Anchors a threat to a real structural element from the platform decomposition
Contextualized Threat Modeling produces enumerated AN-THR elements, one per threat. Every element names the structural element it actually targets via TOE (Target of Exploitation). This worked example anchors a single threat to the firmware element selected for the chain, the SurfBeam2 modem firmware on the KA-SAT subscriber network, using the publicly attributed Sandworm threat actor, which overwrote that firmware with the AcidRain wiper on 24 February 2022.
AST : FW : Firmware : 00 · SurfBeam2 modem firmware image deployed across all KA-SAT residential and commercial subscriber modems. Parent chain: SVC : DP : Data Plane : 00 → SEG : US : User : 00 → PCE : TE : Terrestrial : 00. Subsystem: modem.
LAYER : TAG : LABEL : ORDINAL · all four fields required, LABEL written in full. Ordinals are scoped to the (LAYER, TAG) pair.
One concrete threat anchored to the firmware element via TOE.
| Field | Value |
|---|---|
| Identifier | AN : THR : Threat : 00 |
| Description | Russian GRU Unit 74455 (publicly tracked as “Sandworm” / “Voodoo Bear”), a state-sponsored APT with demonstrated capability to develop and deploy custom wiper malware against satellite-communications infrastructure. Demonstrated against KA-SAT subscriber modems on 24 February 2022. |
| TOE | AN : THR : Threat : 00 via TOE → AST : FW : Firmware : 00 (parent chain SVC : DP : Data Plane : 00 → SEG : US : User : 00 → PCE : TE : Terrestrial : 00) |
| Source | Viasat post-incident report, 30 March 2022; CISA AA22-110A (joint advisory with NSA, FBI, NCSC-UK); SentinelOne AcidRain technical analysis; public attribution by US, UK, EU, Ukraine. |
| Confidence | High. Multiple independent analyses converge on Sandworm attribution and AcidRain as the wiper artifact deployed against the SurfBeam2 firmware. |

| Field | Required? | What to capture |
|---|---|---|
| LAYER / TAG / LABEL / ORDINAL | Required | Always AN : THR : Threat : NN with the next ordinal in your AN-THR sequence. |
| DESCRIPTION | Required | Plain-English statement of who or what the threat actor is and why this threat matters to your platform. Avoid sales language; cite capability evidence. |
| TOE | Required | Fully-qualified enumerated identifier of the structural element the threat actually targets. Multiple TOE references are allowed when the threat applies to several elements. |
| SOURCE | Required | Public attribution, government brief, ISAC bulletin, vendor advisory, or internal incident report. The source must be specific enough that someone else can open it and verify the claim. |
| CONFIDENCE | Recommended | High / medium / low, with one-line rationale. Useful when downstream functions (the attack-path function, the detection-engineering function) need to weight the threat. |
| DRIVES | Auto-populated | The set of AN-ATT elements the attack-path function will derive from this threat; populated forward, not during the threat-modeling step. |
Sandworm has multiple satellite-communications-relevant capabilities, but the demonstrated capability against this asset class is firmware-overwrite via management-plane abuse. Other Sandworm capabilities (network-level disruption, ICS targeting) would anchor to different structural elements and become separate AN-THR entries with their own TOEs. Contextualized Threat Modeling captures one threat-to-target relationship at a time, and one actor can produce many AN-THR entries when the platform exposes multiple targets.
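As an added example (not part of this page's method description, and not any project's tooling), a small Python checker for the identifier scheme and the AN-THR field table above: it parses LAYER : TAG : LABEL : ORDINAL, enforces that ordinals are scoped to the (LAYER, TAG) pair, rebuilds the parent chain, and rejects a drafted AN-THR row whose TOE does not resolve to an element of the decomposition. The function names, the dict-based decomposition and the row format are my assumptions; the sample elements are constructed from this page's worked example.

```python
def parse_ident(text):
    """Split 'LAYER : TAG : LABEL : ORDINAL' into a tuple; all four fields are required."""
    parts = [p.strip() for p in text.split(":")]
    if len(parts) != 4 or not all(parts) or not parts[3].isdigit():
        raise ValueError(f"malformed identifier: {text!r}")
    return (parts[0], parts[1], parts[2], int(parts[3]))

def fmt(ident):
    return f"{ident[0]} : {ident[1]} : {ident[2]} : {ident[3]:02d}"

def add_element(decomp, text, parent=None):
    """Register an element (ident -> parent ident); ordinals are scoped to the (LAYER, TAG) pair."""
    ident = parse_ident(text)
    expected = sum(1 for e in decomp if e[:2] == ident[:2])  # next free ordinal for this pair
    if ident[3] != expected:
        raise ValueError(f"{fmt(ident)}: next ordinal for {ident[:2]} is {expected:02d}")
    parent_ident = parse_ident(parent) if parent else None
    if parent_ident is not None and parent_ident not in decomp:
        raise ValueError(f"{fmt(ident)}: parent {parent} is not in the decomposition")
    decomp[ident] = parent_ident
    return ident

def parent_chain(decomp, text):
    """Parent chain as strings, nearest parent first (SVC -> SEG -> PCE for the firmware asset)."""
    chain, cur = [], decomp[parse_ident(text)]
    while cur is not None:
        chain.append(fmt(cur))
        cur = decomp[cur]
    return chain

def validate_threat(decomp, row):
    """Problems in a drafted AN-THR row; an empty list means the row passes."""
    errors = []
    if parse_ident(row["identifier"])[:3] != ("AN", "THR", "Threat"):
        errors.append("identifier must be AN : THR : Threat : NN")
    if not row.get("toe"):
        errors.append("TOE is required")
    for toe in row.get("toe", []):  # several TOEs are allowed; each must resolve
        if parse_ident(toe) not in decomp:
            errors.append(f"TOE {toe} does not resolve to a decomposition element")
    return errors

# Constructed from this page's worked example: the firmware asset and its parent chain.
PLATFORM = {}
add_element(PLATFORM, "PCE : TE : Terrestrial : 00")
add_element(PLATFORM, "SEG : US : User : 00", parent="PCE : TE : Terrestrial : 00")
add_element(PLATFORM, "SVC : DP : Data Plane : 00", parent="SEG : US : User : 00")
add_element(PLATFORM, "AST : FW : Firmware : 00", parent="SVC : DP : Data Plane : 00")
SANDWORM_ROW = {"identifier": "AN : THR : Threat : 00", "toe": ["AST : FW : Firmware : 00"]}
```

A second Sandworm entry with a different TOE (the separate AN-THR entries the paragraph above describes) is just another row validated against the same PLATFORM dict.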