One fundamental principle every threat modeler learns very early in their career is that not all threats are created equal. Some threats can be fixed more easily than others. Among the threats most difficult to fix — if they can be fixed at all — are inherent threats, which are threats that touch the essence of a system.
Threat modeler Adam Shostack explained in a recent whitepaper that when a threat is tied directly to a system, protective measures cannot be perfect or complete — and understanding those tradeoffs influences threat modeling in two important ways: "First," he said, "it informs more in-depth threat modeling as we struggle to specify answers to 'What are we going to do about it?' Second, it helps us consider inherent threats when we scale threat modeling across hundreds or thousands of systems so we can prioritize what gets attention first."
Nataliya Shevchenko, a senior member of the technical staff in the CERT division at Carnegie Mellon University's Software Engineering Institute, said inherent threats are introduced by flaws or necessities in the design or processes of a system, which makes them the hardest and most expensive to mitigate, especially if identified late in the system engineering lifecycle.
"Early performance of threat modeling, ideally during the conceptual phase of system design, provides an opportunity to identify inherent threats before system construction or key decisions are finalized. This proactive approach enables the organization to address the flaw that creates the possibility of inherent threats or develop a mitigation to minimize the risk it introduces."
—Nataliya Shevchenko
Subsequent iterations of threat modeling should occur whenever alterations are made to the system's architecture or processes, spanning all levels of abstraction from conceptual to physical implementations, she added.
Here are key takeaways from the Shostack + Associates whitepaper — along with insights from top threat modeling subject matter experts.
Building custom libraries will pay off
Inherent risks will be addressed via early detection and response or by risk acceptance and transfer, Shostack said. "If you find threats that will lock in design choices or create compatibility problems to fix, addressing them soon and even delaying a release will pay off," he wrote.
Chunyi Peng, an associate professor of computer science at Purdue University, said that identifying inherent threats can directly help organizations become aware of possible threats — and thus take actions to avoid such risks. That was the case in research cited by Peng.
"We investigated inherent threats in 911 services on 5G/4G networks. While these inherent threats have not been exploited as real attacks against 5G/4G networks and 911 services, our study was able to help standards makers and operators realize possible risks and make decisions with a good tradeoff between usability and security."
—Chunyi Peng
There is no 100% secure system, Peng added. That implies that it is impossible to mitigate all risks. Inherent threats are often those that are feasible but occur in an unanticipated way. "As usability is often more important than security in many cases, inherent threats are inevitable when well-established security protection is not fully performed or complex operations are partially checked in field trials," she said.
Chris Romeo, CEO of the threat modeling company Devici, said that categorizing, triaging, and mitigating inherent threats are crucial because such threats contain hidden organizational risks. Understanding inherent risks helps with threat modeling because it builds a custom threat library specific to your organization and environment, he said. Not all companies have the same risk profile, so their threat landscape differs. "The custom threat library lets you focus on the most crucial items in your world that will cause you the most reputational or monetary damage," Romeo said.
"When applying the custom threat library to your application inventory, you now have specific items backed by the security and privacy teams, thinking deeply about the real threats to the things you build. This will result in less pushback from development teams when asked to perform threat modeling because they have traceability between threat/risk and real-world challenges."
—Chris Romeo
CERT's Shevchenko said that identifying inherent threats allows organizations to understand the potential risks based on their objectives and business operations. "By addressing the most critical risks, organizations can prioritize their resource allocation," she said.
Scale your threat modeling the smart way
Understanding if a threat is inherent to a system is tremendously clarifying, Shostack said. "It informs how we address that threat," he wrote in the whitepaper.
"It shows us where residual risk is unavoidable. It dictates our choices of how to balance protection, detection, and response. Last, but certainly not least, it enables us to scale threat modeling across the enormous application inventories that companies develop as they grow."
—Adam Shostack
Shevchenko explained how the discovery of inherent threats can help scale threat modeling across an organization, and she noted how applications developed within the same organization typically share architecture, platforms, and processes. When threat modeling is conducted on these shared resources and inherent threats are pinpointed, they become relevant to all applications utilizing those resources, she said.
This eliminates the necessity for conducting exhaustive threat modeling rounds for each individual application, Shevchenko said. "Instead, the focus can be directed toward examining unique processes and architectural components. Therefore, by addressing or mitigating common inherent threats, protection is extended to all applications leveraging those resources."
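A sketch of how the shared-resource approach described here, together with the custom threat library Romeo describes earlier, could be applied to an application inventory. This is an added example, not code from the whitepaper or from anyone quoted; the component names, applications, threats and the inherent/fixable flag are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: every name below is a hypothetical placeholder.
# Library entries are (threat description, is_inherent) per shared resource.
THREAT_LIBRARY = {
    "sso-gateway": [("Session token replay after theft", True)],
    "shared-postgres": [("DB administrator can read all tenant rows", True),
                        ("Unpatched extension", False)],
    "message-bus": [("Any publisher can spoof events", True)],
}
INVENTORY = {
    "billing": {"sso-gateway", "shared-postgres", "invoice-renderer"},
    "support-portal": {"sso-gateway", "message-bus"},
    "analytics": {"shared-postgres", "message-bus", "export-job"},
    "hr-tool": {"sso-gateway"},
}

def scale_threat_model(library, inventory):
    """Propagate inherent threats from shared resources to every app using them."""
    users = defaultdict(set)  # component -> apps that depend on it
    for app, components in inventory.items():
        for comp in components:
            users[comp].add(app)

    per_app = {}
    for app, components in inventory.items():
        # Traceability: each inherited threat names the resource it came from.
        inherited = sorted(
            (comp, threat)
            for comp in components
            for threat, inherent in library.get(comp, [])
            if inherent
        )
        # Components without a library entry still need their own modeling round.
        unmodeled = sorted(c for c in components if c not in library)
        per_app[app] = {"inherited": inherited, "unmodeled": unmodeled}

    # Rank shared resources by how many apps one mitigation would cover.
    priority = sorted(
        ((comp, len(apps)) for comp, apps in users.items() if comp in library),
        key=lambda item: (-item[1], item[0]),
    )
    return per_app, priority

if __name__ == "__main__":
    per_app, priority = scale_threat_model(THREAT_LIBRARY, INVENTORY)
    for comp, count in priority:
        print(f"{comp}: mitigation covers {count} app(s)")
    for app, result in per_app.items():
        print(app, result)
```

The `unmodeled` list is the per-application remainder: the unique components that still warrant a dedicated threat modeling pass.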
Callie Guenther, a cyberthreat research senior manager at Critical Start, said that in today's digital landscape, recognizing inherent threats to our systems is more than just a precaution — "it's a necessity." Understanding these threats allows us to model potential risks accurately, discerning between those that are fundamental to the technology and those we can actually mitigate. "This knowledge not only guides us in making savvy decisions about which risks we can tolerate but also ensures that our resources are pointedly directed toward safeguarding critical aspects of our infrastructure," she said.
Make it a feature and not a bug of your approach
Additionally, the inherent risks that emerge from necessary trade-offs — such as the balance between functionality and security — require us to think strategically about implementing effective controls without stifling essential features, Guenther said.
"As we scale our threat modeling efforts across vast application inventories, this understanding prioritizes our focus, helping us to fortify our systems proactively rather than reactively. This proactive stance is not just about defending against threats. It's about creating a resilient framework that supports sustainable growth and innovation."
—Callie Guenther