
Practical Threat Modeling Based on Community Templates


Speaker: James Tarala
Event: SANS Webcast
Date: August 29, 2024
Watch on YouTube: https://www.youtube.com/watch?v=lLwxSOTWFTE&t=8s 

Introduction 

Threat modeling is a critical component of cybersecurity risk management, yet many organizations struggle to implement it effectively. In this SANS webcast, James Tarala discusses practical threat modeling techniques that leverage community templates to make the process more structured, scalable, and actionable. 

James Tarala emphasizes that threat modeling should not be an academic exercise, but rather a practical approach to identifying, prioritizing, and mitigating threats in alignment with business objectives. This session provides concrete methodologies and templates that organizations can use to build a repeatable threat modeling process. 


Key Takeaways 

  • Threat modeling should be integrated into security governance. It must align with risk management frameworks and business objectives. 
  • Not all threat models are created equal. Organizations should distinguish between models for vulnerability management, asset prioritization, and safeguard selection. 
  • Community-driven threat taxonomies provide a foundation. Organizations can leverage resources like MITRE ATT&CK, NIST 800-30, and the Open Threat Taxonomy to create structured threat inventories. 
  • Threat modeling should inform safeguard selection. The best way to prioritize security investments is by mapping threat severity to security controls. 
  • Automation and structured data improve threat modeling. Moving beyond spreadsheets to database-driven analysis and security intelligence integration enhances accuracy and efficiency. 


Summary of the Discussion 

The Role of Threat Modeling in Cybersecurity 

Threat modeling helps organizations anticipate, understand, and mitigate security threats before they become incidents. Tarala highlights the following challenges that prevent organizations from fully implementing threat modeling: 

  • Lack of standardization. Many organizations approach threat modeling inconsistently, leading to gaps in security planning. 
  • Overly technical focus. Some teams model threats purely from a technical perspective, without connecting them to business risks. 
  • Failure to link threats to safeguards. Threat modeling should drive security control selection rather than existing in isolation. 
  • Resource constraints. Manual threat modeling is time-intensive, making it difficult for organizations to scale the process. 


Different Approaches to Threat Modeling 

Threat modeling can serve multiple purposes in an organization. Tarala categorizes the main approaches as follows: 

  1. Threat Modeling for Vulnerability Management
  • Focuses on identifying software and infrastructure vulnerabilities.
  • Helps prioritize patching and security updates.
  • Uses frameworks like STRIDE and PASTA to assess risk exposure.

  2. Threat Modeling for Asset Prioritization
  • Determines which business assets require the most protection.
  • Often used in business impact analysis (BIA) and disaster recovery planning.
  • Helps align cybersecurity investments with business priorities.

  3. Threat Modeling for Safeguard Selection
  • Identifies threats that security controls should mitigate.
  • Helps justify security investments based on real-world threat exposure.
  • Uses threat-to-control mapping to guide security strategy.

This webcast primarily focuses on threat modeling for safeguard selection, as it is the most impactful for security governance and risk management. 


Using Community Templates for Threat Modeling

Organizations do not need to start from scratch when building threat models. Tarala recommends using community-driven threat taxonomies as a foundation, including: 

  • MITRE ATT&CK – A widely used knowledge base of adversary tactics and techniques. 
  • NIST 800-30 – Provides a structured approach to threat assessment. 
  • Open Threat Taxonomy – A collaborative effort to categorize cybersecurity threats. 
  • Carnegie Mellon SEI Threat Taxonomy – Offers structured threat definitions.

By leveraging these resources, organizations can build comprehensive threat inventories without reinventing the wheel.


A Practical Approach to Threat Modeling 

James Tarala outlines a five-step process for practical threat modeling: 

  1. Build a Threat Inventory
  • Gather threat intelligence from industry reports, security vendors, and open-source taxonomies.
  • Classify threats by type, impact, and likelihood.
  • Ensure the threat inventory is continuously updated.

  2. Prioritize Threats Using Risk Scoring
  • Use models like DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) to score threats.
  • Integrate threat intelligence feeds to refine risk scoring.
  • Apply multipliers for executive concerns (e.g., high-profile threats in the news).

  3. Map Threats to Security Controls
  • Align threats with existing security safeguards.
  • Identify gaps where new controls are needed.
  • Prioritize security investments based on threat criticality.

  4. Automate Threat Modeling Where Possible
  • Move from spreadsheet-based risk tracking to database-driven analysis.
  • Integrate security information and event management (SIEM) systems to validate risk models with real-world data.
  • Use governance, risk, and compliance (GRC) platforms to track threats and control effectiveness.

  5. Communicate Findings to Leadership
  • Present threat modeling results in business terms.
  • Use visual dashboards, heat maps, and scorecards to enhance clarity.
  • Focus on actionable security improvements rather than theoretical risk discussions.
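Steps 2 and 3 of the process above, carried through in code as an added illustration (this is not material from the webcast or from SANS): a small structured threat inventory is scored with DREAD, an executive-concern multiplier is applied, and threats with no mapped safeguard are surfaced as control gaps. The threat entries, the 1-to-10 ratings, the 1.5 multiplier and the control names are all constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
EXEC_MULTIPLIER = 1.5  # assumed weight for threats leadership has flagged

@dataclass
class Threat:
    name: str
    ratings: dict                                  # each DREAD factor rated 1 (low) to 10 (high)
    controls: list = field(default_factory=list)   # safeguards already mapped to this threat
    executive_concern: bool = False

def dread_score(t: Threat) -> float:
    """Base DREAD score: mean of the five factor ratings, each validated to be 1-10."""
    missing = [f for f in DREAD_FACTORS if f not in t.ratings]
    if missing:
        raise ValueError(f"{t.name}: missing DREAD factors {missing}")
    for f in DREAD_FACTORS:
        if not 1 <= t.ratings[f] <= 10:
            raise ValueError(f"{t.name}: {f} must be between 1 and 10")
    return mean(t.ratings[f] for f in DREAD_FACTORS)

def priority_score(t: Threat) -> float:
    """DREAD score with the executive-concern multiplier applied where flagged."""
    s = dread_score(t)
    return round(s * EXEC_MULTIPLIER, 2) if t.executive_concern else round(s, 2)

def prioritize(inventory):
    """Rank the inventory by priority score, highest first."""
    return sorted(inventory, key=priority_score, reverse=True)

def control_gaps(inventory):
    """Threats with no safeguard mapped, in priority order: candidates for new investment."""
    return [t.name for t in prioritize(inventory) if not t.controls]

# Constructed sample inventory (hypothetical threats, ratings and controls)
INVENTORY = [
    Threat("Phishing-led credential theft", dict(zip(DREAD_FACTORS, (7, 9, 8, 9, 8))),
           ["MFA", "email filtering"], executive_concern=True),
    Threat("Unpatched internet-facing service", dict(zip(DREAD_FACTORS, (9, 8, 7, 6, 7))),
           ["vulnerability scanning"]),
    Threat("Lost unencrypted laptop", dict(zip(DREAD_FACTORS, (6, 5, 6, 3, 9)))),
]

if __name__ == "__main__":
    for t in prioritize(INVENTORY):
        print(f"{priority_score(t):6.2f}  {t.name}  controls={t.controls or 'NONE'}")
    print("control gaps:", control_gaps(INVENTORY))
```

Swapping the list for rows from a database table is the step from spreadsheet to database-driven tracking the session recommends; the scoring and gap logic stay the same.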


Actionable Insights 

  • Adopt community-driven threat taxonomies. Start with MITRE ATT&CK, NIST 800-30, and Open Threat Taxonomy to accelerate threat modeling. 
  • Link threats to security controls. The best use of threat modeling is to justify security investments and prioritize safeguards. 
  • Use structured data and automation. Move beyond static spreadsheets to database-driven risk tracking. 
  • Incorporate real-world threat intelligence. Align your threat models with data from security vendors, threat reports, and industry benchmarks. 
  • Regularly update threat models. Cyber threats evolve, so threat inventories must be continuously refined. 


Conclusion 

Threat modeling should be a practical, ongoing process that enhances security governance, risk management, and safeguard selection. By leveraging community templates, structured data, and automation, organizations can improve their threat modeling processes and strengthen their cybersecurity posture. 

By following this approach, security teams can prioritize real threats, make data-driven security decisions, and gain leadership buy-in for critical security initiatives. 

For more insights on this topic, watch the full webcast at the YouTube link above.