JURIST for OpSec threat modeling
I had a conversation about threat modeling needs for an organization that needs to think holistically about threats, not only the typical infosec threats we usually deal with in threat modeling. One of my colleagues mentioned it would be nice to have a tool like STRIDE to spark conversation and thinking around potential areas of threats. Soon after, JURIST was born. It is still a work in progress of course - but it might be useful for someone to kickstart thinking with. This was created specifically thinking about the kinds of threats lawyers and journalists face, but I suspect it's quite general.
Depending on who the attacker is and what kind of assets you are trying to protect, different kinds of legal attacks could be very likely. These can take several different forms: court injunctions, tort lawsuits for defamation, arrests or withdrawal of license to operate. The attacker can be nation states, corporations or private individuals - this avenue of attack does require some resources on the part of the attacker, but not extreme amounts of it.
Use of Force
Depending on location and what kind of area the assets are in, this can be more or less likely. The range goes from state violence by police or military, assassination, physical threats, damage to buildings or equipment all the way to different kinds of denial of service attacks like demonstrations and civil disobedience.
There are several ways an opponent can use resources and money to attack. The more common forms would be things like bribery or the buying out of information or entities. Resources can also be used for propaganda of different kinds, both misinformation and libel.
In the middle of thinking about generic types of attacks, all the kinds of information security attacks that regular threat modeling looks at are also applicable. Thus, STRIDE can be useful to embed here.
In many cases different types of spying can be very potent measures of attack. This includes physical tailing, placing different kinds of bugs, doing video surveillance, using telephone records and mobile phone locations and the kind of mass surveillance we now know that nation states are using. The more basic kinds of surveillance are within reach for most attackers, while the more sophisticated kinds are the exclusive domain of governments and large corporations.
The final type of attack is theft - this can happen using break-ins, insiders, robbery on the street or any of the other ways people steal things from each other.
I hope this is a useful overview of the kind of operational security risks you can face. As mentioned above, it's probably not complete and some of it is a bit forced. Remember, it is a tool to spark ideas, not a checklist.