The Threat Modeling Podcast

Dr. Michael Loadenthal -- Intersectional, Harm Reduction Approach to Threat Modeling

Chris Romeo Season 1 Episode 6

Dr. Michael Loadenthal specializes in threat modeling beyond the conventional realm of technology. Companies today face multifaceted challenges, including political, legal, and technical threats. Solutions to these problems can also be varied. A comprehensive threat model should consider many dimensions, such as political, legal, ethical, and social. Whether advising activist groups or high-profile individuals, Dr. Loadenthal emphasizes a comprehensive understanding of the threat landscape and the development of context-specific solutions.

Dr. Loadenthal's unique approach to threat modeling is rooted in his early involvement in social movements and activism. He noticed that groups often faced many non-technical threats, such as legal, social, and political challenges. This realization led him to develop "intersectional threat modeling," which considers a broader spectrum of threats beyond just the technical.

Based on his diverse training and experience, Dr. Loadenthal emphasizes the importance of a multidisciplinary approach. He collaborates with a diverse team of specialists, including advisors and the clients themselves, to address complex challenges. Threat modeling works best with a team, and he discusses ways this works for him.

One of the tools in Dr. Loadenthal's multidisciplinary toolbox is the mind map. A mind map can show relationships between threats and lead to integrated solutions that address multiple problems together. A tool he likes to use from outside the tech industry is the harm reduction framework, a concept borrowed from public health. This approach acknowledges the inherent risks in various activities or systems but seeks to minimize the potential harm. Dr. Loadenthal explains how he applies the harm reduction framework to threat modeling. He shares practical examples of companies, non-profits, and high-profile individuals who all benefit from the broader perspective of his intersectional threat modeling.

Welcome to Smart Threat Modeling. Devici makes threat modeling simple, actionable, and scalable. Identify and deal with threats faster than ever. Build three free models and collaborate with up to ten people in our Free Forever plan. Get started at devici.com and threat model for free! Smart threat modeling for development teams.

Introduction 

I’ve got news for all of us as threat modeling people: threat modeling is bigger than the world of technology. Living within the walls of vast tech empires makes us think everything looks like a tech empire.

Part of this journey is to experience threat modeling outside the box of tech. Dr. Michael Loadenthal does some tech-focused threat modeling, which isn’t why I contacted him. He also creates threat models that consider the threats against the lives of very important people. 

Brief Bio 

My name is Dr. Michael Loadenthal, and I'm a postdoctoral researcher at the University of Cincinnati in the School of Public and International Affairs, in the Center for Cyber Strategy and Policy. I have a bachelor’s degree in International Peace and Conflict Resolution and Gender Studies from American University. I completed a master’s degree in Terrorism Studies at the Center for the Study of Terrorism and Political Violence at the University of St Andrews and a Ph.D. in Conflict Analysis from what was then called The School for Conflict Analysis and Resolution at George Mason University, just outside Washington. I'm a Philadelphia native and now reside in the Midwest.

I should say, to give an important shout-out to my employer, I work with the Center for Cyber Strategy and Policy at the University of Cincinnati. Our niche area is that we are social scientists who inform technical, computing, and cyber-related areas. That's explicitly our job. Our job is to use social science research methods and the expertise of social sciences to apply to non-social science technical matters, be that privacy law, be that, again, threat modeling of supply chains, et cetera. 

That is the area in which we're trying to grow how social scientists can help, because social scientists can help determine industry-wide best practices by reviewing and interrogating secondary literature and then using these ideas of structured analytic techniques.

From Social Activism to Threat Modeling 

To start, we must understand how Dr. Loadenthal got to threat modeling. This will help to gain perspective on his threat models and why he approaches them the way he does. He has a unique history of applying threat modeling outside normal roads. 

Going back to the late 1990s, I was involved in social movements and organizing, both on the research side and the activism and organizing side. And one of the things that became apparent to me in doing all sorts of social movement work, starting with reproductive justice work, is that these groups exist in a universe which is wildly unsafe, which presents a universe of threats, dangers, and insecurities.

I was exposed to computers early. I remember being 12 or 13, playing with Red Hat Linux and using things, which at the time, weren't super common, at least amongst my community. I began to occupy this weird space as a social movement organizer also interested in technology. And as that progressed, I found myself helping social movement organizations assess their security and figure out what sort of vulnerabilities they had. 

As I tried to figure out how to do that better, I ran into technical software-based threat modeling. I was able to understand the logic of it because I had a bit of a technical background. Fast forward a few years, and now I'm working abroad in conflict zones and with international NGOs. Groups like Doctors Without Borders. I've never worked with them, but groups like that. And helping international NGOs figure out where their risks, dangers, and threats are. And maybe more importantly, where their blind spots are.

As I've moved into more of a digitally based job, I've consumed this material incessantly over the past five years. And I've begun to hone and professionalize and formalize the work that I'm doing, moving from something I did on the side for activist groups I know to a more formal methodology that we've now applied to a number of very large organizations that have security needs.  

Intersectional Threat Modeling 

Threat modeling for activist groups; this is not your average threat model. Activist groups deal with real-world problems beyond people getting into our web apps. Threat modeling beyond a web application on the Internet opens a new world: what Dr. Loadenthal calls intersectional threat modeling. 

Early in this, I developed a term, intersectional threat modeling. The idea is that technical threats, threats in a software architecture, a cryptographic scheme, key exchange, et cetera, represent a very important portion of a much larger network.

If we're thinking of some sort of prototypical activist organization, sure, they may have vulnerabilities in the way they deliver information, the way they store information. But when we're looking at an intersectional perspective, we have to take into account that a lot of those threats come from other areas.  

For example, a simple one would be something like legal threats, the threat of arrest or lawsuit, or things like social threats, malicious insiders. People pretending to be things that they are not, what is often called infiltration. It became apparent early on, when I was walking groups through this, that oftentimes the biggest risks they were unaware of were non-technical. They were social. They were legal. They were legislative. They were political. They were environmental. They were trust-based. They were economic. They were organizational. They were institutional. I help groups identify these and use some of the same methods we use in threat modeling: broadly enumerating the threats, ranking those threats on a basic risk matrix of impact and likelihood, and then prioritizing.

With activist organizations, they're worried about surveillance, they're worried about entrapment, they're worried about infiltration, they're worried about disruption. They're not as often worried about elevation of privilege or information leakage, though, oftentimes, there is quite an overlap there.  

I've tried to promote this two-pronged approach. One is this intersectional view, or, in the field of conflict analysis, a nested view, where each system is nested within a larger subsystem. So both this intersectional, nested version of conflict and also the notion of harm reduction. The notion that this is a dangerous world, and we're likely not going to be able to fix everything. The idea is to reduce both the attack surface and the likely areas in which insecurities exist.

That's the two-prong strategy I use, mapping the intersectional nature of the insecurities and attempting to reduce that insecurity to the most usable place possible.  

The Harm Reduction Framework 

Dr. Loadenthal introduced me to the idea of a harm reduction framework. A harm reduction framework in drug use is defined as policies, programs, and practices that aim to minimize the negative health, social and legal impacts of drug use, drug policies, and drug laws. If we extend this out more generically, we could say that a harm reduction framework is various practices that aim to minimize negative impacts. 

The harm reduction framework is common in public health and other fields, but trying to apply a harm reduction framework to threat modeling has been one of the main approaches I've taken. If you look at a public health model, there are harm reduction models for all sorts of different things. The common example is intravenous drug use. For people who decide to use intravenous drugs and do not want to eliminate that, there are things they can use to reduce the harm, whether it's cleaning needles or using safe testing sites or whatever.

The more common example that's probably easier for people to remember is something like driving a car. Driving a car is dangerous. It goes fast. It's made of metal. It's full of gasoline. It can explode. But we do all these things to reduce harm, the potential for damage. We wear a seatbelt. We make sure the car is maintained, we drive sober, we drive at a reasonable speed, etc. We fully acknowledge that this thing is dangerous, this thing has risks, that this thing could kill us, but we want to, again, reduce the attack surface as much as possible so that we're able to focus on prioritizing our security.

There are some things I take from this public health model, but largely what I'm trying to do is develop very context-specific solutions to highly contextual problems.  

Beyond Technical Threats 

Threat modeling should extend beyond the technical. There are many other classes of threats to consider at the system level. Legal risk is one such class.

I had a client about six months ago who was not exactly a cloud storage provider, but that's basically a simple way of describing them. We looked at how the different parts of their web infrastructure integrate, but we also looked at political and legal risks.  

We need to make sure that they are not opening themselves up to a lawsuit. One of the areas I work in is looking at terrorist content online. How does a cloud storage company prevent itself from being a bucket where everyone stores terrorist propaganda? That's a political, legal, and technical threat all at once. There are technical answers to that through hash sharing, but there are political, legal, ethical, and social answers to that as well. That's what I try to walk them through. There are not a lot of good models to say, hey, let's do that and export it, but there are bits and pieces that you can take. And the public health model is a good example of where you can get a lot of good harm reduction theory and practice.
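The hash-sharing answer mentioned above, as an added example that is not code from the podcast, from any cloud provider, or from any real hash-sharing programme: an upload gate that first checks a file's SHA-256 against a shared list of known hashes and then falls back to a perceptual hash compared by Hamming distance, because a cryptographic hash misses any re-encoded or lightly edited copy. The "images" here are constructed 9x8 grayscale grids and the known-hash list is built from those constructed samples; a real deployment would use a published perceptual hash such as PDQ and a list maintained by a hash-sharing consortium, and the distance threshold is a tuning assumption.

```python
"""Exact and near-duplicate hash matching for an upload gate.

Added illustration; not code from the podcast, from any cloud provider, or
from any real hash-sharing programme. All inputs are constructed: the
"images" are 9x8 grayscale grids and the known list holds hashes of them.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: matches only a byte-for-byte identical file."""
    return hashlib.sha256(data).hexdigest()


def dhash(pixels) -> int:
    """Difference hash of an 8-row by 9-column grayscale grid.

    Each bit records whether a pixel is brighter than its right-hand
    neighbour. Uniform brightness changes leave the bits alone, so a
    re-encoded copy still lands within a few bits of the original hash.
    """
    if len(pixels) != 8 or any(len(row) != 9 for row in pixels):
        raise ValueError("expected an 8x9 grayscale grid")
    bits = 0
    for row in pixels:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


class HashShareList:
    """A shared list of known-bad hashes, exact and perceptual."""

    def __init__(self, exact_hashes, perceptual_hashes, max_distance=10):
        self.exact = set(exact_hashes)
        self.perceptual = set(perceptual_hashes)
        # Assumed threshold: higher catches more variants, more false hits.
        self.max_distance = max_distance

    def check(self, data: bytes, pixels=None) -> str:
        """Return 'exact', 'near' or 'clean' for an uploaded file."""
        if sha256_hex(data) in self.exact:
            return "exact"
        if pixels is not None:
            h = dhash(pixels)
            nearest = min((hamming(h, k) for k in self.perceptual), default=64)
            if nearest <= self.max_distance:
                return "near"
        return "clean"


def checker_image(offset=0):
    """Constructed sample 'image': alternating light and dark columns."""
    return [[(220 if (x + y) % 2 == 0 else 40) + offset for x in range(9)]
            for y in range(8)]


def gradient_image():
    """Constructed unrelated sample: a smooth left-to-right ramp."""
    return [[x * 25 for x in range(9)] for _ in range(8)]


# Constructed known-bad material: one exact file and one perceptual hash.
KNOWN_FILE = b"constructed bytes standing in for a known propaganda file"
KNOWN_IMAGE = checker_image()
GATE = HashShareList([sha256_hex(KNOWN_FILE)], [dhash(KNOWN_IMAGE)])


def demo():
    """Run the gate over constructed uploads and return the verdicts."""
    # A brightened copy with one corrupted pixel: its bytes differ, so SHA-256
    # misses it, but the perceptual hash is two bits away from the known one.
    altered = checker_image(offset=10)
    altered[3][4] = 255
    return {
        "same_file": GATE.check(KNOWN_FILE),
        "altered_copy": GATE.check(b"different bytes after re-encoding", altered),
        "unrelated": GATE.check(b"unrelated upload", gradient_image()),
        "altered_distance": hamming(dhash(altered), dhash(KNOWN_IMAGE)),
        "unrelated_distance": hamming(dhash(gradient_image()), dhash(KNOWN_IMAGE)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two lookups answer different questions: the exact hash proves a file is the one on the list, while the perceptual match only says it is probably a variant, so the near verdict belongs in a review queue rather than an automatic takedown.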

Threat Modeling is a Team Effort 

I've been involved in the world of technical security for twenty-five years, but I don't feel like I'm qualified to speak about the legal side of the business. Dr. Loadenthal highlights the need to work with a qualified team of experts that makes you better. 

I'm not alone in a room doing this. I'm working with advisors who I trust, people who I think have different subject matter expertise, and the client themselves. If we're a cloud storage company, and we're trying to prevent ourselves from, again, being the next Dropbox for Islamic State videos or neo-Nazi propaganda, the way in which we do that needs to draw on different people's expertise.  

In that specific example, I have very good knowledge of the history of material support for terrorism cases. We track them through a research center that I manage. But I may not be as familiar with the history of the technical threats against that. I think this is brought up in the threat modeling manifesto, the idea that this needs to be a team effort. Without people saying, this is all mine, we build from a network cooperative perspective, because everyone has different levels of expertise.

In the same example, the legal, the legislative, the political, the trust-based, are areas which I'm very well versed because of my formal academic training. But the specific ways in which this cloud company may manage something behind the scenes, like how they integrate TLS with other systems, may be above my understanding.  

What I think is important here is that people are cooperative, and people can work with other folks who may know areas better. When I'm doing this, I'm routinely consulting with lawyers, or I'm routinely consulting with legislative or legal aides or people who specialize in this or that. I've spoken a lot to physical security specialists when we've talked about these things. Part of it is networking amongst people, the human side of cooperative work, knowing who to ask, and making sure that we're getting the best folks at the table. 

Mind Mapping and Data Flow Diagrams 

Tools, in my mind, are crucial to effective threat modeling. Dr. Loadenthal uses mind maps as a tool. Mind maps are not specific to threat modeling but are another tool that can be repurposed to assist with threat modeling success. 

What I'll often do is sit down with a client and do these broad, sprawling mind maps, which can take days. And it's a big brainstorm. And once we list all the big, small, and existential threats they could possibly face, what I do is group them categorically. I rank them hierarchically on a tree.

If you can picture a mind map with your company in the center, you may have four first-tier branches, but you may have 32 second-tier branches and 64 third- and fourth-tier branches. We build those out, group them that there is some taxonomy that threats are near each other, and then we can work to mitigate. If you think of this first-tier, second-tier, third-tier model, we may be able to mitigate an entire branch with one solution. And in other senses, we may need to go twig by twig by twig.  

Let’s say we're a cloud storage company, we run a data farm or a data storage site somewhere. One of those branches might be natural disasters. Your formal threat modeling is not going to matter if the building gets washed away by a tsunami. One of those branches might be workplace accidents. But things like that can be eliminated from our assessment if we can say either, A, we have a good storage plan, that the people who do this have integrated physical protections into this, or, B, that this is something we're just going to live with as acceptable risk.

Part of threat modeling is not only ranking these things, but it's saying some of these things are beyond our control or some of these things are someone else's problem. And if there's someone else's problem, let's dig deeper and figure out how we can work with that.   

More Tools for the Threat Modeling Toolbox 

Data flow diagrams and mind mapping tools are in the tool belt. Dr. Loadenthal introduces other tools that can extend your threat modeling toolbox.

Things like cost-benefit analysis, things like SWOT analysis, things like the four W's. We work them through often qualitative, brainstorming-themed activities, which are attempts to move beyond our own thinking into more of a group understanding. If I were to say what the four or five things I'm doing are, we’ve named a number of them, but there are also a number that I've developed afterward that I use a lot.

SWOT analysis, risk matrices. Bruce Schneier has this interesting idea of a security products review he talks about, which I often do, which is, again, taking a large system, breaking it down to its products, protocols, and methods, and then doing what amounts to a product review, or in my field, a literature review, on each one of those individually. What do the smartest people in the field say about this protocol or this encryption scheme versus that one? I'll often do that security products review and go product by product for all the different parts that make it up. I'll often do what I would call a user-driven archetypal matrix, where we try to determine what different kinds of people use your system, their individual needs, and what sort of risks they have.

We use a user-driven archetypal matrix, which looks like a risk matrix you're used to, but each of the columns is based on a different user type. Because different user types have different risks and risk tolerances, I'll often do that, and I'll give them a whole series of different matrices based on the different types of users they can expect to experience or that they can expect to have. And borrowing from the structured analytic technique handbook is essential for me. And I've learned reading about both the use of structured analytic techniques in formal red teaming, as well as the use of structured analytic techniques in intelligence analysis.  

There's a good collection, which I believe is called Structured Analytic Techniques. I think it was published by the US Army or the US Marine Corps. It's a great book that walks you through how to break big decisions down into small parts and how to get past, again, issues of cognitive bias or groupthink or things like that. The book is called The Red Team Handbook, and it's developed by the Army. And even though it's called The Red Team Handbook, it is just a textbook of structured analytic techniques. The other really good book is called Structured Analytic Techniques.
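The risk-matrix ranking, the branch-versus-twig mitigation from the mind map, and the user-driven archetypal matrix, carried through in one added example that is not the guest's own tooling and not code from the podcast. The threat tree, the three archetypes, the mitigations and every 1..5 impact and likelihood score are constructed for the illustration; what the example shows is the mechanics: flatten the tree, score impact times likelihood per archetype, drop accepted risk, and pick the mitigation whose coverage (a whole branch or individual twigs) removes the most residual risk.

```python
"""Ranking an intersectional threat tree on a risk matrix, per user archetype.

Added illustration; not the guest's own tooling and not code from the podcast.
Threat categories, archetypes, mitigations and all 1..5 scores are constructed.
"""

ARCHETYPES = ("staff", "volunteer", "public_figure")

# Mind map as a nested dict: branch -> twig -> {archetype: (impact, likelihood)}.
THREATS = {
    "legal": {
        "arrest":  {"staff": (5, 2), "volunteer": (4, 3), "public_figure": (5, 3)},
        "lawsuit": {"staff": (4, 2), "volunteer": (2, 1), "public_figure": (4, 3)},
    },
    "social": {
        "infiltration": {"staff": (4, 3), "volunteer": (3, 4), "public_figure": (3, 2)},
        "doxing":       {"staff": (3, 3), "volunteer": (2, 2), "public_figure": (5, 5)},
    },
    "technical": {
        "elevation_of_privilege": {"staff": (4, 2), "volunteer": (2, 2), "public_figure": (3, 2)},
        "information_disclosure": {"staff": (4, 3), "volunteer": (3, 3), "public_figure": (5, 4)},
    },
    "environmental": {
        "natural_disaster": {"staff": (5, 1), "volunteer": (5, 1), "public_figure": (5, 1)},
    },
}

# A mitigation covers a whole branch (one-element path) or individual twigs.
MITIGATIONS = {
    "legal_counsel_on_retainer": {"covers": [("legal",)], "reduces_likelihood_by": 1},
    "vetting_and_need_to_know": {"covers": [("social", "infiltration"),
                                            ("technical", "information_disclosure")],
                                 "reduces_likelihood_by": 2},
    "personal_data_scrubbing": {"covers": [("social", "doxing")], "reduces_likelihood_by": 2},
}

# Accepted risk: someone else's problem, so it leaves the assessment entirely.
ACCEPTED = {("environmental", "natural_disaster")}


def leaves():
    """Flatten the tree into (path, scores) pairs, skipping accepted risk."""
    return [((branch, twig), scores)
            for branch, twigs in THREATS.items()
            for twig, scores in twigs.items()
            if (branch, twig) not in ACCEPTED]


def covered(path, mitigation):
    """True if the mitigation covers this twig or its whole branch."""
    return any(path[:len(prefix)] == prefix for prefix in mitigation["covers"])


def risk(path, archetype, applied=()):
    """Impact x likelihood on a 1..5 matrix after the applied mitigations."""
    impact, likelihood = THREATS[path[0]][path[1]][archetype]
    for name in applied:
        if covered(path, MITIGATIONS[name]):
            likelihood -= MITIGATIONS[name]["reduces_likelihood_by"]
    return impact * max(likelihood, 1)   # a threat never drops below likelihood 1


def ranked(archetype, applied=()):
    """Threats for one user type, highest residual risk first."""
    rows = [(path, risk(path, archetype, applied)) for path, _ in leaves()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def archetype_matrix(applied=()):
    """The user-driven matrix: one row per threat, one column per archetype."""
    return {path: {a: risk(path, a, applied) for a in ARCHETYPES} for path, _ in leaves()}


def total_risk(applied=()):
    """Sum of residual risk over every threat and every archetype."""
    return sum(risk(p, a, applied) for p, _ in leaves() for a in ARCHETYPES)


def best_next_mitigation(applied=()):
    """Pick the unapplied mitigation that removes the most total risk."""
    before = total_risk(applied)
    candidates = [m for m in MITIGATIONS if m not in applied]
    gains = {m: before - total_risk(tuple(applied) + (m,)) for m in candidates}
    return max(gains, key=gains.get), gains


if __name__ == "__main__":
    for archetype in ARCHETYPES:
        print(archetype, ranked(archetype)[:3])
    print("next:", best_next_mitigation())
```

Two things fall out of running it that a flat list hides: the top threat differs by archetype (doxing for the public figure, arrest for the volunteer), and the single cheapest win is not the highest-scoring twig but the mitigation whose coverage spans several twigs across archetypes.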

Threat Modeling Applied in a New Context 

All of this brings us to this moment. From a high-level perspective, how is threat modeling applied to an individual holding public office?

The people that I've done that for, speaking in general terms, oftentimes have security assigned to them, and they don't trust that security for a number of complicated reasons.  

Two different examples, one is a federal official with an African nation. He is an executive member of an African government, and the other person I'm thinking of is an elected member of the United States House of Representatives. Both have security. The House rep has security from the US Secret Service, and a leader has security from their executive security team.  

Neither one of them, for various reasons, trusted that or rather, just like in healthcare, wanted a second opinion. The risks there are multiple, and I’m certainly not going to claim to be able to do a better physical security assessment than the United States Secret Service. That would be like an absurd statement. But what I can do is have a broader perspective. I can look beyond the purview of my job.  

In these situations, what are they concerned about? Yes, they're concerned about information disclosure. They want to make sure that the devices they're using are secure. I don't want to downplay the digital part of this. Oftentimes, when we get to the mitigation stage, the first thing I'm walking people through is what we'd call basic digital self-defense, cybersecurity, and cyber hygiene. That's a huge part of what I'm doing because I don't want to say it's easier, but it's in a sense easier to fix some of those things than it is to bomb-proof your home or develop things to prevent car-ramming attacks to a building.  

Oftentimes I'm walking people through how you take pre-existing, off-the-shelf technologies and string them together into a secure workflow. If we're talking about an elected official, how they can combine, let's say, a zero-knowledge cloud solution with an end-to-end encrypted messaging platform. How they can combine Sync with Signal to maintain information security amongst their team, because they don't want to use whatever system is set up for them.

Oftentimes I'm using off-the-shelf technologies, and I'm teaching people how to string them together correctly. We're talking about end-to-end encrypted messaging platforms. I like Signal, Wire, and Keybase. We work with those three technologies, combined with zero-knowledge cloud solutions, combined with virtual private networks, combined with virtual machines, combined with methods of identity separation and segmentation, creating different barriers between work and life or between different parts of your job.

Maybe a major concern for elected officials is how they keep a semblance of private life, which they often can't, and maintain public effectiveness. How do they silo and segment off, whether pictures of their kids or their writing from public sphere work?  

Oftentimes it's figuring out where those potential vulnerabilities are and how we mitigate against them. A common request I get, especially from people who are high profile or public, is, what can I do to prevent doxing? Or, what can I do to prevent unintentional information disclosure about myself or my family? That's a major concern. And working with people on how that integrates with the way in which they do their job, their actual employment.

How does the way they do their job affect their family? What concerns a member of the United States House of Representatives is going to be different from what concerns someone in another country, in another sociopolitical context, with fewer, or at least different, resources.

Threat modeling is more than analyzing a system-level feature and considering the technical challenges against it. The threat model opens the same analysis to any system, whether it is a technology feature or the lifestyle of a prominent politician. Threat modeling makes both better and more secure. But analyzing the life of a politician makes for a better movie plot than a DFD for a feature.
