Soc Analyst Room Three
Threat modelling is about identifying risk and essentially boils down to:
- Identifying what systems and applications need to be secured and what function
they serve in the environment ("identifying the assets")
- Assessing what vulnerabilities and weaknesses these systems and applications may
have and how they could be exploited
- Creating a plan of action to secure these systems and applications against the
vulnerabilities highlighted
- Putting policies in place to prevent these vulnerabilities from recurring where
possible (for example, adopting a secure software development life cycle (SDLC) for
an application, or training employees in phishing awareness).
STRIDE and DREAD are frameworks used specifically in threat modelling; CVSS, which is
often listed alongside them, is a vulnerability severity scoring system that feeds the
risk assessment rather than a modelling method in itself. If you are interested in
learning more, check out the "Principles of Security" room on TryHackMe.
To continue from the previous task, Paul Pols' Unified Kill Chain (UKC), published in
2017, aims to complement (not compete with) other cybersecurity kill chain
frameworks, such as Lockheed Martin's Cyber Kill Chain and MITRE's ATT&CK.
The UKC states that there are 18 phases to an attack.
UKC phase definitions (a subset of the 18 phases, labelled with the UKC's own names):
- Defense Evasion: Techniques an attacker may specifically use for evading detection
or avoiding other defenses.
- Command & Control: Techniques that allow attackers to communicate with controlled
systems within a target network.
- Pivoting: Tunneling traffic through a controlled system to other systems that are
not directly accessible.
- Discovery: Techniques that allow an attacker to gain knowledge about a system and
its network environment.
- Privilege Escalation: The result of techniques that provide an attacker with
higher permissions on a system or network.
- Execution: Techniques that result in execution of attacker-controlled code on a
local or remote system.
- Credential Access: Techniques resulting in the access of, or control over, system,
service or domain credentials.
- Lateral Movement: Techniques that enable an adversary to horizontally access and
control other remote systems.
- Collection: Techniques used to identify and gather data from a target network
prior to exfiltration.
- Exfiltration: Techniques that result or aid in an attacker removing data from a
target network.
The UKC describes a much more realistic attack scenario: various stages will often
recur. For example, after exploiting a machine, an attacker will begin
reconnaissance again in order to pivot to another system.
Other frameworks do not account for the fact that an attacker goes back and
forth between the various phases during an attack.
Malware often tries to keep a foothold on the system so that it keeps running
even after a restart. This is called persistence. For example, if malware adds
itself to a startup registry key (such as the Run or RunOnce keys under HKLM or
HKCU), it will be launched again after every reboot or logon.
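From the defender's side, the Run-key persistence described above shows up as a registry write that a SOC can alert on. The following is an added example (not code from the room or from TryHackMe) that runs a simple detection over constructed Sysmon Event ID 13 (registry value set) records in JSON-lines form. The event shape, key list and the "user-writable path" heuristic are assumptions chosen for the example.

```python
import json
import re

# Constructed sample Sysmon Event ID 13 (RegistryEvent: Value Set) records, in the
# JSON-lines shape a log shipper might forward. Illustrative data, not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\VendorSetup", "Details": "C:\\Program Files\\Vendor\\post_install.exe"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "Details": "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\svc.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""

# Registry locations Windows consults at boot/logon. Real autostart extensibility
# points are far more numerous; this covers the classic Run keys plus Winlogon.
AUTOSTART_KEYS = re.compile(
    r"\\CurrentVersion\\(?:RunOnce|RunServicesOnce|RunServices|Run)\\"
    r"|\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$",
    re.IGNORECASE,
)

# Paths a standard user can write to. An autostart entry pointing there deserves
# more attention than one pointing into Program Files or System32 (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|ProgramData|Users\\Public)\\", re.IGNORECASE)


def detect_autostart_persistence(jsonl: str) -> list:
    """Return one alert per registry write that lands in an autostart location."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 13:          # only registry value-set events matter here
            continue
        target = ev.get("TargetObject", "")
        if not AUTOSTART_KEYS.search(target):
            continue
        details = ev.get("Details", "")      # the value written, usually a command line
        severity = "high" if USER_WRITABLE.search(details) else "medium"
        alerts.append({
            "key": target,
            "value": details,
            "writer": ev.get("Image", ""),   # process that performed the write
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_autostart_persistence(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["writer"], "->", alert["key"], "=", alert["value"])
```

The Winlogon\Userinit case is the one analysts most often miss: the value still starts with the legitimate userinit.exe, and the implant is appended after a comma, so a rule that only checks the Run keys or only looks at the start of the value never fires.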
Credential dumping is the extraction of stored credentials (password hashes,
Kerberos tickets or even plaintext passwords) from wherever the operating system
keeps them, most commonly the memory of the LSASS process on Windows, the SAM or
NTDS.dit database, or a credential manager. It relies on the attacker already having
high privileges on the host rather than on a flaw in the memory itself. Once the
credentials have been copied out, they are said to have been "dumped".
Credential stuffing is a type of cyber attack that "stuffs" username/password pairs
stolen in one breach into the login forms of many other websites, betting on
password reuse. Essentially, credential stuffing is akin to throwing spaghetti at
the wall and seeing what sticks: most attempts fail, but the few that succeed are
valid accounts.
Lateral movement: With the credentials and elevated privileges obtained, the adversary
seeks to move through the network and onto other targeted systems to achieve their
primary objective. The stealthier the technique used, the better.
Lateral Movement: Refers to the process of moving across systems or devices within
the same compromised network. The attacker gains access to one system and then
spreads to other systems in the same network to find more valuable information,
escalate privileges, or deepen their foothold.
Pivoting: Involves the attacker using a compromised system (often one inside a
segmented network) as a bridge or relay to access other networks that would
otherwise be inaccessible. It allows the attacker to "pivot" into other network
segments or VLANs from the initial compromised machine.
other definitions...
Network pivoting is the act of gaining access to other systems that are not
directly accessible from the attacker's position.
These can be on other networks, at network edge points, or on the same network,
giving the tester a route to systems that were not previously reachable or
exploitable.
IOC vs IOA
The social-political meta-feature describes the needs and intent of the adversary,
for example financial gain, acceptance in the hacker community, hacktivism, or
espionage. (One scenario is that the victim provides a "product", for example
computing resources and bandwidth as a zombie in a botnet used for crypto mining
(generating cryptocurrency by having machines solve proof-of-work puzzles), while
the adversary consumes that product or profits from it.)
Technology: the technology meta-feature links two core features, capability and
infrastructure, and describes how the adversary's tools and techniques (capability)
and the platforms they use (infrastructure) work together so that the adversary can
operate and communicate during an attack. One scenario is a watering-hole attack, a
methodology in which the adversary compromises legitimate websites that they believe
their targeted victims will visit. Another is a malware implant (capability) that
beacons back to a command-and-control (C2) server (infrastructure) to receive
instructions or exfiltrate data.
The Diamond Model is a scientific method to improve the efficiency and accuracy of
intrusion analysis. With this in your arsenal, you will have opportunities to
leverage real-time intelligence for network defence and predict adversary
operations.
Real-time intelligence involves the continuous gathering of relevant data from
various sources like network traffic, system logs, and endpoint sensors. Tools such
as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and
Security Information and Event Management (SIEM) platforms collect, analyze, and
correlate data in real-time.
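The practical value of the Diamond Model is analytic pivoting (not to be confused with network pivoting above): starting from one known feature, such as a C2 address, an analyst finds every event sharing it, links those events into activity threads, and uses the phase meta-feature to anticipate what comes next. The following is an added example, not code from the room or from the Diamond Model paper, that does this over four constructed events. The event fields mirror the model's four core features plus two meta-features; the phase list (Lockheed Martin's, which the paper reuses) and the rule that shared infrastructure or capability links two events are assumptions for the example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Ordered kill chain phases used as the "phase" meta-feature (assumption for the
# example; the UKC's 18 phases could be substituted).
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: Optional[str]  # core feature; usually unknown when first recorded
    capability: str           # core feature: tool or technique (malware family, hash, ...)
    infrastructure: str       # core feature: C2 host, drop server, phishing domain
    victim: str               # core feature: host, account or organisation
    phase: str                # meta-feature: kill chain phase
    timestamp: str            # meta-feature


# Constructed events (not real incident data). The adversary is unknown in all of
# them, which is the normal starting point for an analyst.
EVENTS = [
    DiamondEvent("e1", None, "loader-a", "203.0.113.10", "host-finance-01", "delivery", "2024-05-01T09:00"),
    DiamondEvent("e2", None, "rat-b", "203.0.113.10", "host-finance-01", "command_and_control", "2024-05-01T09:20"),
    DiamondEvent("e3", None, "rat-b", "198.51.100.20", "host-hr-03", "command_and_control", "2024-05-02T14:05"),
    DiamondEvent("e4", None, "miner-c", "192.0.2.99", "host-dev-07", "actions_on_objectives", "2024-05-03T03:30"),
]


def pivot(events, feature, value):
    """Infrastructure-, capability- or victim-centred pivot: all events sharing one value."""
    return [e for e in events if getattr(e, feature) == value]


def activity_threads(events):
    """Group events that share infrastructure or capability into threads (union-find)."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for a, b in combinations(events, 2):
        if a.infrastructure == b.infrastructure or a.capability == b.capability:
            ra, rb = find(a.event_id), find(b.event_id)
            if ra != rb:
                parent[rb] = ra

    threads = {}
    for e in events:
        threads.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(ids) for ids in threads.values())


def next_expected_phase(events):
    """Predict the adversary's next move: the phase after the furthest one observed."""
    furthest = max(PHASES.index(e.phase) for e in events)
    return PHASES[furthest + 1] if furthest + 1 < len(PHASES) else None


if __name__ == "__main__":
    by_id = {e.event_id: e for e in EVENTS}
    for thread in activity_threads(EVENTS):
        members = [by_id[i] for i in thread]
        print(thread, "victims:", sorted({e.victim for e in members}),
              "next:", next_expected_phase(members))
```

Note what the linking buys: e3 on host-hr-03 shares no infrastructure with the finance host, so a purely IP-based block list never connects them, but the shared capability (the same RAT) pulls it into the same thread and tells the analyst that host-hr-03 has reached C2 and actions on objectives are the next thing to hunt for.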
There are several PDF-related vulnerabilities and exploits that allow PDFs to carry
viruses, just to name a few:
One-click PDF reader exploit - An attacker can gain access to your system simply
by you clicking a .pdf file containing a virus, provided that your PDF reader has
a vulnerability.
PDF containing malicious scripts - An attacker can gain access to your system when
you open or interact with a .pdf file that contains malicious JavaScript code. This
is different from the one above as it does not exploit the PDF reader but instead
the contents that make up the PDF file.
Malicious content in PDFs - Not exactly a virus, but the way it works is that the
user is tricked into performing some action, like clicking on a link in the PDF file
that downloads a virus, or submitting some form.
Unknown exploits - Well, you don't know what you don't know; there are probably
exploits made by groups or nation states that you can find on the dark web that
work on the latest version of Adobe, which allow you to gain full access to your
machine/phone and work simply by downloading or opening a PDF file.
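The "PDF containing malicious scripts" case in the answer above is the one a SOC can triage without a sandbox, because the script has to be wired into the file through named PDF objects (/JavaScript, /JS) and an auto-run hook (/OpenAction, /AA). The following is an added example, not code from the thread's author, that counts those indicators in two constructed PDFs in the spirit of Didier Stevens' pdfid. It also handles the #xx name escape the PDF syntax permits (so /Java#53cript is the same name as /JavaScript), which defeats a naive grep. The keyword list and severity rules are assumptions for the example.

```python
import re

# PDF names may spell characters as #xx, so /Java#53cript equals /JavaScript.
# Normalising first is what makes keyword counting resistant to that trick.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that mark active or auto-executing content. They are a triage signal, not
# proof of malice: forms and legitimately interactive PDFs use some of them.
KEYWORDS = ["JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile", "URI", "XFA", "RichMedia"]

# Constructed minimal PDFs for the example (hand-written, not real samples).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >> stream\nBT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /Java#53cript /J#53 (app.launchURL('http://203.0.113.5/x', true)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to their plain form."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each indicator name, matching whole names only (/JS must not hit /JSx)."""
    data = normalise_names(data)
    counts = {}
    for kw in KEYWORDS:
        pattern = re.compile(rb"/" + kw.encode() + rb"(?![A-Za-z0-9_])")
        counts[kw] = len(pattern.findall(data))
    return counts


def triage(data: bytes):
    """Return (level, reason). Script plus an auto-run hook is the combination to escalate."""
    c = count_keywords(data)
    has_script = c["JavaScript"] + c["JS"] > 0
    runs_on_open = c["OpenAction"] + c["AA"] > 0
    if has_script and runs_on_open:
        return "high", "script wired to run when the document opens"
    if has_script or c["Launch"] or c["EmbeddedFile"] or c["XFA"] or c["RichMedia"]:
        return "medium", "active content present; inspect the objects"
    return "none", "no active-content indicators"


if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(name, triage(pdf), count_keywords(pdf))
```

/URI is counted but not scored because ordinary hyperlinks use it, which is also why the "malicious content" case in the answer above (a link the user is tricked into clicking) cannot be caught this way. Two further caveats: the example does not inflate /FlateDecode streams, so indicators hidden inside compressed object streams would be missed, and the counts only say the file deserves a look, not that it is malicious.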
To answer your actual question, I assume you mean tracking a phone's location. To
do that you need access to the phone's location service. You could program almost
any mobile app to request access to the phone's location service. Whether the
phone's settings allow an app to arbitrarily access that service depends on
how the user has it configured. Most phones open PDFs in the browser, and modern
browsers would not allow malicious files/code to be arbitrarily executed, so using
a PDF as a vector to deliver a payload to a phone doesn't make sense. Websites and
web applications, however, can (and often do) access location services. Again, if
the user has the phone's location services set to implicitly deny access or to
request access, this doesn't seem like it would be very effective.