HACK IT
CONSULTANCY
We secure what matters the most to you
Who am I
• Mchatta Kharim
• CEO at HACK IT Consultancy
• Half a decade of experience in cybersecurity and digital forensics
• My experience spans various industries, including financial institutions, educational institutions, government institutions, non-profit organizations, telecommunications, research institutes, publishing institutes, etc.
Experience in Africa
Kenya
• Public Speaking
• Training
• CTF Competition
• Mentor
Tanzania
• Public Speaking
• Training
• CTF Competition
• Digital Forensics
• Penetration Testing
• Curriculum Creation
• Public Speaking
Egypt
• Public Speaking
• Public Speaking
Morocco
Rwanda
• Public Speaking
Nigeria
• Penetration testing
Ghana
• Penetration testing
• Public speaking
South Africa
• Penetration testing
Benin
Uganda
• Public Speaking
Experience in USA & Europe
United States of America
• Penetration Testing, US Department of Defense
UK
• Author at eForensics Magazine
• Author at PenTest Magazine
• Penetration testing (Research Institute)
Poland
Germany
• Subject Matter Expert (DW Swahili)
CYBERSECURITY IN DIGITAL TRANSFORMATION
Today's talk will cover:
What is threat modelling
- Business perspective (blue teaming)
- Attacker's perspective (red teaming)
Key takeaways of threat modelling
Reasons why we threat model
THREAT MODELLING
Definitions:
What is threat modelling
a. The business perspective (blue teaming perspective)
b. The attacker's perspective (red teaming perspective)
In threat modelling there are two perspectives that people need to understand, depending on the occupation you are in.
THREAT MODELLING (BUSINESS PERSPECTIVE)
Diagram: protecting the organization's assets (PCs, servers, applications, the organization itself, people) against threats (hackers, viruses/worms), with a firewall shown as the control between them.
Threat modelling from a business perspective is the process of
THREAT MODELLING (BRUCE WAYNE / BATMAN)
Diagram: Batman's assets (Batman Cave, Alfred, Email, Cell Phone) mapped against attackers (Police, Joker, Journalist), with each attack vector rated Low Risk, Med Risk or High Risk.
The second Batman slide repeats the same assets and attackers and adds the controls that protect each asset.
THREAT MODELLING (REAL-WORLD SCENARIO)
Diagram: Application A, an internal web server belonging to a milk company, beside Application B, a third-party web server belonging to a tea company.
Of the two companies, which one is going to spend a lot of resources securing its application, and why?
THREAT MODELLING (ATTACKER'S PERSPECTIVE)
Threat modelling from a business perspective is the process of
Diagram: assets as the attacker sees them (Firewall, Server, Credentials, Admin Panel, Hidden Directories, Databases) on one side and the attackers (Hackers) on the other.
THREAT MODELLING (ATTACKER'S PERSPECTIVE)
Threat modelling helps attackers identify the shortest route to their end goal.
THREAT MODELLING
1. Understand your target - understand the target's business model and what its assets are.
2. What is your objective - identify your end goal; is it to see what less privileged users can do in the system, etc.?
3. List of tasks to do - you must have a checklist of the things you must do.
4. Attack vectors to cover - which attack vectors are going to be used: authentication, non-authentication, social engineering, etc.?
5. Hindrances to the attack vectors - what is going to stop your attacks from succeeding: firewalls, filtering mechanisms, IDPS, scripting disabled, enumeration disabled, a changed administrative URL, etc.?
Speech bubble: "Mmmhh!!! I guess this threat modelling stuff isn't bad after all."
THREAT MODELLING (ATTACKER'S PERSPECTIVE)
This is one of the ways in which an attacker would approach their target.
Diagram: a rookie attacker moves from the Website, to gaining Access, to the Admin Panel, to Credentials.
Authentication attacks: password guessing.
Non-authentication attacks: check the technology used; check whether a WAF exists; check for filtering mechanisms; look for hidden directories; look for misconfiguration; backup files, config files, etc.
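The two vectors on this slide, password guessing against the admin panel and probing for hidden directories and backup/config files, are also what a defender watches for in the web server logs. As an added example that is not part of the original deck, the Python script below runs simple detection logic for both over a few constructed access-log lines; the log format, the login path, the sensitive-path patterns and the thresholds are all assumptions of mine, not values from the slides.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined"-style line (assumed format):
#   <ip> - - [<timestamp>] "<method> <path> HTTP/x" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths an enumeration run typically probes for: backups, config files, VCS metadata.
# Constructed starting point, not an exhaustive signature set.
SENSITIVE_PATH_RE = re.compile(
    r"(\.bak$|\.old$|~$|\.zip$|\.tar\.gz$|\.sql$|/\.env$|/\.git/|/\.svn/|config\.php|backup)",
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev

def detect_password_guessing(events, login_path="/admin/login",
                             threshold=5, window=timedelta(minutes=5)):
    """Authentication attacks: one source IP rejected (401/403) at the admin login
    `threshold` or more times inside any `window`-long interval."""
    rejected = defaultdict(list)
    for ev in events:
        if (ev["method"] == "POST" and ev["path"] == login_path
                and ev["status"] in (401, 403)):
            rejected[ev["ip"]].append(ev["ts"])
    findings = []
    for ip, times in rejected.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"ip": ip, "vector": "password_guessing", "count": peak})
    return findings

def detect_enumeration(events, threshold=4):
    """Non-authentication attacks: one source IP collecting `threshold` or more 404s
    on distinct sensitive-looking paths (hidden directories, backup/config files)."""
    probed = defaultdict(set)
    for ev in events:
        if ev["status"] == 404 and SENSITIVE_PATH_RE.search(ev["path"]):
            probed[ev["ip"]].add(ev["path"])
    return [{"ip": ip, "vector": "hidden_directory_enumeration", "count": len(paths)}
            for ip, paths in probed.items() if len(paths) >= threshold]

def analyse(log_text):
    """Parse the log text (skipping unparseable lines) and return all findings."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return detect_password_guessing(events) + detect_enumeration(events)

# Constructed sample log: one guessing run, one enumeration run, and benign traffic.
SAMPLE_LOG = """\
192.0.2.5 - - [10/May/2024:11:58:40 +0000] "GET / HTTP/1.1" 200 1834
192.0.2.5 - - [10/May/2024:11:59:02 +0000] "POST /admin/login HTTP/1.1" 401 512
192.0.2.5 - - [10/May/2024:11:59:30 +0000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2024:12:00:08 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2024:12:00:11 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2024:12:00:14 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.20 - - [10/May/2024:12:03:01 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.20 - - [10/May/2024:12:03:02 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.20 - - [10/May/2024:12:03:02 +0000] "GET /config.php.bak HTTP/1.1" 404 153
198.51.100.20 - - [10/May/2024:12:03:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 153
198.51.100.20 - - [10/May/2024:12:03:04 +0000] "GET /db.sql HTTP/1.1" 404 153
192.0.2.5 - - [10/May/2024:12:05:00 +0000] "GET /old.bak HTTP/1.1" 404 153
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The single failed login and single stray 404 from 192.0.2.5 stay below both thresholds, which is the point of counting per source inside a window rather than alerting on every rejected request.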
THREAT MODELLING (OUTCOME FROM BUSINESS)
Business outcomes of threat modelling
a. Identifying the assets owned by the company
b. Knowing what threats the assets are exposed to
c. Identifying which assets need more emphasis on security
d. Increased asset security
THREAT MODELLING (OUTCOME FROM BUSINESS)
Attacker outcomes of threat modelling
a. Finding the shortest route to the target
b. Efficient and precise attacks
c. Saved time for the attacker
“If you don’t invest in cybersecurity, you will be dead”
Stephen Kwame – MD of SIC Insurance
CYBERSECURITY IN DIGITAL TRANSFORMATION
ANY QUESTIONS?
Author: Kharim Mchatta
Email: info@hackitconsultacy.com
Website: www.h4k-it.com
LinkedIn: hack it consultancy
Instagram: @hackitconsultancy
Threat Modelling | 2023