Threat Modelling holds substantial importance in penetration testing, yet its significance often goes unrecognized. This presentation will elucidate the process of performing effective threat modelling during engagements, encompassing methodologies such as STRIDE and emphasizing real-world cases to underscore the implications of inadequate practices. Attendees will gain practical insights into implementing threat modelling through best practices, fostering a heightened appreciation for its role in enhancing cybersecurity strategies.
2. Whoami?
❖ Kharim Mchatta
❖ CEO of HACK IT CONSULTANCY
❖ Cybersecurity professional (Pen tester & Digital Forensics expert)
❖ Founder of H4K-IT (Cybersec community in TZ)
❖ CTF player
❖ Blogger
❖ Author at eForensics and Pentest Magazine
❖ DW Swahili Subject matter expert (cybersecurity)
6. BRUCE WAYNE/BATMAN THREAT MODEL
Batman's assets: Batman Cave, Alfred, Email, Cell Phone
Attackers: Police, Joker, Journalist
Attack vectors drawn from each attacker to the assets, each rated Low Risk, Med Risk or High Risk
7. BRUCE WAYNE/BATMAN THREAT MODEL
Batman's assets: Batman Cave, Alfred, Email, Cell Phone
Attackers: Police, Joker, Journalist
Controls placed between the attackers and the assets
11. PERSONAL EXPERIENCE IN THREAT MODELLING AS A NEWBIE
Flow: Kharim (with credentials) → Internet → Firewall → WordPress Website → Admin Panel Backend
The request goes through the firewall: if it is not malicious, access is granted; if it is malicious, access is denied. Once through, the user is successfully authenticated to the admin panel backend.
12. PERSONAL EXPERIENCE IN THREAT MODELLING AS AN EXPERIENCED NEWBIE
Flow: Kharim → Internet → Firewall → WordPress Website → Admin Panel
At the website: check the technologies used by the application; check for the existence of any WAF; perform manual enumeration.
Admin panel: if present, an attacker may use tools for enumeration, including enumeration for credentials; if not present, the flow stops there.
13. IMPORTANCE OF THREAT MODELLING
Determine where most effort should be applied on the system and its assets, e.g. Internet Banking vs the Bank Website.
14. Threat-modelling methods' uses include:
• To create an abstraction of the system
• To create profiles of potential attackers, including their goals and methods
• To create a catalogue of potential threats that may arise
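As an added example that is not part of the talk, the following Python puts the Bruce Wayne/Batman model from slides 6 and 7, the prioritisation point from slide 13 and the three uses from slide 14 into one small, runnable threat-model catalogue. The assets (Batman Cave, Alfred, Email, Cell Phone) and attackers (Police, Joker, Journalist) come from the slides; the STRIDE tags, the 1 to 5 likelihood and impact scales, the Low/Med/High thresholds, the attack vectors and the controls are all assumptions constructed for illustration. The point it shows is that controls change where the effort should go: the highest inherent risk is not the highest residual risk once controls are counted.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    """The six STRIDE threat categories named in the talk."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    EOP = "Elevation of privilege"


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points taken off the 1-5 likelihood score (assumed scale)


@dataclass
class Threat:
    asset: str
    attacker: str
    vector: str
    category: Stride
    likelihood: int  # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible .. 5 = severe (assumed scale)
    controls: list = field(default_factory=list)

    def residual_likelihood(self) -> int:
        """Likelihood after the listed controls; never drops below 1."""
        reduction = sum(c.likelihood_reduction for c in self.controls)
        return max(1, self.likelihood - reduction)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        return self.residual_likelihood() * self.impact


def risk_band(score: int) -> str:
    """Map a 1-25 score to the slide's Low / Med / High bands (thresholds assumed)."""
    if score >= 15:
        return "High Risk"
    if score >= 8:
        return "Med Risk"
    return "Low Risk"


def build_batman_model() -> list:
    """Assets and attackers from the slide; vectors, scores and controls are constructed."""
    return [
        Threat("Batman Cave", "Journalist", "Tails the Batmobile to locate the cave entrance",
               Stride.INFO_DISCLOSURE, likelihood=3, impact=5,
               controls=[Control("Concealed entrance and decoy routes", 2)]),
        Threat("Email", "Joker", "Phishing message that impersonates Alfred",
               Stride.SPOOFING, likelihood=4, impact=3,
               controls=[Control("Sender authentication and user awareness", 1)]),
        Threat("Cell Phone", "Police", "Call records linking Bruce Wayne to Batman",
               Stride.INFO_DISCLOSURE, likelihood=2, impact=5),
        Threat("Batman Cave", "Joker", "Planted device tampering with the cave computer",
               Stride.TAMPERING, likelihood=2, impact=4,
               controls=[Control("Physical access control on the cave", 1)]),
    ]


def prioritise(threats: list) -> list:
    """Slide 13: order threats so effort goes where residual risk is highest."""
    return sorted(threats, key=lambda t: t.residual_risk(), reverse=True)


def attacker_profiles(threats: list) -> dict:
    """Slide 14: profile each attacker by the assets they target and the methods attributed to them."""
    profiles = defaultdict(list)
    for t in threats:
        profiles[t.attacker].append((t.asset, t.category.value, t.vector))
    return dict(profiles)


def threat_catalogue(threats: list) -> dict:
    """Slide 14: catalogue of potential threats grouped by STRIDE category."""
    catalogue = defaultdict(list)
    for t in threats:
        catalogue[t.category.value].append(f"{t.attacker} -> {t.asset}")
    return dict(catalogue)


if __name__ == "__main__":
    model = build_batman_model()
    for t in prioritise(model):
        print(f"{t.asset:12} {t.attacker:11} inherent={t.inherent_risk():2} "
              f"({risk_band(t.inherent_risk())})  residual={t.residual_risk():2} "
              f"({risk_band(t.residual_risk())})")
    for attacker, entries in attacker_profiles(model).items():
        print(attacker, entries)
```

With these assumed scores the Journalist-to-Batcave threat is High Risk inherently but drops to Low Risk once the concealment control is counted, while the uncontrolled Police-to-Cell Phone threat ends up at the top of the residual list; that reordering is the decision slide 13 asks the tester to make.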