Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions

TL;DR

This paper critiques current threat modeling approaches for their unrealistic assumptions and proposes a more realistic perspective focusing on attack characteristics and attacker environment, demonstrated through a toy ICS attack model.

Contribution

It introduces a new approach to threat modeling that emphasizes attack realism by analyzing attack phases and attacker limitations, moving beyond traditional probabilistic models.

Findings

Current models often consider all attack paths, leading to unrealistic threat assessments.

A toy ICS attack model illustrates how realistic threat scenarios can be derived from attack phases.

Focusing on attack characteristics improves the relevance of threat models.

Abstract

Current threat models typically consider all possible ways an attacker can penetrate a system and assign probabilities to each path according to some metric (e.g. time-to-compromise). In this paper we discuss how this view hinders the realness of both technical (e.g. attack graphs) and strategic (e.g. game theory) approaches of current threat modeling, and propose to steer away by looking more carefully at attack characteristics and attacker environment. We use a toy threat model for ICS attacks to show how a realistic view of attack instances can emerge from a simple analysis of attack phases and attacker limitations.