Threat Scenario Development

** Summary **

This module gives students the requisite framework to create threat scenarios to communicate risks facing their partner organizations. Threat scenarios help illuminate elements of organizations’ context that put them at risk, and provide more tangible description of threats we seek to prevent (as opposed to a more generic description that often appears in a threat map or model).

** Learning Objectives **

  • Understand how to use scenarios to develop and communicate threats.

  • Understand and demonstrate what makes a “good” threat scenario.

  • Learn the limitations of threat scenarios.

** Pre-Readings **

  • See Course Readings for "Threat Scenario Development"

** Activities **

Combining risks and context.

Describe the following scenario to your students:

Your partner works with an at-risk population providing a sensitive service. They want to conduct a survey of their community of interest to determine how to improve the service they provide. Where do you start in your assessment? (For example, do you want to know the operating system of all of their phones? Do you need to know what email client they’re using?)

Next, describe the following two contexts:

What if...

  • The partner provides reproductive health services to women in rural Texas?

  • The partner provides information about troop/militant movements to journalists in Myanmar?

How are these situations different? How are they the same? What are the most urgent things you need to know?

** Discussion **

Remember that risk is not just a factor of likelihood and impact. A holistic approach also includes consideration of urgency (availability, dependencies), requirements (legal, contractual), and incentives (funding, opportunities) of the context.

Comparing our answers from the activity, how can we check whether we are focused on “the right risks?”

How can we communicate to others that the threats considered are impactful and feasible?

** Input **

Without an understanding of the details of how and when a threat may be realized, it can be difficult to determine and communicate why various threats matter to an organization.

While personas help describe:

  • The Who (description),

  • The Why (motivation/goals), and

  • The What (resources/capabilities) for an adversary,

Threat Scenarios help describe:

  • The How (tactics/playbook),

  • The When (conditions) of an attack against your partner organization, and

  • The Why it matters.

Scenarios help illuminate elements of organizations’ context that put them at risk, and provide more tangible description of threats we seek to prevent (as opposed to a more generic description that often appears in a threat map or model).

Good scenarios have a few key characteristics:

  • They are simple - involving a limited number of actors and devices

  • They are likely - the attack involved is not particularly exotic or well outside the expected attack vectors of an organization

  • They are meaningful - the results of the scenario have significant impact on the organization or individuals affiliated with it

A good scenario describes a few consistent elements - threat actors, threat vectors, and the potential impact of an exploited system or vulnerability. The scenario should be described in a narrative format, and be no longer than a paragraph. A few examples are below:

Border Security

Government orders border security agents to confiscate [ORGANIZATION] employees’ devices when they cross border security. [ORGANIZATION] called for investigations into [GOVERNMENT ENTITY]’s allegations that it had never used malware against activists. The [GOVERNMENT ENTITY] is concerned about [ORGANIZATION]’s litigation and public calls for action and want to disrupt [ORGANIZATION]’s operations and silence its employees. These government bodies have ordered border security agents to look out for [ORGANIZATION] employees when they leave or return to [COUNTRY OF ORIGIN] and search or confiscate their devices on the pretext that they pose a threat. [RECOMMENDED MITIGATION].

Account Compromise

Elizabeth is a well-known activist in [COUNTRY] who uses Facebook and Facebook Messenger to communicate with others and defend their community against oil exploitation. They often use Facebook to create public posts and organize community meetings and protests. One day, Elizabeth tries to log into their Facebook account and receives a notification that their password is incorrect. They try to change their password but discover that their recovery email address has been changed as well. Elizabeth’s family and friends are sent offensive messages from their hijacked account, and public posts defaming their character are created by their impersonator. After this incident, Elizabeth is no longer able to continue their activism work and loses the trust they have built through their online presence. [RECOMMENDED MITIGATION].

These scenarios tell a story and allow us to explore the potential actions of a threat actor, and examine how different controls might (or might not) make a meaningful difference.

** Deepening **

Each student or student team should create two to three threat scenarios (no more than a paragraph each) that help us imagine a specific incident that could take place in an organization's systems, or in systems closely affiliated to the organization or its staff, partners, or community.

Each group will share the “highest priority” threat scenario they have developed for class discussion.

** Synthesis **

Revisit the purpose for threat scenarios:

What do scenarios and personas demonstrate to our client? How are we advocating here?

Why can’t we just use scenarios then? Why not just skip threat modeling/mapping, etc.?

** Assignments **

Threat Scenarios. Continue to refine and develop the partner threat scenarios.

Last updated