Four Corners Model
November 13, 2024
The digital economy today, the interconnectedness and interdependence of business operations, and the controls that are in place, are constantly challenged by cyber threat actors and the increasingly sophisticated attacks they deploy.
The management of cyber risk cannot continue to be delegated to IT and operations functions. The prevalence of attacks, their wide-ranging digital nature in crossing all boundaries, the general lack of capability to stop them, and the consequence of their success mean cyber should now be seen by Boards and management teams as a strategic risk, one that requires full engagement across any business.
However, engaging non-IT leaders in discussions about cyber is often difficult, because those discussions usually revolve around quite technical and niche terminology that makes it hard for wider audiences to actively participate.
Michael Porter’s Four Corners Model was originally developed to analyse competitors’ capabilities, market position, and the future action they might take. The model revolves around the single premise that understanding competitors’ strategies, capabilities, goals, and assumptions gives valuable insights into the future. It drives an approach designed to get inside the mind of the opposition. It argues that you should understand the modus operandi of your competitors, not only utilising past behaviour to predict future action but using ongoing investigation to determine any likely shift in strategy.
Understanding how a threat actor sees your business, and what you have got that they want (possibly money, possibly data, possibly both), is key to the implementation and management of controls that can efficiently and effectively protect you from the direct or indirect consequences of an attack. This understanding needs to cover your whole business, including critical outsourced and partner services.
At a high level this could be as simple as:
- what drives the threat, the attacker’s goal
- what strategies do they pursue – particular malware, use of phishing
- do they see you as having weakened defences, possibly following a merger or acquisition
Transposing the Four Corners Model
With a simple reframing exercise, ‘competitor’ can be replaced with ‘threat actor’, placing cyber risk firmly in the context of strategic business intelligence and risk management. Threat actors today have sophisticated business models, including ‘as a service’, and have many of the same attributes as your competitors. But rather than seeking to hold on to their market position, or take some of yours, they are looking to injure or cripple your business and profit from that.
What are the Drivers of threat actors
What motivates the threat actor, and why is that of concern to your business? If we consider ransomware actors, then there is an obvious financial driver, but equally some are looking for fame as well as fortune. Damaging the reputation of your company enhances theirs.
Current Strategy
This is about understanding the threat actor’s current activity and forms of attack: what they are doing to achieve their business goals. It includes an analysis of their:
- Product offerings – Ransomware, Distributed Denial of Service, Credential Harvesting
- Pricing strategies – how will they realise a value from action they take against you
- Marketing efforts – What can be understood from how they ‘advertise’
- Distribution channels – Do they conduct the attack or do they sell / ‘license’ the malware they have written to be used by others
Capabilities
What are the strengths and weaknesses of the threat actor? This requires an assessment of their resources, processes and assets, such as:
Resources
- Financial strength – there’s pretty much a sliding scale here from massively funded nation state proxies to criminal gangs, and script kiddies
- Highly skilled workforce, capable of writing zero-day exploits, or simply reusing what’s in the public domain
Processes
- Efficient production methods
- Strong research capabilities
- Highly developed Command and Control Infrastructure distribution channels
Assets
- Do they write and use their own malware (intellectual property!), cooperate with others to develop attacks, participate as an ‘expert’ provider in combined ‘as a service’ forms of attack
- Do they have their own Command and Control infrastructure
- Do they have an ‘established customer base’ – groups who hire their services, or who they sell things like ‘credentials’ to
- Are they a brand – a group with a known background of success.
Management Assumptions
This activity surfaces the assumptions the threat actor is making.
Almost a given here is that they do not believe they will be caught, and that they can bypass your security.
But it is also useful to determine what they have that they believe is strong, and where they believe they can exploit weakness. Simplistically, do they believe you’ll click on a generic email, or will they spend time developing something bespoke because they recognise you have some protective controls?
So, the beliefs that underpin the actions of threat actors you are concerned about could be:
- Themselves – We can bypass defences, there are no consequences to our actions
- Their targets (you) – people will click on anything, web pages have many weaknesses we can exploit
- The cyber threat industry is a growing market with little downside
Using a reframed Four Corners Model can help you gain a comprehensive understanding of the threats your business model faces. By comparing your and the threat actor’s business motivations, strategies, strengths, and weaknesses you can:
- develop intelligence on how easily you could be severely impacted, or stopped from trading, in order to establish mitigation
- identify ways you can develop an advantage over the threats you face, e.g. cyber risk management controls
- predict future activity by threat actors as you make changes within your business