To improve your (threat) modeling career, you need a better (threat) agent (library)! Threat modeling is a process for capturing, organizing, and analyzing the security of a system based on the perspective of a threat agent. Threat modeling enables informed decision-making about application security risk. In addition to producing a model, typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation. In 2009, OWASP posted wiki pages on threat modeling. Although there was the start of a section on threat agents, it has yet to be completed. Intel developed a unique standardized threat agent library (TAL) that provides a consistent, up-to-date reference describing the human agents (AKA; threat actors) that pose threats to IT systems and other information assets. Instead of picking threat agents based on vendor recommendations and space requirements in Powerpoint, the TAL produces a repeatable, yet flexible enough for a range of risk assessment uses. We will cover both the TAL, the Threat Agent Risk Assessment (TARA), how they can be used to improve threat modeling. Speaker Eric Jernigan Information Security Architect, Umpqua Bank

1. Portland OWASP Chapter Meet
Add TAL, improve a threat model!
Welcome:

2. …Or as we used to
be called, simply:
Our mission was different back then.

3. A little more about me…
• Served as the NCOIC for Counter Intelligence, Psychological
Operations, and Operation Security and network warfare for an
Air Force Information Warfare Flight
Information Security Architect Umpqua Bank
• Risk Assessments
• Project Engagement Security Support
• Security Awareness
Previous:
• Information Security Manager: Portland Community College
• Network Warfare Operations / Influence Operations NCOIC:
Air Force
• Intelligence Detachment Section Leader: Army National
Guard
Eric Jernigan MSIA, CISSP, CISM, CRISC
Actual me

4. TONIGHT LETS GET BETTER AT…

5. Modeling!

6. Umm, Threat Modeling

7. Questions
• Do you do application risk assessments?
• Do you use threat modeling?
• Are you familiar with OWASP’s Threat
Agent content?
• Do you use a taxonomy of threat actors?
• Why? Why Not?

8. Look familiar
OWASP Threat Modeling

9. Threat Agent
Threat Agent = Capabilities + Intentions + Past Activities

10. Intel Threat Agent Library
Timothy Casey, Intel Corporation
• Threat Agent Library Helps Identify Information Security Risks
• Prioritizing Information Security Risks with Threat Agent Risk Assessment

11. What the TAL?
• TAL identifies 22 threat agent archetypes, such
as disgruntled employee, competitor, and
organized crime
• Provides consistent, reference describing the
human threat actors that pose threats to IT
systems and other information assets
• Use it as a stand-alone tool or as part of other
standard risk assessment methodologies

12. Threat Agent Archetypes

13. • Build upon OWASP’s threat agent materials
• Increase the accuracy of your threat models
• Use alone or in conjunction with other
methodologies
• Build threat based risk assessments
• Use the output to feed into risk assessments
• Integrate into Threat Intelligence
Why the Threat Agent Library?

14. Vulnerability Part of the information security infrastructure that could represent a
weakness to attack in the absence of a control.
Threat Agent Person who originates attacks, either with malice or by accident,
taking advantage of vulnerabilities to create loss.
Threat Actor An individual or group that can manifest a threat.
Motivation Internal reason a threat agent wants to attack. Objective What the
threat agent hopes to accomplish by the attack.
Method Process by which a threat agent attempts to exploit a vulnerability to
achieve an objective.
Attack Action of a threat agent to exploit a vulnerability.
Control Tools, processes, and measures put in place to reduce the risk of loss
due to a vulnerability.
Exposure Vulnerability without a control.
Operating Terms

15. TAL Agent Attributes
Pronounced: “Tal”
not “Towel…”

16. Internal Agent has internal access.
External Agent has only external access.
Access
Access This defines the extent of the agent’s access to the company’s
assets.

17. Acquisition/
Theft
Illicit acquisition of valuable assets for resale or extortion in a way
that preserves the assets’ integrity but may incidentally damage
other items in the process
Business
Advantage
Increased ability to compete in a market with a given set of products.
The goal is to acquire business processes or assets.
Damage Injury to Intel personnel, physical or electronic assets, or intellectual
property
Embarrassment Public portrayal of Intel in an unflattering light, causing Intel to lose
influence, credibility, competitiveness, or stock value
Technical
Advantage
Illicit improvement of a specific product or production capability. The
primary target is to acquire production processes or assets rather
than a business process
Outcome (Objective)
The agent’s primary goal— what the agent hopes to accomplish with a typical
attack. Also consider: Information Operations Effects

18. Code of
Conduct
Agents typically follow both the law and a code of
conduct accepted within a profession. Example: an
auditor
Legal Agents act within the limits of applicable laws. Example:
Legal Adversary
Extra-legal,
minor
Agents may break the law in relatively minor, non-
violent ways, such as minor vandalism or trespass.
Example: Activist
Extra-legal,
major
Agents take no account of the law and may engage in
felonious behavior resulting in significant impact or
extreme violence. Example: organized crime
Limits
The legal and ethical limits to which the agent may be prepared to
break the law.

19. Individual Resources limited to the average individual; agent acts independently.
Minimum skill level: None
Club Members interact on a social and volunteer basis, often with little personal
interest in the specific target. Group persists long term. Minimum skill
level: Minimal
Contest A short-lived and perhaps anonymous interaction that concludes when the
participants have achieved a single goal. Minimum skill level: Minimal
Operational Team: A formally organized group with a leader, typically motivated by a
specific goal and organized around that goal. Group persists long term and
typically operates within a single region. Minimum skill level: Operational.
Organization Larger and better resourced than a Team. Usually operates in multiple
geographies and persists long term. Minimum skill level: Adept.
Government Controls public assets and functions within a jurisdiction; very well
resourced and persists long term. Minimum skill level: Adept.
Resource Level
The organizational level at which determines the resources available
to that agent for use in an attack. Linked to the Skill Level attribute

20. None Has average intelligence and ability and can easily carry
out random acts of disruption or destruction, but has no
expertise or training in the specific methods necessary
for a targeted attack.
Minimal Can copy and use existing techniques. Example:
Untrained Employee.
Operational Understands underlying technology or methods and can
create new attacks within a narrow domain.
Adept Expert in technology and attack methods, and can both
apply existing attacks and create new ones to greatest
advantage
Skill Level
The special training or expertise an agent typically possesses.

21. Copy Make a replica of the asset so the agent has
simultaneous access to it.
Destroy Destroy the asset, which becomes worthless to either
Intel or the agent.
Injure Damage the asset, which remains in Intel’s possession
but has only limited functionality or value.
Take Gain possession of the asset so that Intel has no
access to it.
Don’t Care: The agent does not have a rational plan, or may make
a choice opportunistically at the time of attack.
Obective (Intended Action)
The action that the agent intends to take in order to achieve a desired
outcome.

22. Overt The agent deliberately makes the attack and the
agent’s identity is known before or at the time of
execution
Covert The victim knows about the attack at the time it
occurs, or soon after. However, the agent of the
attack intends to remain unidentified
Clandestine The agent intends to keep both the attack and his or
her identity secret
Visibility
The extent to which the agent intends to conceal or reveal his or
her identity.

23. Intel’s TAL matrix. Next, lets look at TARA.

24. TARA!
Sorry, wrong
TARA…

25. Intel’s TARA
• Build’s upon the TAL
• Identifies the most
likely attack vectors to
support secure
development
• Pinpoint the
information security
areas of greatest
concern
• Stand alone threat
centric methodology

26. 1. Measure current threat agent risks
2. Distinguish threat agents that exceed baseline
acceptable risks.
3. Derive primary intent of those threat agents.
4. Assess capabilities likely to manifest.
5. Assess Operational Constraints.
6. Align strategy to target the most significant
exposures.
TARA Process

28. Call to action
• OWASP Threat Agent Page out of date
• Updates needed to both home page and
template
• Most sub categories are empty
Proposal:
• Nix Force Majeure (Natural: Flood, fire, etc.
unless secure code is affected by it…)
• Implement TAL into OWASP Threat Actor
Page/articles

29. While you napped… (summary)
• Don’t let vendors and news broadcasters
determine who is your top threat actors are
• Build upon OWASP’s threat agent materials
• Increase the accuracy of your threat models
• Pinpoint the information security areas of
greatest concern
• Use the output to feed into risk assessments
• Proposal: Implement TAL into OWASP Threat
Actor Page/articles

30. You Need the
Right Agent to
Improve Your
Modeling
Career…

31. Resources
OWASP –Threat Agents
• Category: Threat Agent
https://www.owasp.org/index.php/Category:Threat_Agent
• Application Threat Modeling
https://www.owasp.org/index.php/Application_Threat_Modeling
Intel TAL and TARA
• Threat Agent Library Helps Identify Information Security Risks
https://communities.intel.com/servlet/JiveServlet/downloadBody/1151-102-1-
1111/Threat%20Agent%20Library_07-2202w.pdf
• Prioritizing Information Security Risks with Threat Agent Risk Assessment
http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessme
nt.pdf

32. Questions?

33. Image Credits
All images in this presentation were found on public facing websites.
The presenter believes such use constitutes a 'fair use' of copyrighted
material as provided in Section 107 of the US Copyright Law. In
accordance with Title 17 U.S.C. Section 107, the material in the
presentation is provided without profit to those who have expressed a
prior interest in receiving the included information for research and
educational purposes. For further information on fair use, go
to: http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_0
0000107----000-.html.
Please do not reprint any photos. If you wish to use copyrighted
material from the presentation for purposes of your own that go
beyond fair use, you must obtain permission from the copyright owner.