Threat Modeling Workshop Agenda
101 - Overview of Threat Modeling
● Threat Modeling Primer
● Threat Modeling Approaches (Pros vs. Cons)
201 - Advanced threat modeling in a DevOps world (aka Hacker Stories)
● Rapid Threat Modeling
● Applying a business oriented process
● Customize to your need
301 - BYOTM (Bring Your Own Threat Model)
● Let’s threat model together!
● Bring your own threat model scenarios
Whoami
Education
● Penn State University - B.S. Information Science and Technology
● Norwich University - Masters of Science Information Assurance
Certifications
● CISSP, SSCP, CEH, CCSK, CPT
Disclaimer
Independent, personal opinion, not a representation of my current employer or specifically of any past employers
“A man person convinced against his their will, is of the same opinion still” - Ben Franklin
Threat Modeling 101
Overview of TM
What is Threat Modeling?
Basis of Security Context
1. Confidentiality = Authorized
2. Integrity = Tamper Proof
3. Availability = Accessible
4. ...Reputation?
Threat Modeling Key Terms
1. Actor - The subject; can be a hacker, malware, an employee, etc.
2. Threat - An actor who is regarded as a danger or a menace
3. Vulnerability - A specific weakness in protections or controls
4. Impact - How bad could it be?
5. Likelihood - What is the probability of it occurring?
When do I threat model?
1. Scope Defined
a. Significant Changes
b. New Features
c. Business Critical Feature Enhancements
2. Time Defined
a. Align with SDLC
b. Project timing, resource availability
Anytime
When do I stop?
1. Lacks value or actionable outputs
2. Resource constraints
3. ...People stop caring or it doesn’t add value
Risks have been mitigated or goals have been achieved
Who do I involve?
1. Product Owners
2. Architects
3. Business Leaders
4. Developers
5. Testers
6. Etc.
It depends on the scope of the threat model and your goals
What framework should I use?
NAME                   | PROS                                                            | CONS
STRIDE / DREAD         | Business Oriented; Simple (Impact vs. Likelihood)               | Usability; Adoption
OCTAVE, OCTAVE-Allegro | Organization / Practice focused; Flexible (large vs. small org) | Time Consuming; Not for ad-hoc
TRIKE                  | Tool driven; Flexibility                                        | Time Consuming; Maintenance?
PASTA                  | Risk Centric; Incorporates other security activities            | Time Consuming; Scalability
FMEA                   | Business focused; Simple business engagement                    | Time Consuming; Limited validity in isolation
Pick any, just try to start smart
Can’t I just use tools?
1. Can require Data Flow Diagrams
a. You create Data Flow or Architecture Diagrams
2. Cost (Direct vs. Indirect)
a. Tools can be free and open source
b. Windows only!? (e.g. Microsoft Threat Modeling tool 2016)
3. Potential for missing the business intelligence
You can always partner or purchase tools to assist, but don’t forget about the culture
Threat Modeling Thematics
1. Data Driven
a. Architecture / Data Flow Diagram
2. SME Involvement
3. Actionable Artifact
4. Taxonomy
Determine how to add maximum value with minimal overhead
Threat Modeling 101 Takeaways
1. Threat Modeling is valuable in communicating risk
a. Be focused and “Don’t try to boil the ocean”
2. Find what works for your organization
a. Culture is key
3. Don’t try to over engineer or make it too complex
a. Keep in mind sustainability
Threat Modeling 201
Advanced TM in a DevOps world (aka Hacker Stories)
HACKER STORIES!
Pros
1. Agile/DevOps Friendly
2. Requires only semi-defined requirements
3. Requires fewer SMEs
4. Time-Boxed
AKA
● VAST, Rapid TM, Misuse/Abuse Cases, Tactical TM
HACKER STORIES are Product Management friendly
What is In-Scope?
1. High Risk changes (contextual to the business)
2. New Tech, New Supplier, New API
3. Architect doesn’t have a “trusted” blueprint
4. Authentication Changes
Out of Scope
1. Repeat changes using existing controls
2. Content Changes
3. A threat model already exists and the changes are nominal
HACKER STORIES are Product Management and Engineering friendly
How do I understand the business?
1. Assets
a. Keys to the Kingdom (Credentials, Information, People)
b. Data Processing Systems (Financial, Intelligence, Movement)
c. Physical (Currency, Goods, People)
2. What are the goals of the organization
a. Overall Mission
b. Annual / Quarterly Goals
Understand how your company makes profit
What about existing security controls?
1. Capabilities / Services Matrix
a. What is already in place?
i. Secure SDLC
ii. IDS/IPS
iii. FIM
iv. Authentication/Authorization
b. What is in the pipeline?
i. RASP / Next Gen Firewalls
ii. vSOC
Focus on actionable risks, not capabilities already established
High Level Post-It Completion
Who - Well defined persona
○ Malicious Hacker
○ Casual Security Researcher
○ Internal Threat
What/How - Attack Pattern / Goal
○ Steal Money/Data
○ Upload Malware
○ Any
Where - Location of opportunity
○ Environment
○ Internal/External
○ Cloud vs Data Center
When - Likelihood
○ Timing
○ Environment
Hacker Persona
1. How can I impact the business?
2. What do I have to do to cause damage?
3. What are the benefits for me? Hacker GOALS.
4. How easy is it to exploit the vulnerability?
Put on your HACKER GOGGLES and think about what you could do, but keep it grounded.
Definition of done?
1. Controls get built-in
a. Code/Feature delivered
2. Manual or automated code review to validate
3. Manual or automated dynamic testing to validate
4. Introduce Test Cases within QA
Trust, but verify
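An added example, not code from the workshop deck: it turns the in-scope triggers, the Who / What-How / Where / When post-it, the impact-vs-likelihood score and the definition-of-done checklist above into a small backlog helper a product team could keep beside its user stories. The trigger labels, the 1-5 scales and all field names are this example's own assumptions.

```python
"""Hacker Story backlog helper (added example, not from the workshop deck)."""
from dataclasses import dataclass, field

# "What is In-Scope?" slide: any one of these on a change triggers a Hacker Story.
# Labels are assumed for this example.
IN_SCOPE_TRIGGERS = {
    "high_risk_change", "new_tech", "new_supplier", "new_api",
    "no_trusted_blueprint", "auth_change",
}
# "Out of Scope" slide: changes that reuse existing controls or an existing model.
OUT_OF_SCOPE_TRIGGERS = {
    "repeat_change_existing_controls", "content_change", "nominal_change_existing_model",
}
# "Definition of done?" slide, in order: controls built, review, dynamic test, QA cases.
DONE_STEPS = ("controls_built", "code_review", "dynamic_test", "qa_test_cases")


def needs_hacker_story(triggers):
    """True when a change carries at least one in-scope trigger.

    Unknown labels raise instead of silently dropping the change out of scope.
    """
    unknown = set(triggers) - IN_SCOPE_TRIGGERS - OUT_OF_SCOPE_TRIGGERS
    if unknown:
        raise ValueError(f"unknown change triggers: {sorted(unknown)}")
    return bool(set(triggers) & IN_SCOPE_TRIGGERS)


@dataclass
class HackerStory:
    who: str            # well-defined persona (Malicious Hacker, Internal Threat, ...)
    what: str           # attack pattern / goal (Steal Money/Data, Upload Malware, ...)
    where: str          # location of opportunity (Cloud vs Data Center, Internal/External)
    when: str           # timing that makes it likely (deploy window, quarter end, ...)
    impact: int         # 1 (nuisance) .. 5 (keys to the kingdom); assumed scale
    likelihood: int     # 1 (unlikely) .. 5 (trivial to exploit); assumed scale
    done: dict = field(default_factory=lambda: {step: False for step in DONE_STEPS})

    def __post_init__(self):
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    def risk(self):
        """Simple impact x likelihood score, as on the STRIDE / DREAD row."""
        return self.impact * self.likelihood

    def as_story(self):
        """Phrase the post-it like a user story so it sits in the product backlog."""
        return (f"As a {self.who}, I want to {self.what} via {self.where} "
                f"when {self.when} (risk {self.risk()})")

    def complete(self, step):
        """Tick one definition-of-done step; unknown steps are rejected."""
        if step not in self.done:
            raise KeyError(f"unknown definition-of-done step: {step}")
        self.done[step] = True

    def remaining(self):
        """Definition-of-done steps still open, in the deck's order."""
        return [step for step in DONE_STEPS if not self.done[step]]

    def is_done(self):
        return not self.remaining()


def rank_backlog(stories):
    """Highest risk first, so the team starts with what matters, not the doomsday case."""
    return sorted(stories, key=lambda s: s.risk(), reverse=True)


if __name__ == "__main__":
    # Constructed sample stories for a hypothetical payments feature.
    backlog = [
        HackerStory("Malicious Hacker", "steal customer payment data",
                    "the new third-party payments API", "the integration goes live",
                    impact=5, likelihood=3),
        HackerStory("Internal Threat", "change a payout account number",
                    "the internal admin console", "quarter-end payout runs",
                    impact=4, likelihood=2),
    ]
    print("needs story:", needs_hacker_story(["new_api", "content_change"]))
    for story in rank_backlog(backlog):
        print(story.as_story(), "- open:", story.remaining())
```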
Downsides to Hacker Stories?
1. Not as comprehensive as traditional threat modeling
2. Lacks visual documentation, but doesn’t have to
3. Quick pivots
4. Experience/Knowledge/Wisdom
Internally you need to be processing other frameworks for Hacker Stories to work
Example 1 - https://www.dayofshecurity.com/
Threat Modeling 201 Hacker Stories Takeaways
1. Extremely customizable and meets the intent of threat modeling
2. Threat Modeling doesn’t have to be exhaustive
a. Don’t start with the “Doomsday” conversation
3. Add significant value with low overhead
a. Your business may appreciate your efforts
“Absorb what is useful, discard what is useless and add what is specifically
your own” - Bruce Lee
Continuing Education
● http://safecode.org
○ A non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods.
● https://www.owasp.org
○ A worldwide not-for-profit charitable organization focused on improving the security of software.
● https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx
○ Microsoft has been a pioneer in the Secure SDL and Threat Modeling space.
Threat Modeling 301 -
BYOTM (Bring Your Own Threat Model)
Example Breakdown - What is the project/feature?
Set CONTEXT
1. Ask Simple Questions
a. Who
b. What
c. Where
d. When
e. Why
Security CONTEXT
1. What is at risk
a. Who
b. What
c. Where
d. When
e. Why
Let’s whiteboard together!
Contact Me
1. Twitter - @tysbano
2. Linkedin - https://www.linkedin.com/in/tysbano/
3. Articles - https://techbeacon.com/contributors/ty-sbano
4. Website - http://www.tysbano.com
5. Instagram - https://www.instagram.com/takoyakity/
a. Nothing to do with security, I just enjoy photography
P.S. I’m Hiring!!!!
Threat modeling (Hacker Stories) workshop
Editor's Notes

  1. Image from www.futuristmovies.com
  2. Confidentiality - Is about whether they are authorized (Need to Know / Least Privilege) (e.g. an email sent to you with no digital signature and no encryption)
     Availability - Is about who can access and how they can access (e.g. an email sent from me to you)
     Integrity - Is the data tamper resistant? (e.g. forwarding an email message but modifying the body)
     Reputation - Also known as the business risk
  3. STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
     DREAD - Damage, Reproducibility, Exploitability, Affected Users, Discoverability
     OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation
     PASTA - Process for Attack Simulation and Threat Analysis
     VAST - Visual, Agile and Simple Threat Modeling
     FMEA - Failure Mode Effective Analysis