Put it simply, threat modeling is understanding what threats can affect you and your assets, and what actions or mitigation activities you can focus on to minimize the chances of those threats from happening. Threat modeling will give you an initial analysis of what can go wrong based on the task at hand, the possible attackers’ profile, the most likely (and less likely) attacks, and the main issues the attackers can try to exploit or attack. This approach can help you map your threats, and give you a landscape of the most likely risks you’ll face.
The process can be simple if you follow the next steps *:
- Identify your assets: what do you need to protect?
- Identify your possible adversaries or attackers: who do you need to protect it from?
- Understand whether you have a problem or not: what can go wrong?
- Identify preventive measures: what are the controls you can put in place to mitigate the threats?
Identify Your Assets
An asset is anything you need to protect, whether it’s a person (you and your family), a physical object of value (your passport, money, etc), or information (stored in your mobile phone, in your camera, etc) that you want to protect.
So, first, let’s make a list of all the things - or assets - you need to protect. Make sure you also list who can access each asset, whether friendly or attacker.
Identify Your Possible Adversaries or Attackers
Next, make a list of who can be the possible adversaries. You started that in the previous step, but think outside the box. Go all the way, even if it sounds ridiculous (the head of the local mafia for example). List them and assign a probability to each adversary. Ask yourself how likely it is that this adversary will target you.
Discard those adversary that are unlikely to be an issue. The list that remains is the most likely attackers.
Understand Whether You Have a Problem or Not
In this next step we will try to understand whether we actually have a problem or not. Ask what can go wrong, what can happen. Based on those answers, understand whether the issue at hand is a problem or not. Focus on understanding the impact (the consequences) of the adversary successfully attacking the asset. If the impact’s severity is low, essentially the problem is not a problem after all, then discard the current issue and move to the next.
At the end of this step you will have a list of the main issues you need to focus on, and who are the likely adversaries
Identify Preventive Measures
Now that we know what assets might be targeted, by whom, and whether these are an actual problem, we can focus on identifying what we can do about it.
For each problem you identified, each threat, write down what options you have at your disposal in order to help you mitigate or prevent each threat. These controls will have to take into account what resources you have, whether money, training, technical or digital, or others, and whether those resources may generate threats of their own. Think about where you are (physical place), what you have (training, digital devices), and current situation.
Apply the controls and perform the threat model once more, just to be sure you didn’t miss anything.
That’s it. Now you have performed a threat model and have in front of you what you can do to mitigate risk.
The more you do it, the easier it becomes. With time you can perform on-the-fly threat modeling on pretty much anything, allowing you to mitigate the biggest threats from the very beginning.
* Adam Shostack's proposed these four questions for a threat modeling framework. These are:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
You can read more about this in Threat Modeling Manifesto.