Establishing a Methodology and a Threat Model
As we begin to dive deeper into security and anonymity, and start applying what we will learn together here, it becomes important to establish certain rules for ourselves. Since I want this process to apply both to your various devices and to your real-life identity, this small guide will discuss two elements and introduce Firewall’s main line of articles. The two elements we shall discuss today are methodology and threat models.
What is a Threat Model? Which one shall we use?
A Threat Model is a structured process by which we identify our various vulnerabilities, quantify our threats, and prioritize our mitigation methods (the mitigations being our Methodology, detailed below).
So far so good? Alright, so, where do we begin? Well, first we must come up with a Threat Model. Now that sounds extremely complicated and exhaustive. And, frankly, you are correct to think that. Which is why we can rely on the deposit of knowledge readily accessible to us on the ‘net!
Now, we could spend several days researching various Threat Models to try and find the objectively best one, which would be a vain attempt in the best of circumstances: the innumerable variations in each of our circumstances make creating a perfect threat model, frankly, impossible. So what to do then? First, do not panic. None of us is perfect, and thus no threat model can be perfect. What we can do, however, is find an easy-to-follow one that casts a wide net, catches as many threats and vulnerabilities as we can, and divides them into easy-to-understand categories.
Now, if I sound like I already have one in mind, that is because I do. We will be using LINDDUN.
I highly encourage you to go get their LINDDUN Go PDF cards. They are free, and will help you understand each of LINDDUN’s categories in further detail.
LINDDUN Categories
Linkability
Linkability is all about how much data can be linked together to profile an individual user. Be it via our phone, our computer, or a user’s modus operandi, it allows an outside observer to correlate these pieces of data and attribute them to a single individual. This may be browser fingerprinting, or an unknown individual’s recurring actions within a service (either an app on your phone, or, say, a specific store).
Identification
Identification is about pieces of data used to immediately dox someone or, if you will, directly identify them (and remember, data is not strictly computer data here: a person’s name is data, as are their age, their car brand, everything). For computers, it means linking their accounts and usage directly to their real-life identity.
Non-Repudiation
Non-Repudiation is about being able to directly attribute a claim to a specific individual. Let me illustrate this with legal jargon. You are probably familiar with the term “beyond any reasonable doubt”. This is what Non-Repudiation is: being able to demonstrate directly, with primary evidence, that X is linked to Y. A mundane example would be you buying something on, say, Amazon with a credit card. You wouldn’t be able to repudiate doing so except by the very lengthy method of declaring your card stolen, which is going to be a pain in the rear for everybody involved.
Detecting
Detecting is about using observation to deduce the involvement of an individual with a claim, be it an action, an account, or an element. In real life, a footprint or a noise is an element of detection. On a computer, it can be as mundane as using a service.
Data Disclosure
Data Disclosure is the act of storing, collecting, processing and sharing an excessive amount of data. Let me absolutely shatter any illusions you have on this one: biometrics. Your phone stores them if you use the facial recognition and fingerprint unlocking features. And since it is processed in the cloud, any hacker or, say, governmental entity with enough time or clout can, in time, access these. What kind of crime can someone commit with your fingerprint? I’ll let your imagination do the rest here. And this is not just computers: a library that stores not just your name, address, and email or phone number, but also various other identifiers, or, to go back to biometrics, a fast pass at Six Flags…
Unawareness & Unintervenability
This is the act of insufficiently informing, involving and empowering individuals in the processing of their personal data. Imagine going to a store with zero signs denoting that they use cameras, only to find a video of you shopping there on some strange account on a streaming service a week later. Now, this is a drastic example, for sure, but do remember that in 2020 it was estimated that there were 70 million surveillance cameras in the US, or approximately one camera per five residents on US soil. It gets considerably more drastic in China (with an estimated 200 million CCTV cameras). This also applies to privacy conditions hidden deep within those “Terms and Conditions” that people have been…well, conditioned…not to read. It’s also the act of collecting data under the noses of its users. Let’s use an example: go to your Google Account, and in the navigation panel click on Data & Privacy, then on Data from apps and services you use, and then on Content saved from Google services. Let that cold shower wash away any pretense of ignorance you still held.
Non-Compliance
Finally, we have Non-Compliance. This is the action of someone, be it an individual or an entity like, say, Facebook, deviating from best practices and legislation. The primary concerns of the Non-Compliance category are Invalid Consent, caused by forcing someone to disclose unnecessary data to use a service (like Instagram asking for a picture of yourself holding a codeword and your account name on a piece of paper, or Facebook asking for an ID), and Automated Decision-Making, where no human is involved in the process.
What is going to be our Methodology?
So now that we have integrated our Threat Model, and have at least a good surface understanding of how it works, it is time to decide on a methodology to mitigate and eliminate vulnerabilities and threats. Enter the Threat Onion discussed in our previous article, Kicking Down the Open Doors.
Our method consists, like an onion, of adding several layers of protection around our core, in this case our person. Let’s examine those layers, starting from the outermost and finishing with the core.
Pre-Emptive Encounter
This set of actions is all about forcing encounters where we hold all the cards and forcing the situation to resolve in our favor (this may be confronting a nefarious person with overwhelming physical backup, or with non-repudiable evidence of their wrongdoings before a third party with authority over them). They may not even know about you at all. The point is to eliminate a threat by confronting it when you have the upper hand and forcing a resolution that satisfies you. A good example of this is you reading this very guide, as you are pre-emptively researching security and anonymity to avoid ending up in a bad situation in the future.
Pre-Emptive Kill
Now this one may sound overkill, but remember this:
1 - There is no such thing as overkill when it comes to personal security and anonymity, and
2 - It is way less graphic than it may seem.
Now, while this may refer to actually killing a nefarious person before they notice you, which we at Firewall do not condone, approve or sanction in any way, shape or form, nor do we encourage any illegal acts whatsoever, thank you FBI, it also refers to far less drastic measures. One excellent example is “killing” your home network when not in use: unplug it to make sure no one else can use it. Or unplug your desktop computer when not in use to pre-emptively eliminate any potential threat whatsoever. See? Way less graphic than imagined, and absolutely nothing illegal, Mr. FBI agent. I jest of course, but the point remains: don’t do anything illegal, please.
Avoid Exposure
Next we have Avoid Exposure. This may be disconnecting the ethernet cable from your computer when not in use or, in fact, using an ethernet cable even with your phone to connect to the internet, to avoid connecting to a far more vulnerable Wi-Fi network. It may be avoiding a current riot that could connect you to fringe elements, or, while in the woods, staying off the paths and the more visible ridges so as not to expose yourself physically.
Avoid Detection
Avoiding Detection is all about mitigating usage. If you must use the subway, buy tickets with cash, or, if you are walking home in a situation where potential hostiles may be monitoring your normal route, use back alleys and secondary routes that lead back home. Don’t use online services that log your usage or require identification to use them.
Avoid Targeting
Avoid becoming a target: don’t show your head above the crowd or, if you will, anonymize yourself. This category, along with the previous two, is where Anonymity resides. By staying anonymous, by using services that don’t identify you, by using less-travelled roads and streets, by dressing and acting as a grayman, by essentially becoming background noise to any observer, you avoid becoming a potential target to begin with. “A sniper cannot target someone he doesn’t even know exists” was a phrase one of my trainers back in the day taught me. This is true of any service. Using tools such as Tor online to disappear into the crowd makes you impossible to target, detect and expose, removing you from the line of fire altogether.
Avoid Engagement
If detection and targeting are unavoidable, then it is time to use the environment to your advantage. Use a crowd and a change of clothes to re-establish anonymity, or use the terrain to escape would-be attackers. Situational Awareness is a skill that can hardly be taught in textual form, but do everything in your power to develop it.
Avoid Hit
If avoiding an engagement is impossible, then your next goal is to avoid getting hit. In combat, this means parries, dodging, and using the environment to block attacks. On the computer side, this means using active countermeasures once an infiltrator is detected.
Avoid Kill
This is your final layer of protection. This means throwing your phone in the river, wearing ballistic armor, endurance training, the like. It may mean microwaving your CPU, or disposing of your hard drive. And yes, there are legitimate reasons to go this far. People are assholes, see: a hacker who gains access to your computer may plant criminal evidence on it to blackmail or frame you. This is an easy example, but there are quite a few more.
In Conclusion
It is important to understand what our threats are, to parse through them, and to prioritize the ones we feel will be the most immediately dangerous to us. This will vary greatly from one person to another. Once we have identified and prioritized our mitigations, we can start working on them through our threat onion to nullify as many possibilities as possible. Of course, no amount of preparation will protect us from everything (a direct hit by a nuke being a ridiculous but real example, or our sun exploding in a miniature supernova after several million tons of iron are thrown directly into its core). But we can mitigate as many as we can. The rest is all about having good manners and practices.
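As an added example, not part of this post or of LINDDUN’s own material, here is a small Python risk register that ties the two halves together: each threat is filed under a LINDDUN category, scored by likelihood times impact (a constructed 1..5 scale), and its mitigation is placed on a Threat Onion layer, so the list can be worked highest risk first and, on ties, from the outermost layer inwards. The sample threats, scores and mitigations are constructed for illustration.

```python
from dataclasses import dataclass

# Threat Onion layers, outermost first, in the order the post walks them.
ONION = ["Pre-Emptive Encounter", "Pre-Emptive Kill", "Avoid Exposure",
         "Avoid Detection", "Avoid Targeting", "Avoid Engagement",
         "Avoid Hit", "Avoid Kill"]
LINDDUN = {"Linkability", "Identification", "Non-Repudiation", "Detecting",
           "Data Disclosure", "Unawareness & Unintervenability", "Non-Compliance"}

@dataclass(frozen=True)
class Threat:
    name: str
    category: str    # LINDDUN category the threat falls under
    likelihood: int  # 1 (rare) .. 5 (near certain), a constructed scale
    impact: int      # 1 (nuisance) .. 5 (severe), a constructed scale
    mitigation: str
    layer: str       # Threat Onion layer where the mitigation lives

    def __post_init__(self):
        if self.category not in LINDDUN:
            raise ValueError(f"unknown LINDDUN category: {self.category}")
        if self.layer not in ONION:
            raise ValueError(f"unknown onion layer: {self.layer}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def prioritize(threats):
    """Highest risk first; ties go to the outermost onion layer, since the
    post works the onion from the outside in."""
    return sorted(threats, key=lambda t: (-t.score, ONION.index(t.layer)))

def by_category(threats):
    """Summed risk per LINDDUN category, to see which one dominates."""
    totals = {}
    for t in threats:
        totals[t.category] = totals.get(t.category, 0) + t.score
    return totals

# Constructed sample register for a phone; the scores are illustrative only.
SAMPLE = [
    Threat("Browser fingerprint links sessions", "Linkability", 5, 3,
           "Browse through Tor", "Avoid Targeting"),
    Threat("Card payment ties you to a purchase", "Non-Repudiation", 4, 2,
           "Pay for transit in cash", "Avoid Detection"),
    Threat("Biometrics retained by the vendor", "Data Disclosure", 3, 5,
           "Turn off face/fingerprint unlock", "Pre-Emptive Kill"),
    Threat("Home network reachable while unused", "Detecting", 3, 3,
           "Unplug the router when not in use", "Pre-Emptive Kill"),
]
```

Calling `prioritize(SAMPLE)` puts the two score-15 threats first, with the biometrics entry ahead of the fingerprinting one because its mitigation sits on an outer layer.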
Introducing SIP
SIP, or SARAH’s Intelligence Program, is going to be our main line of articles here on Firewall, in which we will use both the LINDDUN Threat Model and our Threat Onion to examine various elements tied to security and anonymity, and give examples and tricks of the trade to deal with those same examples as best we can. Our first SIP is going to be on Mobile Devices in general. Stay tuned for it.
Until then, thank you for reading, and try to apply these concepts for yourselves until next week.
We will be watching.
-The Ghost
Filed under: Uncategorized - @ November 9, 2023 6:02 am