The way I see it, "Threat Modeling" is quite different from "Threat Prediction". The former uses existing threat information to model trends and evaluate risk profiles (often with scoring systems such as CVSS); the latter assumes longer timescales and deals with factors or industry trends that cannot reasonably be precomputed and modeled.
Threat prediction typically requires the crystal ball to be rolled out and, depending upon the diviner, can be a little hit or miss at the best of times. However, I've found that threat predictions tend to become more accurate if you assume a few things first:
- If the bad guys can make money from exploiting it, you can bet that they'll try.
- The more sophisticated the technology, the more vulnerable it is to primitive attack.
- The lowest hanging fruit are the first to fall.
Common Sense Threat Prediction
Threats are evolving at an increasing pace, but in most areas it's not too hard to predict a few years into the future. While many "new" threats appear original at first glance, if you study your Internet security history you'll soon be able to draw parallels with past and present threats. In fact, the more you understand the mechanisms that shaped past threats, the better you'll be able to predict how new ones will evolve.
For example, look at how protection against password guessing has evolved...
- [Whitehat] Force the user to supply a password in order to log in, thereby stopping the blackhat from logging in with just the UserID.
- [Blackhat] Passwords can be guessed: automatically cycle through popular passwords to find the right one for the UserID and gain entry to the system.
- [Whitehat] Implement an account lockout procedure with a maximum failed-guess threshold (e.g. three failed password attempts and the account becomes inactive).
- [Blackhat] Abuse the threshold procedure to lock out lots of user accounts and so construct a denial of service attack, seeking to make money via extortion.
- [Whitehat] Set up a procedure to automatically unlock locked accounts after a few minutes or hours, thereby negating the DoS threat and the inconvenience to the end user.
- [Blackhat] Implement horizontal guessing of passwords. Armed with a long list of known UserIDs, try the same password against each UserID before trying a different password. No single account reaches the failure threshold before its counter is reset, so the automatic unlocking works in the attacker's favour and the guessing is never hindered.
- [Whitehat] Implement CAPTCHAs so that the blackhat's automated tools cannot pass the Turing test and keep guessing the UserID's password.
- [Blackhat] Socially engineer or recruit other Internet users to answer the CAPTCHAs and feed the results into the automated password guessing tool. [More discussion on these techniques can be found here and here.]
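To make the lockout, auto-unlock and horizontal-guessing steps concrete, here is an added Python example; it is not code from the original post. It models a server-side lockout policy with a failure window and an automatic unlock (the two whitehat steps), runs a vertical guesser against one account and a horizontal guesser across many (the two blackhat steps), and then goes one step past the list above by showing how a defender can still spot the horizontal pattern in the login log: one source failing against many distinct accounts even though nothing ever locks. The user list, password list and source addresses are constructed sample data, and the spray detector is my own addition rather than a step the post describes.

```python
from collections import Counter, defaultdict

# Constructed sample data for the demonstration, not taken from the original post.
USERS = {"alice": "Summer2008", "bob": "letmein", "carol": "correcthorse", "dave": "password1"}
POPULAR = ["123456", "password", "password1", "letmein", "qwerty", "Summer2008"]


class LockoutPolicy:
    """Whitehat lockout + auto-unlock: `threshold` failures inside `window_seconds`
    lock the account; the lock expires after `lockout_seconds`, so a lockout
    cannot be turned into a permanent denial of service."""

    def __init__(self, users, threshold=3, window_seconds=900, lockout_seconds=900):
        self.users = users
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)   # userid -> timestamps of recent failures
        self.locked_until = {}              # userid -> time the lock expires
        self.log = []                       # (time, source, userid, result) for the detector

    def login(self, userid, password, now, source):
        result = self._check(userid, password, now)
        self.log.append((now, source, userid, result))
        return result

    def _check(self, userid, password, now):
        if userid not in self.users:
            return "fail"                   # same answer as a bad password: don't leak UserIDs
        if self.locked_until.get(userid, 0.0) > now:
            return "locked"                 # lock still in force; auto-unlock happens by expiry
        if self.users[userid] == password:
            self.failures[userid].clear()
            return "ok"
        recent = [t for t in self.failures[userid] if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) >= self.threshold:
            self.failures[userid].clear()
            self.locked_until[userid] = now + self.lockout_seconds
            return "locked"
        self.failures[userid] = recent
        return "fail"


def vertical_guess(policy, userid, candidates, source, start=0.0):
    """Blackhat step 2: cycle popular passwords against one UserID, one per second.
    Returns (password or None, Counter of server responses)."""
    responses = Counter()
    for i, pw in enumerate(candidates):
        r = policy.login(userid, pw, start + i, source)
        responses[r] += 1
        if r == "ok":
            return pw, responses
    return None, responses


def horizontal_guess(policy, userids, candidates, source, start=0.0):
    """Blackhat step 4: try one password against every UserID before moving on, and
    wait out the failure window after every (threshold - 1) passes, so no account
    ever accumulates `threshold` failures and nothing locks."""
    found, responses, now = {}, Counter(), start
    passes_per_window = max(1, policy.threshold - 1)
    for n, pw in enumerate(candidates, start=1):
        for uid in userids:
            if uid in found:
                continue
            r = policy.login(uid, pw, now, source)
            responses[r] += 1
            now += 1.0
            if r == "ok":
                found[uid] = pw
        if n % passes_per_window == 0:
            now += policy.window_seconds    # let every account's failure counter age out
    return found, responses


def spray_sources(log, distinct_accounts=3, window_seconds=900):
    """Defender's counterpart (my addition, not a step on the original page): a source
    whose failures touch `distinct_accounts` different UserIDs inside one window is
    guessing horizontally, even though no single account ever locks."""
    per_source = defaultdict(list)          # source -> [(time, userid)] for failed logins
    flagged = set()
    for t, source, uid, result in log:      # log is already in time order
        if result == "ok":
            continue
        per_source[source].append((t, uid))
        recent = {u for ts, u in per_source[source] if t - ts < window_seconds}
        if len(recent) >= distinct_accounts:
            flagged.add(source)
    return flagged


if __name__ == "__main__":
    p = LockoutPolicy(USERS)
    print("vertical:", vertical_guess(p, "alice", POPULAR, source="198.51.100.9"))
    print("spraying sources:", spray_sources(p.log))
    p = LockoutPolicy(USERS)
    print("horizontal:", horizontal_guess(p, list(USERS), POPULAR, source="203.0.113.7"))
    print("spraying sources:", spray_sources(p.log))
```

With a threshold of three, the vertical run locks alice on its third guess and every later attempt is rejected, so the correct password (sixth in the list) is never reached. The horizontal run recovers three of the four passwords without a single lockout, which is exactly why per-account lockout alone is not enough; the per-source distinct-account count flags the horizontal run and not the vertical one.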
It's probably also worth pointing out that particular Internet threats and attack techniques never actually disappear; it's not uncommon for the same threat to reappear several years later in a slightly different guise because of some new implementation of an old (and vulnerable) technology. I wrote a whitepaper on the topic a couple of years ago: Old Threats Never Die.
With all that in mind, it's worth noting that threat prediction is getting easier. While the technologies are getting more and more sophisticated (and integrated), if you keep the thought "how would I make money from exploiting it?" at the forefront of your mind, you'll probably be reasonably good at predicting what the bad guys will do.