You don’t need to formalize all the capabilities of attackers, but you need to have at least some idea of what they are.
But you usually already have an intuitive idea of what they are. Writing down even an informal list of attackers’ capabilities at the start of your analysis may just make it harder for you to subsequently think of attacks that use capabilities outside of that list. To be clear, I’m not saying never write down a threat model, just that you might want to brainstorm about possible attacks first, without having a more or less formal threat model potentially constrain your thinking.
But you usually already have an intuitive idea of what they are
The point is that different classes of attackers have very different capabilities. Consider e.g. a crude threat model which posits five classes:
1. Script kiddies randomly trawling the ’net for open vulnerabilities
2. Competent hackers specifically targeting you
3. As above, but with access to your physical location
4. People armed with subpoenas (e.g. lawyers or cops)
5. Black-ops department of a large nation-state
A typical business might then say “We’re going to defend against 1-3 and we will not even try to defend against 4-5. We want to be sure 1 get absolutely nowhere and we will try to make life very difficult for 3 (but no guarantees)”. That sounds like a reasonable starting point to me.