Is a threat model totally subjective or can it be based on objective guidelines?

Question

We all know that in the security field everything depends on the threat model, which basically means you need to define who or what you are protecting from. But who should decide this, and on what objective basis? Since you can't protect everything from everything, you need to choose the most likely threats and focus on those. But I think it's difficult to assess the likelihood of a threat without making subjective decisions, and I don't know if there is a method or collection of best practices that can help.

I'm asking this question because I realized I can't decide what to protect from. It's easy to say "don't open attachments from suspicious senders", but who decides who's suspicious, and how exactly? It could be defined as "anyone not in your contact list", or "anyone as long as they aren't from [insert your favorite rogue country here]", but that seems very subjective to me. If I don't trust my browser I might use it inside a VM, if I don't trust the VM I might use it in an air-gapped machine, if I don't trust the machine... well, it never ends, so again, who decides what I should trust and on what basis? Or for example, how do I know if I should even protect from the government, if I'm likely a target? It might look like there's only a thin line between a threat model and paranoia, but at least real paranoia can be diagnosed. The doctor checks some symptoms in an official book, and makes decisions based on that (or at least he should). By analogy, if there was an objective method to define threat models, the doctor would open his book and be like, "Yes, China is officially considered a rogue country as far as infosec is concerned, so in this case you should definitely reject email coming from there", or "No, in your situation you should just trust the software in your distro's official repo; if you don't trust it then you might be paranoid and might have to take these pills".

Answer 1

"don't open attachments from suspicious senders" is not the kind of thing you would put in a threat model. The threat is what may be in the attachment. It's a threat no matter who sent it (and don't assume that it came from the specified email address).

Also, there's a difference between identifying threats and mitigating threats. Yes, the hardware may be compromised, and you can identify that in your threat model, that doesn't mean that you actually do anything about it. Basic risk management: avoid, mitigate, accept or transfer. At some level, everyone accepts risk. It's unavoidable. Identify your most likely threats, figure out your budget. For each threat, figure out the cost to avoid, mitigate and transfer and then determine if the cost is inline with the risk. If it is do it, if it's not then accept the risk or get a bigger budget.

Finally, budget isn't always about money, it's often time. If your #1 risk takes ten times longer to mitigate then your #2 and #3 combined, but your #1 risk is just slightly riskier than #2, which is slightly riskier than #3, then accept #1 and deal with #2 and #3.

There is no formula for this, it's about judgement.

Answer 2

To answer the headline question, you can threat model in an objective, predictable, and repeatable way.

I use a 4-question framework for threat modeling:

1. What are we working on?
2. what can go wrong?
3. what are we going to do about it?
4. Did we do a good job?

The specific building blocks you use for each step depend on who you are, where you are in the supply chain (chip makers use different techniques than end users).

Your questions about likelihood are part of answering #3, and asking 'do we bother with this?'

I'd like to suggest that the place your frame creates trouble is the assumption that you must focus on the most likely threats. This sounds like motherhood and apple pie, but there are other ways to work through the question, like do the easy fixes first.

For example, if you're building a system, you should fix your S3 bucket permissions without attempting to assess the likelihood of a breach to the bucket, or its importance. You should, generally, TLS all the network connections.

As an end user, you should use a password manager and 2FA your accounts where you can, because there are lots of breaches that leak your passwords, and re-using them across sites puts you at risk. You should turn on automatic updates because the manufacturers tell you there are defects, and the fixes are pretty reliable. So these are low-cost, low-effort ways to deal with objectively common threats. You should ask if you need flash, java and office, which are three big, often exploited clients, and there's data out there in various threat reports like ones from Microsoft or Symantec to tell you that. But you do not need to go to either original research or first principles to decide on those.

Answer 3

Well, there are objective guidelines that can help, though not with everything. And that comes with diagnosing paranoia as well, there are some basic check-boxes but for some things, the doctor has to use his opinion and experience.

So in case of info-sec, you have two important metrics. Cost of attack vs gain from attack. So you don't have to defend against a 10 million dollar supercomputer if you are protecting $100 of bitcoin. It is not profitable for the attacker, so he won't attack.

And annual cost of defense against annual loss caused by hacks. So you should not buy $10.000 worth of HW firewalls and other equiupment protecting your $100 worth of bitcoin.

These two are mostly objective, however you have to decide for yourself how much you value stuff like family photos or your privacy. You also have to guess what is such stuff worth to an attacker. Ideally never provoke attackers by for example claiming your system is impenetrable. That is just a recipe to attract all the hackers with near limitless effort and resources to break it.