While there is not one exact industry wide definition, threat modeling can be summarized as a practice to proactively analyze the cyber security posture of a system or system of systems. Threat modeling can be conducted both in the design/development phases and for live system environments.
It is often referred to as Designing for Security. In short, threat modeling answers questions as “Where am I most vulnerable to attacks?”, “What are the key risks?”, and “What should I do to reduce these risks?”.
More specifically, threat modeling identifies cybersecurity threats and vulnerabilities and provides insights into the security posture, and what controls or defenses should be in place given the nature of the system, the high-value assets to be protected, the potential attackers’ profiles, the potential attack vectors, and the potential attack paths to the high-value assets.
Threat modeling can consist of the following steps:
1. Create a representation of the environment to be analyzed
2. Identify the high value assets, the threat actors, and articulate risk tolerance
3. Analyze the system environment from potential attackers’ perspective:
- How can attackers reach and compromise my high value assets? I.e. what are the possible attack paths for how attackers can reach and compromise my high-value assets?
- What of these paths are easier and harder for attackers?
- What is my cyber posture — how hard is it for attackers to reach and compromise my high-value assets?
If the security is too weak/risks are too high:
4. Identify potential measures to improve security to acceptable/target levels
5. Identify the potential measures that should be implemented — the most efficient ways for your organization to reach acceptable/target risk levels.
Why threat model: The business values
Threat modeling is a very effective way to make informed decisions when managing and improving your cybersecurity posture. It can be argued that threat modeling, when done well, can be the very most effective way of managing and improving your cyber risk posture, as it can enable you to identify and quantify risks proactively and holistically and steer your security measures to where they create the best value.
Identify and manage vulnerabilities and risks before they are implemented and exploited
- Before implementation: Threat modeling enables companies to “shift left” and identify and mitigate security risks already in the planning/ design/ development phases, which is multiples — often 10x, 100x, or even more — times more cost-effective than fixing them in the production phase.
- Before exploited: As rational and effective cyber defenders we need both proactive and reactive cyber capabilities. Strengthening security proactively, before attacks happen, has clear advantages. However, it also comes with a cost. An effective threat modeling enables the user to make risk-based decisions on what measures to implement proactively.
Prioritize security resources to where they create the best value
- One of the very key challenges in managing cybersecurity is to determine how to prioritize and allocate scarce resources to manage risks with the best effect per dollar spent. The process for threat modeling, presented in the first section of this text, is a process for determining exactly this. When done effectively, it takes into consideration all the key parts guiding rational decision making.
There are several additional benefits to threat modeling. One is that all the analyses are conducted on a model representation of your environment, which creates significant advantages as the analyses are non-intrusive and that analyzers can test scenarios before implementations.
Another set of values are that threat models create a common ground for communication in your organization and increase cybersecurity awareness. To keep this text concise, we here primarily highlight the values above. We also want to state that there are several other excellent descriptions of the values of threat modeling, and we encourage you to explore them.
Who does threat modeling and when?
On the question “Who should threat model?” the Threat Modeling Manifesto says “You. Everyone. Anyone who is concerned about the privacy, safety, and security of their system.” While we do agree with this principle in the long term, we want to nuance the view and highlight the need for automation.
Threat modeling in development
This is the ”base case” for threat modeling. Threat modeling is typically conducted from the design phase and onward in the development process. It is rational and common to do it more thoroughly for high criticality systems and less thorough for low criticality systems. Threat modeling work is typically done by a combination of development/DevOps teams and the security organization.
More mature organizations typically have more of the work done by the development/DevOps teams and the less mature organizations have more work support from the security organization.
Threat modeling of live environments
Many organizations also do threat modeling on their live environments. Especially for high criticality systems. As with the threat modeling in development, organizations have organized the work in different ways. Here, the work is typically done by a combination of operations/DevOps teams and security organization.
Naturally, it is advantageous when threat models fit together and evolves over time from development through operations and DevOps cycles.