Abstract

To prioritize the limited resources available to protect against, detect, and respond to cybersecurity attacks, organizations must follow a risk management approach to select commensurate protections (cybersecurity capabilities). Risk management practice necessitates a proper framing of risk, which requires a 'set of triplets' to exist – a scenario (in which a threat exploits a vulnerability), the likelihood (or, more precisely, the uncertainty) of the scenario taking place, and the impact of the scenario taking place. While the other elements of the risk triplet are relatively easy to assess, the threat factor remains the most elusive. Traditional threat modeling methodologies work well on a small scale (e.g., when evaluating targets such as a single data field, a software application, or an information system component), but they do not allow for comprehensive evaluation of an entire enterprise architecture to identify gaps (blind spots) where cybersecurity protections do not exist and where future investments are needed. They also do not enumerate and consider all threats that are actually observed in the wild. This paper proposes a decision-making framework for selecting cybersecurity architectural capability portfolios that maximize protections against known cybersecurity threats using a new threat modeling approach: a cybersecurity architecture review. This new threat modeling methodology allows organizations to look at their cybersecurity protections from the standpoint of an adversary and allows them to evaluate entire cybersecurity architectures. It uses a cyber threat framework such as MITRE ATT&CK to determine which capabilities a) detect; b) protect against; and c) help in recovery from adversarial tactics, techniques, and procedures (TTPs). The results form a matrix called a capability coverage map – a visual representation of protection coverage, gaps, and overlaps against TTPs.

To allow for prioritization, TTPs can be organized in a threat heat map – a visual representation of each threat technique's prevalence and maneuverability that can be overlaid on top of a coverage map. The paper provides a proof of concept for proposed future research to determine how commonly used cybersecurity capabilities protect against known TTPs, whether organizations use the most efficient portfolio of capabilities, whether these portfolios are selected based on the actual threat landscape or on vendor pressure, how different demographics perceive their protection coverage, and to what extent those common protections overlap.
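The coverage map and heat-map overlay described in the abstract can be reduced to a small data model: a portfolio of capabilities, each mapped to the ATT&CK techniques it detects, protects against, or helps recover from; a matrix of techniques against those three roles; and a prevalence score per technique that ranks the uncovered cells. The following Python is an added illustration written for this page, not code from the paper or its authors. The capability names, their technique mappings, and the prevalence scores are constructed for the example; the technique IDs are real ATT&CK identifiers, but their assignment to capabilities here is hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the paper). The IDs are real ATT&CK
# technique identifiers; the prevalence scores below are invented for the
# example and stand in for the "threat heat map" (higher = seen more often).
TECHNIQUES: Dict[str, str] = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}
HEAT: Dict[str, float] = {
    "T1566": 0.9, "T1059": 0.8, "T1078": 0.7,
    "T1003": 0.6, "T1021": 0.5, "T1486": 0.4,
}

# The three roles a capability can play against a technique (from the abstract).
ROLES: Tuple[str, ...] = ("detect", "protect", "recover")


@dataclass
class Capability:
    """One cybersecurity capability and the technique/role cells it covers."""
    name: str
    coverage: Dict[str, Set[str]]  # technique id -> subset of ROLES


# Hypothetical capability portfolio; the mappings are assumptions for this example.
PORTFOLIO: List[Capability] = [
    Capability("email-gateway", {"T1566": {"protect", "detect"}}),
    Capability("web-proxy", {"T1566": {"protect"}}),
    Capability("edr", {"T1059": {"detect"}, "T1003": {"detect", "protect"},
                       "T1486": {"detect"}}),
    Capability("mfa", {"T1078": {"protect"}}),
    Capability("backups", {"T1486": {"recover"}}),
]

CoverageMap = Dict[str, Dict[str, List[str]]]


def coverage_map(portfolio: List[Capability], techniques: Dict[str, str]) -> CoverageMap:
    """Build the capability coverage map: technique -> role -> covering capabilities."""
    cmap: CoverageMap = {t: {r: [] for r in ROLES} for t in techniques}
    for cap in portfolio:
        for tid, roles in cap.coverage.items():
            if tid not in cmap:
                raise ValueError(f"{cap.name} maps to unknown technique {tid}")
            for role in roles:
                if role not in ROLES:
                    raise ValueError(f"{cap.name}: unknown role {role!r} for {tid}")
                cmap[tid][role].append(cap.name)
    return cmap


def gaps(cmap: CoverageMap) -> List[str]:
    """Blind spots: techniques with no capability in any role."""
    return sorted(t for t, roles in cmap.items() if not any(roles.values()))


def overlaps(cmap: CoverageMap) -> Dict[Tuple[str, str], List[str]]:
    """Cells (technique, role) covered by two or more capabilities."""
    return {(t, r): caps for t, roles in cmap.items()
            for r, caps in roles.items() if len(caps) >= 2}


def prioritized_gaps(cmap: CoverageMap, heat: Dict[str, float]) -> List[Tuple[str, str]]:
    """Uncovered cells ranked by heat-map prevalence (highest first), then by id/role."""
    missing = [(t, r) for t, roles in cmap.items() for r, caps in roles.items() if not caps]
    return sorted(missing, key=lambda cell: (-heat.get(cell[0], 0.0), cell))


def render(cmap: CoverageMap, heat: Dict[str, float]) -> str:
    """Text rendering of the coverage map with the heat score as the leading column."""
    lines = [f"{'technique':<10}{'heat':>6}  " + "  ".join(f"{r:<24}" for r in ROLES)]
    for tid in sorted(cmap, key=lambda t: -heat.get(t, 0.0)):
        cells = "  ".join(f"{','.join(cmap[tid][r]) or '-':<24}" for r in ROLES)
        lines.append(f"{tid:<10}{heat.get(tid, 0.0):>6.2f}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    cm = coverage_map(PORTFOLIO, TECHNIQUES)
    print(render(cm, HEAT))
    print("full gaps:", gaps(cm))
    print("overlaps:", overlaps(cm))
    print("top uncovered cells:", prioritized_gaps(cm, HEAT)[:3])
```

With the constructed portfolio, T1021 has no coverage in any role and is the one true blind spot, T1566 "protect" is covered twice (a candidate overlap to question when budgeting), and the ranking puts the missing recovery capability for the most prevalent technique at the top of the investment list rather than the full gap on a lower-prevalence technique.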
Bokan et al. studied this question.