How To Create A Threat Model in 7 Easy Steps With Our Threat Model Template
Our team here at Alias is made up of hackers turned security professionals. In fact, they probably learned how to type before learning how to write. When you hire us for a pen test, we’re going to think as professionals, but also as hackers. In fact, if we see the option to get into your network with a rocket launcher, you bet we want to use a rocket launcher.
Unfortunately for us, on most engagements we get told to pump the brakes. More often than not, we hear something like, “A rocket launcher? I mean, doesn’t that seem a little over the top? We don’t have that in our threat model.” And sure. It’s a little excessive. But just because something is over the top and not in your threat model doesn’t mean somebody won’t try it. And that somebody might not be on your side, like us.
And with that, we’re at the crux of the problem here: your threat model.
When was the last time you reviewed your threat model? Do you even have one? Maybe you’re a small business without an IT or cybersecurity department. Or maybe you just never got around to putting one together. It’s okay, we understand. But, if you’re here reading this, you’re at least somewhat interested in putting one together. And that’s a step in the right direction!
Now, let’s talk about what a threat model is.
Threat modeling is the process of identifying, prioritizing, and remediating potential threats. This process answers questions like, “Where is my business most vulnerable to attack?” and “What assets need to be protected the most?”
Having at least a baseline understanding of your vulnerability is critical. After all, you can’t protect something if you don’t know how open it is to attack. With this in mind, let’s go over some of the things you need to consider in your threat model.
Download our threat model template
Step 1: Inventory your assets
The first step in creating a threat model is evaluating your most valuable assets. This is typically called Asset Inventory or Asset Classification.
If you’re going to be attacked, the target will be your assets. Anything of worth. Just about anything that impacts your ability to make money is going to be considered an asset.
This can include encrypted data, private keys, access to security features, private client information, identifying customer information, etc.
Sometimes the attacker’s goal is simply shutting your business down. That’s the whole foundation of ransomware: make it so you can’t work because the attacker has locked you out. Your business will be bleeding money. So much so that you might just pay that ransom to get back to work.
Step 2: Prioritize your assets
Once you have a list of your most valuable assets, we recommend ranking them in order from most valuable to least valuable. This will serve as a priority guideline for what you need to protect most to least. You’ll want to spend more time and energy protecting the most valuable assets compared to those that might not be as critical.
What you consider an asset is up to you and your business. You may have 10 assets or 10,000. There’s no wrong number here.
Step 3: How will you be attacked?
Now that you know what’s targeted, let’s talk about the attacker.
Determine who you think is most likely to attack you and how.
Here you should do a little bit of research into the biggest threats for your specific industry. For instance, if you’re in banking, you need to worry more about wire transfer fraud attempts than a veterinarian clinic. Different industries come with different threats.
But you also need to consider common threats like phishing. What would happen if a hacker got your credentials through a phishing attack? Do some of your employees or coworkers have more access to your assets than others? If that’s the case, those employees would be considered higher-value targets to attackers.
We could go on forever about the different attacks your business might encounter. Instead, we recommend you take some time to review the common threats for your business and assets.
Step 4: Establish your detection methods
The most overlooked step in the security process (in our opinion) is the detection phase. You can determine your most valuable assets and how you’re most likely to be attacked, but ultimately that doesn’t matter if you can’t tell when you’ve been attacked.
Sure, you might have a firewall, but do you monitor the logs? Would you know what to look for if you did?
Come up with a plan to detect threats inside your network, and consider whether a monitoring device or a separate monitoring service fits in your budget. Since you know how your assets are going to be attacked, you know where you can increase your defenses.
Your defense strategy depends on how much money you want to spend and the tech skill you have. If you know how to read network logs, get yourself some software. But if that sentence alone confuses you, consider hiring a SOC-as-a-service company who can watch the logs for you.
Regardless of what you do, you will need to come up with a plan on how you will spot an attack. And trust us, you don’t want to wait until the hacker reaches out to you directly.
Step 5: Plan your response
Knowing how you’re going to respond if you are attacked is critical. What are you going to do if you’re compromised? Going to fix it yourself? Panic? Call a third-party security company? Do you have cybersecurity insurance? Who would make these decisions?
If you don’t have a team in-house, we recommend having a third-party security company as your response option. And don’t just find any company and write their contact information down on a sticky note for future reference.
We recommend meeting with a company to find out whether they would be able to help. Get to know who they are. Don’t be afraid to ask them about their credentials. What are some previous incident responses they’ve worked on? How did they get resolved? Don’t just trust a company by their website, trust the people too.
If you want to go the extra (and cheaper) mile, put an incident response retainer in place. A retainer will give you peace of mind. If something does happen, you have cybersecurity experts ready to drop everything and help get you back up and running. It’s considerably cheaper to pay a little up-front for the retainer than to pay after a breach happens.
Step 6: Develop your mitigations
This is the step where you explain how you’re going to mitigate each of those potential attacks you listed out before. This is also the part where some of the answers are going to be easy and others are going to be hard.
Worried about email compromise? Require two-factor authentication. Worried about phishing attacks? Run your company through security awareness training so employees know what to look for.
For this portion, you want at least one mitigation for each possible attack against every asset you list. For the more valuable assets, we recommend more than just one mitigation.
Step 7: Create your own threat model
Now that you have a better understanding of what goes into a threat model, create your own! It can be as complicated or simple as you like. Anything is better than nothing.
To help you get started, we created a short, easy-to-use threat model template. You can download it and fill it in with your information. For some pages, like the asset inventory and the attack scenarios, you might need more than just one page. Again, it all depends on you and your business. Best of luck on your threat model!
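To make Steps 1 through 6 concrete, here is a small threat-model register written as an added example for this post (it is not part of the template and not Alias’s code). It records assets with a value rank, attack scenarios with a likelihood, and the detection, response and mitigation answers for each one, then orders the scenarios by value times likelihood and flags the gaps the steps above warn about: an asset with no scenario, a scenario with no detection method or response plan, and a high-value asset with only a single mitigation. The asset names, scores and threshold of 4 for “high value” are constructed assumptions, not findings from any real business.

```python
"""Threat-model register with prioritization and coverage checks.

Added example for the seven-step post above; the sample assets, scores
and the high-value threshold of 4 are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Asset:
    """Step 1/2: something of worth, ranked 1 (low) to 5 (critical)."""
    name: str
    value: int


@dataclass
class Scenario:
    """Steps 3-6: one way an asset could be attacked, and the model's answers."""
    asset: str                 # name of the targeted Asset
    attack: str                # how the attacker gets at it (Step 3)
    likelihood: int            # 1 (rare) to 5 (expected), from industry research
    detections: List[str] = field(default_factory=list)   # Step 4
    response: str = ""                                    # Step 5
    mitigations: List[str] = field(default_factory=list)  # Step 6


def risk_score(asset: Asset, scenario: Scenario) -> int:
    """Simple value x likelihood score used to order the work."""
    return asset.value * scenario.likelihood


def prioritize(assets: List[Asset], scenarios: List[Scenario]) -> List[Scenario]:
    """Return the scenarios with the highest-risk ones first."""
    by_name = {a.name: a for a in assets}
    return sorted(scenarios,
                  key=lambda s: risk_score(by_name[s.asset], s),
                  reverse=True)


def coverage_gaps(assets: List[Asset], scenarios: List[Scenario],
                  high_value: int = 4) -> List[str]:
    """List where the model is incomplete: an asset nobody has written a
    scenario for, or a scenario missing a detection, a response, or enough
    mitigations (high-value assets should have more than one)."""
    by_name = {a.name: a for a in assets}
    covered = {s.asset for s in scenarios}
    gaps = [f"{a.name}: no attack scenario listed"
            for a in assets if a.name not in covered]
    for s in scenarios:
        label = f"{s.asset} / {s.attack}"
        if not s.detections:
            gaps.append(f"{label}: no detection method")
        if not s.response:
            gaps.append(f"{label}: no response plan")
        if not s.mitigations:
            gaps.append(f"{label}: no mitigation")
        elif by_name[s.asset].value >= high_value and len(s.mitigations) < 2:
            gaps.append(f"{label}: high-value asset with only one mitigation")
    return gaps


def example_model():
    """Constructed sample register for a small business (not real data)."""
    assets = [
        Asset("customer PII database", 5),
        Asset("wire transfer process", 5),
        Asset("public website", 2),
        Asset("office printer", 1),
    ]
    scenarios = [
        Scenario("wire transfer process", "phishing for finance credentials", 4,
                 detections=["email security alerts", "callback on payment changes"],
                 response="freeze payments, call IR retainer",
                 mitigations=["two-factor authentication", "awareness training"]),
        Scenario("customer PII database", "ransomware", 3,
                 detections=["endpoint alerts on mass file changes"],
                 response="isolate hosts, call IR retainer",
                 mitigations=["offline backups"]),
        Scenario("public website", "defacement via unpatched CMS", 2,
                 response="restore from backup",
                 mitigations=["monthly patching"]),
    ]
    return assets, scenarios


if __name__ == "__main__":
    assets, scenarios = example_model()
    by_name = {a.name: a for a in assets}
    for s in prioritize(assets, scenarios):
        print(f"{risk_score(by_name[s.asset], s):>3}  {s.asset} / {s.attack}")
    for gap in coverage_gaps(assets, scenarios):
        print("GAP:", gap)
```

Running the script lists the wire-fraud scenario first (score 20), then ransomware (15), then the website (4), and reports three gaps: the printer has no scenario, the ransomware scenario protects a critical asset with a single mitigation, and the website scenario has no way to detect the attack. Swapping in your own asset list and scenarios gives you a quick self-check before you fill in the template.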
If you have any questions about threat models, the threat model template, or incident response retainers, feel free to give us a call at 405-261-9517 or send us an email at [email protected]. Our team of cybersecurity experts is more than happy to help.