In today’s interconnected world, cyberthreats are everywhere, and they’re always changing. Startups can’t afford to ignore the importance of securing their digital infrastructure. Waiting until a security breach happens can lead to severe consequences, such as financial losses and reputational damage.
Recently, ExpressVPN collaborated with Linking Help, the NGO behind UA.SUPPORT that provides pro bono legal support to Ukrainian refugees, to conduct a threat modeling analysis. The objective was to identify security concerns and provide effective mitigation measures. Inspired by this experience, I want to share our methodology with the wider community and empower you to enhance your security posture — even with limited resources and other business pressures.
Unmasking exploits with threat modeling
Threat modeling is a key practice for strengthening digital defenses. Simply put, it means understanding your own organization, its assets, systems and data flows, well enough to anticipate how others could cause you harm. The goal is to raise awareness of security gaps and reduce the risk of exploitation by systematically analyzing the avenues an attacker could use to abuse your systems.
Various threat modeling standards and frameworks exist, and the right choice for you depends on your specific context. Instead of telling you which of these to use, we will focus on the underlying methodology that we used to conduct threat modeling for UA.SUPPORT, thereby generating efficient and practical security recommendations.
Actionable security strategies for startup resilience
1. Know thy enemy
Cybersecurity is a complex and multifaceted field, and even with thorough threat modeling, there’s always a risk of compromise.
Identifying potential adversaries and their objectives is crucial for assessing why and how you may be targeted. For instance, cybercriminals often target systems that handle payment card data or personally identifiable information (PII), while nation-state adversaries may be after information for espionage or intelligence purposes.
In the case of UA.SUPPORT, potential adversaries included:
- Advanced adversaries, who have the following objectives:
○ Gathering intelligence on individuals from Ukraine.
○ Compromising systems to gain unauthorized access, gather sensitive information, or conduct espionage activities.
○ Disrupting the organization’s platform to hinder its ability to assist vulnerable individuals.
- Opportunistic cybercriminals, who aim to: