Despite it is well known fact and been documented extensively in the various regulatory compliance, but in the operation, we seldom to see anyone really fully understood threat modelling clearly and capable to make use of it, which result in the technical vulnerability management stage where technical officer and operation staff just know how to generate technical vulnerability assessment report and present the raw report full of vulnerability that do not even demonstrate the threat modelling been carried out, which counter productive for everyone involved in it. From the developer who needs to act on, from the business owner who needs to decide whether it is worth the time and resources to close all the technical vulnerabilities presented without carrying sound threat modelling in the first place.
It is also very dangerous for you to not understand and know how to perform threat modelling, and your enterprise most likely will be driven by the respective vendor on their product and upsell or cross sell you tons of product, module, features or services you do not need in the first place. Which results in spending unnecessary huge amounts of enterprise resources on things you do not really need.
For those who draw background from governance, risk management and compliance (GRC) is more capable to know the strategic importance of threat modelling and get it right, before carrying out technical vulnerability management.
How could we know the company possesses sound threat modelling practice?
The enterprise knows and possesses a good understanding of how cyber attacks work, enabling them to focus prioritisation efforts around the bugs, vulnerability, exploits, and threats that are most likely to affect their environment.
Threat modelling helps enterprises assess the security posture they are in, what matters most, rather than other generic features that may not be applicable to the enterprise in context. They know which vulnerabilities, exploits, threat or attack vectors are the most relevant at a given time that need to act first, so they one know how to pritizie resources to do what matters most first.
Threat modelling is the formal process of identifying and ranking the threats most likely to affect your environment. Remember, the keyword here is your environment, and each enterprise environment is different.
Two inputs for the process, one comes from technical vulnerability management (including penetration testing) to provide which vulnerabilities, exploits and threats are real in their enterprise environment and context. Another input comes from the attacker and threat landscape view, which need to take in account the sources, motivation, attacker strategies and attack path in consideration.
Regardless of the threat modelling approaches, the output, which is the threat model of the said company, typically represents through attack graphs, game theory or decision analysis that can be used for a variety of purposes. Such as provide the training for the enterprise team or use it for the architecture defence decision. As you can see, since it is different for most of the enterprise, simply copying others may not be effective in the first place.
You also realise that addressing all the vulnerabilities scan and detect from technical vulnerability management is pointless, because only few will meet the threat modelling criteria that matters most. It is unrealistic to assume attackers and choose every available vulnerability from the report to take enterprise resources and attempt to close all. Most high profile cyber criminals attacks are made-to-measure, they spend the time to research the said enterprise and study for the right way to compromise before they organise resources to do so. As such, a high quality out of threat modelling likely to provide highly likely and high impact threats for a given environment that so matter that any enterprise should spend the time and resources to get them addressed.
Another common question always asked by technical officers is how to decide which vulnerabilities to fix first? This is let you know as well, the said enterprise is lacking some sort of quality threat modelling practice in practice. A simple technique we called it risk-impact matrix you can can based on a given technical exposure what is likelihood and severity of it to be, usually, external before internal, high impact severity before low impact. Once you can put the vulnerability into the 4 quadrants of the matrix, you are easier to understand what needs to be dealt with, and which can be ignored first.
The lesson from this post, remember, Threat Modelling before technical vulnerability management, this will help to address a lot of resources utilisation and get what matters first paradigm across your organisation.
E-SPIN Group in the enterprise ICT solution supply, consultancy, project management, training and maintenance for corporation and government agencies did business across the region and via the channel. Feel free to contact E-SPIN for your project requirement and inquiry.
Other post you may be interest: