In today’s interconnected world, cyber threats are everywhere and always changing. Startups cannot afford to ignore the importance of securing their digital infrastructure. Waiting until a security breach occurs can lead to serious consequences, including financial losses and reputational damage.
ExpressVPN recently partnered with Linking Help, the NGO behind UA.SUPPORT that provides pro bono legal support to Ukrainian refugees, to conduct threat modeling analysis. The goal was to identify security concerns and provide effective mitigation measures. Inspired by this experience, I want to share our methodology with the wider community and empower you to improve your security posture — even with limited resources and other business pressures.
Exploit disclosure with threat modeling
Threat modeling is a key practice in strengthening digital defenses. Simply put, it involves understanding and knowing your organization so that others cannot harm you. The goal is to increase awareness of security gaps and minimize the risk of potential exploits by systematically analyzing potential avenues of abuse.
There are various threat modeling standards and frameworks, and the right choice for you depends on your specific context. Rather than telling you which one to use, we’ll focus on the underlying methodology we used to conduct threat modeling for UA.SUPPORT, which produced effective and practical security recommendations.
Actionable security strategies for startup resilience
1. Know your enemy
Cybersecurity is a complex and multifaceted field, and even with thorough threat modeling, there is always the risk of compromise.
Identifying potential adversaries and their targets is critical to assessing why and how you might be targeted. For example, cybercriminals often target systems that handle credit cards or personally identifiable information (PII), while nation-state adversaries may be interested in information for espionage or intelligence purposes.
In the case of UA.SUPPORT, potential adversaries included:
- Advanced opponents, who have the following objectives:
○ Collecting information about people from Ukraine.
○ Compromising systems to gain unauthorized access, collect sensitive information, or conduct espionage activities.
○ Disrupting the organization’s platform to hinder its ability to help vulnerable people.
- Opportunistic cybercriminals, who target: