Do Not Make These 5 Mistakes In Threat Modeling
Make sure you avoid these mistakes when starting your threat modeling career!
“What is the one skill I should improve in Cloud Security?”
I get asked this question quite a bit, and my answer is almost always the same: Threat Modeling.
The reason is simple: it does not matter if you are a beginner-level cloud security engineer or a Head of Cloud Security; threat modeling is a skill you will need to use often.
OWASP describes it as follows:
“A threat model is a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through the lens of security.”
Or, more simply put, threat modeling is a formal way of diagramming and assessing the threats and risks to your application.
Unlike standard risk assessments, it is application-centric and can be quickly used to understand the entry points for attacks on your cloud environments.
Despite how easy threat modeling is, I often see people making quite a lot of mistakes when they start their journey.
I wanted to show some common goof-ups I have seen and hope you can avoid them in your career!
1. Focusing Too Much on Tools
Don't get me wrong, tools are great for threat modeling.
But remember, they are there to help and not replace.
Threat modeling tools can give you great insights and automate some parts of the process.
However, they cannot provide the detailed understanding that comes with human analysis.
In a company I worked at many years ago, cybersecurity heavily depended on a popular threat modeling tool.
During a manual review session, an intern pointed out a potential threat related to an application that the tool had completely missed.
This discovery led to some red faces and significant changes in their security measures.
Use tools to complement, not replace, your threat modeling sessions, as human oversight is always required!
2. Ignoring Business Context
It is common for cybersecurity teams to focus on the technical aspects of an application and ignore its business context.
This results in threat models that overlook threats unique to a particular business or industry.
A friend of mine worked on a financial services team that created great technical threat models that often ignored the business/operational aspects of the application.
As a result, they rated a threat as quite low risk until they discovered that it was directly related to a regulatory compliance issue, resulting in a costly fine.
Understandably, this experience taught them to always align their threat modeling with the application's business context.
Make sure you develop a deep understanding of your business’s unique context.
This may involve knowing the business processes that a security breach could impact and the industry-specific threats your organization might face.
Tailor your threat models to reflect this context.
3. Lack of Collaboration
Another mistake is treating threat modeling like it is the cybersecurity team’s shiny toy that no one else can play with.
To be effective, threat modeling has to be a collaborative effort that involves cross-functional teams. Excluding stakeholders such as developers, business analysts, and IT staff can result in key risks being missed.
Create a culture of collaboration.
Ensure all relevant teams are involved in threat modeling via meetings, workshops, and open channels.
Getting together and brainstorming will give you diverse perspectives that help create a more comprehensive threat model.
4. Static Threat Models
A colleague of mine worked at a retail company that expanded into an online business.
Their security controls were derived from their original threat model, but unfortunately, that model became outdated once they entered e-commerce.
They later faced a significant data breach because they had implemented superficial controls over the new online application without doing a fresh threat modeling exercise.
Do not treat threat modeling as a one-time activity, as the landscape is dynamic and constantly evolving.
A threat model created today might not be relevant tomorrow due to changes in technology, business processes, or the emergence of new threats.
Make sure you have a process for periodic reviews and updates.
Stay informed about the latest threat intelligence and ensure your model evolves accordingly.
5. Over-complicating the Process
I created a threat model for a company I worked at many years ago.
I was honestly very proud of it, as it captured every possible threat vector I could think of.
The only problem?
It was too complicated for team members to grasp, both in my team and outside it.
This complexity led to miscommunications and errors in security implementation.
After simplifying this threat model, I found managing and communicating with different stakeholders much easier.
Threat modeling does not have to be complex. You can use a simple whiteboard to communicate it.
Complexity looks good on paper but reduces the threat model's practical application, making it less effective in guiding security efforts.
So keep it simple.
Aim for simplicity and clarity in your threat modeling process.
Focus on the key threats that matter most, not everything under the sun.
Use visual aids and straightforward language to communicate the threat model effectively.