What is Threat Modelling?
Threat modelling is a structured approach to identifying and assessing potential cybersecurity threats so that vulnerabilities can be remediated before attackers exploit them. It allows an organization to visualize the different components of its digital environment, understand where it may be exposed, and identify the most serious risks so that defensive controls can be applied where they matter most.
In simple terms, threat modelling entails:
- Mapping out the components of your IT infrastructure and the data flows between them.
- Identifying potential vulnerabilities or weaknesses.
- Determining what kinds of threats or attacks could exploit those vulnerabilities.
- Calculating the likelihood and potential impact for each threat scenario.
- Prioritizing which vulnerabilities need to be addressed first based on risk assessments.
Threat modelling provides a proactive way to strengthen defenses by addressing risks systematically rather than reactively responding to incidents after they occur. It enables complex digital environments to be broken down into manageable pieces for cybersecurity analysis.
Why is Threat Modelling Important?
With the rapidly evolving cyber threat landscape, organizations cannot rely solely on reactive security controls like firewalls and antivirus software. Attackers are constantly finding creative ways to bypass defenses using techniques like social engineering, supply chain compromises, and zero-day exploits.
Threat modelling provides a crucial risk management capability by:
- Identifying overlooked threats – Many breaches exploit relatively simple vulnerabilities that could have been discovered and mitigated in advance through threat modelling.
- Prioritizing remediation efforts – With limited budgets and resources, threat modelling enables an organization to focus on fixing the weaknesses that matter most by ranking risks.
- Supporting informed decisions – Quantifying risks helps justify investments in stronger controls and provides a rationale for implementing security measures that may otherwise seem unnecessary to business stakeholders.
- Meeting compliance requirements – Regulations like HIPAA and PCI DSS include provisions around managing organizational risks that threat modelling directly supports.
- Optimizing resource allocation – Pinpointing critical vulnerabilities allows scarce security resources to be concentrated where they will have maximum impact.
- Enhancing situational awareness – Documenting and visualizing infrastructure components improves understanding of potential attack vectors.
How to Conduct Threat Modelling
While approaches can vary, threat modelling typically involves four main steps:
1. Define Objectives and Scope
- What assets, data, systems, and processes are in scope? What is the desired outcome?
- Focus only on what is directly relevant to avoid unnecessary effort.
2. Map Architecture and Data Flows
- Diagram the people, processes, systems, and connections between them.
- Understand where sensitive data is stored and how it moves.
3. Identify Vulnerabilities and Threats
- Analyze the above architecture for potential weaknesses. Consider interfaces, protocols, roles and trust boundaries.
- Brainstorm which vulnerabilities attackers could exploit and how.
4. Prioritize and Report Risks
- Estimate likelihood and potential impact for each threat scenario.
- Rank risks to determine remediation priorities and create action plans.
- Document findings and recommendations in a threat model report.
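The following is an added example, not part of the original article, showing steps 2 to 4 above as a small Python model: components are placed in trust zones, data flows that cross a trust boundary are flagged for review, and threat scenarios are scored by likelihood times impact and ranked into the report. The web-shop architecture, threat descriptions and scores are constructed for illustration only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    zone: str            # trust zone, e.g. "internet", "dmz", "internal"

@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    protocol: str

    def crosses_boundary(self) -> bool:
        # A flow between two trust zones crosses a trust boundary (step 3).
        return self.src.zone != self.dst.zone

@dataclass
class Threat:
    flow: Flow
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

def boundary_crossings(flows):
    """Step 3: the interfaces that cross a trust boundary, reviewed first."""
    return [f for f in flows if f.crosses_boundary()]

def rank_threats(threats):
    """Step 4: rank by risk score, highest first; ties broken by impact."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)

# Constructed sample architecture: a hypothetical web shop, not a real system.
browser = Component("customer browser", "internet")
web = Component("web app", "dmz")
db = Component("orders db", "internal")
backup = Component("backup server", "internal")
flows = [Flow(browser, web, "https"), Flow(web, db, "tcp/5432"), Flow(db, backup, "tcp/22")]

# Constructed threat scenarios with illustrative likelihood/impact scores.
threats = [
    Threat(flows[0], "credential stuffing against customer login", 4, 3),
    Threat(flows[1], "injection via untrusted order-search input", 3, 5),
    Threat(flows[2], "unencrypted backup exposes order data", 2, 5),
]
```

Note that the backup flow stays inside one trust zone yet still carries the highest-impact scenario, which is why step 3 looks beyond boundary crossings alone.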
Key Threat Modelling Techniques
- Asset-Centric – Focuses on safeguarding specific assets that are of value to attackers.
- Software-Centric – Models the software architecture and trust boundaries between components. Well-suited for application security.
- Attacker-Centric – Thinks from an attacker’s perspective regarding targets and methods. Useful for developing a penetration-testing mindset.
- System-Theoretic – Considers systems holistically, including interactions and emergent behaviors. Helps identify unintended consequences.
Real-World Examples
Here are some examples of how threat modelling could have prevented past cybersecurity incidents:
- Target breach (2013) – Analyzing point-of-sale system data flows would have revealed the lateral movement vulnerabilities used by attackers after exploiting an HVAC vendor. Segmenting the POS network could have contained the breach.
- Equifax breach (2017) – Modelling identity management system threats would have identified the Apache Struts vulnerability that was unpatched for months after a fix was released.
- Colonial Pipeline ransomware (2021) – Diagramming IT and OT networks would have shown the risks from interconnected business and industrial systems. Better segmentation and access controls could have prevented the disruption.
Getting Started with Threat Modelling
To begin applying threat modelling in your organization:
- Train staff on fundamental concepts and methodologies.
- Start small with non-critical systems or new projects to gain experience.
- Use tools and templates to simplify workflows rather than starting from scratch.
- Iterate on initial models to refine and enhance them over time.
- Integrate threat modelling into SDLC, change management, and operations.
- Designate owners to ensure models remain updated and action plans are executed.
Threat modelling provides immense value for security teams looking to get ahead of threats and more proactively manage cyber risks. Prioritizing resources based on data-driven risk analysis helps ensure that defenses stay aligned with evolving real-world attacks.