Threat Modeling for Penetration Testers

Threat modeling is a term thrown around in a lot of different contexts, and it can sound daunting if you're unfamiliar with it in practice. It really just refers to identifying which threats an organization, a target network, or an in-scope application should be worried about. For penetration testers, you are modeling (mapping out) the threats (things that can attack or harm the target) in a way that informs the activities conducted during a penetration test and the risk rankings given to discovered vulnerabilities. Organizations and blue teams then need to take this a step further by applying countermeasures and mitigating controls to address the dangers in their threat model. Wikipedia sums it up in three questions that make a lot of sense:

  • Where am I most vulnerable to attack?
  • What are the most relevant threats?
  • What do I need to do to safeguard against these threats?

This process can be a mental check done by a penetration testing team during the initial stages of an assessment, or it can be a formal, documented process that an organization maintains and uses to make risk-informed decisions. Regardless of the maturity of the process, it is extremely important that it's done. It provides context for the vulnerabilities found and the exploits performed as part of a penetration test, and it adds realism when communicating results to stakeholders.

Penetration testing in general should be a goal-oriented activity. This is not to say a penetration test has the single goal of gaining access to an organization's network or its sensitive data and then stopping. Rather, penetration testing should seek to meet the client's goals for the test. One of these goals for any assessment is usually, "To improve the target's organizational security posture and identify any risks associated with the in-scope targets." This means identifying all possible vulnerabilities during a time-limited engagement and exploiting them to contextualize their associated risk, rather than finding a single path of entry as in a "capture-the-flag" exercise. Before risk can be accurately evaluated, however, the threats to the target network, application, or organization have to be understood, which is where threat modeling comes in.

The goal of a penetration tester is to emulate an attacker in order to gauge the realistic risk to a target, so identifying and understanding the threats a target faces should inform the rest of the testing process. Hopefully, with this in mind, you have a better idea of what threat modeling entails at a high level. It is a process baked into every one of our assessments, and it's probably something most organizations are already doing internally without realizing it. If you have more questions about the threat modeling process or how it fits into a penetration test, please reach out; we'd love to discuss!