Guest Post

5 steps to implement threat modeling for incident response

This five-step process to develop an incident response plan from Rohit Dhamankar of Alert Logic includes threat modeling, which is key to thwarting cyber attacks.

Effective incident response is critical in minimizing damage and reducing the recovery time of a cyber attack. A successful outcome depends on having an incident response plan in place before an incident occurs. A threat modeling approach can also help organizations quickly and clearly assess business risk and develop that plan.

Threat modeling is a method for identifying vulnerabilities, anticipating the most probable types of attacks and establishing the necessary security measures to protect your business against those threats. While there are many threat modeling frameworks, these are some broad steps you can follow to ensure your environment is always secure.

Step 1. Identify assets

Unauthorized access is the root of most threats. Once attackers get inside your network, they will target your business's most valuable assets -- the same way home intruders look for cash, jewelry and expensive electronics.

The first step is to identify your assets and prioritize the ones needing protection. For most organizations, anything deemed business-critical can be considered an asset. Specifics will depend on the nature of your business, but common assets include the following:

  • customer data and payment information
  • corporate financial data
  • proprietary software code
  • HR information
  • patents and copyrights
  • client or vendor contracts
  • manufacturing processes

Once assets have been identified, it is imperative to understand where each one is located and to consider how it can be accessed. For example, does a critical database live on a server that has remote access? Mapping assets to their location and tracking how and how often they are accessed will help determine their vulnerability to a cyber attack.

Step 2. Identify who has access

Once crown jewel assets and their locations are determined, identify who has access to the assets and whether that access is controlled by role. This can include employees, contractors and business partners. Next, determine whether those accessing each asset have appropriate access privileges assigned. There should be policies in place to alert security teams when someone is accessing a database without the appropriate privileges. In these cases, security teams should restrict or deactivate the user's access when responding to an incident.
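As an added illustration (not code from the article or from Alert Logic), the following Python keeps a small asset register for Step 1 and an access directory for Step 2, then runs the privilege check the paragraph calls for over a few access log lines. All asset names, hosts, user names and log lines are constructed, and the location check assumes each asset has one registered host.

```python
# Added example, not from the article: asset register (Step 1), access directory
# (Step 2) and a check that flags access lacking the required privilege.
from collections import Counter
# Step 1: each asset mapped to where it lives and which roles may touch it (constructed).
ASSETS = {
    "customer_db": {"location": "db-prod-01", "allowed_roles": {"dba", "billing"}},
    "source_code": {"location": "git-01", "allowed_roles": {"developer"}},
}
# Step 2: who has access (employees, contractors, partners) and their roles (constructed).
USERS = {
    "alice": {"type": "employee", "roles": {"dba"}},
    "bob": {"type": "contractor", "roles": {"developer"}},
    "carol": {"type": "partner", "roles": {"billing"}},
}
# Constructed access log, one event per line: "<ts> user=<u> asset=<a> host=<h>"
ACCESS_LOG = """\
2024-05-01T09:00:00Z user=alice asset=customer_db host=db-prod-01
2024-05-01T09:05:00Z user=bob asset=source_code host=git-01
2024-05-01T09:07:00Z user=bob asset=customer_db host=db-prod-01
2024-05-01T09:12:00Z user=mallory asset=source_code host=git-01
2024-05-01T09:15:00Z user=alice asset=customer_db host=db-backup-02
"""

def parse_event(line):
    ts, *kv = line.split()
    return {"ts": ts, **dict(item.split("=", 1) for item in kv)}

def check_event(ev):
    """Return the alert reasons for one event; an empty list means it is clean."""
    asset, user, reasons = ASSETS.get(ev["asset"]), USERS.get(ev["user"]), []
    if asset is None:
        return ["asset not in register"]
    if user is None:
        reasons.append("unknown identity")
    elif not user["roles"] & asset["allowed_roles"]:
        reasons.append("role not authorized for asset")
    if ev["host"] != asset["location"]:  # asset touched somewhere it is not registered
        reasons.append("accessed outside registered location")
    return reasons

def review_log(log=ACCESS_LOG):
    """Return (alerts, counts): alert tuples (ts, user, asset, reasons) plus how often each asset was accessed."""
    alerts, counts = [], Counter()
    for line in log.splitlines():
        ev = parse_event(line)
        counts[ev["asset"]] += 1
        if reasons := check_event(ev):
            alerts.append((ev["ts"], ev["user"], ev["asset"], reasons))
    return alerts, counts
```

The access counts answer Step 1's "how often" question; the alerts are the events a security team would restrict or deactivate access on.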

Step 3. Identify vulnerabilities and threats

Next, consider what threats each environment faces. Try using an adversary-based threat model to identify potential attackers who may try to compromise the network. This model usually outlines four types of attackers:

  1. Network. This attacker typically conducts man-in-the-middle attacks, intercepting communication between two parties.
  2. Malicious insider. This can be any authorized user -- employees, vendors or anyone who has access to your network.
  3. Remote software. This attacker attempts to breach security software by introducing malicious scripts/code or a virus to steal data or gain control of the device or network.
  4. Advanced hardware. This attacker needs physical access to the device and will often launch sophisticated attacks using specialized equipment.

Next, identify potential vulnerabilities. Consider any hardware, apps, connected devices and communication channels that could enable attackers to enter the network. Vulnerabilities can include anything from overprivileged accounts and weak password policies to security misconfigurations and unpatched software. For each possible vulnerability, take a threat model approach at each entry point to determine potential security threats.

Step 4. Determine mitigations for each threat

After identifying potential threats for each environment, implement an appropriate level of security to protect that environment. This can be done by outlining classes of responses based on the seriousness of the incident and the environment affected.

For example, a cautious response to unauthorized user access may be a watch-and-wait approach, where the user's privileges are restricted and the account is monitored for further suspicious activity. Alternatively, if a user's password has been compromised, access should be disabled immediately.

The Common Vulnerability Scoring System (CVSS) can help evaluate the impact of threats. It assigns a score from 0 to 10 that indicates how severely exploiting a particular vulnerability would affect a device or network. The higher a threat's score, the more focus and resources you should dedicate to it.

Step 5. Repeat the cycle

Threat modeling for incident response is an iterative process. Once an incident response plan based on threat modeling has been developed, you must continuously assess its effectiveness by measuring the rate of critical incidents over time. If the number of incidents drops after making policy changes or other mitigations, that is evidence your incident response plan is working well. As elements are added to the system -- such as application updates, new devices and additional users -- repeat this threat modeling process so the system remains secure as it changes.

Preparation and a clear process are essential for effective incident response. Developing an incident response plan can be challenging, but taking a threat modeling approach can get you started on the right track.

About the author
Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has more than 15 years of security industry experience across product strategy, threat research, product management and development, technical sales and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded consulting firm Durvaankur Security Consulting. He holds two Master of Science degrees: one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.
