At a high level, threat modeling is a systematic way that security professionals assess risk and the potential consequences of security threats to systems and software. While threat modeling is often done during the software development phase, it can also be done proactively across a variety of enterprise technology assets to monitor ongoing risk.  Our introductory article to this series, “What is threat modeling,” provided a broad overview of the process, introduced many of the more prevalent models and looked at how the outputs can help organizations to confront the growing cyber threat. However, it is important to fully articulate the benefits that performing this analysis has on organizational operations. 

Why is threat modeling important?

When made a part of the security culture of an organization, threat modeling can help security teams ensure that the necessary protections are in place and are able to address evolving threats across their platform. Without performing a systematic review of software and systems, new or unintended threats may remain exposed and undefended, leaving organizations vulnerable to cyberattacks or data breaches.  Threat modeling can also help security professionals evaluate the security of newly developed or purchased software, providing a method to completely understand how new applications and tools may be vulnerable, how these risks may be mitigated and what potential impacts they may have if left unaddressed. As a result, organizations can make informed decisions about the safety of new additions to their enterprise and prioritize fixes based on the estimated impact and severity of the threats.  So how else can threat modeling help your security team and what else can it do for the safety of your technology assets?

1. Threat modeling can reduce attack surface

In a security context, attack surface refers to the total number of vulnerabilities that an organization has exposed across their entire enterprise environment.  Performing threat modeling — either during the software development phase or regularly as a part of proactive evaluation at another scale — can help reduce an organization’s attack surface by:

Creating an inventory of vulnerabilities: Being able to identify, track and maintain a list of vulnerabilities helps security professionals to take the necessary steps to mitigate them or request the required resources to address them. Over time, risks can be tracked and monitored so progress against them can be evaluated.

Reducing complexity: A strength of threat modeling is its ability to force teams to completely break down a system or piece of software and look at it from different perspectives so that it is understood from end to end. When this occurs, software design can be evaluated, refined and fixed, stopping preventable errors from being released into a production environment.

Lowering risk exposure: Not every risk can be fully abated; organizations may choose to accept risk and attempt to control any potential negative effects. Threat modeling can help to reduce the area of exposure, ultimately minimizing the attack surface of a system through the use of additional tools or security features to mitigate especially vulnerable components.

2. Threat modeling helps prioritize threats, mitigation efforts and budgeting

As with any business initiative, organizations must prioritize their finite resources, and the same is true when remediating cyber risks. Threat modeling helps organizations to quantify risks and vulnerabilities, ensuring that those needing the most attention and resources receive them, so that the attack surface is minimized in a purposeful way. Threat modeling can also help organizations to evaluate purchase decisions. If a team is evaluating whether to adopt a new system or tool, threat modeling can help to quantify the potential security risks it might introduce and make an informed decision about whether that component is worth adopting. Similarly, threat modeling can help organizations to prioritize fixes to legacy software, determining whether it is cost effective to continue mitigating or accepting risks versus bearing the cost of replacing or upgrading.

3. Threat modeling identifies and eliminates single points of failure

Defense-in-depth, a security principle that encourages organizations to use a layered view of defensive tools to protect their assets, helps to reduce the chance that a cyberattacker can take advantage of a single point of failure in a system. In practice, organizations build many different types of controls (administrative, technical and physical) into their design methods and ongoing security practices. Threat modeling can help not only to identify points where vulnerabilities may exist in a piece of software or across a system, but also to validate that the controls currently in place are enough to provide the level of control security professionals and organizational leadership desire.

4. Threat modeling helps you to understand the complete cyberattack kill chain

The cyber kill chain, a well-known cybersecurity model developed by the incident response team at Lockheed Martin, outlines the steps that an external attacker could take to penetrate and exploit a network. The kill chain breaks an attack down into its individual steps and tactics, from reconnaissance to actions on objectives and exfiltration of stolen data, so that an organization can prepare to stop them at each stage. As reviewed in our “What is threat modeling” article, threat modeling helps organizations to systematically break down systems and software, evaluate and test for risks and identify and communicate mitigations for each of them. In this way, threat modeling can help organizations to walk through each stage of the kill chain in a methodical manner, using this opportunity to identify ways to incorporate key defensive mechanisms such as those defined in the MITRE ATT&CK threat model:

Detect: Identify adversary activities or their effects

Deter: Discourage the adversary from undertaking further activities by instilling fear or doubt that those activities would achieve intended effects

Deny: Prevent an attack as it happens

Disrupt: Make the adversary’s activity ineffective

Degrade: Decrease the effectiveness of an adversary activity

Deceive: Lead the adversary to believe false information about defended systems, missions, organizations or defender capabilities

5. Threat modeling can improve your organization’s security posture

The purpose behind any cybersecurity endeavor is to increase your organization’s security posture, but what specifically makes threat modeling different?

Quantifying your security practices

As mentioned before, threat modeling is a method to systematically document every facet of a system or software. Ultimately, you are documenting the key aspects of every technical asset your organization cares about, how you will protect them, the available mitigations and what your team is attempting to protect them from. This inventory can then be used to facilitate discussions across groups and communicate updates with senior leadership. Depending on the threat model used, your team will have a comprehensive list or visualization of the system’s configurations, behaviors and features. This can be compared against threat intelligence data, known vulnerabilities and existing security controls, both initially and over time.

Monitor your security program

Building on this quantification, threat modeling can help your organization to track progress against security benchmarks, compliance standards and goals over time. In addition to other security metrics, being able to document the number of vulnerabilities identified and fixed can help to inform senior leadership about the important role that security professionals play in securing operations. Over time, as threat modeling becomes a more regular facet of your development and governance structures, the number of potential threats identified can trend downward even as your organization evolves and becomes more connected.

Structure security evaluations

Finally, threat modeling can help to provide continuity and consistency in your organization’s overall security program. In addition to other ongoing security measures, using a threat modeling methodology can provide a structured, consistent way for software and systems to be evaluated, ensuring that evaluations do not vary based on the individuals involved or when the review is conducted.  As employees come and go, having a consistent model in place can support knowledge transfer and help to ensure priorities and key components of an organization’s security program are documented.

6. Threat modeling helps improve your application security posture

From the perspective of software design, threat modeling also has a number of key benefits at the individual application level. In particular, threat modeling can help to:

Increase operational visibility: While many security tools focus on monitoring and controlling risks at the enterprise level, threat modeling applied at the application level can provide developers with precise operational visibility into which specific applications (and which components of those applications) are the most vulnerable to cyber threats. Armed with this information, developers can focus their attention on developing fixes, while security professionals can ensure the necessary controls are in place.

Bolster quality assurance: When paired with existing testing and quality assurance practices, threat modeling can help developers to gain additional clarity into potential security issues while the software is still in the design stages. Key threat mitigations can also be added to secure coding guidelines or prioritized as requirements during design. Additionally, threat modeling can be used to supplement automated vulnerability scanning and testing tools, meaning security teams can worry less about the potential for false negatives or identify zero-days before attackers do.

Improve collaboration: Mixing the perspectives and experiences of security professionals, managers and potential end users with developers can help to improve visibility into software as it is designed or evaluated, increasing collaboration and comprehensiveness about what exactly is being introduced into a network before too many resources are expended. Over time, this increased engagement can help to form new professional connections so that future work can be expedited while also increasing security awareness across the organization, regardless of role.

Conclusion

These are just a few of the many benefits that threat modeling can introduce to an organization. Of course, like any other security control, threat modeling cannot be used alone and it is certainly not a one-time event. Instead, if an organization chooses to use threat modeling, it should be performed as early as possible in the software development life cycle, when potential vulnerabilities can be identified and remediated, and continuously thereafter to monitor the effects of potential internal or external changes. When used properly, threat modeling can not only help to design more secure products, but also help organizations to save resources and money.

Sources

Characterizing Effects on the Cyber Adversary, MITRE

The Cyber Kill Chain, Lockheed Martin