In the realm of cybersecurity, threat modelling stands as an essential pillar of effective risk management. As Chief Information Security Officers (CISOs), we are inundated with frameworks, methodologies, and best practices that promise to fortify our organisations against an ever-evolving landscape of threats. Nevertheless, with over two decades of experience in cyber assurance, I am resolute in my belief that it is imperative to question the established norms of threat modelling. It is critical to rigorously assess whether traditional approaches to threat modelling truly align with our strategic objectives or if they have regressed into mere exercises in compliance and checkbox security.
The current threat modelling process focuses on identifying assets, enumerating threats, and mapping them to vulnerabilities. Popular frameworks such as STRIDE, PASTA, or OWASP are commonly used. However, these models often overlook real-life cyber-attacks that keep CISOs up at night, mainly focusing on easily defendable known threats. They assume a static threat landscape, neglecting adversaries’ constant innovation and the evolving cyber warfare landscape.
Traditional threat modelling is typically static and created during early system development or periodic security assessments. This doesn’t align with the dynamic nature of cyber threats. Attackers are adaptive and unpredictable, making static threat models obsolete. CISOs must use real-time threat intelligence to bridge the gap between assessments and real-time defences.
The idea that a threat model can cover all possible threats is a complete fallacy. No threat model can predict every potential threat, no matter how thorough it is. Believing in the completeness of these models can lead to a dangerous sense of complacency. To truly enhance security, we must acknowledge the limitations of threat modelling and be proactive in preparing for the unexpected, moving beyond the rigid frameworks dominating the field.
Conventional threat modelling often focuses too much on technical threats and overlooks other important types of risks. As CISOs, it’s crucial to consider a broader range of threats, including strategic, operational, and geopolitical risks. Ignoring insider threats, supply chain vulnerabilities, and state-sponsored attacks in traditional models will be futile. A strong threat model should encompass the broader ecosystem in which our organisations operate.
Threat modelling has become a compliance exercise rather than a genuine effort to understand and mitigate risk. This leads to shallow threat models that provide little value and create a false sense of security. As CISOs, we must view threat modelling as a critical component of our risk management strategy, requiring ongoing attention and refinement rather than treating it as a checkbox exercise to satisfy regulatory requirements.
If traditional threat modelling is flawed, what’s the alternative? The answer lies in embracing a more dynamic approach—one that is continuously updated and informed by real-time threat intelligence.
Dynamic threat modelling recognises that the threat landscape constantly changes and that our defences must evolve. It’s about moving away from static, one-time assessments and towards a more fluid and adaptive process. This requires integrating threat modelling into the organisation’s broader security operations rather than treating it as a separate exercise.
This means leveraging automation and machine learning to continuously monitor and update threat models based on the latest threat intelligence. It also means fostering a culture of continuous improvement, where threat models are regularly reviewed and revised, considering new information.
Dynamic threat modelling is not about creating perfect models—it’s about creating models as resilient and adaptable as the threats they are designed to mitigate.
Beyond becoming more dynamic, threat modelling needs to move beyond the technical weeds and engage with the organization’s broader strategic objectives. This requires a shift in mindset from focusing on individual vulnerabilities and attack vectors to considering the overall risk landscape in which the organisation operates.
As CISOs, we align cybersecurity with the business’s strategic goals. This means understanding the organisation’s risk tolerance, most critical assets, and position within the broader market and geopolitical environment. Strategic threat modelling should start with these high-level considerations and work downward rather than vice versa.
For instance, in industries like finance or healthcare, where data is a critical asset, the threat model should focus not just on how data breaches might occur but on the potential impacts of such breaches on the organisation’s reputation, regulatory compliance, and customer trust. Similarly, threat models should consider the risks posed by third-party vendors and geopolitical events that could disrupt operations in industries with significant supply chain dependencies.
This strategic approach requires collaboration across the organisation, bringing together stakeholders from different departments to ensure that all aspects of risk are considered. It also requires the CISO to sit in executive discussions, where cybersecurity is treated as a critical business issue rather than a technical one.
The cybersecurity industry is full of “best practices” enshrined in standards and frameworks, but they can stifle innovation and lead to a one-size-fits-all approach. In threat modelling, this emphasis can result in rigid adherence to established frameworks, even when they’re not the best fit for an organisation.
As CISOs, we need to be willing to challenge these norms, develop custom threat modelling approaches, reject elements of popular frameworks that don’t align with our goals, and foster a culture of continuous learning focused on outcomes.
As CISOs, we are uniquely positioned to drive the transformation of threat modelling within our organisations. It starts with recognising the limitations of traditional approaches and confidently challenging the status quo. We must advocate for a more dynamic, strategic, and business-aligned approach to threat modelling.
To do this effectively, we must build strong relationships with other leaders within the organisation and ensure that cybersecurity is seamlessly integrated into every aspect of the business. We must also invest decisively in the tools and technologies that enable real-time threat intelligence and dynamic threat modelling.
Most importantly, we must foster a culture of resilience and adaptability within our security teams. This means boldly encouraging creativity and unconventional thinking and rewarding those who confidently challenge established norms and push the boundaries of what is possible.
The future of threat modelling depends on our willingness to embrace change and think beyond traditional frameworks. As CISOs, we must push for a dynamic, strategic, and business-aligned approach to threat modelling. It’s not just about improving security posture; it’s about thriving in a world of evolving cyber threats. Threat modelling should be a dynamic, strategic process that evolves to meet organisational needs.
In today’s interconnected world, where industrial systems and critical infrastructure underpin the backbone of society, operational technology (OT) security has never been more crucial. As industries evolve, particularly within critical sectors such as energy, healthcare, and manufacturing, they increasingly rely on OT systems to control physical processes. However, these systems are also vulnerable to cyber threats, placing essential services and national security at risk. Operational Technology (OT) security architecture provides the blueprint for safeguarding these systems, ensuring that critical infrastructure remains resilient and functional despite sophisticated attacks.
With the introduction of the SOCI Act (Security of Critical Infrastructure Act) in Australia and similar legislative measures globally, a growing demand for robust security frameworks that protect against cyber threats is growing. The Australian market, in particular, has seen a heightened focus on OT security as organisations seek to comply with government mandates and protect vital infrastructure. In this blog, we’ll explore OT security architecture, its importance, and the key elements that ensure its effectiveness.
At its core, OT security architecture refers to the structured design and implementation of security measures to protect OT systems. These systems often include industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and other technologies for managing critical infrastructure such as power grids, water treatment plants, and transportation networks. Unlike traditional IT systems, which handle data and communications, OT systems directly impact physical processes. Any disruption to these systems can lead to catastrophic consequences, including power outages, water contamination, or worse—mass casualties.
The rise of digital transformation has introduced new challenges. As OT systems become more interconnected with IT systems via the Industrial Internet of Things (IIoT) and other advancements, the attack surface for cybercriminals expands. This integration has made it easier for hackers to infiltrate OT environments, putting vital assets at risk. As a result, a comprehensive security architecture is needed to address the legacy systems and the evolving technological landscape.
One of the fundamental aspects of OT security architecture is network segmentation and zoning. This involves dividing the OT environment into distinct zones based on function and security needs, ensuring that sensitive or critical zones are isolated from less secure areas.
For example, OT systems often include safety-critical processes, such as controlling power generation, and less critical systems, such as office networks. These should be segregated to prevent an attack on a lower-priority system from impacting core operations. A common approach is implementing a demilitarised zone (DMZ) that acts as a buffer between the OT and IT environments. Firewalls, intrusion detection systems (IDS), and other security measures should be deployed to monitor traffic and control access between zones.
According to a 2023 report by the Australian Cyber Security Centre (ACSC), 74% of attacks on OT systems could have been mitigated or prevented through proper network segmentation. This underscores the importance of maintaining strict controls over how different systems communicate with each other.
Real-time monitoring is essential in identifying threats before they have the chance to disrupt OT operations. Given the critical nature of OT environments, even minor disruptions can lead to significant downtime or damage. By implementing tools such as Security Information and Event Management (SIEM) systems and other monitoring solutions, organisations can detect anomalies and respond to threats in real-time.
In the Australian market, companies increasingly invest in Security Operations Centres (SOCs) that provide round-the-clock surveillance and incident response for OT environments. SOCs are vital in ensuring that security teams can swiftly respond to cyber incidents. Per the SOCI Act’s guidelines, organisations involved in critical infrastructure must maintain incident response capabilities and report any breaches to the government within a designated timeframe.
Moreover, incident response plans tailored to OT systems should be in place. These plans should account for the unique characteristics of OT environments, including the need to minimise disruption to physical processes during an attack. A coordinated response effort involving both IT and OT teams is essential for mitigating the impact of security incidents on critical infrastructure.
In recent years, governments worldwide have introduced regulations to protect critical infrastructure. In Australia, the SOCI Act mandates that organisations managing critical assets implement robust security measures and report any significant security incidents. The Act covers a broad range of sectors, including energy, healthcare, water, and telecommunications, all of which rely on OT systems for their core operations.
Compliance with the SOCI Act involves not only the implementation of technical safeguards but also ongoing risk management practices. Organisations must conduct regular security assessments, patch vulnerabilities, and ensure that security measures are current. Failure to comply with these mandates can result in significant penalties and reputational damage.
The global focus on securing critical infrastructure has led to a sharp increase in investment in OT security. The 2023 Global Critical Infrastructure Security Market Report indicates that the OT security market is projected to grow by 7.5% annually, driven largely by government regulations and the increasing complexity of cyber threats. In Australia, this trend is particularly pronounced, with organisations investing heavily in technology and personnel to meet the requirements of the SOCI Act.
To illustrate the importance of OT security architecture, let’s consider the case of the Australian energy sector. Energy companies rely heavily on OT systems to manage the generation, distribution, and transmission of power across the country. In recent years, several energy companies have faced sophisticated cyberattacks aimed at disrupting these processes. For instance, a 2021 report from ACSC revealed that a ransomware attack on an energy provider could have caused widespread blackouts if it hadn’t been for robust OT security measures.
The company in question had implemented a segmented network that isolated critical systems from less important ones. Additionally, real-time monitoring tools detected the threat early on, allowing security teams to neutralise the attack before any physical processes were impacted. This case underscores the value of investing in comprehensive OT security architecture.
The security architecture of OT forms the basis for ensuring the safety of our critical infrastructure. In today’s environment of increasingly sophisticated cyber threats, it is imperative for industries to implement comprehensive OT security measures to protect their operations and uphold national security. Crucial components such as network segmentation, real-time monitoring, and adherence to legislative frameworks like the SOCI Act are essential for safeguarding OT environments.
Given that Australia and the world at large rely heavily on OT systems to drive industries and deliver vital services, the significance of securing these systems cannot be overstated. For organisations operating in the Australian market, particularly those involved in critical infrastructure, the message is clear: invest in OT security architecture to prevent potential catastrophic disruptions in the future. If you want to learn more about how to protect your organisation’s OT environment and ensure compliance with the SOCI Act, contact our team of experts or subscribe to our newsletter for the latest updates on OT security trends.
Most modern applications are assembled from open-source components, with developers typically writing less than 15% of the code for their applications. As the demand for open-source software grows, there’s also an increase in the number of available open-source software. However, not all open-source components are created equally or maintained properly. As a result, we are seeing an increase in software supply chain attacks. According to the 8th annual software supply chain report, the average growth rate of software supply chain attacks is 742% per year. There’s also been an increase in protestware with developers intentionally sabotaging their own open-source components, such as the case of the Colors and Fakers components, which resulted in a denial of service attack. We’ve also seen developers themselves being the target of these attacks, where malicious programs are installed on their machines when they download open-source components such as Python libraries.
Below are five important steps that you can take to secure your organisation’s software supply chain.
The first, is to have a software bill of materials (SBOM). This is a list of all the open-source components, including their versions, that makes up your applications. Having an SBOM allows you to quickly understand your organisation’s exposure when vulnerabilities are discovered. There should also be an owner for each application to allow for easy determination of who’s responsible for maintaining the code.
The next step is to perform due diligence on all open-source components that your organisation uses. We already do that for commercial software & suppliers, and the same needs to be done for open-source components. We need to make sure that the components we use are free from any known defects (vulnerabilities). There are Software Composition Analysis (SCA) tools that can scan your applications for vulnerabilities. As more effort is required to remediate vulnerabilities that are already in production, these SCA tools are often deployed in the build pipeline to ensure that there are no known vulnerabilities before the application is released. However, given the trend where developer machines are sometimes the target of software supply chain attacks, these scans should also be done before the components are downloaded onto the developer’s machine. Regular scanning of production applications is also required to detect any newly discovered vulnerabilities. Other due diligence that should be done includes only using components from reputable sources and staying clear of unpopular components or components that have a single developer. Popular components get more public scrutiny, with any vulnerabilities more likely to be detected, and using components developed by a single person represents a key person risk.
Your organisation should only be using approval components that have already been scanned for malware and vulnerabilities, and having a centralised artifact repository helps with that. Having a centralised artifact repository provides the assurance that you are downloading the component from its official source. This helps address typo-squatting and dependency confusion attacks, which are popular software supply chain attack approaches. It is recommended to use an SCA tool with rules or policies in place to determine when a component is approved for use automatically. Some organisations also use a centralised artifact repository to reduce the number of open-source suppliers. Rather than having 15 different components that provide the same functionality, they would limit the use to only the highest quality component.
When using an open-source component, you should always use the latest version. This would mean you have the latest bug fixes and security fixes. You should also be proactive and patch the components in your production application regularly whenever newer versions become available. Patch management is crucial in managing your software supply chain, and it can very quickly get out of control. If you let your components get stale, it can be quite hard to remediate should a security issue be discovered, as there might be many breaking changes in the newer fixed version that will also need to be addressed. Successful approaches that I’ve seen for this include having a policy where teams should update all stale components when making new changes, having dedicated time set aside each month and automating the upgrades using tools like Dependabot by GitHub.
There are times when fixed versions of open-source components are not yet available after a security vulnerability has been disclosed or when a proof of concept or exploit kit is released. There are also times when your development teams require additional time to remediate. Having a Web Application Firewall (WAF) allows you to secure the organisation while the fix is being applied.
Modern applications are mostly made up of open-source components. Unlike the code that your developers write, you have little visibility into the secure development practices of open-source developers. Our dependency on open-source components is going to increase over time, and implementing these five steps will help secure your organisation’s software supply chain.
OpenAI said its ChatGPT tool was used to create comments in English and Spanish, which were then posted on a dozen accounts on X and one on Instagram. Some of these comments were generated by asking its AI models to rewrite comments posted by other social media users.OpenAI Takes Action Against Iranian Influence Operation Using ChatGPT for U.S. Election PropagandaOpenAI made a significant move on Friday by shutting down a network of accounts tied to an alleged Iranian covert influence operation.
This operation reportedly utilised ChatGPT to generate content for the upcoming U.S. presidential election.”Using ChatGPT, the operation created content that focused on various topics, including commentary on candidates from both political parties in the U.S. presidential election. The content was then disseminated through social media accounts and websites,” OpenAI disclosed.
OpenAI noted that the generated content failed to garner substantial engagement, with most social media posts receiving minimal likes, shares, and comments. Additionally, little evidence supported the claim that the long-form articles created using ChatGPT were shared on social media platforms.
The articles, encompassing U.S. politics and global events, were published on five websites masquerading as progressive and conservative news outlets, indicating an attempt to target individuals from diverse political perspectives.
According to OpenAI, its ChatGPT tool was instrumental in producing comments in both English and Spanish, which were subsequently posted on a dozen X accounts and one Instagram account. Moreover, some of these comments were generated by instructing AI models to rewrite comments originally posted by other social media users.
Stunning new revelations have emerged about a shocking breach at National Public Data (NPD), a consumer data broker, exposing the sensitive information of hundreds of millions of Americans, including their Social Security Numbers, addresses, and phone numbers. It has come to light that another NPD data broker, with access to the same consumer records, mistakenly divulged the passwords to its back-end database in a file that was openly available from its website until today. This is becoming so common in all parts of the world, and this alarming development underscores the urgent need for enhanced security measures to protect consumers’ data.
In a recent cyber incident, Toyota disclosed that a malicious actor unlawfully accessed and leaked 240 GB of data. This data breach included sensitive information belonging to both customers and employees. Notably, the breach did not stem from Toyota Motor North America’s own systems but rather from a misrepresented third-party entity. The threat actor claimed to have utilized the ADRecon tool to gain access to confidential data.
Toyota actively assists those impacted by the breach; however, additional specifics have not been divulged.
Since late July 2024, threat actors sponsored by the Iranian state have been actively engaged in spear-phishing campaigns. Their primary target is a prominent Jewish figure, and their main objective is to distribute a sophisticated intelligence-gathering tool called AnvilEcho. This coordinated effort has garnered attention from multiple cybersecurity firms, each tracking the campaign under different aliases. These actions have been attributed to the Islamic Revolutionary Guard Corps (IRGC) of Iran and are believed to be aligned with the country’s political and military objectives.
Researchers at Palo Alto Networks’ Unit 42 discovered a large-scale extortion campaign targeting AWS environments. Attackers exploited insecurely stored environment variables on web servers to steal AWS access keys and credentials for various cloud services. They scanned over 110,000 domains, exposing over 90,000 unique environment variables, including sensitive credentials. The attackers used stolen credentials to move laterally within compromised environments, escalating privileges and deploying malicious scripts to exfiltrate data from S3 buckets.
The researchers emphasised the importance of secure configuration practices and recommended implementing logging, monitoring solutions, and temporary IAM roles to minimise the damage caused by compromised credentials. Businesses are urged to review and enhance their cloud security practices to prevent similar attacks.
A security vulnerability in GitHub Actions has exposed authentication tokens for high-profile open-source projects. It allows unauthorised access to private repositories, source code theft, and malicious code injection. Researchers discovered the vulnerability, named “ArtiPACKED,” and identified three contributing factors: default settings, misconfiguration, and lack of security checks. GitHub has not addressed the vulnerability, and developers are urged to secure their workflows. 14 large open-source projects are affected, and attackers could exploit the leaks to gain unauthorised access. Developers should avoid uploading sensitive directories, sanitize logs, review CI/CD workflows, and use the least privilege for access tokens. This incident emphasizes the importance of security best practices within CI/CD pipelines.