How so? Since security cannot be absolute, the threat model is basically just placing the problem into appropriate context. You don’t need to formalize all the capabilities of attackers, but you need to have at least some idea of what they are.
and think, ok, we’re secure under this threat model, hence we’re probably secure
That’s actually the reverse: hardening up under your current threat models makes you more secure against the threats you listed but doesn’t help you against adversaries which your threat model ignores. E.g. if your threat model doesn’t include a nation-state, you’re very probably insecure against a nation-state.
You don’t need to formalize all the capabilities of attackers, but you need to have at least some idea of what they are.
But you usually already have an intuitive idea of what they are. Writing down even an informal list of attackers’ capabilities at the start of your analysis may just make it harder for you to subsequently think of attacks that use capabilities outside of that list. To be clear, I’m not saying never write down a threat model, just that you might want to brainstorm about possible attacks first, without having a more or less formal threat model potentially constrain your thinking.
But you usually already have an intuitive idea of what they are
The point is that different classes of attackers have very different capabilities. Consider e.g. a crude threat model which posits five classes:
1. Script kiddies randomly trawling the ’net for open vulnerabilities
2. Competent hackers specifically targeting you
3. As above, but with access to your physical location
4. People armed with subpoenas (e.g. lawyers or cops)
5. Black-ops department of a large nation-state
A typical business might then say “We’re going to defend against 1-3 and we will not even try to defend against 4-5. We want to be sure 1 gets absolutely nowhere and we will try to make life very difficult for 3 (but no guarantees)”. That sounds like a reasonable starting point to me.
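As an added illustration (example code, not part of the thread or anyone's comment), here is a small Python model of the tiered threat model above: each attacker class is a set of capabilities, each attack path needs certain capabilities and is stopped by any one of certain mitigations, and the business rule "class 1 gets absolutely nowhere" becomes a check. It also shows the earlier point that a model which omits classes 4-5 simply says nothing about them. All capability, attack and mitigation names are made up for the example.

```python
"""Capability-tiered threat model (constructed example, not from the thread).

Attacker classes are sets of capabilities; attack paths list the capabilities
they need plus the mitigations that stop them. The residual for a class is
every attack it can afford that no deployed mitigation blocks.
"""
from dataclasses import dataclass

# Capability sets for the five classes in the comment (labels are assumptions).
BASE = {"internet_scan", "exploit_public_vuln"}
TARGETED = BASE | {"targeted_recon", "phishing", "credential_stuffing"}
ATTACKER_CLASSES = {
    1: BASE,                                    # script kiddies
    2: TARGETED,                                # competent, targeting you
    3: TARGETED | {"physical_access"},          # as above, plus on-site access
    4: BASE | {"legal_compulsion"},             # subpoenas rather than exploits
    5: TARGETED | {"physical_access", "zero_day", "supply_chain", "coerce_insider"},
}


@dataclass(frozen=True)
class Attack:
    name: str
    needs: frozenset       # capabilities the attacker must have
    blocked_by: frozenset  # any one deployed mitigation stops this path


# Constructed attack paths; "blocked_by" is empty when nothing in the plan addresses it.
ATTACKS = [
    Attack("exploit_unpatched_edge_service",
           frozenset({"internet_scan", "exploit_public_vuln"}), frozenset({"patch_sla"})),
    Attack("password_spray_vpn",
           frozenset({"internet_scan", "credential_stuffing"}), frozenset({"phishing_resistant_mfa"})),
    Attack("phish_admin_session",
           frozenset({"targeted_recon", "phishing"}), frozenset({"phishing_resistant_mfa"})),
    Attack("steal_unencrypted_laptop",
           frozenset({"physical_access"}), frozenset({"full_disk_encryption"})),
    Attack("plant_rogue_device_on_lan",
           frozenset({"physical_access"}), frozenset({"port_security_8021x"})),
    Attack("compel_provider_for_logs",
           frozenset({"legal_compulsion"}), frozenset({"data_minimisation"})),
    Attack("backdoored_build_dependency",
           frozenset({"supply_chain"}), frozenset()),
]


def feasible(attack, capabilities):
    """An attack is feasible for a class iff the class has every capability it needs."""
    return attack.needs <= capabilities


def residual(capabilities, deployed):
    """Attack names a class with `capabilities` can run that survive `deployed` mitigations."""
    return sorted(a.name for a in ATTACKS
                  if feasible(a, capabilities) and not (a.blocked_by & deployed))


def coverage_report(deployed, classes=ATTACKER_CLASSES):
    """Residual attacks per attacker class; classes left out of `classes` are never reported."""
    return {cls: residual(caps, deployed) for cls, caps in classes.items()}


def policy_holds(report, must_be_zero=(1,)):
    """The business rule from the comment: the listed classes must get absolutely nowhere."""
    return all(not report[c] for c in must_be_zero)


# Constructed mitigation plan for the "defend against 1-3" business.
DEPLOYED = {"patch_sla", "phishing_resistant_mfa", "full_disk_encryption"}

if __name__ == "__main__":
    for cls, left in coverage_report(DEPLOYED).items():
        print(f"class {cls}: residual = {left or 'none'}")
    print("policy holds:", policy_holds(coverage_report(DEPLOYED)))
    # A model that omits classes 4-5 reports nothing about subpoenas or supply chain.
    print(coverage_report(DEPLOYED, {c: ATTACKER_CLASSES[c] for c in (1, 2, 3)}))
```

With that plan, classes 1 and 2 have no residual, class 3 still has the rogue-device path (port security is not deployed), and classes 4 and 5 keep the subpoena and supply-chain paths, which is exactly what "we will not even try to defend against 4-5" means in practice. Dropping `patch_sla` makes class 1 non-empty and the policy check fails.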