Skip Ribbon Commands
Skip to main content
Home > Services > Incident Response > Persistent Threat Modeling


Persistent Threat Modeling

What is Persistent Threat Modeling?

Threat modeling is a systematic methodology for an organization to identify, classify, prioritize, and therefore rate enterprise threats. Identifying and rating threats based upon a thorough analysis and base lining of the organization's architecture makes it possible to address threats that present the greatest risk, while also providing solid countermeasures.

Threat modeling allows the organization to implement a structured approach to security based on business impact. It is a process that starts during the early phases of the design of layered defense and continues throughout the security life cycle. Persistent Threat Modeling allows the organization to get answers and recommendations rapidly, and scale the response and investigation efforts to reduce time, resources and impact.

Combating advanced persistent threats (APT) against the architecture and its assets and data requires a sustained, efficient, repeatable and effective strategy. Therefore, it becomes paramount that an organization can verify and validate compromises, collect evidence, contain and eradicate threats, and recover from impacts rapidly. SecureState’s Threat Modeling allows an organization to respond rapidly to threats and validated events, and build an extension of the organization’s response team to minimize the impact of the incident and accelerate the recovery effort.

Related Article: APT: If It Ain't Broke...


  • Extend the organization’s Readiness and Response Team and capabilities with emerging threat detection and response capabilities.
  • Provides end-point analysis and full investigation capabilities.
  • Provides efficient containment to suspected systems and communications.
  • Agent, management and console architecture.
  • Ability to maintain operations throughout an incident.
  • Reduces the threat to sensitive, regulatory or proprietary information.
  • Minimizes the resources and costs of incident response, and business impact and recovery time.
  • Creates a baseline and discovers frequently missed intrusions and command and control activity.
  • Correlate and build new signatures, indicators of compromise and countermeasures.
  • Instantly access intelligence, attacker techniques and threat tactics.
  • Continue operations during a suspected attack by isolating and containing only suspected devices and activity.
  • Provides end-point analysis and full investigation.
  • Reduce the threat of sensitive, regulatory or proprietary information.


SecureState consultants have the expertise to develop, adapt and innovate the readiness and response capabilities that counter advanced threats. SecureState’s consultants maintain and advance their security and consulting experience through industry-leading certifications, presenting at top security conferences, possessing advanced higher-education degrees, and providing regulatory and compliancy framework analysis for government, financial and industry institutions. Additionally, SecureState consultants include former communication officers, intelligence officers and CERT team leads that have experience providing, leading and creating response teams and security solutions for the U.S Government and Military, and Fortune 500 companies.


Like on Facebook View on LinkedIn Share on Twitter Share on Google Plus

Retrieving Data

Did You Know?

  • Threat Modeling requires continued baselining and intelligence gathering
  • Preparation, readiness and exercises drastically reduce the disruption, impact and time to contain and recover from incidents
  • SecureState has a 100% success rate bypassing network/system countermeasures with customized malware
  • 91% of incidents SecureState is asked to manage are already months old
  • SecureState has found that 71% of organizations identify incidents from external sources
  • SecureState identifies most organizations rely on host-based malware signatures for end-point protection, which only provide a 49% detection rate
  • Most organizations do not properly segment data, processes, roles or communications
  • Most perimeter protection is only hardened for ingress communications
  • If you have 3,000 end-points, you are already compromised

Our Approach and Methodology

Through system and network baselining, network and host-based monitoring, and signature detection and creation, SecureState’s Threat Modeling is successful in identifying malicious activity and APT communication that suddenly becomes active or hides within legitimate traffic.  SecureState’s Threat Modeling consists of four primary methodologies:

1. Preparation Controls

  • Active end-point and corporate penetration testing
  • Active testing of IR procedures and data collection
  • Ensure logging and monitoring and alerting are in place
  • Baseline systems and network activity
  • Data Discovery and Classification Controls

2. Real-time Monitoring and Intelligence Gathering Controls

  • Network and system communication traces
  • Incorporate emerging threats and prior IR intelligence
  • Data aggregation, correlation and alerting
  • Baseline threshold monitoring
  • System and Network baseline health checks

3. Real-Time Investigation Controls

  • Validation of threat events
  • Rapid containment and blocking strategies
  • Virtual IRT Deployment

4. Real-Time Host Interrogation Controls

  • Rapid investigation response
  • Correlation of system artifacts, trends and anomalous patterns
  • Evidence collection

Threat Intelligence

Threat intelligence is the heart of Persistent Threat Modeling; without it there would be no value.  Threat Intelligence can be gathered through several methods: partnerships with law enforcement, government agencies, and security professionals.  Primarily, however, Threat Intelligence should consist of the collected data and analysis of IR investigations and Penetration assessments.  SecureState employs this primary method to enhance and build our attacks, trends, and evolving and emerging threat indicators.  SecureState has a powerful differentiator with intelligence gathering and analysis: SecureState knows how organizations are compromised and impacted because we do hacking and IR exercises daily, and incorporate our results and analysis.  SecureState has the ability to use cutting-edge attack techniques, monitor the attack methods and responses, develop custom threat indicators, and then correlate and combine with external threat sources and analysis – providing a dynamic and powerful monitoring solution.  The ideal Threat Intelligence will combine integrated forensic, hacker and risk perspectives:

  • Incident Response Team members should actually sit down with the IT and security staff to help monitor and identify attacks while performing an active attack (i.e. penetration test) concurrently.  This fosters a vehicle to monitor, collect, and develop attack and compromise indicators. 
  • Incident response should be augmented from a hacker’s point of view.
  • Attack patterns, compromise responses, and C2 communications should be actively captured and incorporated into evolving Threat Database.
  • Intelligence gathering should identify and validate incident’s impact and an organization’s risk controls concurrently.
  • Intelligence should provide an integrated response to determine how, when, why, and where a compromise or incident occurred.
  • Proactively become part of other testing and evaluation professionals, and state and local responders, who are actively engaged in and manage incidents –share information, methodologies and intelligence.

All Seeing Solution - ARGUS

ARGUS Network Appliance-Persistent Threat ModelingThe ability to counter and contain advanced threats requires a solution that can rapidly reach out to endpoints and within the network to collect evidence and determine incident scope and business impact.  ARGUS is a deployable solution that integrates within an organization’s environment and provides forward-reaching capabilities that follow the Persistent Threat Modeling Methodologies: 

  • Monitor for rogue activity
  • Provide real-time alerts and active blocking
  • Provide persistent threat intelligence and trends
  • Perform data discovery and mapping
  • Perform remote penetration and IR testing
  • Provide live analysis of suspect system and network activity
  • Provide evidence repository for data collection and correlation
  • Monthly system health checks

What Makes Us Different

By implementing a continuing Threat Modeling solution, the organization will rapidly know if an advanced and persistent threat has surfaced, significantly reducing the resources and time spent on containment, eradication and remediation:

  • Ability to adopt new signatures of an advanced threat or compromise
  • Ability to rapidly collect live data from suspect systems
  • Ability to identify anomalies, baseline breaches and compromise without the assistance from outside organizations or law enforcement
  • Ability to extend the Readiness and Response Team tactics, abilities and resources
  • Ability to continue operations by isolating and containing only suspected devices
  • Ability to provide end-point analysis and full investigation
  • Reduce the threat of sensitive, regulatory or proprietary information
  • Minimize the impact and costs of incident response
  • Ability to use SecureState’s MyState Security Portal to analyze and correlate intelligence

Related Blog Posts