Why threat model?
Most attacks or breaches aren’t the result of highly complex or technical methods; they’re the result of decisions and assumptions nobody questioned early enough. Accounts with excessive privileges, credentials sitting in plain text in a shared repo, no identity validation for remote workers contacting your service desk: these are a few examples of what an attacker may take advantage of.
These issues might eventually get flagged through governance reporting, posture management or even a threat detection alert, but by then it’s often too far down the line and fixing it gets expensive. A threat found as part of a design costs a conversation, whereas the same threat found in production costs an incident or worse. Threat modelling is a great way to catch those “gotchas” early on, whilst they’re cheaper to fix.
Threat modelling is totally worth it and here’s why:
- Adversarial thinking. It enables your teams to think like an attacker and consider what their motives might be. Disgruntled employee? A target for activism or protests because of the industry your business operates in? Work with high-profile organisations and handle valuable data?
- Shift left. Threat modelling shapes what is built in the early stages of change so you are one step ahead. Penetration testing, code reviews and other security tooling are extremely useful for finding issues and vulnerabilities in what already exists, but they can only catch what’s already built. By definition they are reactive.
- Mutual understanding. Different stakeholders have different perspectives and understanding of how something works and what matters. Collaborating on a threat model forces those conversations into the open, providing an opportunity to validate the change and what the organisation truly cares about.
- Simplicity. It doesn’t require reams of documentation or a fancy rendered architecture diagram before you can start. If you can articulate what’s changing, what data moves where and what it talks to, in a few sentences or a rough sketch, you have enough to threat model. A quality threat model comes from how well the change is understood, not the quality of the diagram.
- Proactive risk management. Threat models support stakeholders by helping them to understand the risks introduced by changes and design decisions. The earlier these are identified, the more time teams have to evolve their designs to ensure threats are mitigated before entering production.