Over the years, many friends and prospective clients have approached me with a problem: one privacy violation or another has gone too far and they have to eradicate that one thing from their life. Ironically, the violator is usually a consideration in the latter phases of a privacy consulting project, meaning that removing it is impossible without many other changes to their lives. I will tell them this, then ask “who specifically are you trying to conceal yourself from, and what are their capabilities?” If they cannot answer this and do not have any examples which lead them to suspect malicious intent, I’ll either try to talk them down, or recommend a Vulnerability Assessment with a follow-up Threat Assessment tailored to their specific profile.
After all, there are many steps that can be taken to mitigate your threat profile, but that spectrum narrows significantly once you can decide who your threats are. If you think you need to take a more general approach without a specific threat in mind, consider a vulnerability assessment instead. This is usually the first step toward a threat assessment anyway, and will generally include steps to mitigate your exposure in fairly detailed terms.
What is a Threat Assessment
A threat assessment is often defined as the evaluation of the people or groups that could pose a threat to you, your family, organization, assets or infrastructure: how they might cause harm, as well as their ability and motivation to carry it out. Understanding the nature of a threat requires that you develop intimate knowledge of the threat’s source as well.
Listed below are some of the categories that I’ve seen in the past, in order from most to least common. While reading through these, keep in mind that it is pretty rare for someone to be high enough profile to be viewed as the end goal by the threat actor. Given this, many people may fit into one or more of the following categories as one of many steps on the road to the actor accomplishing their end objectives – which is most often the case in my experience:
- Criminal: This is a pretty broad category, but it could involve both planned and opportunistic attacks from a wide range of attack vectors; from purse snatching, smash-and-grab theft and carjacking, to organized home invasion and computer hacking.
- Issue-Motivated Group: These could cover a wide range of issues and usually drag in a lot of collateral. I’ve recently seen a surge of politically and racially motivated violence cases in the US, which has subsided a little bit, but the religiously motivated violence has remained at 2019 highs as of this writing; typically in East Coast and large Midwestern cities.
- Internal Threat: Finding these and the latter were the basis of much of my corporate compliance role. Nine times out of ten, it’s someone selling competitive bid information for profit or a future position. Lately (in the last 3 to 5 years) some of the larger business units and entities have seen insiders selling “access” to hacking groups who intend to deploy ransomware.
- Foreign Intelligence: The casual onlooker would assume that this involves only secrets of state and that no one would care about them because they are a nobody, but this category has involved commercial interests since at least World War I. It’s also no secret that China puts a large amount of effort into this – which almost makes me inclined to move this one up the list. If you find yourself at the helm (or near it) of a company being targeted, or if you have access to a system being targeted, this could be your threat category.
- Commercial: Corporate or industrial espionage, subversion, extortion – all the good stuff sponsored by your competition or a foreign government.
- Media: Lately, we’re seeing left-of-center media ‘doxx’ people or grassroots candidates whom they do not agree with. Since the violent left are in no shortage of nutjobs, this can turn ugly very quickly. Your best bet here is to proactively remove the information that the ‘journalists’ may use to attempt to find you.
- Terrorist Group: At the time of this writing (and I’m sure this will change before long), terrorism is defined as the use of violence and fear to achieve a political or ideological aim. If groups of people are trying to scare you into acting, speaking or voting a certain way, they are terrorists, plain and simple.
To put on the adversarial hat for a second: if you think that whatever it is you are doing could be considered by some to fit into one of the above categories, your adversary might be a contracted or staff OSINT Analyst like myself, law enforcement, an intelligence agency, a compliance department, etc.; but your questions are essentially the same: “who is my adversary and what are their capabilities?”
A Recent Analysis
I would guess that, largely due to my background and network (as well as their resources), the projects I see most frequently within this category of work are corporate or private security. I’ll go over security cases in another post, but to focus on the former: a recent case involved a West Coast-based private security team charged with guarding both facilities and key personnel of a major privately held company. After numerous ‘attempts’ on the end client’s person, personal property and company assets, the team lead was seeking to take a more proactive approach to their defense.
To pause for a moment: recognizing the need for threat intelligence is key to mitigating the burn rate of your security team and to assembling scenarios to train with. A purely reactive approach to your client’s defense will almost certainly lead to fatigue, a higher employee turnover rate, and worse: misinterpreting situations as they arise. I treat this as the worst-case scenario because security teams are often equipped with the means to deploy deadly force.
Back to the project: with a vulnerability assessment in hand, we sought to identify groups and individuals who sought to harm the end client and their assets. We were successful in this effort and able to establish some pretty blatant evidence (sometimes bragging online) of the intent of key individuals, which was cataloged, placed in an intelligence briefing for the security teams and ultimately used to request restraining orders and advance other legal objectives. Further, we were able to equip the security teams with an intimate understanding of the threat actors’ capabilities and tactics, thus focusing the teams’ efforts.
The specifics of the case were pretty interesting, so I may request permission to produce a more detailed post in the future.
What to Expect
As with the vulnerability assessment, a threat assessment can take many hours to complete, but this will depend on the scope defined by the client. In many of my recent cases, the end client was seeking to reduce their attack surface against a specific threat, or to produce enough evidence to file for a restraining order against the threat actor.
That said, as far as deliverables are concerned, the following are generally to be expected from a threat analysis:
- Executive summary for the analysis as a whole
- Ranked score card of threat actors and their capabilities as pertains to your vulnerabilities
- A short overview for each threat examined
- Ranked exposure, from highest to lowest
- Recommended steps for remediation
- Recommendations for outside resources, if needed
- Appendix files, such as compiled findings, the analyst’s notes, images, etc.
Remember also that the analyst is somewhat detached from the equation, which can make them more stoic on one hand, but also isolated on the other. Because of this, I usually recommend that the analyst be allowed to perform extensive interviews with the security teams and the client where possible, to gain a more detailed understanding of their concerns.