The Importance of Threat Modeling

In cyber security, it feels like at least once a week there’s a news story that gets people spun up in a panic. While there is no shortage of vulnerabilities and critical issues in the world, not everything applies to everyone. Hence, the importance of threat modeling.

If you’ve never done a threat modeling exercise, you should. At its most basic level, threat modeling asks you to think about ways that things could go wrong, work backwards to understand how your current controls would help, then identify your gaps. Threat modeling is one of the Swiss Army Knives of security, paying dividends over and over once you’ve gotten the hang of it.

So why is threat modeling important, and why am I bringing it up? WhatsApp has been talked about a lot in the media over the past few weeks. The communications tool, now a part of FaceBook, provides its users with end-to-end encrypted communications and now voice and video calls. A researcher recently uncovered a mechanism the WhatsApp developers implemented to support usability, that under certain restricted circumstances, could possibly enable a third party to break that end-to-end secrecy model. Now comes the interesting part – the part where our industry peers put their tinfoil hats on and panic over “a backdoor for government spying.” SecurityWeek covered the news here. Make sure you read to the bottom.

So, what does this circus have to do with threat modeling? Frankly it perfectly illustrates how when you aren’t sure what you should be worried about, you worry about everything. Meteor strikes … a very real possibility but I’m not worried about it. Just like I’m not worried about zombies yet. I’m also not worried that a nation-state will hack my home network. Why do I not worry about these things? Simple. I’ve thought through a threat model –  nation states, zombies and meteors are not at the top of my list of threats.

That isn’t to say the things above aren’t threats to me – it’s just that there are things that I worry about that have a higher likelihood and more direct impact (and they’re likely things I can do something about, unlike meteors). Makes sense?

Let’s now apply this to our enterprise security roles. Do you ever find yourself trying to protect your organization from exotic attack scenarios that are highly unlikely or that would have a minimal impact on you? Or are you focusing on the statistically likely ways you’ll be attacked and fortifying those gaps? Are you more concerned that someone will develop or exploit a zero-day attack against your CEO’s iPad or that half of your company hasn’t received the Windows patch set from last month? Which is more likely, and more likely to cause you harm? These are things to consider.

Just for giggles – how do you know the difference? My friends, it’s impossible to protect and defend against everything bad that could happen. But you know that. So, the most important action you can take is to educate yourself and your teams about how to threat model to determine the things that are high impact, high likelihood. These are the ones that we can do something about… the rest are just edge cases that we can have contingency plans for if they ever happen.