Threat modeling vs. vulnerability assessment – What’s the difference?

Allison Ho

Threat modeling, threat assessment, risk assessment, and vulnerability assessment—these terms are sometimes used interchangeably, but don’t necessarily mean the same thing.

Threat modeling and vulnerability assessment have a lot in common in terms of their objective, but where they differ is in scope. In this post we will define these terms, clarify their differences, and dig deeper into the cybersecurity challenges threat modeling and vulnerability assessment address.

Let’s start by defining threat modeling, threat assessment, vulnerability assessment, and risk assessment.

Threat modeling

Threat modeling is a set of practices that involves identifying potential and legitimate vulnerabilities, followed by setting up countermeasures and controls to prevent exploitation of those vulnerabilities. In threat modeling, IT security leaders are not only looking to identify indicators of compromise (IOCs) but, more importantly, to catch indicators of attack (IOAs), which allows security analysts to proactively stop an attack before it can cause devastation to an organization.

The threat modeling process can be broken down into three key approaches, each examining the infrastructure from a different point of view.

The attacker’s perspective

Your security team looks at cyber intrusions from an attacker’s perspective by focusing on the adversary’s goals, abilities, behavior, and the range of damage they might cause to your organization’s network.

From a bad actor’s point of view, attacks do not necessarily originate at the outer layers of your network; they may start in the middle and inner layers, such as within firewalls, servers, and company workstations (this can even include insider threats).

Security analysts position themselves at different points in your network, allowing them to map out the ways attackers could harm your organization within different portions of your security infrastructure.

Security architecture perspective

In threat modeling from an architectural perspective, your security team looks at cyber incidents from the viewpoint of the components making up your business network. This includes examining public-facing servers, internal servers, printers, workstations, wireless devices, laptops, routers, switches, other endpoints, and everything else making up your infrastructure.

The architectural perspective allows security experts to look at individual vulnerabilities within parts of your systems. From there, security teams can start implementing countermeasures and solutions to mitigate the risk of a cyber intrusion exploiting those areas and vulnerabilities.

Valuable assets perspective

Security teams can also assess your security needs from the point of view of your company’s assets.

By identifying your organization’s most critical assets, experts can build strategies based on the threat actor’s motivation, the amount of effort they are willing to spend, and how they might reach your valuable resources.

By approaching threats from a valuable asset perspective, security teams can better understand the lengths an adversary will go to in order to pull off a successful intrusion and consider the “work factor,” or amount of work the adversary would need to commit in order to reach a certain critical asset.

Threat assessment

A threat assessment is a process that formally evaluates and verifies the nature of a threat to an information system or company. Many threat assessments are used to gauge the likelihood of perceived threats.

Vulnerability assessment

A vulnerability assessment (VA) analyzes systemic security flaws in a network or host. Vulnerability assessments help identify and prioritize vulnerabilities found in network computers and systems. These are the software flaws or bugs that are susceptible to threats. Vulnerability management helps organizations classify and prioritize vulnerabilities across their network at scale.

Risk assessment

Risk assessment combines the assessment of both threats and vulnerabilities to determine your organization’s ability to protect its endpoints and systems from cyberattacks. Risk assessment can focus on identifying popular targets for cybercrime, such as assets housing sensitive information. This type of assessment includes investigating whether your organization has the capacity to remediate vulnerabilities.

What’s the difference between threat modeling and vulnerability assessment?

Their primary focus: Threats vs vulnerabilities

Threat modeling focuses on identifying threats and developing ways to protect systems against them. A threat is something that can take advantage of software vulnerabilities or weaknesses.

Vulnerability assessment focuses on identifying and prioritizing software vulnerabilities, the flaws or errors that are exploited by threats.

Proactive vs reactive processes

Threat modeling is part of a proactive risk management process that helps security teams visualize and analyze IOCs, IOAs, and the MITRE ATT&CK TTPs (tactics, techniques, and procedures) of adversaries. By first assigning risk scores to models and identifying objectives, technical scope, vulnerabilities, and risks, threat modeling can then develop preventative countermeasures against these weaknesses.

Vulnerability assessment is commonly thought of as a reactive process because it reveals the vulnerabilities already present in your network and systems. However, in some situations vulnerability management can be considered a proactive measure when security teams are able to remediate vulnerabilities before they can be exploited.

Threat intelligence-driven analysis

Both threat modeling and vulnerability assessment use threat intelligence-driven data to fuel their processes.

For vulnerability assessments, vulnerability ranking is a process used to categorize the severity of vulnerabilities via the Common Vulnerability Scoring System (CVSS). Other resources include the Common Vulnerabilities and Exposures (CVE) list found in the National Vulnerability Database (NVD) and the MITRE ATT&CK framework.

Threat modeling uses CVSS and MITRE TTPs to identify vulnerabilities and threats, and goes a step further to quantify threats and prioritize ways to remediate them. Combined with an understanding of the criticality of vulnerabilities, threat modeling sheds light on the assets in your system that are most vulnerable and the likelihood that these weak points will be exploited. This helps your security team uncover which potential threats are of highest priority and remediate them using the appropriate threat modeling approach (attacker, architecture, or asset perspective models).
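The following added example (not code from the original post) illustrates the distinction drawn in the risk assessment section and in the paragraph above: a vulnerability assessment ranks findings by CVSS base score alone, while a threat-modeling view re-ranks the same findings by combining severity with asset criticality and the likelihood of exploitation. The findings, asset names, criticality scale and likelihood values are all constructed for illustration; the weighting formula is a simple assumption, not a published standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed label, not a real CVE id
    asset: str              # constructed asset name
    cvss: float             # CVSS base score, 0.0-10.0 (severity of the flaw itself)
    asset_criticality: int  # 1 (low) .. 5 (crown jewel): the "valuable assets" view
    threat_likelihood: float  # 0.0-1.0: how likely a known adversary is to reach it


# Constructed sample findings, not real scan output.
FINDINGS = [
    Finding("VULN-A", "print-server", 9.8, 1, 0.2),
    Finding("VULN-B", "customer-db", 7.5, 5, 0.8),
    Finding("VULN-C", "public-web", 8.1, 4, 0.9),
    Finding("VULN-D", "dev-laptop", 5.3, 2, 0.3),
]


def rank_by_severity(findings):
    """Vulnerability-assessment view: order purely by CVSS base score."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_score(f):
    """Threat-modeling view (assumed weighting): severity x asset value x likelihood.

    Scaled so a CVSS 10.0 flaw on a criticality-5 asset that an adversary is
    certain to reach scores 100.0; everything else lands below that.
    """
    return round(f.cvss * (f.asset_criticality / 5) * f.threat_likelihood * 10, 1)


def rank_by_risk(findings):
    """Order findings by the combined risk score, highest first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("VA ranking (CVSS only):       ", rank_by_severity(FINDINGS))
    print("Threat-model ranking (risk):  ", rank_by_risk(FINDINGS))
    for f in sorted(FINDINGS, key=risk_score, reverse=True):
        print(f"  {f.vuln_id:7} {f.asset:14} cvss={f.cvss:4} risk={risk_score(f):5}")
```

Note how the highest-CVSS finding on a low-value print server drops to the bottom once asset value and likelihood are folded in, which is the prioritization shift the post attributes to threat modeling.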

To read more about today’s latest threats, visit the Threat Intelligence Blog.

Can threat modeling and vulnerability management work together for your business?

Certainly! Both vulnerability management and vulnerability assessment can be used in the threat modeling process. Commonly known threat modeling frameworks or attack trees include the Process for Attack Simulation and Threat Analysis (PASTA), Trike, Visual, Agile, and Simple Threat (VAST), and CVSS.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.