THREAT MODELLING IN PENETRATION TESTING
Whoami?
❖ Kharim Mchatta
❖ CEO of HACK IT CONSULTANCY
❖ Cybersecurity professional (Pen tester & Digital Forensics expert)
❖ Founder of H4K-IT (Cybersec community in TZ)
❖ CTF player
❖ Blogger
❖ Author at eForensics and Pentest Magazine
❖ DW Swahili subject matter expert (cybersecurity)
What is Threat Modelling?
Threat Modelling From a Business Perspective

Threat Modelling from a business perspective is the process of

[Diagram: an Organization behind a Firewall, PROTECTING its assets (People, PCs, Servers, Applications) against Threats (Hackers, Virus/worms)]
BRUCE WAYNE/BATMAN THREAT MODEL

[Diagram: BATMAN'S ASSETS (Batman Cave, Alfred, Email, Cell Phone) linked to ATTACKERS (Police, Joker, Journalist) by attack VECTORS, each rated Low Risk, Med Risk or High Risk]

[Diagram: the same assets and attackers, with CONTROLS placed on the attack vectors]
Threat Modelling From an Attacker's Perspective

[Diagram, ATTACKERS PERSPECTIVE: Hackers on the attacker side; on the asset side the Firewall, Server, Credentials, Admin Panel, Hidden Directories and Databases]

"Mmmhh!!! I guess this threat modelling stuff isn't bad after all"
PERSONAL EXPERIENCE IN THREAT MODELLING AS A NEWBIE

[Flow diagram: Kharim, holding Credentials, sends a request over the Internet to the Firewall. If the request is not malicious it goes through and access is granted to the WordPress Website; if malicious, access is denied. Once Successfully Authenticated at the Admin Panel, the request reaches Backend Access.]
PERSONAL EXPERIENCE IN THREAT MODELLING AS AN EXPERIENCED NEWBIE

[Flow diagram: Kharim, over the Internet, through the Firewall, to the WordPress Website]

• Check the technologies used by the application
• Check for the existence of any WAF
• Perform manual enumeration
• Admin Panel:
  • If present: attacker may use tools for enumeration; enumeration for credentials
  • If not present
IMPORTANCE OF THREAT MODELLING

Determine where most effort should be applied on the system and its assets.

[Diagram: Internet Banking VS Bank Website]

Threat-modelling methods are used:
• To create an abstraction of the system
• To create profiles of potential attackers, including their goals and methods
• To create a catalogue of potential threats that may arise
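A small worked version of the Batman threat model and of the "where should most effort go" point above, added here as an example and not taken from the slides: attacker-to-asset vectors are rated on the slide's Low/Med/High scale, controls on a vector lower its likelihood, and the vectors are ranked by residual risk. The likelihood and impact values and the control are constructed, and the rule that each control lowers likelihood by one step is an assumption.

```python
from dataclasses import dataclass, field

# Qualitative scale from the Batman slide (Low / Med / High) mapped to numbers.
LEVEL = {"Low": 1, "Med": 2, "High": 3}


def rating(score: int) -> str:
    """Fold a likelihood x impact product (1..9) back onto the slide's three levels."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Med"
    return "Low"


@dataclass
class Vector:
    """One attacker-to-asset line on the threat model diagram."""
    attacker: str
    asset: str
    likelihood: str  # how likely this attacker reaches this asset
    impact: str      # damage to Bruce Wayne if they do
    controls: list = field(default_factory=list)  # mitigations placed on the line

    def inherent(self) -> int:
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    def residual(self) -> int:
        # Assumption: each control lowers likelihood by one step, never below Low.
        likelihood = max(1, LEVEL[self.likelihood] - len(self.controls))
        return likelihood * LEVEL[self.impact]


def prioritise(vectors):
    """Highest residual risk first: that is where test and defence effort should go."""
    return sorted(vectors, key=lambda v: (v.residual(), v.inherent()), reverse=True)


# Constructed sample model; attacker and asset names come from the slide.
BATMAN = [
    Vector("Joker", "Batman Cave", "Med", "High", ["cave location known only to Alfred"]),
    Vector("Journalist", "Cell Phone", "High", "Med"),
    Vector("Police", "Email", "Low", "Med"),
    Vector("Joker", "Alfred", "Med", "High"),
]

if __name__ == "__main__":
    for v in prioritise(BATMAN):
        print(f"{v.attacker:>10} -> {v.asset:<12} inherent={rating(v.inherent())} "
              f"residual={rating(v.residual())} controls={len(v.controls)}")
```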
THAT'S ALL FOLKS

Author: Kharim Mchatta
Contacts: Kharimhmchatta@gmail.com | kharim.h mchatta | KMchatta
Threat Modelling in Penetration Testing | 2021