As threat modeling continues to gain in popularity as an essential cybersecurity process, it may be tempting for newcomers to dive right in, purchase some technology and get going. But that would be putting the cart before the horse. Because threat modeling doesn’t start where you think it does.

Threat Modeling Doesn’t Start Where You Think

Technically, you don’t need any threat modeling technology, or to even how threat modeling works, to get started with threat modeling. The simple truth is, that you can’t model threats until you identify what’s threatened. And that’s the crucial first step in threat modeling.

You start threat modeling by thinking through what an adversary is going to do. You don’t need any technology for that. In fact, technology won’t help, and anything you purchase will be of limited value until you do this.

The bottom line is, that if you don’t know what’s valuable in your system, you’re not ready to do threat modeling. We pointed this out in our recent article, Why Every Business Needs to Threat Model Like a Bank. That’s because banks were the first ones to try and get inside their adversaries’ heads.

What do Your Adversaries Want?

Every attack boils down to printing or stealing money. Figure out what theft and printing money looks like in your system, and you’ll start to understand what you need to threat model.

The big challenge is that the assets that have value may not at first be readily apparent. As an example, imagine you run a gaming company, where if a user plays the game for a certain number of days in a row, they earn a reward. Now, if a hacker can create that reward and give it away for free, not only does the value of that asset go to zero, but it could also impact the usage of your services (and consequently your bottom line).

The creating, distributing ,and storing of that reward now becomes an asset that must be threat modeled. Of course, the opposite can also be true. You can identify assets that have zero value to an attacker. In that case, threat modeling that asset would not be a priority.

Where to Start Looking?

There’s always something that’s worth money—you just have to figure out what it is. And the best place to start is with senior management. C-level executives, or business owners at smaller businesses, must be included in the discussion to identify valuable assets worth stealing. 

These higher-ups frequently see threats to the business that those in technology are not aware of. A good way to proceed is with a brainstorming session. Go through a list of company assets and ask, what would an adversary be motivated to do with this? Or better yet, ask the question, what keeps you up at night?

It’s important to remember that this search for valuable assets is not a one-time activity. It should be done every time the technology or the physics of your business changes. That’s when threats change, and that’s when threat models need to be updated.

Once you feel comfortable that you’ve identified the threats (for now), then you can move on to securing technology to help build out your threat models. And when that time comes, we’d like you to consider ThreatModeler. ThreatModeler automates many of the threat modeling processes, so you can go from identifying threats to protecting fast. Go here to request a free live demo.