Threat modeling can be very involved, but shortcuts are fair game:
1) What do you have?
2) Who wants it?
3) What are the adversary's capabilities?
Can't answer 2 & 3? Start with industry threat reporting: https://github.com/rabobank-cdc/DeTTECT/tree/master/threat-actor-data.
Thanks for this, @bakk3rm and @rubenb_2!
4/14/2020, 1:49:20 PM