Written by Hans Francken

Threat Modeling and Threat Intelligence: Distinct and Complementary

By Robert Hurlbut

Threat modeling and threat intelligence are essential practices of a proactive security strategy. Occasionally, these terms can be confusing or mixed up because they sound similar (both start with “threat” – aren’t they the same?). Instead, these terms represent distinct and complementary approaches to understanding and mitigating cybersecurity risks. This blog post will explore their differences, how they complement each other, and how they can be integrated to provide a more secure posture for your organization.

What is Threat Modeling?

Threat modeling is a proactive approach to understanding, identifying, and addressing potential security threats to a system, application, or organization. It’s a security analysis technique that examines what could go wrong and how to prevent it.

Key Characteristics of Threat Modeling:

Preventive/Forward-Looking: Threat modeling is ideally performed during the design phase or ongoing for an existing system as new features are created and before vulnerabilities can be exploited.
System-Specific: The focus areas are on systems, applications, or business processes, analyzing their unique attack surfaces and potential weaknesses.
Structured Frameworks/Methodologies: Common frameworks include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) for application/system-centric threats and LINDDUN for privacy threats. PASTA (Process for Attack Simulation and Threat Analysis) is a 7-step methodology.

The Threat Modeling Process:

Understand the System: Create detailed diagrams showing system architectures, data flows, and trust boundaries
Identify Threats: Use structured approaches to enumerate potential threats against each system component
Assess Risk: Evaluate the likelihood and impact of identified threats
Define Countermeasures: Develop specific controls and mitigations for high-priority threats
Validate and Iterate: Continuously update the model as the system evolves

What is Threat Intelligence?

Threat intelligence collects, analyzes, and disseminates information about current and emerging security threats. It analyzes raw data about threats and turns them into actionable insights that inform security decisions.

Key Characteristics of Threat Intelligence:

Data-Driven/Reactive: Based on observed threat actor behavior, attack patterns, and indicators of compromise from real-world incidents.
Contextual Information: Detailed threat actor motivations, capabilities, tactics, techniques, and procedures (TTPs).
Timeliness: It focuses on the current threat landscape and emerging trends that could impact the organization.
External Focus: This strategy typically reviews sources outside the organization, including commercial feeds, open-source intelligence, and industry sharing.

Key Differences Between Threat Modeling and Threat Intelligence

	Threat Modeling	Threat Intelligence
Orientation	Future-focused, anticipates potential threats	Present and past-focused, analyzing current and historical threats
Scope/Context	Internal and system-specific	External and industry/threat-landscape focused
Methodology	Structured analytical process, uses established frameworks	Data collection, correlation, and analysis from multiple sources
Output/Application	Specific countermeasure/security controls	Contextual information to inform broader security strategy and operations
Stakeholders	Primarily used by developers, architects, and security engineers	Security operations teams, incident responders, and strategic decision-makers

How Threat Modeling and Threat Intelligence Complement Each Other

Threat Identification
Threat intelligence provides real-world context, making threat modeling more realistic and comprehensive by incorporating actual threat actor behaviors and attack patterns observed in the wild.

Prioritization of Threats
Threat intelligence helps organizations understand the most relevant threats to their industry, geography, or technology stack. This enables threat modelers to focus on credible attack vectors rather than on every conceivable threat equally.

Validation and Updates
As threat intelligence reveals new attack techniques or threat actor campaigns, existing threat models can be updated to reflect these evolving realities. This, in turn, creates feedback loops that keep threat models current and relevant.

Strategic and Tactical Security
Threat modeling provides a tactical approach to security, while threat intelligence provides the strategic context about the threat landscape.

Practical Integration Strategies

Improving Threat Models
Begin threat modeling exercises by reviewing any relevant threat intelligence reports. Understanding what threat actors target organizations like yours and their known TTPs can improve threat scenarios.

Validating Threat Models
Use threat intelligence to validate assumptions made during threat modeling. If your threat model assumes specific attack vectors are unlikely, check whether recent intelligence contradicts this assessment.

Updating Threat Models
Establish processes to update threat models based on new intelligence regularly. When threat intelligence reveals new attack techniques or threat actors targeting your industry, assess whether your existing threat models account for these developments.

Shared Risk Assessment Framework
Develop risk assessment criteria incorporating threat modeling outputs (system-specific vulnerabilities) and threat intelligence findings (threat actor capabilities and intentions).

Cross-Functional Collaboration
Foster collaboration between threat modeling teams and threat intelligence analysts. Use cross-team training so each set of teams understands the techniques and approaches of the other. Regular knowledge-sharing sessions can help each discipline inform and improve the other.

Conclusion

Threat modeling and threat intelligence represent distinct but complementary approaches to cybersecurity risk management. Threat modeling provides the systematic analysis needed to understand and secure specific systems, while threat intelligence offers the external context necessary to understand the evolving threat landscape.

You don’t have to choose between these approaches to apply—you can leverage both of them! By using threat intelligence to inform and validate threat models and threat modeling insights to guide intelligence collection and analysis, organizations can develop a more comprehensive and practical approach to cybersecurity.

Ready to master threat modeling?

About the Author

Robert is a seasoned software developer, software architect, and recognized leader in application security and threat modeling. He is dedicated to helping developers, architects, project managers, and other stakeholders strengthen their understanding of secure software design and architecture through threat modeling and related security practices. A strong advocate for building and sustaining organizational Threat Modeling Programs and Security Champion Programs, Robert brings extensive experience in guiding teams to successfully launch, scale, and mature these initiatives.