Full Report
Since joining SensePost, I've had a chance to get down and dirty with the threat modeling tool. The original principle behind the tool, first released in 2007 at CSI NetSec, was to throw out existing threat modeling techniques (it's really attack-focused risk) and start from scratch. It's a good idea and the SensePost approach fits nicely between the heavily formalised models like Octave and the quick-n-dirties like attack trees. It allows fairly simple modeling of the organisation/system to quickly produce an exponentially larger list of possible risks and rank them.
Analysis Summary
# Tool/Technique: SensePost Corporate Threat(Risk) Modeler (CTM)
## Overview
The SensePost Corporate Threat(Risk) Modeler (CTM) is an attack-focused risk modeling tool designed to offer an alternative to heavily formalized threat modeling techniques (like OCTAVE) and quick-and-dirty methods (like attack trees). Its purpose is to allow for simple modeling of an organization or system to quickly generate an exponentially larger list of possible risks and rank them. Version 2.1 was announced, featuring enhancements primarily to its risk calculation equation.
## Technical Details
- **Type:** Tool (Threat Modeling / Risk Assessment)
- **Platform:** Not stated in the source. The tool is applied to models of organisations and systems (assets, interfaces, attacks, users and locations) rather than to any particular runtime platform.
- **Capabilities:** Allows simple system modeling to enumerate and prioritize risks; supports customization of the risk calculation equation; focuses on attack-driven risk assessment.
- **First Seen:** First released in 2007 at CSI NetSec. Version 2.1 announced June 2010.
## MITRE ATT&CK Mapping
Not applicable. CTM supports the *process* of threat modeling and risk ranking; it does not execute adversary techniques, and the source gives nothing that maps to a specific ATT&CK tactic or technique. The nearest analogy is the attacker's own reconnaissance (the Reconnaissance tactic, TA0043), in that CTM enumerates the attacks an adversary could mount against each modelled interface, but that is a conceptual parallel rather than a mapping. A risk-analysis tool of this kind should not be tagged with technique IDs.
## Functionality
### Core Capabilities
The tool revolves around calculating a **Risk** score based on five primary configurable variables associated with an asset, an attack, a user, and a location:
1. **imp (Impact):** The severity of a risk being realized.
2. **lik (Likelihood):** The probability of the risk occurring.
3. **int (Asset Value/Interface Value):** The inherent value of the asset being exposed via an interface.
4. **usr (User Trust):** A measurable trust level assigned to the attacker/user.
5. **loc (Location Trust):** A measurable trust level assigned to the attacker's location.
### Advanced Features
The main advanced feature is the ability to edit the risk equation itself, which changes how every risk in the model is scored. Two equations are described, in words only; the page does not give the exact operators behind "combined with" and "reduced by".
**Default (older) equation:**
Risk = combine( avg(imp, lik), int ), reduced by usr and loc
That is, the average of impact and likelihood, combined with the interface (asset) value, then reduced by the user and location trust factors.
**Version 2.1 equation:**
Risk = combine( lik reduced by avg(usr, loc), int reduced by imp )
That is, likelihood discounted by the average of user and location trust, combined with the value at risk (asset value scaled by impact).
*Key change:* impact no longer sits alongside likelihood; it moderates asset value, determining how much of the asset's value a specific attack (threat) exposes.
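The following is an added worked example, not SensePost's CTM code, showing the five variables from the Core Capabilities list and both equations from the section above in runnable form. Because the page describes the equations only in words, the concrete operators are assumptions made here: "combined with" is multiplication, "reduced by trust t" is multiplication by (1 - t), and "asset value reduced by impact" (value at risk) is `int * imp`. The `Scenario` class, the helper names and the sample model are constructed for this illustration.

```python
"""Risk scoring in the style of the CTM equations described above.

Added illustration; not SensePost's CTM code. The page describes the two
equations only in words ("combined with", "reduced by"), so the concrete
operators here are assumptions:
  - "combined with"                -> multiplication
  - "reduced by trust t"           -> multiplication by (1 - t)
  - "asset value reduced by imp"   -> int * imp   (value at risk)
All five variables are normalised to the range [0, 1].
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Iterable, List, Tuple

VARS = ("imp", "lik", "int_", "usr", "loc")


@dataclass(frozen=True)
class Scenario:
    """One (asset interface, attack, user, location) combination to score."""
    label: str
    imp: float   # impact: severity if the risk is realised
    lik: float   # likelihood of the attack succeeding
    int_: float  # asset value exposed through this interface ("int" is a builtin)
    usr: float   # trust in the user/attacker (1.0 = fully trusted)
    loc: float   # trust in the attacker's location (1.0 = fully trusted)

    def __post_init__(self) -> None:
        # Reject out-of-range inputs up front: a trust value above 1 would
        # turn the "reduced by" factor negative and yield a negative risk.
        for name in VARS:
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {value!r}")


def risk_v1(s: Scenario) -> float:
    """Older equation: avg(imp, lik) combined with int, reduced by usr and loc.

    Assumption: the two trust factors are applied as separate (1 - t) terms.
    """
    exposure = mean([s.imp, s.lik]) * s.int_
    return exposure * (1.0 - s.usr) * (1.0 - s.loc)


def risk_v2(s: Scenario) -> float:
    """Version 2.1 equation: (lik reduced by avg(usr, loc)) combined with
    (int reduced by imp). Impact now scales how much asset value is at risk
    instead of being averaged together with likelihood."""
    effective_likelihood = s.lik * (1.0 - mean([s.usr, s.loc]))
    value_at_risk = s.int_ * s.imp
    return effective_likelihood * value_at_risk


def rank(scenarios: Iterable[Scenario],
         equation: Callable[[Scenario], float]) -> List[Tuple[str, float]]:
    """Score every scenario with the given equation, highest risk first."""
    scored = [(s.label, equation(s)) for s in scenarios]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def order(scenarios: Iterable[Scenario],
          equation: Callable[[Scenario], float]) -> List[str]:
    """Just the labels in ranked order, for comparing the two equations."""
    return [label for label, _ in rank(scenarios, equation)]


# Constructed sample model (made up for this example, not from the page):
# two attacks on the same internet-facing interface by an anonymous user,
# plus two lower-exposure scenarios from more trusted users and locations.
SAMPLE = [
    Scenario("sqli",         imp=1.00, lik=0.3, int_=0.8, usr=0.0, loc=0.0),
    Scenario("cred-stuff",   imp=0.55, lik=0.6, int_=0.8, usr=0.0, loc=0.0),
    Scenario("vpn-brute",    imp=0.50, lik=0.5, int_=0.8, usr=0.4, loc=0.2),
    Scenario("share-browse", imp=0.20, lik=0.9, int_=0.6, usr=0.8, loc=0.8),
]

if __name__ == "__main__":
    for name, eq in (("v1 (default)", risk_v1), ("v2 (2.1)", risk_v2)):
        print(name)
        for label, score in rank(SAMPLE, eq):
            print(f"  {label:<13} {score:.4f}")
```

In the constructed sample the two equations disagree on the top risk: the older equation averages impact with likelihood, so the high-impact, low-likelihood SQL injection outranks credential stuffing; once impact only scales value at risk and likelihood stands on its own, the more likely attack moves to the top. That shift is exactly the "key change" described above, and it is why re-ranking an existing model after changing the equation is worth doing rather than assuming the old order still holds.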
## Indicators of Compromise
- **File Hashes:** N/A (Software distribution details not provided).
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:** N/A
- **Behavioral Indicators:** N/A
## Associated Threat Actors
- None. CTM is a defensive risk-modeling tool written by SensePost; no use by any threat actor is reported.
## Detection Methods
- **Signature-based detection:** N/A
- **Behavioral detection:** N/A
- **YARA rules if available:** N/A
## Mitigation Strategies
The tool is itself an assessment aid rather than a control. Mitigation follows from the prioritised risks it produces:
- **Prioritize Defenses:** Use the ranked list of risks to decide where to focus defensive effort first.
- **Tune Trust/Likelihood:** Revise the modeled trust scores (usr/loc) and likelihood (lik) when incidents, new controls or changes in user or network access alter them, and re-rank.
- **Reassess Interface Value:** Revisit the value (int) assigned to each interface as the assets reachable through it change, since that value is what impact exposes under the 2.1 equation.
## Related Tools/Techniques
- OCTAVE (Heavily formalized threat modeling)
- Attack Trees (Quick-n-dirty threat modeling)
- Risk, Threat & Vulnerability analysis frameworks (Referenced via Mr. Bejtlich's work)