Threat modeling is an incredibly useful tool for security pros today. To conduct a threat modeling exercise, follow the steps below.
First, have your team brainstorm about your organization's most valuable information assets, your important computing resources and where they are located.
Next, discuss in detail who might attack your enterprise and why. These are your threats. Would cybercriminals attack you? How about nation-states? What about the insider threat? Don't forget to consider an errant worm or bot that gets installed inside your environment. Not all of today's threats are human ones.
Third, based on your list of threats, start thinking about how they could exploit you. What are the easiest ways in? What are the most damaging attacks that someone could do to you? Get very detailed, and don't immediately rule out the various outlandish ideas that your folks may come up with. Where threat and vulnerability overlap, you have a risk.
Finally, consider the countermeasures that you have deployed to deal with these risks. Would your defenses block the attack scenarios you've formulated? If not, would you at least quickly detect a malfeasance and respond in a timely fashion?
Of course, you won't be able to come up with all of the ways that bad guys and malware could attack you. The attackers are a creative lot and are constantly innovating. To use an old cliché: you can't think like all of the bad guys all of the time, but you can think like some of them some of the time. Thus, make sure that you can at least defend against what your team considers the most common and most damaging attacks. Without doing some of this basic threat modeling, you might get hit with a very predictable and obvious attack that should have been blocked.
The team over at the Open Web Application Security Project (OWASP) has put together a great synopsis of various threat modeling approaches, inspired by Microsoft's own process. This great summary describes different ways of determining an organization's greatest threats and associated risks. Various companies are also working on automated threat modeling software, including Skybox Security.
- Michael Cobb explains how threat modeling can improve the security of Web applications.
- Learn other ways to define an 'acceptable' level of risk.
This was first published in December 2007