top of page

Threat Modeling and Real-Time Intelligence - Part 1

Keeping Security Teams at the Forefront of Proactive Defense

Threat modeling is an integral part of security-by-design programs for applications, products, and services used by your organization that could be exploited by threat actors or suffer a software vulnerability. There are many different tools, methodologies (PASTA and STRIDE), and frameworks (OWASP and MITRE ATT&CK) to help security practitioners with threat modeling initiatives. Like the MITRE ATT&CK framework, threat models are adversarial-focused, requiring analysts to have a hacker mindset. Think like your enemy.

In a way, creating a threat model is comparable to authoring a "worst-case scenario" handbook specifically for defending against cybersecurity threats. And like any disaster scenario needs a corresponding recovery plan, the time to prepare is now, not later, when it is too late.

This blog series explores the relationship between threat Intelligence and threat modeling to demonstrate how they strengthen an organization's security. We will discuss how Threat intelligence informs adaptive threat models, merging strategic foresight with tactical preparedness to face evolving cyber threats.

Threat Modeling informed by Intelligence is Vital for Security-by-Design Initiatives

Threat modeling plays a vital role in security-by-design programs. Companies that need this level of security will analyze potential threats and vulnerabilities in applications, products, or services before they are brought to market. Security experts can identify weaknesses and create strong defenses against emerging risks by considering worst-case scenarios. However, the true power of threat modeling lies in applying threat intelligence to enable preemptive defenses.

Real-time threat Intelligence involves monitoring and analyzing threat actors, their motives, tactics, and the external threat landscape. It can be thought of as strategic reconnaissance in cybersecurity. It allows organizations to predict, adapt, and defend by identifying changes in adversary behavior.

When companies take a proactive approach to defending critical business applications, they recognize the need for tools to build visibility into threat actors operating in their geography and industry. This is where real-time threat intelligence and threat modeling step in to offer a preemptive defense strategy.

Threat Modeling and Intelligence-Led Use Cases

Threat modeling defends against potential cyber threats to applications, products, or online services. It's vital in identifying and addressing vulnerabilities and protecting digital assets from malicious actors. Integrating threat modeling into corporate initiatives early in development lays a secure foundation for product enhancements. Cyber threat modeling complements many different business initiatives and scenarios. Its versatility makes it applicable to a wide range of business initiatives, including:

Application Development and Design: Early-stage software and app development to pinpoint design, architecture, and code vulnerabilities.

Critical Network Infrastructure: Assessing routers, firewalls, and switches to identify attack vectors and improve network security.

Cloud and Virtualization: Understand the security implications of cloud and virtualization technologies and manage risks.

IoT Devices: A vital component of secure IoT device design and communication protocols, especially in medical settings.

Critical Infrastructure: Digital transformation projects create risks that need threat modeling to build defenses for anticipating cyber threats.

E-commerce and Finance: Online platforms handling online transactions and customer incentives need to build defenses against attacks that take into account seasonal impacts and changes to incentives and fulfillment partners.

Healthcare and Medical Devices: Connected patient healthcare and communications must be protected with built-in defenses.

Automotive and Transportation: Development of embedded defenses for secure connected vehicles.

Supply Chain Security: Assess security risks with threat models that include software supply chain partners used to deliver services and operate critical production systems and communications.

Incident Response: Simulate cyberattacks with threat modeling to develop response plans.

Government and Defense: Capture nation-state actors TTPs to build predictive defenses and proactive response.

Social Engineering: Improve awareness against social engineering cyber-attacks with threat models that visualizes a credential based compromise.

All of these will likely have internet facing systems, or communications that traverse it, making external threat intelligence a key ingredient for their success and security.

Create Preemptive Defenses using Frameworks and Threat Models

Security practitioners within enterprise organizations use tools, methodologies, and frameworks for comprehensive threat modeling. PASTA and STRIDE methodologies and OWASP and MITRE ATT&CK frameworks offer different approaches to modeling threat actor behavior and their techniques, tactics, and procedures. On the defensive side, many tactical workflows and processes use frameworks to anticipate attacks and devise built-in resiliency in case of compromise.

Frameworks like OWASP (Open Web Application Security Project) and MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) provide resources for analysts to build a threat modeling practice. MITRE ATT&CK adopts an adversarial perspective, encouraging analysts to think like a hacker. Security experts can identify weaknesses and create strong defenses against emerging risks by considering worst-case scenarios.

Start Early to Model Threats for New Applications and Changing Business Realities

A good example of using these combined initiatives and maximizing its benefits is during the early stages of the Software Development LifeCycle (SDLC), before an application or new online service reaches production. It enables security analysts and developers to scrutinize every aspect of the application's architecture. This scrutiny proactively identifies inherent weaknesses and potential vulnerabilities that might go unnoticed.

During this early phase, collaboration with the threat intelligence team becomes invaluable. These teams understand the evolving threat landscape, offering insights into threat actor behavior, tactics, techniques, and procedures (TTPs). By integrating threat intelligence into the threat modeling process, organizations can fortify their defenses and better align their security efforts with company business initiatives.

Threat modeling is most effective when it adapts to changing environments. Security leaders help align threat models with evolving dynamics by establishing feedback loops for ongoing assessment with business counterparts.

Dynamic factors, such as seasonal business variations and introducing new incentives, significantly change an application's risk profile and the type of attacks likely to occur. Our own research demonstrates that even your cyber adversaries have seasonal changes that impact when they are most likely to launch an attack against your organization. Business unit leaders play a pivotal role in these scenarios, as their insights can help align threat models with evolving commercial dynamics.

Establishing a feedback loop between threat modeling, intelligence, hunting teams, and business units is instrumental in assessing ongoing application changes and the internal and external threat landscape. For instance, integrating third-party access via APIs or introducing new monetization strategies can dramatically alter an application's threat model by introducing new threat vectors. This adaptability ensures that threat models remain relevant and effective in the face of emerging challenges.

Build Threat Models that include Partners and Cloud Services

Business transformation initiatives are a driving force in migrating to cloud services to speed up the launch of new applications and customer services. Third-party services available through APIs are another factor that spurs the adoption of cloud services and drives the availability of online customer services. Proactive defense of core applications critical to the business requires continuous monitoring and prioritization of CVEs, especially within vulnerable application development frameworks.

Organizations must enact proactive security measures that allow analysts to quickly discover new applications, points of entry, and how new business partnerships will change their attack surface and influence business risk. This is critical in light of the software supply chain that makes up online customer services or other core functions you cannot do without.

When analysts can operate with an outside-in view of your external attack surface that includes third parties and cloud services, they can better defend it.This level of visibility enables the creation of realistic threat models that consider third parties that support your applications.

As cybersecurity threats evolve, threat modeling emerges as an indispensable tool for organizations making strides toward a proactive security defense. Early examination of potential attack vectors and vulnerabilities using threat models empowers security practitioners to craft aggressive defenses in designing new services and products. By integrating threat intelligence and fostering collaboration across various teams, organizations can ensure their threat models remain relevant, agile, and capable of anticipating and mitigating emerging threats. The synergy between threat modeling, intelligence, and stakeholder involvement paves the way for a more secure and resilient digital future.

Further Reading:

Learn more about the threat vectors you should be considering in your Threat Model here

Read our customer case study about the discoveries made when external Threat Intelligence is applied over a Threat Model.


Recent Posts

See All


bottom of page