Threat modeling is increasing in importance as a way to plan security in advance. Instead of merely reacting to threats and incidents, an organization can identify and evaluate its security posture, relevant threats, and gaps in defenses that may allow attacks to succeed.

Threat modeling has a two-way relationship with incident response:

  • When an attack happens, incident responders can benefit tremendously from a threat model that shows them which attack vectors are likely to impact a system, what defenses are in place, and which steps are necessary to mitigate the attack.
  • After an attack, lessons learned by incident responders can and should be used to update the threat model.

What Is Threat Modeling?

Threat modeling is the process of mapping out and investigating threats with the goal of creating better security strategies. As Cynthia Gonzalez discusses in her blog, there are several threat modeling frameworks, including:

  • STRIDE – Microsoft’s threat model covering six types of threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Privilege Escalation
  • PASTA – A 7-step model designed to correlate business objectives with technical requirements
  • CVSS – The standardized scoring system used globally to communicate information about known vulnerabilities
  • Hybrid Threat Modeling Method (hTMM) – Focused on extracting security requirements and uncovering ways systems can be abused by attackers

Whichever framework you select, they all share a common goal – to identify vulnerabilities, analyze the organization’s security posture, and define countermeasures that mitigate or prevent each threat.

Typically, the modeling process defines a threat as any potential or actual adverse event. A threat may be malicious, like a denial-of-service (DoS) or SQL injection attack, or incidental, like a storage failure that compromises company assets.
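To make the two-way relationship between a threat model and incident response concrete, here is a small STRIDE-style model written as an added example; it is not code from the original post or from any of the frameworks it names. It records threats per component with the controls already in place, reports the gaps where no mitigation exists (where effort should be applied), answers the responder's question "which vectors hit this component and what defenses exist?", and feeds an incident's lessons learned back into the model. The component names, vectors and controls are constructed illustrations, not a real system.

```python
"""Minimal STRIDE-style threat model with gap analysis and incident feedback.

Added example, not from the original post. The web application, its
threats and its controls are constructed for illustration only.
"""
from dataclasses import dataclass, field

# The six STRIDE categories as listed in the post.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Privilege Escalation",
}


@dataclass
class Threat:
    component: str                 # asset or system element the threat targets
    category: str                  # one-letter STRIDE code
    vector: str                    # short description of the attack vector
    mitigations: list = field(default_factory=list)  # controls already in place
    incidental: bool = False       # non-malicious adverse event (e.g. storage failure)


@dataclass
class ThreatModel:
    threats: list = field(default_factory=list)

    def add(self, threat):
        # Reject categories outside STRIDE so the model stays consistent.
        if threat.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {threat.category!r}")
        self.threats.append(threat)

    def gaps(self):
        """Threats with no mitigation: this is where defensive effort should go."""
        return [t for t in self.threats if not t.mitigations]

    def lookup(self, component, category):
        """What a responder needs mid-incident: the modelled vectors for this
        component and category, together with the defenses already in place."""
        return [t for t in self.threats
                if t.component == component and t.category == category]

    def record_lesson(self, component, category, vector, mitigation):
        """Feed an incident's lessons learned back into the model: attach the
        new control to a matching threat, or add the threat if the vector
        had not been modelled. Returns 'updated' or 'added'."""
        matches = [t for t in self.lookup(component, category) if t.vector == vector]
        if matches:
            for t in matches:
                if mitigation not in t.mitigations:
                    t.mitigations.append(mitigation)
            return "updated"
        self.add(Threat(component, category, vector, [mitigation]))
        return "added"


def build_sample_model():
    """Constructed sample model for a hypothetical web application."""
    m = ThreatModel()
    m.add(Threat("web-api", "S", "credential stuffing against login",
                 ["MFA", "rate limiting"]))
    m.add(Threat("web-api", "D", "volumetric HTTP flood", ["CDN rate limiting"]))
    m.add(Threat("database", "T", "SQL injection via search parameter", []))
    m.add(Threat("database", "I", "storage failure loses audit records", [],
                 incidental=True))
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for t in model.gaps():
        print(f"GAP: {t.component} [{STRIDE[t.category]}] {t.vector}")
    # After an incident, the responders' lesson closes one of the gaps.
    model.record_lesson("database", "T", "SQL injection via search parameter",
                        "parameterized queries")
    print("remaining gaps:", [t.vector for t in model.gaps()])
```

Running the script lists the two unmitigated threats first, then shows that recording the post-incident lesson (parameterized queries) leaves only the incidental storage-failure gap, which is exactly the update loop the second bullet above describes.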

Effective threat modeling determines where efforts should be applied in order to keep the organization (Read more...)