Brutalist Threat Modeling - Updated
Note: The original Brutalist Threat Model article aimed for brevity and focus. Based on subsequent questions, I have updated the approach a little bit. Same, same, but different?
A threat model styled after a Security Brutalist approach is direct, unadorned, and hyper-focused on identifying the most critical threats to the most valuable assets, driving immediate and practical remediation. It strips away academic complexity to deliver actionable insights. The process is a lean, no-nonsense assessment of security risks. It prioritizes clarity and action over exhaustive detail. Instead of delving into every theoretical attack path, it brutally focuses on:
- What's most valuable? (Critical Assets/Data)
- Who wants it and why? (Threat Actors & Motivations)
- How will they likely get it? (Primary Attack Vectors)
- What's the worst outcome? (Direct Impact)
- What's the simplest, most effective fix? (Key Mitigations)
The focus is on building a strong, raw, foundational understanding of risk, much like Brutalist Architecture exposes the raw materials and structural elements. No fluff, no hidden complexities.
Rationale
This approach is ideal for organizations starting from scratch or with failing security programs because it:
- Accelerates Action: Cuts through analysis paralysis to identify immediate, high-impact security work.
- Ensures Clarity: Everyone understands the core risks and the necessary controls.
- Optimizes Resources: Focuses limited time and budget on the most critical vulnerabilities.
- Builds Foundational Strength: Addresses the "concrete" security issues first, creating a solid base before adding layers.
- Enables Business: By quickly addressing core risks, it removes blockers and builds trust, allowing the business to operate more securely.
A Brutalist Threat Model Template
Note that this is just one template. You'll need to adapt it to your specific organizational needs.
Field | Description |
---|---|
Asset/System | What specific system or data are we protecting? |
Critical Function | What is its primary business purpose? |
Top 3 Threats | Who (actor) and how (method) are the most likely/impactful attacks? |
Top 3 Impacts | What are the worst direct consequences if a threat materializes? |
Key Mitigations | What are the simplest, most effective controls to reduce these threats? |
Owner | Who is directly responsible for this asset's security and its mitigations? |
Example: A Brutalist Threat Model for a Customer Login Service
Field | Description |
---|---|
Asset/System | Customer Login Service |
Critical Function | Authenticates users to access their accounts and data. |
Top 3 Threats | 1. External: Credential stuffing/brute-force attacks (automated). 2. External: Phishing to steal credentials (social engineering). 3. Internal: Malicious insider attempting to gain unauthorized access. |
Top 3 Impacts | 1. Account takeover, leading to data breaches and financial loss. 2. Reputational damage and loss of customer trust. 3. Unauthorized access to sensitive administrative functions (if applicable). |
Key Mitigations | 1. Implement Multi-Factor Authentication (MFA) for all users. 2. Rate limiting and account lockout mechanisms. 3. Strong password policies and monitoring for compromised credentials. |
Owner | Engineering Team Lead (owning the service) |
This example demonstrates the directness of a Brutalist Threat Model. It quickly identifies the core threats and the most impactful mitigations without getting bogged down in less likely scenarios. It doesn't have to be complicated. The more you apply this, the stronger the basics become, ultimately leading to a more resilient and adaptive security program.
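To show that the "Key Mitigations" row of the login-service example really is simple to act on, here is an added example (not code from the article or any project it describes) that turns mitigation 2, rate limiting and account lockout, into a small, testable policy. The thresholds, the class and function names, and the sample login attempts are all constructed for illustration; the article gives no numbers of its own.

```python
"""
Added example (not from the article): the "rate limiting and account lockout"
mitigation from the Customer Login Service threat model, expressed as a
sliding-window limit per source IP plus a per-account lockout after repeated
failures. All thresholds and sample traffic below are constructed assumptions.
"""
from collections import defaultdict, deque

# Constructed policy parameters (assumptions, not figures from the article).
IP_WINDOW_SECONDS = 60        # length of the sliding window per source IP
IP_MAX_ATTEMPTS = 20          # attempts per IP per window before throttling
ACCOUNT_LOCK_FAILURES = 5     # consecutive failures before an account locks
ACCOUNT_LOCK_SECONDS = 900    # lockout duration (15 minutes)


class LoginGuard:
    """Tracks login attempts and decides whether each one may proceed."""

    def __init__(self):
        self.ip_attempts = defaultdict(deque)   # ip -> recent attempt timestamps
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock timestamp

    def decide(self, ts, ip, account, password_ok):
        """Return one of 'allow', 'deny', 'throttled' or 'locked'.

        password_ok is the outcome of the credential check, supplied by the
        caller; this class only enforces rate limiting and lockout around it.
        """
        # Lockout check first: a locked account is refused even with the right
        # password, so an attacker cannot confirm a hit during the lockout.
        until = self.locked_until.get(account)
        if until is not None and ts < until:
            return "locked"

        # Sliding-window rate limit per source IP: drop timestamps that have
        # aged out of the window, record this attempt, then compare to the cap.
        window = self.ip_attempts[ip]
        while window and ts - window[0] >= IP_WINDOW_SECONDS:
            window.popleft()
        window.append(ts)
        if len(window) > IP_MAX_ATTEMPTS:
            return "throttled"

        if password_ok:
            self.failures[account] = 0     # success resets the failure streak
            return "allow"

        self.failures[account] += 1
        if self.failures[account] >= ACCOUNT_LOCK_FAILURES:
            self.locked_until[account] = ts + ACCOUNT_LOCK_SECONDS
            self.failures[account] = 0
            return "locked"
        return "deny"


def run_scenario(attempts):
    """Feed (ts, ip, account, password_ok) tuples through one LoginGuard.

    Returns the per-attempt decisions and a count of each decision type.
    """
    guard = LoginGuard()
    decisions = [guard.decide(*attempt) for attempt in attempts]
    counts = defaultdict(int)
    for decision in decisions:
        counts[decision] += 1
    return decisions, dict(counts)


# Constructed sample traffic: one legitimate login, then a credential-stuffing
# burst from a single IP against many accounts, then repeated failures against
# one account, and finally that account's real owner returning while locked.
LEGIT = [(0, "10.0.0.5", "alice", True)]
STUFFING = [(1 + i, "203.0.113.9", f"user{i}", False) for i in range(30)]
BRUTE = [(100 + i, "198.51.100.7", "bob", False) for i in range(6)]
BOB_RETURNS = [(110, "10.0.0.8", "bob", True)]

if __name__ == "__main__":
    decisions, counts = run_scenario(LEGIT + STUFFING + BRUTE + BOB_RETURNS)
    print(counts)
```

The two controls are deliberately independent: the per-IP window catches a burst spread across many accounts (which per-account counters never see), while the per-account lockout catches a slow attack on one account spread across many IPs. Which thresholds fit a real service depends on its traffic, and a lockout that is too easy to trigger becomes a denial-of-service lever against legitimate users, which is why the lockout here expires on its own rather than requiring manual reset.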