Risk Assessments Aren’t Enough – Why You Need Threat Modeling

To defend yourself and your organization from a cyberattack, you need a clear understanding of the threat landscape and of your potential vulnerabilities. Just as you might use a traffic app to avoid gridlock on your way to work, or a football team watches hours of tape of a rival's plays to learn their patterns, cybersecurity works the same way. This process, called threat modeling, analyzes the threat groups active in a specific industry and their modus operandi to determine which cybersecurity defenses an organization should prioritize.

But if your organization is already doing risk assessments, is threat modeling necessary? The answer is YES. This article will help you gain a deeper understanding of what threat modeling is, how it differs from (and complements) risk assessments, and why you should leverage threat modeling to fortify your security posture.

What is threat modeling?

Threat modeling is a process that uses a series of concrete steps to identify potential security threats, assign each threat a severity value, and prioritize the techniques and tools an organization will use to protect its resources.

There are a variety of threat modeling frameworks and methodologies with slightly different focuses and nuances, but they all seek to determine the biggest threats to your organization based on the TTPs (tactics, techniques and procedures) of threat actors and groups.

How is threat modeling different from risk assessments?

If you already conduct risk assessments, you may wonder why you need threat modeling. Their purposes are different. Risk assessments, which are done primarily for compliance reasons, allow you to measure risk tolerance and fine-tune risk management programs. They provide a view of threat management through security controls: which controls exist, how they are applied and how they are monitored.

The threat modeling process looks at threat groups and concentrates on TTPs, which compliance standards do not address. The typical output is a threat modeling report and read-out that helps security decision-makers understand the TTPs being used against their industry. The report's recommendations explain the steps you can take to combat high-priority cyber threats in your environment.

The task of reducing cyber risk never ends. Industry-specific cyber threat modeling accelerates this effort for all sizes of organizations at all stages of cyber maturity.

Why should I use threat modeling?

Most threat groups no longer fit the stereotype of shadowy, hooded figures working alone. Many threat groups are well-organized and well-funded, and some develop and sell “TTP packages” on the dark web. Threat actors specialize and share tactics, mimicking legitimate organizations. While it’s normal to want to protect your organization against all threats, there are good reasons to narrow your focus using threat modeling.

Reason 1: Learn what threat groups are most relevant to your organization

Implementing many cybersecurity solutions in hopes of catching more bad guys leads to overspending and overwhelmed security teams. Instead, implement security controls based on relevant threats.

For example:

The retail and hospitality sectors have long been targeted by the FIN7 threat group, which often uses point-of-sale malware to steal payment card records. The group uses many techniques, but the initial breach may be accomplished through phishing emails whose attachments carry the malware.

Reason 2: Prioritize threats and mitigation efforts to make the best use of limited resources

How many security tools are brought to market every year? Probably hundreds. How do you make good choices? Start with the TTP and work backwards to the right solution.

For example:

Phishing emails are a common TTP in both the financial and healthcare industries. Once in the environment, threat actors may use scheduled tasks in financial environments and remote access tools stored in memory in healthcare environments.
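The prioritization described in the definition above (identify threats, assign a severity, rank the defenses) and the "start with the TTP and work backwards" advice in Reason 2 can be made concrete. The following is an added example, not code from the article or from any vendor's threat modeling product. It ranks the TTPs relevant to an organization's industry by severity and by how many known groups use them, then lists the mitigations the organization does not yet have. FIN7, the industries and the TTP descriptions echo the examples in this article; the other group names, the severity numbers and the control names are constructed for illustration.

```python
"""Toy threat-model prioritisation.

Rank the TTPs that threat groups use against one industry, score each by
severity times the number of groups using it, and report which of the
corresponding mitigations the organisation is still missing.

Added example: the dataset below is constructed. FIN7 and the TTP wording
follow the article; the other groups, severities and control names are
illustrative placeholders, not data from any real threat report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatGroup:
    name: str
    industries: frozenset   # sectors this group is known to target
    ttps: tuple             # TTPs the group has been observed using


# Constructed dataset (see module docstring).
THREAT_GROUPS = (
    ThreatGroup("FIN7", frozenset({"retail", "hospitality"}),
                ("phishing email with malicious attachment",
                 "point-of-sale malware")),
    ThreatGroup("constructed-group-A", frozenset({"financial"}),
                ("phishing email with malicious attachment",
                 "scheduled task persistence")),
    ThreatGroup("constructed-group-B", frozenset({"healthcare"}),
                ("phishing email with malicious attachment",
                 "in-memory remote access tool")),
    ThreatGroup("constructed-group-C", frozenset({"retail", "e-commerce"}),
                ("digital card skimmer injected into checkout page",)),
)

# Constructed severity (1-5): impact if the technique succeeds.
SEVERITY = {
    "phishing email with malicious attachment": 3,
    "point-of-sale malware": 5,
    "scheduled task persistence": 3,
    "in-memory remote access tool": 4,
    "digital card skimmer injected into checkout page": 5,
}

# Constructed mapping from each TTP to the control class that addresses it.
MITIGATIONS = {
    "phishing email with malicious attachment": "email attachment sandboxing",
    "point-of-sale malware": "application allow-listing on POS terminals",
    "scheduled task persistence": "scheduled-task creation monitoring",
    "in-memory remote access tool": "memory-scanning EDR",
    "digital card skimmer injected into checkout page": "script integrity / CSP on checkout",
}


def relevant_ttps(industry, groups=THREAT_GROUPS):
    """Return {ttp: number of groups using it against this industry}."""
    counts = {}
    for group in groups:
        if industry in group.industries:
            for ttp in group.ttps:
                counts[ttp] = counts.get(ttp, 0) + 1
    return counts


def prioritise(industry, existing_controls, groups=THREAT_GROUPS):
    """Return [(ttp, score, mitigation, covered), ...].

    score = severity * number of relevant groups using the TTP.
    Uncovered TTPs are listed first, then by descending score, so the
    coverage gaps are what a reader sees at the top of the list.
    """
    ranked = []
    for ttp, n_groups in relevant_ttps(industry, groups).items():
        mitigation = MITIGATIONS[ttp]
        ranked.append((ttp, SEVERITY[ttp] * n_groups, mitigation,
                       mitigation in existing_controls))
    ranked.sort(key=lambda row: (row[3], -row[1]))  # False (uncovered) sorts first
    return ranked


def coverage_gaps(industry, existing_controls, groups=THREAT_GROUPS):
    """Mitigations the organisation does not yet have, in priority order."""
    return [mitigation
            for _, _, mitigation, covered in prioritise(industry, existing_controls, groups)
            if not covered]


if __name__ == "__main__":
    # Constructed example organisation: a retailer that already sandboxes attachments.
    controls = {"email attachment sandboxing"}
    for ttp, score, mitigation, covered in prioritise("retail", controls):
        status = "covered" if covered else "GAP"
        print(f"{score:>2}  {status:8} {ttp}  ->  {mitigation}")
```

The scoring is deliberately simple; in practice the severity and prevalence inputs come from the threat modeling report, and the value of the exercise is the gap list at the end, which turns "which product do we buy next" into "which relevant TTP is still unaddressed".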

Reason 3: Understand where to expand or optimize protection with which products or services

Cybersecurity controls should provide the most defense with the least amount of resource consumption. For immediate return on investment, focus on solutions to block the highest priority threats.

For example:

Attackers targeting manufacturers often go after machines on the production floor with the aim of changing formulas, halting lines or stealing intellectual property. Air gapping is no longer a defense once those machines are connected to the internet and exposed to potential threats. OT requires protections similar to IT.

Reason 4: Be proactive and block attacks before they can do harm

Proactive security depends on your awareness of all the endpoints on your network, who is using the network and the data you have on that network. Without this visibility, you’ll find it difficult to put the right controls in place to prevent attacks.

For example:

E-commerce sites are targeted by digital credit card skimmers that embed malicious code into the site itself or into the third-party payment systems it relies on. Retailers with aging networks that depend on the internet to receive and process orders are particularly vulnerable.

Reason 5: Fortify defenses related to your most valuable assets

A threat modeling questionnaire asks you to identify your most valuable assets and where they are located. When you know your high-priority enemies and how they go about accomplishing their objectives, your team can develop a defense-in-depth strategy for these assets.

For example:

The healthcare industry consists of small, medium and large clinics, offices and hospitals, which all face a similar level of risk from identity theft and ransomware. These attacks target the sensitive data such organizations collect and store, such as patients' personally identifiable information (PII), insurance information and credit card data.