Threat Modeling Intro
An overview of Threat Modeling, with an example to get started.
Have you wondered how security professionals deal with the onslaught of cyber attacks? One tool in our toolbox is called “Threat Modeling”, and this is a quick intro.
Can we really prevent attacks, or are we doomed?
Even if you don’t track the latest cybersecurity news, you know that companies large and small are being attacked by bad actors. Some stories make the news, like when a hospital is held hostage by ransomware and operations are disrupted. Other stories don’t make the news until it’s too late— long after sensitive information was stolen and the damage has been done.
There are thousands of attacks that could threaten the day-to-day life of companies and individuals. How do we stay safe? Can these threats be prevented, or are we doomed? Can we do something to avoid being the next target?
We can! That’s where the process of “Threat Modeling” comes in.
What is Threat Modeling?
Per The Threat Modeling Manifesto:
Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics.
Or, in other words, we take a closer look to analyze what can go wrong. In this case “threat” = “what can go wrong.”
For example, could the files on your hard drive be held hostage by a ransomware attack? Would you pay thousands of dollars to unlock them? Could you have done something to prevent the ransomware attack from succeeding? Threat modeling can help us answer those questions.
Threat modeling helps us understand the threats and deal with them before they turn into attacks. As the saying goes, “an ounce of prevention is worth a pound of cure.”
Threat modeling can be boiled down to the following 4 questions.
The 4 Questions of Threat Modeling
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
Starting with the question “what are we working on?” helps to clarify what it is we want to protect. What is the “asset” that we would like to protect?
Consider the following simple example:
1. What are we working on?
- I’m working on critical, top-secret files on my laptop that cannot be recreated and are not saved anywhere else.
2. What can go wrong?
A lot of things could go wrong. What do I add to the list? Do I pick things that might happen more frequently than other things? Maybe— but I shouldn’t fall into the probability trap. Whether an event is “likely” or “unlikely” doesn’t matter.
What matters is reasonably identifying as many threats as we can. Don’t get lost in the weeds or start doing estimates to try to determine probabilities. Leave the math to the risk assessment people.
A few examples for “what can go wrong” based on “working on top-secret files on my laptop”:
- My laptop can be physically stolen.
- My credentials (such as username and password) can be stolen.
- My laptop can be damaged in some way so that I could no longer work on the files.
- The files can be copied from the laptop and their secret contents disclosed publicly.
- The files can be modified/tampered with so that the files can no longer be trusted.
- My laptop can have some sort of malware installed on it.
- The files on my laptop can be held hostage by ransomware.
- Another device on my network can be used to attack my laptop.
- The operating system on my laptop can have a vulnerability that allows an attacker to access my files.
3. What are we going to do about it?
This is where we find ways to deal with the threats. We can choose to do nothing about the threat (accept it). We can choose to do something about the threat (such as mitigate it, eliminate it, or transfer it to someone else).
Here are a few actions I could take to do something about the threats above:
- I could physically secure my laptop with a lock to prevent it from being stolen.
- I could implement two-factor authentication to prevent my credentials from being used without my permission.
- I could make secure copies of important files in alternate locations. Having only one copy of any critical file that cannot be replaced is a bad idea, even without a bad actor. Having offsite backups could help deal with both physical threats (theft, damage) and virtual threats (ransomware, malware, tampering) to my laptop and files.
- I could encrypt my files with strong encryption and a password to prevent the information in those files from being disclosed or tampered with.
- I could use endpoint protection software on my laptop to detect/prevent unwanted software such as malware or ransomware.
- I could use a network firewall with intrusion detection to prevent bad actors from entering my network and installing malware/ransomware.
- I could implement a security event logging solution so that the activities on my laptop are monitored and so that I could be notified if an anomaly occurs.
- I could install the latest security updates on my laptop to ensure there are no unpatched vulnerabilities.
…OR I could avoid storing top-secret files on my laptop at all! Sometimes there are solutions that appear very different from the current state. For example,
- I could only edit top-secret files using computers in a highly-secured facility encased in a granite-lined concrete structure. While this is NOT a realistic solution for me, it could be an option for someone with a higher budget, or for an organization that is more paranoid about top secret information disclosure.
4. Did we do a good enough job?
In threat modeling, the goal is improvement. There are tradeoffs to be made on the “what are we going to do about it” side. There may be high costs to eliminate a threat. There may be budget constraints or other requirements that limit what we can do. That’s ok. In the example above, I didn’t have the budget to set up a highly-secured facility. I can’t eliminate the “information disclosure” threat of leaking top-secret data from my laptop.
But even without building my own “Fort Knox,” I could still make significant progress. I can mitigate multiple risks by doing some of the security “basics” like having good backups, using a firewall, and performing regular software updates.
I’ve heard the saying, “all models are wrong, but some are useful.” This means that no model will ever be completely perfect, but even imperfect models can be valuable. The threat model doesn’t have to be “perfect” to address the threat, just “good enough” to be useful.
After some time, we’ll need to re-evaluate. Are we satisfied with the way our threat model is working? Is our model still useful, even if it isn’t “Fort Knox”? Or, does our model need to be updated because “what we are working on” has changed? What could we put in place to detect and verify that our threat model is working well?
Asking these questions leads us down a path of continuous improvement instead of just checking a particular box. Asking these questions regularly leads us to threat models that are more useful and more complete. That’s the goal.
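The laptop example above can be kept as a small register and re-checked whenever "what we are working on" changes. The following Python is an added example, not part of the original article; the short threat ids and the mapping of each action to the threats it addresses are assumptions made for this example.

```python
# Added example: the article's laptop threat model as a reviewable register.
# Threat ids and the action-to-threat mapping are assumptions of this example.
THREATS = {  # question 2: what can go wrong?
    "theft": "laptop physically stolen",
    "creds": "credentials stolen",
    "damage": "laptop damaged, files unusable",
    "disclosure": "files copied and disclosed",
    "tamper": "files modified, no longer trusted",
    "malware": "malware installed",
    "ransomware": "files held hostage",
    "lateral": "attack from another device on the network",
    "os_vuln": "operating system vulnerability",
}
MITIGATIONS = {  # question 3: action -> threats it addresses
    "cable lock": {"theft"},
    "two-factor auth": {"creds"},
    "offsite backups": {"theft", "damage", "ransomware", "malware", "tamper"},
    "file encryption": {"disclosure", "tamper"},
    "endpoint protection": {"malware", "ransomware"},
    "firewall + IDS": {"lateral", "malware", "ransomware"},
    "event logging": {"malware", "lateral"},
    "security updates": {"os_vuln"},
}


def review(adopted, accepted=frozenset()):
    """Question 4: return (coverage, unaddressed, errors) for the decisions made."""
    errors = [f"unknown mitigation: {m}" for m in sorted(adopted) if m not in MITIGATIONS]
    errors += [f"unknown threat: {t}" for t in sorted(accepted) if t not in THREATS]
    coverage = {t: sorted(m for m in adopted if t in MITIGATIONS.get(m, ()))
                for t in THREATS}
    # A threat is addressed only if something covers it or it was explicitly accepted.
    unaddressed = sorted(t for t, ms in coverage.items() if not ms and t not in accepted)
    return coverage, unaddressed, errors


def next_best(adopted, accepted=frozenset()):
    """Rank unadopted actions by how many still-open threats each would close."""
    open_threats = set(review(adopted, accepted)[1])
    gains = {m: len(ts & open_threats) for m, ts in MITIGATIONS.items() if m not in adopted}
    return sorted((m for m, g in gains.items() if g), key=lambda m: (-gains[m], m))


if __name__ == "__main__":
    basics = {"offsite backups", "firewall + IDS", "security updates"}
    _, still_open, _ = review(basics, accepted={"disclosure"})
    print("no decision yet:", still_open, "-> consider:", next_best(basics, {"disclosure"}))
```

With the "basics" adopted and information disclosure explicitly accepted, the review leaves stolen credentials as the one threat that has neither a mitigation nor a recorded decision.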
Who can do threat modeling?
Everyone! Threat modeling doesn’t have to be something that only “those security experts” do. At some level, everyone is responsible for the security of their stuff. Try out the 4 questions above— you might be surprised at what you can discover and improve.
Where can I learn more?
For all things Threat Modeling, Adam Shostack is your guru.
For a good high-level summary and principles to use when threat modeling, check out The Threat Modeling Manifesto.
Also see Adam’s article The Ultimate Beginner’s Guide to Threat Modeling.
Other Books by Adam: