Information Security 6 min read

Cybersecurity as a discipline: threat modeling, architecture, and business risks

Moving from chaotic software procurement to systematic cyber resilience through threat modeling, architectural controls, and Security by Design principles.

The updated NIST CSF 2.0 framework has officially established the 'Govern' function as the core of modern cybersecurity. This decision has shifted information security from a purely technical IT department task to a strategic corporate governance imperative. Building security based on a 'firefighting' approach or chaotic procurement of security software licenses is a path to inevitable financial and reputational losses. Effective enterprise cyber resilience requires the integration of threat modeling, architectural controls, and business risks into a single, managed discipline.

Evolution of NIST CSF 2.0: why the 'Govern' function changes the game

The main problem in the modern enterprise segment is the lack of a common language between technical specialists (engineers, SOC analysts) and company management. Business evaluates security in terms of budgets and compliance, while engineers operate with vulnerabilities, CVEs, and logs. When these worlds do not intersect, investments in information security turn into 'paper security'—formal fulfillment of regulatory requirements without a real reduction in the probability of a successful attack.

According to research by ENISA, which analyzed 4,875 incidents between July 2024 and June 2025, more than 53.7% of successful attacks targeted essential entities subject to the European NIS2 directive. This indicates that even the presence of regulation does not guarantee protection if controls are implemented only for show. The introduction of the 'Govern' function in NIST CSF 2.0 is intended to integrate cyber risk management into the overall corporate strategy, forcing business leaders to directly participate in defining security priorities.

Threat modeling via MITRE ATT&CK: focus on attack vectors

Threat modeling is the bridge between business risks and technical implementation. Instead of abstract protection 'against everything,' a company must clearly understand who is attacking it and which assets are the targets. The MITRE ATT&CK matrix structures attacker behavior into tactics and techniques, providing SOC teams with a common language for mapping alerts to real attack scenarios.

The ENISA Threat Landscape 2025 report confirms that phishing remains the leading vector for initial access, accounting for approximately 27.7% of compromises. If a company's architecture ignores this risk, traditional network protection tools will not help when a user voluntarily provides credentials through a fake site.

Another example of specific business threats is the telecom sector. According to the CFCA Global Fraud Loss Survey 2025, global losses from fraud in this sector are estimated at approximately $41.82 billion. The lion's share of these losses is caused by subscription fraud and IRSF (International Revenue Share Fraud). Without deep modeling of such scenarios, it is impossible to build effective architectural anti-fraud controls.

Practical scenarios for applying threat modeling

  • Prioritizing phishing protection: based on data about initial access, the organization invests in strict authentication policies and hardware keys, reducing the probability of a successful attack.
  • Mapping SIEM to MITRE ATT&CK: configuring detection rules according to tactics (e.g., Lateral Movement) allows SOC analysts to more accurately prioritize incidents and reduce false positives.
  • Gap analysis based on NIST CSF 2.0: assessing existing controls against the threat profile helps prepare for ISO/IEC 27001 certification without creating fictitious policies.

Architecture against chaos: Zero Trust and segmentation

Implementing new detection tools does not eliminate the vulnerabilities of an incorrectly designed IT infrastructure. The foundation of modern protection is the Zero Trust concept. It requires that every access request—both external and internal—be authenticated, authorized, and encrypted. Micro-segmentation of the network and databases ensures that if one node is compromised, the attacker cannot move freely deeper into the infrastructure, which is critical for meeting NIS2 directive requirements regarding supply chain security.

Integrating security into the system lifecycle: the Intecracy Group approach

The most effective way to implement controls is to design systems using the Security by Design principle. This is the approach applied by specialized teams within the Intecracy Group alliance (notably Softengi in the area of custom development and cloud solutions). They design complex enterprise systems based on the UnityBase technology platform.

UnityBase is a full-stack JavaScript low-code platform for enterprise applications, which is a joint development of Intecracy Group companies (where InBase acts as a key, but not the only, developer). By using a unified domain metadata model, security is embedded directly at the architectural level. For high-load projects or systems with increased security requirements, the official page recommends the commercial Enterprise (EE) or Defence (DE) editions. They provide powerful access control mechanisms:

  • Row-Level Security (RLS) and Access Control Lists (ACL): flexible differentiation of access to specific records in the database based on roles and attributes.
  • Attribute-level security: restricting access to individual fields of documents or entities, which prevents unauthorized viewing of confidential data within a table.
  • Audit trail: immutable logging of all critical operations, which is a mandatory requirement for ISO/IEC 27001 and NIS2 compliance.
  • Digital signature support: tools for working with digital signatures (particularly in the Defence edition), ensuring legal validity and data integrity.

An example of the effectiveness of this approach is the Megapolis.DocNet electronic document management system, built on the UnityBase platform. It holds a G2-level information protection certificate, which allows it to be used in organizations with the strictest data processing requirements without the need to deploy 'overhead' security tools.

Enterprise cybersecurity architecture maturity scale

Maturity LevelCharacteristics of architecture and processes
Level 1: ChaoticReactive protection. No threat modeling. Security is perceived as 'buying an antivirus.'
Level 2: RegulatedBasic policies in place. MFA and network segmentation implemented, but technical controls are not linked to business risks.
Level 3: ManagedThreat modeling via MITRE ATT&CK. Regular gap analysis based on NIST CSF 2.0. Compliance with key NIS2 and ISO/IEC 27001 requirements.
Level 4: IntegratedSecurity by Design. Security is integrated into system architecture and code. Continuous monitoring, use of platforms with built-in RLS/ACL mechanisms.

Building effective cybersecurity is a continuous risk management process. By using NIST CSF 2.0 and MITRE ATT&CK frameworks for threat modeling, as well as designing the IT landscape according to Zero Trust principles on modern, secure platforms, organizations can achieve real resilience against attacks, rather than just formal compliance.

FAQ

How can we link the MITRE ATT&CK matrix to the practical configuration of rules in our SOC?

To do this, it is necessary to map log sources (e.g., operating system and network equipment logs) to specific ATT&CK techniques. This allows the response team to configure detection rules in the SIEM system so that they see not abstract alerts, but a specific step of the attacker in the attack chain.

Which key requirements of the NIS2 directive are critical for Ukrainian companies operating in the European market?

For companies integrating with European counterparties, the most critical aspects are ensuring supply chain security, strict access control, and the obligation to report serious incidents. Implementing the 'Govern' function from NIST CSF 2.0 and threat modeling helps to systematically prepare for these requirements.

Where should we start a gap analysis of IT infrastructure using the NIST CSF 2.0 methodology?

A gap analysis should start with the 'Govern' function. First, key business goals, critical assets (essential entities), and regulatory requirements should be defined. After that, the current state of controls is assessed against other framework functions (Identify, Protect, Detect, Respond, Recover) and compared with the required security profile.

Data sources

Sources & materials

Materials and sources used in this article.

  1. ENISA Threat Landscape 2025 — enisa.europa.eu
  2. NIST Cybersecurity Framework (CSF) 2.0 — nist.gov
  3. MITRE ATT&CK — attack.mitre.org
  4. CFCA Global Fraud Loss Survey 2025 — cfca.org