DREAD Threat Modeling Process

The cybersecurity challenges faced by defense contractors, especially those managing Controlled
Unclassified Information (CUI), are complex due to threats from nation-state actors. Applying the DREAD
model to evaluate risks related to email and shared file services reveals significant vulnerabilities that
highlight the need for strong security measures.


The impact of breaches caused by nation-state adversaries is severe. The compromise or loss
of CUI can lead to national security consequences, including weakening technological advantages and
operational capabilities. Both the Department of Defense (DoD) and the National Institute of Standards and
Technology (NIST) have provided guidelines like NIST SP 800-171 (NIST, 2020) to protect this information,
emphasizing the critical nature of these issues.


Nation-state actors possess tools that enable them to replicate attacks easily, allowing them to systematically
exploit vulnerabilities across various targets. This ability raises concerns about widespread disruptions
beyond individual entities.


The exploitability factor is further heightened by these adversaries’ capabilities, including their use of
zero-day exploits and intricate phishing tactics. NIST’s guidance, in publications such as SP 800-172, aims
to strengthen defenses against those risks by suggesting increased security standards for assets (NIST,
2019).


The affected users extend beyond the contractor’s staff to the national security network, allies, and the
public, highlighting the extensive consequences of potential breaches. This impact calls for thorough
security measures to safeguard the data and those connected to or possibly impacted by it.


The possibility of adversaries with significant resources discovering vulnerabilities suggests that no
weakness is too insignificant to be taken advantage of. This requires a vigilant security posture that
consistently evaluates and reinforces defenses against evolving risks.


In addition to threat modeling, it is crucial to incorporate monitoring and threat intelligence into the security
plan. Resources such as the NIST Cybersecurity Framework (CSF) offer an approach to handling
cybersecurity risks (NIST, 2018). This involves recognizing threats quickly and adjusting defenses based
on current information about adversary tactics, techniques, and procedures (TTPs).


Another important aspect is focusing on supply chain security since weaknesses in the supply chain can
create routes for adversaries to reach sensitive systems and information. Additionally, the Department of
Defense’s CMMC program aims to enhance the cybersecurity defenses of defense industry suppliers by
emphasizing the importance of securing all parts of the supply chain (DoD, 2020).


To sum up, applying the DREAD model highlights the necessity for a versatile and proactive security
approach to safeguard against cyberattacks from nation-state actors targeting defense contractors’ email and
file services. Following practices and recommendations from reputable sources like NIST, together with a
commitment to ongoing enhancement and supply chain security, is key to protecting against these
adversaries’ complex and persistent threats.

  • Department of Defense (DoD). (2020). Cybersecurity Maturity Model Certification (CMMC).
  • National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).
  • National Institute of Standards and Technology (NIST). (2019). SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information.
  • National Institute of Standards and Technology (NIST). (2020). SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.