Challenges with cyber threat modeling in the modern day enterprise network

If you truly want to protect a system, you must deeply understand how it can be exploited. If you showed me a building and told me only authorized employees should be able to access the inside, I’d be asking plenty of questions. How can I verify this employee works for you? What hours does each employee work? What are the expected entry points for employees? Are there surveillance cameras on premises? Is the roof access secured? What contractors and subcontractors work here? This system, the company headquarters, is no different in the physical world than it is in cyberspace as it relates to security. In order to protect any system, we need to know its weaknesses, potential threat vectors, and access points. It is advantageous for security to understand the landscape they are working so hard to protect before it is exploited, rather than strictly reacting to situations as they arise.

Threat modeling is a process used by Security Operations Centers (SOCs) and other cyber security professionals to proactively identify potential threats and vulnerabilities in a system or network. When properly leveraged, threat modeling can shed light on vectors that attackers may exploit in order to gain unauthorized access to a network, application, or device. Threat modeling can help burdened teams prioritize threats by severity and impact and take actions to secure or at least monitor the most business-impactful systems.

It’s no surprise that securing the enterprise has never been so challenging. From growing on premise networks, to adoption and expansion into cloud environments, organizations are faced with monitoring more endpoints and more complex applications used by more people (and bots/code/automation) than ever before. Threat modeling can be a powerful tool for stopping attacks before they happen, but it does not come without challenges.

One of the biggest challenges facing teams attempting to threat-model is the complexity of modern systems and applications. With the proliferation of cloud-based services, mobile devices, and the Internet of Things (IoT), organizations are dealing with an ever-increasing number of interconnected systems and applications, which can make it difficult to identify all potential threats and vulnerabilities. Even worse, if the SOC cannot continuously monitor their entire landscape they cannot effectively respond when attacks affect unmonitored systems. Knowing a device may exist, or existed at some time, on a network is rather useless information if the team has no ongoing visibility or response capabilities for the device in question.

In order to address the scaling complexity of an organization’s network, I would recommend the SOC to break down these complex environments into more manageable chunks. Instead of looking at the enterprise network as a whole, tackle threat modeling per system/application or even a single feature of an application. The more detailed you can be with models, the more findings are often identified. Note that mitigations your team develops in response can potentially remediate much more than one finding so more findings is always a good thing. You can always later prioritize what you need to immediately focus on remediating. Due to the inherent complexity of modern day organizations using technology, it’s incredibly important to define a strict scope. Similar to how we approach penetration testing with a clearly defined scope of IP addresses, subnets, and systems, define a scope for every model and stick to it for the duration of the assessment.

Another challenge for organizations is the ever evolving threat landscape. It can be exhausting and daunting work to keep up with all the new critical CVEs being published on a daily basis. As your organization’s assets and networks evolve, so does the threat model - that new SaaS vertical going to market can unlock an entire new set of vulnerabilities attackers are eager to scan for and exploit as soon as they go live on the Internet.

My recommendation for keeping up with evolving threats and a growing network is to integrate threat modeling into the Software Development Life Cycle (SDLC). Utilize existing workflow tools; integrate into your engineers’ issue tracking software. Deploy a new application? That triggers a threat modeling exercise. This does not mean the SOC or any one cyber security analyst/engineer is responsible for all of the organization’s threat models - this would simply be infeasible. What scales here is to distribute the responsibility, the ownership, of threat model creation to the team that designed the feature, the workload, or the system. The SOC can review and advise the findings on an ongoing basis while leveraging the latest threat intelligence available to them.

Improving an organization’s capabilities to perform threat modeling can bring significant value to the business and the technical teams within. For the good of the organization, threat modeling will allow stakeholders to understand their most impactful risks. The organization will be able to appropriately and effectively prioritize investments into cybersecurity ensuring limited budgets go as far as possible. Threat modeling can provide guidance to technical teams so they can implement controls and mitigations to the identified risks, vulnerabilities, and threats. If integrated into the technical teams themselves, awareness of the risks associated with identified threats as it pertains to their systems and applications can empower the technical teams to mitigate threats before attackers can ever get to exploit them.