Threat profiling and decomposition for red team operations
How to understand and mimic threats for effective red team engagements?
Building on the analogy mentioned in the penetration testing vs red team engagement post, I’ll explain the concepts of threat profiling and threat decomposition.
Concerned by increased break-ins, you try to identify everyone who would want to break into your house (i.e. identify the threat actors), what tools and methods they could use to break in (i.e. understand their tactics, techniques and procedures, or TTPs), and prioritize them based on how likely each is to break into your house. The process of identifying threat actors, understanding their TTPs and prioritizing them is called threat profiling.
Now, let's say that as part of profiling the threat actors, you identify a particular group that is most likely to break in (maybe a gang of local thieves, or another group that specializes in stealing high-value items). Next, you want to know whether that group can actually break into your house. You re-hire the consultant and task them with studying the group in detail, understanding their TTPs and tools, and then using those to try to break into your house. The process of understanding the TTPs and tools used by a particular threat group and creating its profile is called threat decomposition.
In the context of red team operations, the red team uses threat profiling to identify, assess and prioritize the adversary groups that are most likely to target the organization. The output of this process is a prioritized (rank-ordered) collection of relevant threats. These profiles are then used to craft realistic scenarios for red team engagements. Threat intelligence feeds play a key role in this process.
Similarly, if the red team wants to emulate or simulate a specific adversary group, they decompose that group to understand the tools and specific TTPs it uses, and create its profile. This profile is then used to emulate or simulate the adversary group. Again, threat intelligence feeds and resources like MITRE ATT&CK play a key role in this process.
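To make the two steps concrete, here is an added example (not code from the original post) that runs both over constructed threat intelligence records: profiling ranks actors by a simple relevance score against the organization, and decomposition turns the top-ranked actor into a per-tactic ATT&CK technique profile with the detection gaps the engagement should verify. The actor names, scoring weights, tool names and coverage set are invented for the example; only the ATT&CK tactic and technique IDs are real.

```python
"""Threat profiling (rank actors) and threat decomposition (TTP profile) over sample intel."""

# Constructed sample intel records: actor names, targeting and TTP sets are invented
# for this example and are not real attributions. ATT&CK IDs are genuine.
ACTORS = [
    {"name": "Sample-Actor-1", "sectors": {"finance", "retail"}, "regions": {"EU", "US"},
     "capability": 3, "tools": ["credential dumper", "commodity RAT"],
     "ttps": {"T1566": "TA0001", "T1059": "TA0002", "T1003": "TA0006", "T1021": "TA0008"}},
    {"name": "Sample-Actor-2", "sectors": {"energy", "government"}, "regions": {"APAC"},
     "capability": 5, "tools": ["custom implant"],
     "ttps": {"T1078": "TA0001", "T1071": "TA0011", "T1486": "TA0040"}},
    {"name": "Sample-Actor-3", "sectors": {"finance"}, "regions": {"US"},
     "capability": 2, "tools": ["ransomware builder"],
     "ttps": {"T1566": "TA0001", "T1486": "TA0040"}},
]
# Constructed organization: what it is, and which techniques its SOC already detects.
ORG = {"sector": "finance", "region": "EU", "detects": {"T1566", "T1059"}}

def relevance(actor, org):
    """Likelihood-style score: sector overlap (3) + region overlap (2) + capability (1-5)."""
    score = 3 if org["sector"] in actor["sectors"] else 0
    score += 2 if org["region"] in actor["regions"] else 0
    return score + actor["capability"]

def profile_threats(actors, org):
    """Threat profiling: rank-ordered (name, score) list, highest score first, ties by name."""
    ranked = sorted(actors, key=lambda a: (-relevance(a, org), a["name"]))
    return [(a["name"], relevance(a, org)) for a in ranked]

def decompose(actor, org):
    """Threat decomposition: group the actor's techniques by ATT&CK tactic, list its tools,
    and flag techniques the organization has no detection for (scenario steps to verify)."""
    by_tactic = {}
    for technique, tactic in actor["ttps"].items():
        by_tactic.setdefault(tactic, []).append(technique)
    return {
        "actor": actor["name"],
        "tools": list(actor["tools"]),
        "tactics": {t: sorted(v) for t, v in sorted(by_tactic.items())},
        "detection_gaps": sorted(set(actor["ttps"]) - org["detects"]),
    }

def top_threat_profile(actors, org):
    """End to end: profile, take the most relevant actor, decompose it."""
    top_name = profile_threats(actors, org)[0][0]
    return decompose(next(a for a in actors if a["name"] == top_name), org)

if __name__ == "__main__":
    print(profile_threats(ACTORS, ORG))
    print(top_threat_profile(ACTORS, ORG))
```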
Red Team Notes
- Threat Profiling - The process of identifying threat actors, understanding their TTPs and prioritizing.
- Threat Decomposition - The process of understanding the TTPs and tools used by a particular threat group and creating its profile.
One question that I still don't have a clear answer for is: what is the difference between threat profiling and threat modelling? Based on my understanding of the two, the following differences seem logical:
- Threat modelling is performed during the design phase, whereas threat profiling is done as part of offensive security assessments.
- The scope of threat modelling is usually a system, application or process, whereas threat profiling is performed at the organizational level. This point is debatable, though.
If you can provide more concrete differences between the two, please feel free to leave a comment.