning information or data for sale that could introduce a security vulnerability or indicate a breach, such as customer or staff credentials, NetBank credentials or credit card numbers.

Incorporating cyber threat modelling into your business strategy is crucial for proactively addressing vulnerabilities, mitigating risks, and enhancing resilience against evolving cyber threats. To learn more about strengthening your business's cyber resilience and the role of threat modelling, visit commbank.com.au/business/security.
