Practical Threat Modeling: Think Like a Criminal

Level: Intermediate

Stop Using STRIDE for Red Teaming

If I see one more "Red Team Threat Model" that lists "Spoofing, Tampering, Repudiation..." I'm going to scream.

STRIDE is a fantastic model for software developers building a feature. It is terrible for Red Teamers planning a campaign. A real adversary doesn't wake up and say, "Today I feel like performing a Repudiation attack."

They say, "I want to steal the credit card database," or "I want to encrypt their file servers and demand 50 BTC."

Practical Red Team threat modeling is Objective-Based and Asset-Centric. It tells a story. If your threat model doesn't look like a heist movie plot, you're doing it wrong.

Step 1: Identify the "Crown Jewels"

We start at the end. What would kill the company? What matters most?

Too often, security teams focus on "protecting endpoints." Endpoints are disposable. Data is not.

Examples of Crown Jewels: * The SWIFT Terminal: For a bank, this is the endgame. Direct money transfer. * The Build Pipeline: For a SaaS company (like SolarWinds). If I control your build server, I control your customers. * The "God Mode" Dashboard: That internal admin panel your support team uses to reset user 2FA. * The CEO's Email Archive: High value for blackmail or espionage.

Action: Go to the business leaders (not just IT). Ask them: "What is the one thing that, if it appeared on the news tomorrow, would make you resign?" That's your target.

Step 2: Choose Your Adversary (Persona)

Not all attackers are created equal. You need to model a specific threat profile, because their TTPs (Tactics, Techniques, and Procedures) differ wildly.

The "Smash and Grab" (Ransomware Gang)

  • Goal: Disruption and Extortion.
  • Techniques: Phishing, buying access from Initial Access Brokers (IABs), loud scanning, using "Cobalt Strike" or "Sliver", deploying mass encryption.
  • Stealth Level: Low. They want you to know they are there (eventually).

The "Silent Professional" (APT / State Actor)

  • Goal: Espionage / IP Theft.
  • Techniques: Zero-days (rarely, but possible), Living off the Land (LotL), modifying firmware, stealing tokens.
  • Stealth Level: Extreme. They will sit in your network for 200 days before you notice.

The "Insider Threat" (Disgruntled Steve from HR)

  • Goal: Sabotage or Data Leak.
  • Techniques: Abuse of legitimate access, copying files to USB/Google Drive.
  • Stealth Level: High (because they belong there).

Why this matters: If you model a Ransomware actor but you act like an APT (never making noise), you aren't testing the SOC's ability to respond to a ransomware outbreak. You must emulate the persona.

Step 3: Map the Attack Path (Graph Thinking)

Attackers think in graphs. Defenders think in lists.

A defender looks at a list of servers: Server A (Patched), Server B (Unpatched). An attacker looks at the relationships: Server A has a scheduled task running as svc_backup. svc_backup is a Domain Admin. I can compromise Server A (even if patched) via a weak folder permission, escalate to svc_backup, and own the domain.

Use tools like BloodHound. It is the single most accurate representation of an Active Directory attack surface.

The Narrative Path: 1. Recon: Attacker finds LinkedIn profile of a Junior DevOps Engineer. 2. Initial Access: Phishing email with a malicious .html attachment (HTML Smuggling). 3. Execution: Engineer opens file, browser runs JS, drops ISO, mounts, user clicks LNK. Beacon connected. 4. Local PrivEsc: Engineer has local admin (of course they do). Dump LSASS. 5. Discovery: Find unattend.xml with local admin password reused on other servers. 6. Lateral Movement: Pivot to the Jenkins Build Server. 7. Action on Objectives: Inject malicious code into the next release.

Step 4: Define Success Criteria (The "Go/No-Go")

A threat model must define the rules of the game.

  • Boundary: Are we allowed to touch the production DB, or just prove valid access? (Usually the latter).
  • White Cards: If phishing fails after 3 days, do we "assume breach" and get a laptop to continue the test? (Yes, otherwise the test ends and you learn nothing about the internal network).
  • Safety: What happens if we crash a server? Who do we call?

Putting It Into Practice: The Tabletop Exercise (TTX)

Before you launch a single packet, sit down with the senior engineers and walk through the model.

"If I land on the VPN concentrator and dump memory, would you see it?"

If they say "No," you just found a gap without writing an exploit. If they say "Yes," ask "How? Show me the alert logic."

This is Threat Modeling. It's not drawing data flow diagrams. It's simulating the chess game before the first pawn moves. It turns security from a "compliance checkbox" into a strategic defense architecture.