Attack Models (BSIMM6 Part 5)

"A good decision is based on knowledge and not on numbers." - Plato


The Attack Model practice is the first of three practices in the BSIMM6 Intelligence domain. The goal of this practice is to create customised knowledge on attacks relevant to the organisation. More information about the Attack Models practice can be found here. The full BSIMM6 is available under the creative commons license and can be downloaded at

Practice: Attack Models

The intelligence domain contains practices that result in collections of corporate knowledge that are utilised while carrying out software security activities throughout the organization. Attack Models, the first of three practices in the intelligence domain is about collecting information used to think like an attacker, including threat modelling, abuse case development and refinement, data classification, and technology-specific attack patterns.

In the first part of this blog series it was established that BSIMM6 activities are categorized in maturity levels ranging from low maturity (level 1) to high maturity (level 3). This article focuses on the foundational activities (maturity level 1), however if you want to learn more about the activities in maturity level 2 and 3 visit the Attack Models section at the official BSIMM6 website.

Build and maintain a top N possible attacks list

The members of the software security group (SSG) help the organisation understand attack basics by maintaining a living list of attacks most relevant to the firm. This list is used to prioritise efforts, raise awareness, and drive positive change. 

Create a data classification scheme and inventory 

Out of all activities in the Attack Models practice, this one has been observed in most organizations.
If you are not doing this activity yet, then it is a good place to start.

The organization agrees upon a data classification scheme and uses it to inventory all of its software. This enables the prioritisation of security activities for software throughout the secure software development life-cycle (SSDLC) based on that classification. 

Identify potential attackers

The SSG identifies information about potential attackers and compiles a set of attacker profiles. By understanding the most likely threat actors, the organisation gains valuable insight that can be leveraged in other activities.

Collect and publish attack stories 

The SSG collects and publishes stories about attacks against the organisation that have happened in the past. These attacks are especially useful in training classes and as input for the design of new systems.

Gather and use attack intelligence 

The SSG keeps the stakeholders in the organisation informed about new types of attacks and vulnerabilities. In addition to general briefings on attack information, it must also be made actionable and useful for software builders and testers.

Build an internal forum to discuss attacks 

The organization has an internal forum where the SSG and other stakeholders can regularly discuss both historic and recent attacks against the company. The information collected in the previously described activities is used to discuss incidents from the perspective of attackers.

Start. Stop. Continue.

Consider the following strategy:

  • Start: Building a complete inventory of your software and classify it accordingly to the data it processes.
  • Stop: Planning a security strategy based on generic attack patterns and attackers.
  • Continue: Identifying potential attackers and understanding what they are after.

How does your software security initiative compare with your industry peers? Contact us to find out.