What is your threat model?
Proper threat modeling is crucial to having a realistic IT infrastructure
Posted on: 2025-09-23

I recently watched a video about a threat to Tor users that relies on BGP hijacking. If an attacker is able to compromise AT&T, Verizon or any other large Internet backbone provider, they can hijack its BGP route announcements, forcing traffic destined for that provider onto a different provider's network instead. This video made me think about threat modeling, and how people often seem to focus on the wrong threats when doing IT security.
To give a comparison, this is like a prepper planning their life around the threat of a zombie apocalypse. Never mind that the person is far more likely to lose their job, be caught in a fire or flood, be mugged, and so on. There are literally thousands of far more realistic scenarios that could happen and would benefit from preparedness, but instead a lot of preppers seem to fixate on bigger, far less probable threats such as the Earth being overrun by zombies.
To be clear, I'm not saying BGP hijacking can't happen. It definitely can, and it has happened in the past. However, this is a highly consequential attack that requires significant resources and access, and it is very visible. There are tools out there to detect these things, and large providers are especially attuned to this type of threat.
So what is threat modeling?
Threat modeling is a process typically used in cybersecurity (although anyone can apply these techniques in their daily lives) to identify, evaluate, and mitigate potential security risks in a system before they can be exploited. At its core, threat modeling is about understanding what you're building, identifying what could go wrong, and planning defenses accordingly. Instead of responding to issues after the fact, you prepare for them before they happen.
This process typically involves four key steps:
- Identify assets - What needs to be protected? This can include user data, intellectual property, infrastructure, or system availability.
- Document the system - Create a clear model of how data moves through your infrastructure, including software components, external dependencies, and data flows.
- Identify threats - Think about potential attack vectors. This includes anything from social engineering and injection attacks to misconfigured cloud storage or insider threats.
- Mitigate threats - Develop strategies to reduce or eliminate risk, whether through design changes, access controls, encryption, monitoring, and so on.
The goal isn’t to eliminate every possible threat, but instead to prioritize likely and high-impact risks, allowing you to make informed, strategic security decisions. Basically, you want to address threat vectors based on how realistic they are, and how devastating they would be to your environment.
Realistic attack vectors
The reality is that most digital threats are very simple and don't involve any highly complex attack vectors. Unless you have personally made an enemy of a nation-state, those types of threats should be far down the list.
Based on my 20+ years of experience in IT, here are some realistic attack vectors I see facing organizations today:
- Phishing and social engineering - Still one of the most effective attack methods, phishing emails trick users into clicking malicious links or providing credentials. Advanced variants use spear phishing or business email compromise tactics, targeting specific individuals with convincing pretexts. It's still the most common attack vector by far.
- Ransomware - In this attack type, attackers encrypt critical systems and demand payment for decryption keys. More recently, double extortion tactics have emerged, where data is both encrypted and exfiltrated, with threats to leak it publicly if payment isn’t made.
- Misconfigured systems - As organizations migrate to cloud infrastructure, misconfigurations (like publicly exposed S3 buckets or overly permissive IAM roles) present easy targets for attackers. The same can happen on-premises, where a firewall may be left open by mistake, giving access to the internal LAN.
- Software supply chain attacks - This used to be a rare attack vector, but it is becoming very frequent these days. Compromising one component in the software supply chain (like third-party libraries, external dependencies, CI/CD pipelines, and so on) can ripple across thousands of organizations at once.
- Zero-day vulnerabilities - Zero-days are previously unknown vulnerabilities that attackers exploit before software vendors can release a fix. This is what you typically see in hacking movies, but it is one of the least common attack vectors, because it's so hard to pull off.
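To make the "prioritize by likelihood and impact" step of the four-step process concrete for the vectors listed above, here is a small worked example in Python. It is added to this post and is not the author's own tool; the annual rates, loss figures, control costs and reduction percentages are constructed for illustration and labelled as such in the code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    aro: float  # annualised rate of occurrence: expected incidents per year
    sle: float  # single loss expectancy: cost of one incident, in dollars

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: likelihood times impact, per year."""
        return self.aro * self.sle

@dataclass(frozen=True)
class Control:
    name: str
    threat: str       # name of the Threat this control mitigates
    cost: float       # annual cost in dollars
    reduction: float  # fraction of the threat's ALE it removes (0..1)

def rank_threats(threats):
    """Highest expected annual loss first: this is where the real risk sits."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)

def control_value(control, threats):
    """Expected loss removed per dollar spent; None if the control matches no threat."""
    target = next((t for t in threats if t.name == control.threat), None)
    if target is None:
        return None
    return target.ale * control.reduction / control.cost

def rank_controls(controls, threats):
    """Best risk reduction per dollar first; unmatched controls are dropped."""
    scored = [(c, control_value(c, threats)) for c in controls]
    return sorted((s for s in scored if s[1] is not None), key=lambda s: s[1], reverse=True)

# Constructed, illustrative figures for the vectors named in the post; replace
# them with your own incident history and asset values.
THREATS = [
    Threat("Phishing / BEC", aro=6.0, sle=80_000),
    Threat("Ransomware", aro=0.5, sle=800_000),
    Threat("Misconfigured cloud storage", aro=1.0, sle=150_000),
    Threat("Supply chain compromise", aro=0.2, sle=400_000),
    Threat("Zero-day exploit", aro=0.05, sle=600_000),
    Threat("BGP hijack of upstream provider", aro=0.01, sle=1_000_000),
]
CONTROLS = [
    Control("Phishing-resistant MFA", "Phishing / BEC", cost=20_000, reduction=0.8),
    Control("Offline, tested backups", "Ransomware", cost=30_000, reduction=0.6),
    Control("Cloud config scanning", "Misconfigured cloud storage", cost=10_000, reduction=0.7),
    Control("BGP route monitoring service", "BGP hijack of upstream provider", cost=100_000, reduction=0.5),
]
```

With these numbers, `rank_controls` puts MFA first (about $19 of expected loss removed per dollar) and the BGP monitoring service last (about 5 cents per dollar), which is the kind of comparison that should drive a security budget.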
The bottom line
I've worked with places that would spend hundreds of thousands of dollars protecting themselves against completely unrealistic threats, while very common attack vectors were left wide open. Usually, these decisions were made by executives without much of a tech background, or sales people worried about pushing a specific product or service.
I'm not going to tell anyone not to worry about BGP hijacks or other nation-state attacks. If you're a high-profile activist based in an authoritarian country, your threat model is going to be vastly different from that of a low-profile individual in a western country. But the key is that you first need to establish your threat model, before you start thinking up random attack vectors, or protecting yourself against unlikely threats while forgetting very common ones.