Threat Modeling and why using a VPN can be a bad thing

Hi 0x00’ers!

Depending on your level of skill, you may be under the impression that using a VPN for all your traffic is good for your privacy, or you'll have been told that running Tor 24/7, or tunnelling all your traffic through it, will save you from the infamous three-letter agencies. Whatever crud you've been told, it's time to forget it and make up your own mind before blindly accepting the next big privacy fad.

If you speak to any well-practiced security guy (or girl, I’m not judging), they will all tell you one thing:

What is a threat model? The definition straight outta Wikipedia mentions the following:

To make your threat model, you have to think about a few things. Threat modelling can be applied to anything, from physical intrusion to network intrusion. In this article I am going to talk about computer-based threats.

On the defensive (blue team) side, a number of methodologies have been created to give companies and individuals a methodical way of doing this.

One of these is STRIDE, a threat classification model developed by Microsoft.

Its six threat categories form the mnemonic:

  • Spoofing of user identity
  • Tampering
  • Repudiation
  • Information disclosure (privacy breach or data leak)
  • Denial of service (DoS)
  • Elevation of privilege

1. Who is a threat to you?

This is a big and very open ended question, but in short, who poses a threat to you, your safety, your information and/or your assets.

For a corporation, this is most often Blackhats or rogue employees with a vendetta; for an individual like yourself, it can be anything from Blackhats to the three-letter agencies that you hear ranted about daily.

This step is very important to get right: if you don't know who you're protecting against, you will never protect yourself adequately.

2. What am I vulnerable to?

Now that you know who you are defending against, you need to step into the shoes of your adversary. Personally, my threat model revolves around Blackhats.

Look at yourself completely honestly. If you were a hacker, how would you go about compromising you? What pieces of tech do you have exposed? How might an attacker socially engineer you?

For most of us, social engineering is one of the leading vulnerabilities we exhibit. One thing that helps our case significantly is OPSEC: knowing what we can and cannot reveal gives attackers a hard time finding anything to use as leverage.

3. What are my high-value assets?

Have some information somebody might want? Have access to some server or physical location that might paint a target on your back?

Thinking about solutions

After thinking about all the potential threats, vulnerabilities, and targets relating to you, you must start thinking about how to remedy them, or at least improve your odds. As I have already mentioned, this may be through OPSEC, using stronger passphrases, or even using a VPN.

But wait, you’ve just told me that Tor and VPN’s are bad?

What services you use, and where and how you route your traffic, is determined by your threat model. Are you trying to hide your location and IP from criminal attackers? If so, a VPN and/or Tor may actually improve your security posture.

Are you trying to hide from the NSA? A VPN or Tor may do the exact opposite. This depends entirely on how much you trust the organisation involved, but from a zero-trust point of view you are essentially tunnelling all your traffic through a company that might not even need a subpoena before handing it over.


In conclusion then, being aware of your threats, your vulnerabilities, and your adversaries will give you a firm basis for continuing to develop your Opsec, your Security, and what you choose (and choose not) to do in your day to day activities.

I hope this was helpful! If you have anything to add, or to disagree with me on anything, throw down a comment, if you enjoyed this, give me a like, and comment your opinion!

Do you have a threat model? What do you protect against?

Stay Snappy :wink:

- pry0cc


Nice post. Very interesting.

Why do you think Tor might harm your efforts to hide from the NSA?


It’s a long-held belief, although not 100% verified, that the NSA has developed a technique for de-anonymizing traffic being routed through Tor. In more recent times, independent researchers have been able to reproduce similar vulnerabilities.


Tor has been advertised as an anonymizing network. This will therefore attract a damn lot of shady people; while it has a lot of legitimate users, I can bet that 90%+ of its traffic is for shady purposes.

How do a lot of drug dealers, hackers, and other people anonymize themselves? Tor. I would suggest that for an organisation with the budget of the NSA, the single target in their crosshairs would be Tor nodes: make a 0day that affects Tor nodes, pwn all the things, ???, Profit!

I think that Tor to hidden services is solid, and a mass attack of Tor is impractical, but if you were hacking a large target, and the CIA/FBI/NSA were looking hard enough for you, they would get you if you were using Tor.


It is usually a client side problem, and a result of enabling JavaScript. If you use an up-to date tor browser bundle, use it in a confined space with no other devices, had the FBI only compromised the hidden service, and you’d disabled JavaScript, I would think it’s very very difficult to de-anonymize.


Your traffic can still be de-anonymized even if you take client-side precautions. This involves the 3-letter agencies having 3 nodes that you connect to. That way they have an IP address at the entry node and the data at the exit node and with a little effort they can link the two together. Again it is unlikely this will be the case, but it CAN happen.

That is why I chose to get my entry node in Switzerland and my exit node in the Russian Federation. Switzerland is infamous for not being part of the EU and being totally neutral (+ Swiss privacy law requires that you be made aware you are being watched if they need to). I chose Russia as my exit node since it is unlikely that they will hand out any information to a western nation. If the threat model is different, so is the exit node, but I always keep Switzerland as my entry node.
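The entry/exit correlation described in the reply above, as an added example that is not part of the original thread: a small Python model of a three-hop circuit in a network where an adversary runs some share of the relays. The relay list, its weights and the bandwidth-weighted selection rule are constructed assumptions (real Tor adds long-lived guard pinning, exit policies and family exclusions that this model ignores). What it shows is that the fraction of circuits whose two ends the observer can correlate is roughly the product of its share of entry bandwidth and its share of exit bandwidth, that the middle relay never helps the attacker, and that the fraction drops to zero whenever the entry relay is honest.

```python
"""Added example: how often does a three-hop circuit hand one adversary both
the entry (guard) and the exit relay?

Constructed toy network, not real Tor consensus data.  Relay selection is
approximated as bandwidth-weighted random choice; real Tor adds guard
pinning, family and /16 exclusions and exit policies, all ignored here.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    name: str
    bandwidth: int    # selection weight, stands in for consensus weight
    adversary: bool   # True if this relay is run by the observer we fear
    exit_ok: bool     # True if the relay allows exit traffic


def toy_consensus(honest=70, adversary=30, weight=10):
    """Constructed relay list; every other relay is exit-capable."""
    relays = [Relay(f"honest-{i}", weight, False, i % 2 == 0) for i in range(honest)]
    relays += [Relay(f"adv-{i}", weight, True, i % 2 == 0) for i in range(adversary)]
    return relays


def pick(candidates, rng):
    """Bandwidth-weighted choice, the way a client biases relay selection."""
    return rng.choices(candidates, weights=[r.bandwidth for r in candidates], k=1)[0]


def build_circuit(relays, rng, guard=None):
    """Guard -> middle -> exit with no relay reused; `guard` may be pinned."""
    guard = guard or pick(relays, rng)
    exit_ = pick([r for r in relays if r.exit_ok and r is not guard], rng)
    middle = pick([r for r in relays if r is not guard and r is not exit_], rng)
    return guard, middle, exit_


def both_ends_owned(circuit):
    """The correlation attack needs the entry and the exit, not the middle."""
    guard, _, exit_ = circuit
    return guard.adversary and exit_.adversary


def simulate(relays, circuits=20000, seed=1, guard=None):
    """Fraction of circuits whose entry and exit the adversary can correlate."""
    rng = random.Random(seed)
    owned = sum(both_ends_owned(build_circuit(relays, rng, guard)) for _ in range(circuits))
    return owned / circuits


def first_order_estimate(relays):
    """P(guard owned) * P(exit owned), ignoring the no-reuse exclusion."""
    total = sum(r.bandwidth for r in relays)
    adv = sum(r.bandwidth for r in relays if r.adversary)
    exit_total = sum(r.bandwidth for r in relays if r.exit_ok)
    exit_adv = sum(r.bandwidth for r in relays if r.exit_ok and r.adversary)
    return (adv / total) * (exit_adv / exit_total)


if __name__ == "__main__":
    relays = toy_consensus()
    print(f"first-order estimate        : {first_order_estimate(relays):.3f}")
    print(f"simulated, random guard     : {simulate(relays):.3f}")
    honest_guard = next(r for r in relays if not r.adversary)
    print(f"simulated, honest guard     : {simulate(relays, guard=honest_guard):.3f}")
    owned_guard = next(r for r in relays if r.adversary and not r.exit_ok)
    print(f"simulated, adversary guard  : {simulate(relays, guard=owned_guard):.3f}")
```

With the constructed 30% adversary share the estimate is 0.09 and the simulation lands close to it; pinning an honest guard gives 0.0, and pinning an adversary-run guard jumps to the adversary's exit share (about 0.3), which is why the choice of entry relay carries so much weight in this kind of threat model.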


I’ll have to dig up the documents on it, but they definitely have techniques for doing it (running as much as 60% of the exits nodes in the world at one time also helped).

Also, I feel like WackSec Radio did an episode on this very subject at one point :wink:

@pry0cc nice one foo!
Basics for inter/adv levels of 0x00’ers!
I think that it’s very important to make this kind of analysis of threats, vulns, and adversaries, more if u’r working on cybers3c stuff. Ch33rz!
