
Threat Model

Building a threat model is an efficient way to know which threats you need to protect against and which ones not to focus on. Note: a threat could be a nuisance, such as data collection for running ads, or it could be an actual threat to your security. For example, most people will need to protect themselves against general threats such as malware from malicious downloads and corporations that collect data on everything possible. There are some special cases which apply to a subset of people, usually based on their profession, such as journalists. It's common for nation state actors to spy on people in certain professions for a wide range of reasons.

If you need to protect yourself against a nation state actor, the info on this site isn't going to be able to help you. Their resources, talent, and capabilities are far beyond what a person or a small group can do. If you're ever truly wanted by one, they'll find you. While this may sound like a doomer take, it's realistic and I'm not going to give people false hope. The silver lining is that there are far more important matters going on at any time for a nation state to care about you, outside of rare cases. If you avoid drawing unneeded attention from them, this won't be an issue unless you live in an oppressive country.

When it comes to building a threat model, once you've got your threats figured out for your case, you can start making plans to mitigate the risks as much as you can. I've seen occasional posts throughout the years of a person saying they have nothing interesting, therefore a hacker wouldn't be interested in their data. This is a total fallacy. If you get ransomware on your computer, all your data is getting stolen, whether it's "interesting" or not. There may be someone out there who would have an interest in it. Or the attacker may decide to include it in a data dump and give everyone access to it.

Here are some examples of threats to consider:

Nation States
Malvertising
Advertisers
Ransomware
Phishing

Once you've figured out what your realistic threats are, you can figure out what security measures to take and how to apply them. Generally speaking, it's best to cover all your digital activity in this. One breach from being lax could cause you a headache later to clean up.

Here are some examples of items to protect (this is not an exhaustive list):

ALL of your data - passwords, photos, videos, emails, browser cookies, chats

Accounts - email (this is critical!), online banking, social media, merchant sites (e.g. Amazon), password manager

Devices - laptop, desktop, phone, tablet, router, IoT devices (e.g. cameras, thermostats, locks, etc.)

As you're doing this, I'll again stress it's important to be realistic. If the NSA is truly pursuing you, there's not much you can do. If you can do something to guard against their data collection - that's great. If you overestimate your threat model, it'll just turn into wasted time and effort. Once you've got your list of threats to guard against and the assets you need to cover, it's now time to think about the ways a breach can happen (again, this is non-exhaustive):

Ransomware, spyware, phishing, keyloggers, worms, vishing (this is becoming a larger threat due to AI voice generation), password attacks (brute force, dictionary, credential stuffing), vulnerabilities (apps, OS, firmware), data breaches, network attacks (e.g. Man-in-the-middle), browser fingerprinting, ISP monitoring, etc.

Now that you've got a better understanding of how these threats can reach you, you can prepare your defence. The rest of this website will apply heavily here. For example, I always recommend using 2FA on all accounts when it's an option, even if the account seems insignificant. Even one breached account can cause you grief. Besides that, secure backups, strong passwords, and router security are other essential baseline security items that should always be taken care of. When you look at posts from people who've been breached and need help, the majority of the time there was a lack of diligence which led to the issue.

It's also important to realize you'll have to deal with a breach sooner or later. This could be due to a mistake you make, or an issue caused by someone else (such as a business breach and your data being leaked). Plan ahead and think about what you'll need to do to clean up a mess. The sooner you prepare, the better the outcome will be. If you were driving a long road through the desert, you'd want two Camelbaks instead of one. Murphy's Law applies everywhere, so having an actual mitigation plan in place will help massively.