The Universal Cloud Threat Model is a collaboration between PrimeHarbor Technologies and Securosis. It is a cloud-centric threat model to help organizations focus security efforts on the most-common attacks most organizations will experience. The UCTM is designed as an adjunct to other threat models. From the introduction:

The Universal Cloud Threat Model applies to all organizations which operate in the public cloud, regardless of industry or which cloud provider(s) they operate on. The UCTM was designed as a cloud-centric update to traditional threat modeling. Standard threat models such as STRIDE are excellent, but do not account for the different operating models of cloud computing. The UCTM was developed to address three primary gaps in existing models:

  • In the cloud, infrastructure and applications are often deeply entangled and even indistinguishable thanks to options like serverless and infrastructure as code.
  • In the public cloud, the Internet-facing attack surface now includes the administrative management plane. This is unlike traditional infrastructure, where most administrative functions are protected on internal networks behind firewalls and DMZs.
  • In the public cloud, nearly all organizations run on the shared infrastructure of three primary cloud service providers, followed by a slightly larger set of secondary providers (for IaaS, our focus for this threat model).

These three differences combine to expand the range of undifferentiated (target of opportunity) attacks, along with the potential for an attacker to pivot into a differentiated/targeted attack. Attackers search first for common initial vectors for attacks on a cloud provider, such as exposed credentials. Then they may use them for a more targeted attack if they identify a target of potentially higher value, such as financial services. The vectors and sequences of these attacks can be mapped, and pivot points identified.

In our research and experience, the vast majority of cloud attacks fall first into the untargeted/undifferentiated category, even for highly desirable targets, and defenders who focus first on these vectors are more resilient. Similarly, even small and uninteresting targets offer greater financial rewards to attackers who then use the smaller target as a foothold into the Cloud Service Provider (CSP) for ‘free’ resources such as cryptomining — even a small cloud customer can run extensive and expensive resources before hitting service limits — or as a platform for launching other attacks. Successful exploitation of even such a small and uninteresting target enables free networking and IP addresses — at least for the attacker.

Download the model here: The Universal Cloud Threat Model Version 1.0