Security teams face a growing challenge: attackers are becoming more sophisticated, attack surfaces are expanding, and the stakes have never been higher. Threat modeling offers a structured approach to understanding these risks before they materialize into breaches. By systematically examining how adversaries operate, organizations can build defenses that actually work.
We explore the practical realities of threat modeling, risk mitigation, and how security teams can collaborate to protect their organizations. The insights reveal that effective threat modeling is less about following rigid frameworks and more about understanding your specific adversaries and building proportionate defenses.
Key takeaways from this conversation
- Threat modeling examines specific attackers, techniques, or malware families to identify protection opportunities at multiple layers.
- Risk mitigation focuses on disrupting the attack chain at various points, while risk acceptance acknowledges gaps that cannot be closed without breaking business operations.
- Attack trees help security teams visualize end-to-end attack sequences and identify where countermeasures will have the highest impact.
- Third-party risk and supply chain vulnerabilities represent some of the hardest problems in cybersecurity, with detection being extremely difficult (as demonstrated by Solar Winds).
- AI-powered attacks, particularly deep fakes and social engineering, are shifting threats from technical exploits to human-trust exploits, requiring new defensive approaches.
Threat modeling breaks down attacks into defensible components
Threat modeling is the practice of examining an attack type, attacker, methodology, or threat and breaking down every step to understand protection opportunities at different layers. The goal is not theoretical completeness but practical defense.
Consider ransomware as an example. A threat model for ransomware might include endpoint protection that confuses the malware during execution, data loss prevention controls that restrict unauthorized reading of files, encryption at rest so stolen data remains unusable, and network segmentation to limit lateral movement. Each layer addresses a different stage of the attack.
Threat actor modeling demands continuous intelligence
When the focus shifts to specific threat actors, the approach changes. There is an old saying in security: getting breached by a threat actor once is understandable, but getting breached by the same actor twice gets you fired. This reflects the expectation that organizations learn from attacks and adapt their defenses.
Modeling a threat actor requires understanding both their generic operational patterns and their specific techniques. Do they target edge devices like VPN concentrators? Do they use spear phishing? Do they make phone calls to trick employees? Many current threat actors excel at credential phishing but face the obstacle of two-factor authentication. Their response has been to call targets directly, impersonating IT staff, and socially engineering victims into providing one-time codes or clicking approval prompts.
Risk mitigation places barriers throughout the attack chain
Risk mitigation involves implementing controls that broadly prevent any step in the execution chain from succeeding. If a threat actor relies heavily on executable files delivered via email, mitigation options include blocking all executable attachments, restricting users from running unapproved software, removing local administrator privileges from endpoints, or implementing zero-trust architecture that requires reauthentication for every data resource access.
These mitigations require threat intelligence. Without understanding how a specific threat actor operates, security teams cannot select appropriate countermeasures. The intelligence requirement comes first; the mitigation follows.
Risk acceptance acknowledges business realities
Risk acceptance means understanding that a control is not being implemented even though it would reduce risk. The classic example: preventing users from clicking links in email would eliminate phishing risk but would also prevent them from doing their jobs.
When accepting risk, organizations typically implement compensating controls. Instead of blocking all links, they might route web traffic through an isolated browser that prevents system compromise even if users click malicious links. The risk is accepted, but not ignored.
Attack trees reveal countermeasure opportunities
Attack trees map out complete attack sequences from initial access to final objective. This visualization helps security teams identify where interventions can disrupt the chain or at least trigger alerts before significant damage occurs.
Security tools often alert too late in the attack sequence. By the time detection occurs, bad things have already happened. Attack trees help identify earlier intervention points. For example, many threat groups register domains following patterns like "SSO-dash-companyname-dot-com" for credential phishing. Knowing this pattern allows teams to block traffic to domains containing specific strings, achieving a high-signal detection with low false positive rates.
Even when attackers successfully steal credentials and session tokens, attack trees suggest additional countermeasures: blocking logins from unexpected countries, anonymizing VPNs, or Tor exit nodes. When visualizing the full attack path, teams can place countermeasures that provide broad protection against entire attack categories.
Third-party risk requires knowing who has your data and access
Third-party risk is well understood but remains a significant problem. Recent breach data shows that many compromises originate from suppliers. When vendors use services like Salesforce and those services - or tools that access them - get breached, customer data flows downstream to attackers.
Security vendors present particular risks because they possess sensitive information about their customers: network topologies, points of contact, debugging passwords, and access tokens. Okta's corporate breach demonstrated this when attackers leveraged support account access to target downstream customers. Beyond Trust experienced something similar.
Managing third-party risk means understanding who has your data and who has access to your network, then building detection capabilities for misuse. Detecting misuse is difficult, but the goal is identifying when a delegated vendor account begins performing unauthorized activities.
Supply chain risk detection remains extremely difficult
Supply chain risk involves detecting intentional or unintentional backdoors in deployed software or hardware. This problem is functionally harder than third-party risk.
The Solar Winds compromise illustrates the challenge. Attackers successfully compromised over 10,000 organizations through a software update. Of those thousands of victims, exactly one company detected the attack: FireEye. Supply chain vulnerabilities can be detected, but doing so at scale is nearly impossible, unless you have a staff of hundreds of the best incident responders on the planet. Your organization likely does not.
Every software patch addresses security vulnerabilities, which means every piece of software contains potential backdoors that simply have not been exploited yet. The difference is intent, but from a defensive perspective, unintentional vulnerabilities and intentional backdoors look similar until they are used.
Effective threat modeling requires cross-functional collaboration
Threat modeling exercises should be driven by whoever sets intelligence requirements, typically defining what the organization cares most about protecting against. This might be a specific threat actor, a technique, a malware family, or threats from a particular nation-state.
Once requirements are defined, threat intelligence teams gather information about how relevant threats operate and how those patterns map to the organization's specific situation. Not every threat applies equally. The Russian APT group Sandworm primarily targets electrical systems to cause blackouts. Unless an organization operates electrical infrastructure, Sandworm may be a low-priority concern, even given their technical sophistication.
Security teams then translate threat intelligence into detection rules. A rule that alerts on VPN logins from foreign countries might seem effective in theory but generate excessive noise in practice if many employees legitimately use third-party VPNs from various locations. Detection engineering bridges the gap between what seems like a good idea and what actually works operationally.
User training remains a component that technical solutions cannot replace. When threat actors call employees pretending to be IT staff requesting two-factor codes, no technical control can intercept that conversation. Awareness training that explains the specific threat becomes the primary defense. Threat modeling ultimately becomes an organization-wide exercise.
AI and deep fakes are shifting attacks from technical to human exploits
The security industry is not prepared for the wave of deep fakes. Insider threats were once a niche problem, but AI has changed the calculus. North Korean operatives are successfully getting hired into hundreds of organizations using falsified identities. Employees are working multiple jobs simultaneously using tools like mouse jigglers to simulate activity.
The bigger concern is attackers calling help desks with video deep fakes of executives. Creating convincing deep fakes no longer requires technical expertise. Human-driven compromises that exploit trust rather than software vulnerabilities will expand significantly.
This changes the nature of countermeasures. Traditional defenses were technical: block a malicious domain, detect a specific technique, prevent a particular action. Future countermeasures will need to detect when humans are being deceived by external parties. This is a fundamentally different problem requiring different solutions.
Organizations should start with simple threats before tackling complex ones
Many organizations make the mistake of targeting the hardest problems first. They perceive these as the highest impact and most interesting challenges. The advice from experienced practitioners is the opposite: start with the easiest problems.
Beginning with the simplest threat actor or the most straightforward technique allows organizations to build their threat modeling capabilities incrementally. The goal is catching the low-hanging fruit that might otherwise be missed while more complex threats receive attention. Organizations can then progressively tackle more sophisticated threats as their capabilities mature.
Frequently asked questions
What is the difference between threat modeling and risk assessment?
Threat modeling focuses specifically on understanding how attackers operate and identifying defensive opportunities at each stage of an attack. Risk assessment is broader, evaluating the likelihood and impact of various threats to prioritize security investments. Threat modeling feeds into risk assessment by providing detailed information about specific attack vectors.
How often should organizations update their threat models?
Threat models should be updated whenever threat intelligence indicates changes in adversary behavior, when the organization's attack surface changes significantly, or after any security incident. Many organizations review threat models quarterly, but continuous updates based on new intelligence produce better results than periodic reviews.
What role does threat intelligence play in threat modeling?
Threat intelligence provides the raw information about how threat actors operate, what techniques they use, and what targets they pursue. Without threat intelligence, threat modeling becomes theoretical rather than practical. Intelligence requirements drive what information gets collected, and that information shapes which countermeasures make sense for a specific organization.
How can small security teams implement effective threat modeling?
Small teams should focus on threats most relevant to their industry and size. Starting with commodity threats like ransomware and business email compromise provides more value than modeling nation-state actors that are unlikely to target small organizations. Leveraging public threat intelligence sources and focusing on a few high-priority threat models produces better outcomes than attempting to cover everything.
What technical skills are needed for threat modeling?
Threat modeling requires understanding of attack techniques, network architecture, and defensive technologies. Familiarity with frameworks like MITRE ATT&CK helps structure thinking about adversary behavior. However, the most valuable skill is the ability to think like an attacker while understanding business constraints. Technical depth matters less than the ability to translate between threat intelligence and practical defensive measures.
Building defenses that match real-world threats
Threat modeling bridges the gap between knowing threats exist and building defenses that actually stop them. By examining specific attackers, techniques, and attack paths, security teams can place countermeasures where they will have the greatest impact. The practice requires collaboration across threat intelligence, security operations, detection engineering, and user awareness functions.
As threats evolve toward AI-powered social engineering and deep fakes, the nature of countermeasures must evolve as well. Technical controls remain necessary but insufficient. Organizations that combine technical defenses with human-focused protections will be better positioned to handle the threats ahead.
The most practical advice: start simple. Build threat modeling capabilities by addressing straightforward threats first, then progressively tackle more sophisticated challenges as the organization!s defensive maturity grows.