Distrust threat model
Distrust's threat model aids organizations in methodically eliminating surface area for attack, making entire classes of attacks impossible.
Unlike conventional frameworks (e.g., STRIDE, PASTA) that focus on identifying and preventing specific risks, our threat model assumes that at some level systems are already compromised. This pessimistic set of assumptions allows organizations to build systems that can remain secure even when up against their worst case adversary.
Levels
While the end goal is to adequately address the risks that stem from these assumptions, organizations are at varying levels of maturity and often need a path towards mitigating threats in a phased approach. To this end, the threat model defines 4 levels, each corresponding to an increasingly sophisticated threat actor. Each threat actor is assumed to have access to specific methods of attack, limited by factors such as cost to execute, sophistication, time required, etc.
It is a reasonable approach to apply different threat model levels to different parts of systems relative to the amount of value they protect.
Level 1
Defense against remote adversaries with limited resources.
Adversary
An unskilled or lightly skilled individual leveraging widely available tools and publicly known vulnerabilities. Their attacks are largely opportunistic and automated. We do, however, assume they can be very patient and willing to work across a long time horizon.
Capabilities
- Scanning for and exploiting known vulnerabilities with public exploits.
- Phishing attempts using off-the-shelf kits.
- Basic malware deployment (e.g., ransomware-as-a-service).
- Making malicious changes to open source libraries.
- Buying expired domain names.
Level 2
Defense against insiders.
Adversary
We assume the adversary is an individual or system that already has some level of privilege or trust inside the organization. This could be anything from a disgruntled employee to a compromised workstation or server.
Capabilities
- Can execute any code on at least one workstation.
- Can exfiltrate any secrets exposed to system memory.
- Can use reputation to fast track change deployment.
- Administrative privileges (email, MDM, AWS, etc.).
- Unencrypted traffic interception.
- Injection of malicious code into development pipelines.
- Physical access to all devices in the office.
- Ability to impersonate unsigned actions of other employees.
Level 3
Defense against well-funded organizations.
Adversary
An organized, well-funded group possessing diverse expertise across multiple domains (malware, supply chain, network exploitation, physical access, insider recruitment). Capable of sustained campaigns combining internal and external compromise.
Capabilities
- Deployment of agents willing to commit physical violence.
- Compromised third-party insiders (GitHub, AWS, etc.).
- Ability to do extensive reconnaissance on all personnel.
- Access to large botnets or server farms.
- Ability to purchase 0-day exploits for any internet-connected device.
- Coordinated, multi-stage attacks across digital and physical realms.
Level 4
Defense against nation state actors.
Adversary
A state-backed or similarly resourced entity capable of executing the most advanced forms of cyber and physical attacks, including full-spectrum operations across the supply chain, hardware, firmware, and human factors.
Capabilities
- Observe all displays and input devices in public areas.
- Ability to tamper with a major hardware/firmware supply chain.
- Access to any network-connected system.
- Advanced side-channel attacks (RF, power, magnetic, etc.).
- Data extraction from insufficiently wiped systems.
- Sophisticated deception and counter-forensics to evade detection.
- Maximal access to computational resources.