Your Threat Model Should Include Nation-States
Nothing is true. Everything is permitted. Especially to adversaries with three-letter agency budgets.
Think for yourself. Question authority. Then model what happens when authority wants your data.
Threat modeling isn't paranoia—it's realistic risk assessment. Assume attackers with infinite resources exist, because they do. They have APTs, zero-days, supply chain access, and legal compulsion powers.
ILLUMINATION: Your threat model should include nation-states. Because theirs includes you.
Let's build threat models that acknowledge reality. Here's our approach, based on documented methodology:
The Five Questions Every Threat Model Answers
1. What Are We Building?
System architecture, data flows, trust boundaries. Map it. Document it. You can't threat model what you don't understand.
If you can't draw your system architecture, you can't secure it.
2. What Can Go Wrong?
Use STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Systematic threat enumeration.
The threat you don't consider is the one that kills you.
3. What Are We Doing About It?
Controls, mitigations, compensating measures. For each threat: Accept, Mitigate, Transfer, or Avoid. Document your choices.
Unmitigated threats aren't risks—they're eventual incidents.
4. Did It Work?
Test your mitigations. Pen tests, red teams, bug bounties. Assumptions kill. Verification saves.
Untested security is security theater with extra steps.
5. What Did We Miss?
Iterate. New features = new threats. Changing environment = changing risks. Threat modeling is continuous, not one-time.
The threat model you did two years ago is now historical fiction.
STRIDE: Systematic Threat Enumeration
Microsoft's STRIDE framework—actually useful, surprisingly:
| Threat Type | Security Property | Example Attack |
|---|---|---|
| Spoofing | Authentication | Attacker impersonates legitimate user or system |
| Tampering | Integrity | Data or code modified without authorization |
| Repudiation | Non-repudiation | User denies action, no way to prove otherwise |
| Information Disclosure | Confidentiality | Data exposed to unauthorized parties |
| Denial of Service | Availability | System made unavailable to legitimate users |
| Elevation of Privilege | Authorization | User gains capabilities they shouldn't have |
Walk through each component, each data flow, each trust boundary. Apply STRIDE. Document threats. Prioritize. Mitigate.
META-ILLUMINATION: STRIDE is a checklist, not gospel. But it beats guessing.
Know Thy Enemy: Adversary Modeling
Different adversaries, different capabilities, different motivations:
- Script Kiddies — Low skill, automated tools, mass scans. Defend with basics.
- Cybercriminals — Financially motivated, targeted, patient. Ransomware, exfiltration, fraud.
- Insiders — Already have access. Your biggest threat that security teams ignore.
- Competitors — Corporate espionage. They want your IP, your customers, your secrets.
- Nation-States — Infinite resources, zero-days, supply chain access, legal compulsion. If they want in, they're in.
Your threat model should include the worst case—nation-state adversaries—because that sets your defensive baseline. If you can defend against APTs, script kiddies are noise.
CHAOS ILLUMINATION: If your threat model doesn't include nation-states, you're threat modeling for 1995.
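Here is how the five questions, the STRIDE table and the adversary list fit together in code. This is an added example, not Hack23's methodology or tooling: it applies STRIDE per element to a small constructed data-flow model (external entities get Spoofing and Repudiation, processes all six categories, data stores T/R/I/D, data flows T/I/D), keeps only the threats some adversary you chose to model can actually execute, scores each by impact times the number of modelled adversary classes capable of it, and records an Accept/Mitigate/Transfer/Avoid decision per threat. The element names, trust zones, the 1..5 tier scale, the impact numbers and the supply-chain override are assumptions made for the example.

```python
"""STRIDE-per-element enumeration, adversary scoping and treatment tracking.

Added example, not Hack23's own tooling. The data-flow model, the adversary
tier scale and the impact scores below are constructed for illustration.
"""
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each kind of DFD element
# (external entities: S, R; processes: all six; data stores: T, R, I, D;
#  data flows: T, I, D).
STRIDE_BY_KIND = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

# Adversary classes on a constructed 1..5 capability scale.
ADVERSARY_TIER = {"script kiddie": 1, "cybercriminal": 2, "insider": 3,
                  "competitor": 3, "nation-state": 5}

# Minimum tier an attacker needs to be positioned in a trust zone: the
# internet is reachable by anyone, internal zones need someone who is
# already inside (assume breach) or can get there.
ZONE_TIER = {"internet": 1, "dmz": 2, "internal": 3}

TREATMENTS = {"Accept", "Mitigate", "Transfer", "Avoid"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # external | process | store | flow
    zone: str            # for flows: the zone the flow originates in
    impact: int          # 1..5, what compromise of this element costs us
    crosses: tuple = ()  # for flows: (source zone, destination zone)


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool
    min_tier: int        # least-capable adversary tier able to exploit it
    impact: int
    treatment: str = "Unmitigated"


def enumerate_threats(elements, overrides=None):
    """Question 2: apply STRIDE to every element. `overrides` raises the tier a
    specific (element, category) pair needs, e.g. a supply-chain tampering threat."""
    overrides = overrides or {}
    threats = []
    for e in elements:
        crosses = e.kind == "flow" and e.crosses[0] != e.crosses[1]
        for c in STRIDE_BY_KIND[e.kind]:
            tier = overrides.get((e.name, c), ZONE_TIER[e.zone])
            threats.append(Threat(e.name, c, crosses, tier, e.impact))
    return threats


def in_scope(threats, adversaries):
    """Keep only threats that some modelled adversary can actually execute."""
    ceiling = max(ADVERSARY_TIER[a] for a in adversaries)
    return [t for t in threats if t.min_tier <= ceiling]


def risk_score(threat, adversaries):
    """Impact times the number of modelled adversary classes able to exploit it."""
    capable = sum(1 for a in adversaries if ADVERSARY_TIER[a] >= threat.min_tier)
    return threat.impact * capable


def prioritize(threats, adversaries):
    scoped = in_scope(threats, adversaries)
    return sorted(scoped, key=lambda t: risk_score(t, adversaries), reverse=True)


def decide(threats, element, category, treatment):
    """Question 3: record Accept / Mitigate / Transfer / Avoid for one threat."""
    if treatment not in TREATMENTS:
        raise ValueError(f"treatment must be one of {sorted(TREATMENTS)}")
    for t in threats:
        if t.element == element and t.category == category:
            t.treatment = treatment


def unmitigated(threats):
    """Everything without a recorded decision: the eventual incidents."""
    return [t for t in threats if t.treatment == "Unmitigated"]


# Constructed model: browser -> API in the DMZ -> database, plus the build pipeline.
MODEL = [
    Element("Browser", "external", "internet", impact=2),
    Element("Login", "flow", "internet", impact=4, crosses=("internet", "dmz")),
    Element("API", "process", "dmz", impact=4),
    Element("Query", "flow", "dmz", impact=4, crosses=("dmz", "internal")),
    Element("DB", "store", "internal", impact=5),
    Element("Build", "store", "internal", impact=5),
]
# Tampering with the build pipeline is modelled as a supply-chain attack that
# only the top tier can pull off (constructed assumption).
OVERRIDES = {("Build", "T"): 5}

if __name__ == "__main__":
    threats = enumerate_threats(MODEL, OVERRIDES)
    everyone = list(ADVERSARY_TIER)
    no_apt = [a for a in everyone if a != "nation-state"]
    print(f"{len(threats)} threats; {len(in_scope(threats, no_apt))} in scope "
          f"without nation-states, {len(in_scope(threats, everyone))} with")
    for t in prioritize(threats, everyone)[:5]:
        print(f"{risk_score(t, everyone):3d}  {t.element:<8} {STRIDE_NAMES[t.category]}"
              + ("  [crosses trust boundary]" if t.crosses_boundary else ""))
    decide(threats, "Login", "I", "Mitigate")
    print(f"{len(unmitigated(threats))} threats still undecided")
```

Run it once with the full adversary list and once with nation-state removed: the build-pipeline tampering threat drops out of scope entirely in the second run, which is the baseline argument above in one number. Whatever `unmitigated()` still returns is your question 3 backlog, and re-running the enumeration after every architecture change is question 5.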
Our Approach: Assume Breach, Design Resilience
At Hack23, our threat modeling assumes the worst:
- Assume Breach — Adversaries are already in. Design for containment, not just prevention.
- Zero Trust Architecture — Trust nothing. Verify everything. No implicit trust.
- Defense in Depth — Multiple layers. No single point of failure.
- Minimal Attack Surface — Less code, fewer dependencies, simpler architecture. Simple survives.
- Continuous Monitoring — Detection, not just prevention. Assume they're in; find them fast.
- Incident Response — Plan for compromise. Playbooks, not panic.
Full methodology in our public Threat Modeling documentation—because security through obscurity is incompetence.
Welcome to Chapel Perilous: Threat Modeling Edition
Nothing is true. Everything is permitted. Especially to adversaries with APT-level capabilities.
Threat modeling isn't paranoia—it's realistic planning. The threat you don't model is the one that breaches you.
Think for yourself. Your threat model is unique. Don't copy-paste someone else's threats. Model your actual adversaries, not generic FUD.
ULTIMATE ILLUMINATION: You are now in Chapel Perilous. Every system is attackable. Your job is making attacks expensive enough they go elsewhere.
All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question everything—especially any security design that doesn't threat model nation-states."
— Hagbard Celine, Captain of the Leif Erikson 🍎 23 FNORD 5