One Thing To Do Today: Threat Model Part 2, Who is the threat anyway?
In the early 2000’s I marked some time as a Usability and Human Factors Professional, drawing on the neglected novelist within to create User Personas. For those who haven’t had to go through the process of usability testing, it’s essentially D&D for MarCom types. Images from movies, stock photos or even basic news media don’t come close to helping create accurate personas for threat actors. Indulging in a bad mental image leads to bad policies. Again, a 10-15 minute free write on who’s scary will be useful, but before creating full profiles, temper the negative fantasies with a touch of realism.
UPDATE 2016/12/12: Excellent article on threat actors from a real infosec pro, Lesley Carhart
Follow the money
Keep in mind that the “hackers” presenting the biggest threat to average computer users largely want the money. They may live in a world with very few opportunities for advancement, in areas with corruption and inequality. They might work in a call center, a cog in a bigger machine. They may be surprised or even annoyed by the fact it was so easy. The good news: this type of hacker casts a large net and won’t spend a lot of energy on the ones that get away.
Hackers after money will target companies holding information about individuals as well. In this case the persona shouldn’t be for the hacker but for the business owner who just doesn’t give a sh*t about your data security. If it doesn’t show up on the balance sheet, it doesn’t matter. Companies that don’t fix security flaws represent a major threat.
Don’t tread on me
Bureaucrats with a bad commute exist in every country now. This threat is much harder to unpack. Government actors can fall into so many categories: the casuals just dragnetting whatever they can; those on a misguided mission; an official on a lunch break spying on a lover, or a wife beater looking for their spouse. Targeted surveillance creates a nightmare, but, good news, it’s expensive. The point of creating government agent personas will be to model where the assets you care about really fall compared to budget concerns. I have Cybersecurity and Cyberwar: What Everyone Needs to Know on my wishlist to help clarify my own thinking on this process.
My right to vote, and have that vote actually count, lives pretty damn high on my “asset” list. Election tampering of many types presents an existential threat to values I hold dear. Understanding who in the world might want what will inform my participation in conversations with my elected officials and what policies I advocate for online.
Whose pawn are you?
I’m unclear on where to file the botnet creators. Some botnets are for hire. Some seem to be part of cyberwar plans. I’m going to create a persona for someone who just wants to take over as much of my computing power as possible without me noticing. So while they aren’t attacking me, per se, I give a damn because they use my stuff to attack the infrastructure of the internet, which I hold dear. I’ll admit I’m tempted to make that persona the botnet itself, since World Cyberwar I will be the clash of the AIs.
Mind the trolls.
There exist people on the internet who would simply prefer that reasonable people stay silent. Make a profile for someone who’d rather you didn’t have a voice.
Clever monkeys with a Pringles can.
Who’s not high on my list to make a persona for? Some clever monkey with a Pringles can. I love that stuff. It’s great to be aware of. Security researchers who engage in public exploits are the opposite of a problem. It’s a wonderful thing to want to understand the world. Giant retailer Target presents a bigger threat. Put security fears in context (PDF).
Finally, a glass of wine with friends.
Creating full-on personas takes more than one day and can be helped along by a bottle of wine and a group of friends. Build the backstories for the Nigerian teenager who just doesn’t want to die, a middle-aged career bureaucrat who just wants to make it to pension day, a Silicon Valley VC who just doesn’t understand why protecting user data should be part of the exit strategy. While the means of an exploit might be technological, the motivations remain human. In the process you might just come to terms with the idea that donating to an international human rights organization might go 1000x further toward protecting your online security than downloading Signal ever will.