In the world of cybersecurity today there are many tools and technologies that will not only help you thwart incoming threats but even predict what future ones could look like. Technology can only go so far, however, and at some point it is necessary to go back to the old-fashioned whiteboard and include the human element.

Such is the case with Threat Modeling, which is the focal point of this article.

What Exactly Is Threat Modeling?

In broad terms, threat modeling is the process of identifying and evaluating the risks your company faces by mapping out the topography of the network in its entirety. From the user accessing the network to the machines supporting your apps or services, every piece of the puzzle must be identified, named, and understood at a core level.

From there, you map out the statistical probabilities: how many vulnerabilities exist, the risk of compromise for each, and your ability to mitigate them beforehand.

It is important to keep in mind that Threat Modeling takes a holistic view of your environment; you are not simply examining a group of digital assets and the controls that go with them. With Threat Modeling, you take every bit of intelligence you have, whether it is log files or reports output by your SIEM, and try to understand exactly where your network is most vulnerable to malicious processes and other threats posed by would-be hackers.

The Process Involved In Threat Modeling

There are typically four steps involved:

1. Deciding upon the framework:

Threat Modeling is also viewed as a science, and as such it is imperative that you follow some sort of methodology in order to get the most out of it. In this regard, probably the two most popular frameworks are the Cyber Kill Chain from Lockheed Martin and the one from OWASP. With this approach, you decide which parts of the environment you want to take a closer look at and establish where they stand right now in terms of their security level.

2. Identification:

In this second step, you take an inventory of threat vectors and examine the kind of damage each could potentially cause. Keep in mind that these are “what-if” scenarios, so be sure to make use of all available tools and applicable team members (software developers, app maintainers, etc.) to get a full and complete understanding of the environment. It is a task that calls on multiple specialties, and everyone’s experience can be of use.

3. Mitigation:

At this stage, after you have carefully mapped out what could potentially go wrong, you and your IT Security team need to come up with a plan for how these vulnerabilities could impact your business and how they can be remediated as quickly as possible. This is where the Incident Response (IR) Plan and the Disaster Recovery (DR) Plan become especially important. These plans should be detailed enough to be used for any kind of attack, not just a particular one: once a breach has occurred, getting back up and running ASAP is crucial, and you simply will not have the time to hunt for the right plan to use. In other words, these plans should take the proverbial “one size fits all” approach.

This part of the Threat Modeling phase also gives you time to take an inventory of all the security tools and technologies you have in place and consolidate them as much as possible. For example, suppose you have ten firewalls at various locations in your IT/Network Infrastructure. The question to ask and answer is how they can be placed strategically so that only the minimum number is needed; for instance, could fewer firewalls, well placed, provide the same coverage? This way of thinking will not only reduce your attack surface but will also help your IT Security team analyze the log files for investigative purposes after the breach has been stopped.

4. Remediation:

This last phase of Threat Modeling can be considered the simplest, but it requires the teamwork of all the employees in your company. This is the actual dress rehearsal of both the IR and DR plans, which address two key concerns:

* How quickly a threat variant can be mitigated;

* How quickly you can bring your mission-critical processes and operations back up.

Rehearsing these plans is not a one-time deal; they should be practiced on a regular basis, preferably at least once a quarter. Documentation should also be updated as quickly as possible with any refinements or enhancements that are needed.
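As an added example (not the article's own tooling, nor Microsoft's), here is a minimal threat register in Python that ties steps 1 to 3 together: each “what-if” scenario from the identification step is tagged with a Cyber Kill Chain stage, scored on an assumed 1–5 likelihood and impact scale, and re-scored after mitigations so the team can see where residual risk remains and which stages nobody has modelled yet. The assets, scenarios, controls and scores are constructed for illustration.

```python
from dataclasses import dataclass, field

# Cyber Kill Chain stages, used as the framework from step 1 to tag each scenario.
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives")

@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int  # points (on the assumed 1-5 scale) the control removes

@dataclass
class Threat:
    asset: str
    scenario: str              # the "what-if" from the identification step
    stage: str                 # kill chain stage the scenario maps to
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (business-stopping)
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        if self.stage not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain stage: {self.stage}")

    def residual_risk(self) -> int:
        # Controls lower likelihood but never to zero; impact is unchanged.
        reduced = self.likelihood - sum(m.likelihood_reduction for m in self.mitigations)
        return max(1, reduced) * self.impact

def prioritize(threats, threshold=10):
    """Threats whose residual risk is still at or above threshold, highest first."""
    open_items = [t for t in threats if t.residual_risk() >= threshold]
    return sorted(open_items, key=lambda t: t.residual_risk(), reverse=True)

def uncovered_stages(threats):
    """Stages with no identified scenario: a sign the identification step is incomplete."""
    seen = {t.stage for t in threats}
    return [s for s in KILL_CHAIN if s not in seen]

# Constructed sample register; assets and scores are illustrative, not from a real site.
REGISTER = [
    Threat("customer portal", "SQL injection against login form", "exploitation", 4, 5,
           [Mitigation("parameterized queries", 2), Mitigation("WAF rule set", 1)]),
    Threat("mail gateway", "phishing mail with macro attachment", "delivery", 5, 4,
           [Mitigation("block macros from the internet", 2)]),
    Threat("build server", "stolen CI token pushes a backdoored build", "installation", 3, 5),
    Threat("VPN concentrator", "credential stuffing with leaked passwords", "delivery", 4, 4,
           [Mitigation("MFA on VPN", 3)]),
]
```

Running `prioritize(REGISTER)` leaves the unmitigated build server (15) and the mail gateway (12) at the top, while `uncovered_stages(REGISTER)` shows that no scenario was written for four of the seven stages.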

A great tool we recommend to help with the Threat Modeling process is available from Microsoft. Also, if you need help with any part of this, please feel free to contact us at any time!