Case Study 1: The Equifax Breach - A Threat Modeling Failure
The 2017 Equifax breach, affecting 147 million people, stands as one of history's most devastating data breaches. While multiple factors contributed to the breach, inadequate threat modeling played a crucial role in leaving vulnerabilities unaddressed. Examining this failure provides valuable lessons for effective threat modeling.
Equifax's architecture included a web application framework with a known vulnerability (Apache Struts CVE-2017-5638). However, their threat model failed to adequately address several critical areas. First, the threat model didn't properly identify and prioritize third-party component risks. Despite using numerous open-source components, the organization lacked comprehensive tracking of dependencies and their vulnerabilities.
The breach began through the Struts vulnerability, but escalated due to architectural weaknesses that proper threat modeling should have identified. Network segmentation was insufficient—attackers moved laterally from the initial compromise to access multiple databases. The threat model failed to consider lateral movement threats and the need for internal network boundaries. Each database connection represented a trust boundary that should have been secured.
Data classification and protection represented another threat modeling gap. Social Security numbers, credit card information, and other sensitive data were stored in multiple locations without consistent encryption. A proper threat model would have identified these high-value assets and mandated encryption at rest. The 76 days attackers spent in the network exfiltrating data highlights the absence of data loss prevention controls that threat modeling should have recommended.
The lessons from Equifax are clear: threat modeling must encompass third-party components, consider lateral movement and data exfiltration scenarios, identify all locations of sensitive data, and recommend detective controls for the compromises that will inevitably occur. The breach's $1.4 billion cost starkly illustrates the price of inadequate threat modeling.
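As an added example that is not part of the case study, the four lessons above can be written as automated checks over a simple architecture model, so that each gap surfaces as a finding instead of relying on a reviewer to remember it. The component names, zones, versions and data flows are constructed, and the affected-version ranges used for CVE-2017-5638 are taken from memory of the public advisory and should be checked against it.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    zone: str                          # network segment, e.g. "dmz" or "internal"
    internet_facing: bool = False
    deps: dict = field(default_factory=dict)   # package -> version string
    holds_sensitive: bool = False      # SSNs, card data and similar
    encrypted_at_rest: bool = True
    egress_monitored: bool = False     # DLP / exfiltration detection present

# Inclusive affected ranges for CVE-2017-5638, from memory of the advisory (verify before use).
KNOWN_VULNS = {"struts2-core": [("CVE-2017-5638", (2, 3, 5), (2, 3, 31)),
                                ("CVE-2017-5638", (2, 5, 0), (2, 5, 10))]}

def vulnerable_deps(component):
    """Third-party lesson: match each dependency version against known-vulnerable ranges."""
    hits = []
    for pkg, ver in component.deps.items():
        pv = tuple(int(x) for x in ver.split("."))
        hits += [(pkg, ver, cve) for cve, lo, hi in KNOWN_VULNS.get(pkg, []) if lo <= pv <= hi]
    return hits

def find_gaps(components, flows):
    """flows: (src, dst) data paths. Returns (rule, detail) findings, one rule per lesson."""
    by_name = {c.name: c for c in components}
    findings = []
    for c in components:
        for pkg, ver, cve in vulnerable_deps(c):
            findings.append(("third_party", f"{c.name}: {pkg} {ver} affected by {cve}"))
        if c.holds_sensitive and not c.encrypted_at_rest:
            findings.append(("data_at_rest", f"{c.name}: sensitive data stored unencrypted"))
        if c.holds_sensitive and not c.egress_monitored:
            findings.append(("detection", f"{c.name}: no exfiltration monitoring"))
    for src, dst in flows:
        s, d = by_name[src], by_name[dst]
        # Lateral-movement lesson: each cross-zone path from an internet-facing component
        # into a sensitive store is a trust boundary that needs its own controls.
        if s.internet_facing and d.holds_sensitive and s.zone != d.zone:
            findings.append(("lateral_movement", f"{s.name} -> {d.name} crosses {s.zone}/{d.zone} boundary"))
    return findings

# Constructed sample model loosely shaped like the architecture described above.
SAMPLE_COMPONENTS = [
    Component("web-portal", "dmz", internet_facing=True, deps={"struts2-core": "2.3.30"}),
    Component("customer-db", "internal", holds_sensitive=True, encrypted_at_rest=False),
    Component("dispute-db", "internal", holds_sensitive=True, egress_monitored=True),
]
SAMPLE_FLOWS = [("web-portal", "customer-db"), ("web-portal", "dispute-db")]
```

Running `find_gaps(SAMPLE_COMPONENTS, SAMPLE_FLOWS)` on the sample model yields five findings: one vulnerable dependency, one unencrypted sensitive store, one store without exfiltration monitoring, and two unguarded trust-boundary crossings.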