Ask the Expert

Can threat modeling help enterprises?

Is threat modeling a useful defense mechanism? Is it really possible to think like an attacker?


Threat modeling is an incredibly useful tool for security pros today. To conduct a threat modeling exercise, follow the steps below.

First, have your team brainstorm about your organization's most valuable information assets, your important computing resources and where they are located.

Next, discuss in detail who might attack your enterprise and why. These are your threats. Would cybercriminals attack you? How about nation-states? What about the insider threat? Don't forget to consider an errant worm or bot that gets installed inside your environment. Not all of today's threats are human ones.

Third, based on your list of threats, start thinking about how they could exploit you. What are the easiest ways in? What are the most damaging attacks that someone could do to you? Get very detailed, and don't immediately rule out the various outlandish ideas that your folks may come up with. Where threat and vulnerability overlap, you have a risk.

Finally, consider the countermeasures that you have already deployed to deal with these risks. Would your defenses block the attack scenarios you've formulated? If not, would you at least detect the intrusion quickly and respond in a timely fashion? A scenario that nothing blocks and nothing detects is a gap, and the highest-risk gaps are where your next effort should go.
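The four steps above, written out as a small threat-model register: assets with a value, the threats and attack paths against them with a likelihood, and a coverage check that asks, for each scenario, whether a deployed control blocks it, merely detects it, or neither. This is an added example, not code from the article or from any vendor; the assets, scenarios, scores and control names are constructed for a hypothetical organization and are assumptions, not a recommended scoring scale.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    name: str
    value: int  # 1 (nuisance if lost) .. 5 (crown jewels)


@dataclass
class Scenario:
    threat: str                 # who or what attacks: cybercriminal, insider, worm...
    asset: str                  # the Asset.name they go after
    vector: str                 # the way in they would use
    likelihood: int             # 1 (far-fetched) .. 5 (expect it this quarter)
    blocked_by: List[str] = field(default_factory=list)   # controls that stop it
    detected_by: List[str] = field(default_factory=list)  # controls that only notice it


def risk_score(s: Scenario, assets: Dict[str, Asset]) -> int:
    """Risk = how likely the threat is to use this path x how much the asset is worth."""
    return s.likelihood * assets[s.asset].value


def coverage(s: Scenario, deployed: Set[str]) -> str:
    """Step four of the exercise: would what we already run block it, or at least see it?"""
    if any(c in deployed for c in s.blocked_by):
        return "blocked"
    if any(c in deployed for c in s.detected_by):
        return "detect-only"
    return "uncovered"


def gap_report(scenarios: List[Scenario], assets: Dict[str, Asset],
               deployed: Set[str]) -> List[Tuple[str, str, str, int, str]]:
    """Every scenario, highest risk first, with its coverage verdict."""
    ranked = sorted(scenarios, key=lambda s: risk_score(s, assets), reverse=True)
    return [(s.threat, s.asset, s.vector, risk_score(s, assets), coverage(s, deployed))
            for s in ranked]


def uncovered(scenarios: List[Scenario], assets: Dict[str, Asset],
              deployed: Set[str]) -> List[Tuple[str, str, str, int, str]]:
    """The rows to take to the budget meeting: nothing blocks or detects them."""
    return [r for r in gap_report(scenarios, assets, deployed) if r[4] == "uncovered"]


# Constructed sample model for a hypothetical organization (assumed values, not from the article).
ASSETS = {a.name: a for a in [
    Asset("customer database", 5),
    Asset("public web server", 3),
    Asset("developer workstation", 2),
]}

SCENARIOS = [
    Scenario("cybercriminal", "customer database", "SQL injection through the web app", 4,
             blocked_by=["WAF", "parameterized queries"], detected_by=["DB audit logging"]),
    Scenario("insider", "customer database", "export a report and copy it to USB", 2,
             blocked_by=["USB device control", "DLP"], detected_by=["DLP"]),
    Scenario("worm", "developer workstation", "unpatched SMB service", 3,
             blocked_by=["patching", "host firewall"], detected_by=["NIDS"]),
    Scenario("nation-state", "public web server", "unknown web server zero-day", 1,
             blocked_by=[], detected_by=["NIDS", "web server log review"]),
]

# Controls this hypothetical shop actually runs today.
DEPLOYED = {"WAF", "DB audit logging", "NIDS", "host firewall"}

if __name__ == "__main__":
    for threat, asset, vector, score, verdict in gap_report(SCENARIOS, ASSETS, DEPLOYED):
        print(f"{score:>3}  {verdict:<12} {threat} -> {asset} via {vector}")
```

Run as is, the report ranks the SQL injection scenario first (score 20) but shows it blocked by the WAF, while the insider USB export (score 10) comes back uncovered: no deployed control prevents or detects it. That second row is the predictable, obvious attack the article warns about, and it is exactly what the exercise is meant to surface before an attacker does.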

Of course, you won't be able to come up with all of the ways that bad guys and malware could attack you. The attackers are a creative lot and are constantly innovating. To use an old cliché: you can't think like all of the bad guys all of the time, but you can think like some of them some of the time. Thus, make sure that you can at least defend against what your team considers the most common and most damaging attacks. Without doing some of this basic threat modeling, you might get hit with a very predictable and obvious attack that should have been blocked.

The team over at the Open Web Application Security Project (OWASP) has put together a great synopsis of various threat modeling approaches, inspired by Microsoft's own process. This great summary describes different ways of determining an organization's greatest threats and associated risks. Various companies are also working on automated threat modeling software, including Skybox Security.


This was first published in December 2007
