From 358dccf1070763dbb55d93a167913359dff4e5aa Mon Sep 17 00:00:00 2001
From: Anton Livaja <anton@livaja.me>
Date: Thu, 1 May 2025 16:10:28 -0700
Subject: [PATCH] feat: update content

---
 _layouts/threatmodel.html | 66 +++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 34 deletions(-)

diff --git a/_layouts/threatmodel.html b/_layouts/threatmodel.html
index 631f18c..e4d901b 100644
--- a/_layouts/threatmodel.html
+++ b/_layouts/threatmodel.html
@@ -8,23 +8,7 @@
 				<section class="flex-container">
 					<div class="flex-container-inner">
 						<h1>Distrust Threat Model</h1>
-						<p>Unlike conventional frameworks (e.g., STRIDE, PASTA) that focus on identifying and mitigating specific risks, the Distrust Threat Model, rather than modeling threats as potential risks, assumes that <b>systems are already compromised</b>. This pessimistic, assumption-driven approach focuses on building systems that can survive and remain secure even when critical components fail or are actively under attack by sophisticated threat actors at <b>all levels</b>.</p>
-					</div>
-				</section>
-
-				<section class="flex-container">
-					<div class="flex-container-inner">
-						<h2 id="assumptions">Assumptions</h2>
-						<ul>
-							<li>All screens and displays are assumed to be observable by adversaries.</li>
-							<li>Input devices, such as keyboards, are assumed to be monitored or logged by potential attackers.</li>
-							<li>Any system components (firmware or bootloaders) not verified on every boot are considered at risk.</li>
-							<li>Standard consumer hardware is compromised.</li>
-							<li>Network-connected systems and administrative endpoints are potential compromise points.</li>
-							<li>Insider threats are assumed; some personnel or third-party maintainers may be compromised.</li>
-							<li>Physical attacks are viable and likely, given the history of supply chain and infrastructure breaches.</li>
-							<li>Side-channel attacks (similar to those observed with Spectre/Meltdown) represent realistic threats.</li>
-						</ul>
+						<p>Unlike conventional frameworks (e.g., STRIDE, PASTA) that focus on identifying and mitigating specific risks, the Distrust Threat Model assumes that at some level <b>systems are already compromised</b>. This pessimistic, assumption-driven approach focuses on building systems that can remain secure even when up against the worst case adversary that have reason to target an organization.</p>
 					</div>
 				</section>
 
@@ -32,20 +16,23 @@
 					<div class="flex-container-inner">
 						<h2>Levels</h2>
 						<p>While the end-goal is to adequately address the risks which stem from the <a href="#assumptions">assumptions</a>, organizations are at varying levels of maturity and often need a path towards mitigating threats in a phased approach. To this end, the threat model defines 4 levels, each corresponding to increasingly more sophisticated threat actors as the levels increase. Each threat actor is assumed to have access to specific methods of attack limited by factors such as cost to execute, sophistication, time required etc.</p>
-						<p>It is a reasonable approach to apply different threat model levels to different parts of systems. It's also worth noting that essentially no companies, to our knowledge meet adequate controls for Level 4 adversaries except for select nation states organizations and militaries.</p>
+						<p>It is a reasonable approach to apply different threat model levels to different parts of systems relative to the amount of value they protect.</p>
 					</div>
 				</section>
 
 				<section class="flex-container">
 					<div class="flex-container-inner">
 						<h3 id="level-1">Level 1</h3>
+						<p>Defense against remote adversaries with limited resources.</p>
 						<h5>Adversary</h5>
-						<p>An unskilled or lightly skilled individual leveraging widely available tools and publicly known vulnerabilities. Their attacks are largely opportunistic and automated, rather than targeted.</p>
-						<h5>Attacks</h5>
+						<p>An unskilled or lightly skilled individual leveraging widely available tools and publicly known vulnerabilities. Their attacks are largely opportunistic and automated. We do however assume they can be very patient and willing to work across a long time horizon.</p>
+						<h5>Capabilities</h5>
 						<ul>
 							<li>Scanning for and exploiting known vulnerabilities with public exploits.</li>
 							<li>Phishing attempts using off-the-shelf kits.</li>
 							<li>Basic malware deployment (e.g., ransomware-as-a-service).</li>
+							<li>Making malicious changes to open source libraries</li>
+							<li>Buying expired domain names</li>
 						</ul>
 					</div>
 				</section>
@@ -53,14 +40,19 @@
 				<section class="flex-container">
 					<div class="flex-container-inner">
 						<h3 id="level-2">Level 2</h3>
+						<p>Defense against insiders.</p>
 						<h5>Adversary</h5>
-						<p>A skilled and resourceful individual specifically targeting a single organization. This adversary employs focused efforts to breach systems, including sophisticated social engineering and exploitation of newly disclosed vulnerabilities.</p>
-						<h5>Attacks</h5>
+						<p>We assume the adversary is an individual or system that already has some level of privilige or trust inside the organization. This could be anything from a disgruntled employee to a compromised work station or server.</p>
+						<h5>Capabilities</h5>
 						<ul>
-							<li>Focused spear-phishing campaigns against key personnel.</li>
-							<li>Rapid exploitation of vulnerabilities shortly after public disclosure ("N-day" exploitation).</li>
-							<li>Man-in-the-middle (MitM) attacks against poorly secured communications.</li>
+							<li>Can execute any code on at least one work station.</li>
+							<li>Can exfiltrate any secrets exposed to system memory.</li>
+							<li>Can use reputation to fast track change deployment.</li>
+							<li>Administrative privileges (email, MDM, AWS etc.)</li>
+							<li>Unencrypted traffic interception.</li>
 							<li>Injection of malicious code into development pipelines.</li>
+							<li>Physical access to all devices in the office.</li>
+							<li>Ability to impersonate unsigned actions of other empyoyees</li>
 						</ul>
 					</div>
 				</section>
@@ -68,13 +60,16 @@
 				<section class="flex-container">
 					<div class="flex-container-inner">
 						<h3 id="level-3">Level 3</h3>
+						<p>Defense against well-funded organizations.</p>
 						<h5>Adversary</h5>
 						<p>An organized, well-funded group possessing diverse expertise across multiple domains (malware, supply chain, network exploitation, physical access, insider recruitment). Capable of sustained campaigns combining internal and external compromise.</p>
-						<h5>Attacks</h5>
+						<h5>Capabilies</h5>
 						<ul>
-							<li>Coercion or recruitment of internal personnel ("insider threats").</li>
-							<li>Exploiting sophisticated zero-day vulnerabilities against internet-connected components.</li>
-							<li>Persistence and lateral movement after initial breach.</li>
+							<li>Deployment of agents willing to commit physical violence.</li>
+							<li>Compromised third party insiders (GitHub, AWS etc.)</li>
+							<li>Ability to do extensive reconnoisance on all personnell.</li>
+							<li>Access to large botnets or server farms.</li>
+							<li>Ability to purchase 0-day exploits for any internet connected device.</li>
 							<li>Coordinated, multi-stage attacks across digital and physical realms.</li>
 						</ul>
 					</div>
@@ -83,15 +78,18 @@
 				<section class="flex-container">
 					<div class="flex-container-inner">
 						<h3 id="level-4">Level 4</h3>
+						<p>Defense against nation state actors.
 						<h5>Adversary</h5>
 						<p>A state-backed or similarly resourced entity capable of executing the most advanced forms of cyber and physical attacks, including full-spectrum operations across the supply chain, hardware, firmware, and human factors..</p>
-						<h5>Attacks</h5>
+						<h5>Capabilities</h5>
 						<ul>
-							<li>Supply chain compromise of hardware, firmware, or software prior to deployment.</li>
-							<li>Physical relocation of assets for tampering (e.g., interdiction of shipments).</li>
-							<li>Advanced side-channel attacks (e.g., Differential Fault Analysis, TEMPEST attacks).</li>
-							<li>Data remanence extraction techniques targeting decommissioned or wiped systems.</li>
+							<li>Observe all displays and input devices in public areas.</li>
+							<li>Ability to tamper with a major hardware/firmware supply chain.</li>
+							<li>Access to any network-connected system.</li>
+							<li>Advanced side-channel attacks (RF, power, magnetic etc.).</li>
+							<li>Data extraction from insufficiently wiped systems.</li>
 							<li>Sophisticated deception and counter-forensics to evade detection.</li>
+							<li>Maximal access to computational resources.</li>
 						</ul>
 					</div>
 				</section>