Introducing the Universal Cloud Threat Model

Monday, April 22, 2024   Chris Farris   CloudSecurity WhitePapers
Falling Water, Pennsylvania - September 2023

As part of building breaches.cloud, I realized that it doesn’t matter who you are. We all share 90% of the same threats to our cloud environments. Some of us are larger targets, but we all share the same network and control plane.

The basics are the basics—mishandled credentials and stuff that’s left on the Internet. Really, putting a machine that can access credentials unprotected on the Internet is just mishandling credentials.

As part of our talk at RSAC, Rich Mogull of Securosis and I developed the Universal Cloud Threat Model.

The Universal Cloud Threat Model applies to any organization operating in the public cloud, regardless of industry or which cloud provider(s) they operate on. The UCTM was designed as a cloud-centric update to traditional threat modeling. Standard threat models such as STRIDE are excellent but do not account for the different operating models of cloud computing. The UCTM identifies the commonalities that all organizations face equally simply by using the cloud. We call these the “90% of attacks experienced by 90% of organizations using the cloud.”

The UCTM can be summarized as:

Threat Actors have Objectives against Targets using Attack Vectors
which are observed by defenders as Attack Sequences.

Threat actors range from nation-states to cyber-syndicates to Rich’s cat[1]. The objectives are money, with the occasional bit of nation-state strategic advantage. The targets get more interesting. It boils down to data, compute, and networking, but the actor and objective determine which parts they want.

Attack Vectors are where the real action is. They boil down to these top seven:

  1. Lost, stolen, or exposed credentials
  2. Publicly exposed resources
  3. Credentials exposed via application security flaws
  4. Unpatched vulnerabilities and zero-days in overly exposed systems
  5. Denial of Service attacks
  6. Subdomain takeover
  7. Supply chain compromise

The mitigations and compensating controls are well-known:

  • Rotate long-term keys to reduce exposure time, avoid IAM Users, and maintain the quest for least privilege.
  • MFA, MFA, MFA!
  • Apply Service Control Policies (SCPs) to prevent things that should never be allowed to happen.
  • Monitor the network perimeter. Don’t allow security groups to expose things to the internet.
    • And for the love of god, stop giving databases public IPs. Buy Tailscale and spin up a t4g.nano.
  • Look at Data Perimeters. If the attacker can’t use the credentials and they make lots of noise when they do, you can respond to credential compromise.
  • Maintain good cloud hygiene. Delete resources that are no longer needed, all of them (looking at you, Route53 record sets).
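As an added example (not code from the post or from the UCTM whitepaper), here are offline versions of two of the checks above: security-group rules exposed to the internet, with database ports treated as critical, and Route53 CNAMEs left pointing at targets you no longer own. It runs over constructed sample data shaped like the AWS CLI’s describe-security-groups and list-resource-record-sets output; the DB port list and the owned-targets set are assumptions you would replace with your own inventory.

```python
# Added example (not from the post): offline checks for two mitigations above, run over
# constructed data shaped like describe-security-groups / list-resource-record-sets output.
import ipaddress
# Database ports the post says should never be reachable from the internet (assumed list).
DB_PORTS = {3306: "mysql", 5432: "postgres", 1433: "mssql", 27017: "mongodb", 6379: "redis"}
def open_ingress(security_groups):
    """Flag ingress rules open to 0.0.0.0/0 or ::/0; a database port makes it critical."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                continue
            if perm.get("IpProtocol") == "-1":  # "all traffic" rules carry no port fields
                lo, hi = 0, 65535
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
            db_hits = [name for port, name in DB_PORTS.items() if lo <= port <= hi]
            findings.append({"group": sg["GroupId"], "ports": (lo, hi), "db": db_hits,
                             "severity": "critical" if db_hits else "high"})
    return findings

def dangling_cnames(records, owned_targets):
    """CNAMEs whose target the org no longer owns (the subdomain-takeover vector).
    owned_targets is constructed here; build it from your S3/CloudFront/ELB inventory."""
    dangling = []
    for rec in records:
        if rec["Type"] != "CNAME":
            continue
        for rr in rec["ResourceRecords"]:
            target = rr["Value"].rstrip(".")
            if target not in owned_targets:
                dangling.append(f'{rec["Name"]} -> {target}')
    return dangling
SAMPLE_SGS = [  # constructed sample data, not from any real account
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
        "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
SAMPLE_RECORDS = [  # constructed; the old-demo bucket is assumed to have been deleted
    {"Name": "app.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "app-prod.s3-website-us-east-1.amazonaws.com."}]},
    {"Name": "old.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "old-demo.s3-website-us-east-1.amazonaws.com."}]},
]
OWNED_TARGETS = {"app-prod.s3-website-us-east-1.amazonaws.com"}
```

Only sg-db and sg-web are reported (sg-internal is scoped to 10.0.0.0/8), and old.example.com is the dangling record because its bucket is no longer in the owned set.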

Most companies don’t have the resources to engage in extensive cloud threat modeling, and if they do, it should be on their applications and things specific to them. This Universal Cloud Threat Model is our gift to the overworked and underappreciated cloud defenders out there.

[1] An inside joke that has carried through every draft of the whitepaper and the presentation at RSAC.