SlideShare a Scribd company logo
Resistance Isn’t Futile:
A Practical Approach to Prioritizing
Defenses with Threat Modeling
Katie Nickels
Shmoocon
§ Intel Team at Red Canary...for almost a month!
§ Former MITRE ATT&CK Threat Intel Lead
§ Chocolate, CrossFit, Cyber Threat Intelligence
Katie Nickels
PRINCIPAL INTELLIGENCE ANALYST
RED CANARY
@LiketheCoins
whoami
Resistance
seems futile
A BETTER WAY TO DEAL WITH THREATS
Threat Modeling can
help us prioritize
§ STRIDE
§ Spoofing identity
§ Tampering with data
§ Repudiation
§ Information disclosure
§ Denial of service
§ Elevation of privilege
§ OCTAVE, LINDDUN
Research on Threat Modeling
https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)
https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
§ Process for Attack Simulation and Threat Analysis (PASTA)
1. Define objectives
2. Define technical scope
3. Application decomposition
4. Threat analysis
5. Vulnerability & weaknesses analysis
6. Attack modeling
7. Risk & impact analysis
Research on Threat Modeling
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
...that’s a lot
CTI
§ Adding in a threat intelligence perspective
Our Threat Modeling Definition
Us Them
Threat Modeling
1. Know your organization
2. Know your threats
3. Prioritize and match them up
4. Make it actionable
A Simple Process to Start
§ Go talk to people
§ Find network maps (hint: they’re wrong)
§ Imagine worst-case scenarios
§ Retail: your website going down on Black Friday
§ Financial: your customers not trusting their balances
1. Know Your Organization
1. Know Your Organization
§ Look at past activity
§ Read open sources
§ Make an RSS feed
§ Talk to your peers
§ ISACs, Slack groups, email distros, social media, cons
2. Know Your Threats
2. Know Your Threats
§ Remember you can’t track all threats
§ Consider threats that have affected your industry
§ Think about what threats are likely to affect what you have
3. Prioritize and Match Them Up
3. Prioritize and Match Them Up
*Info is notional - DIY!
§ Think about what the threats have done in the past
§ Build out your model based on malware, tools, and TTPs
§ Make recommendations to improve defenses
§ Do this for each “you-to-them” connection
§ e.g. FIN7 → Windows
4. Make it Actionable
FIN7
https://mitre-attack.github.io/attack-navigator/enterprise/
Cobalt Group
TA505
Spearphishing
Attachment
§ Start somewhere and iterate
§ Your first model won’t be perfect
§ It doesn’t have to be
Rinse and Repeat
Resistance
isn’t futile
§ Threat modeling can be simple or complex
§ Adding in a threat intel perspective helps prioritize
§ Focusing on threats we care about drives better outcomes
Takeaways
§ https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)
§ https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
§ https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
§ https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
§ RSS feed suggestions: https://medium.com/katies-five-cents/ a-top-10-reading-list-if-youre-getting-
started-in-cyber-threat-intelligence-c11a18fc9798
§ Training on making defensive recommendations (Module 5):
https://attack.mitre.org/resources/training/cti/
§ Video on using ATT&CK Navigator: https://www.youtube.com/watch?v=pcclNdwG8Vs
§ https://mitre-attack.github.io/attack-navigator/enterprise/
§ Mind Mapping software: https://coggle.it/
References
Thank you!
Subscribe to our blog for the upcoming
Threat Detection Report and more.
REDCANARY.COM/BLOG
@LiketheCoins
@RedCanaryCo

More Related Content

What's hot

MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
MITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
3 Hkcert Trend
3  Hkcert Trend3  Hkcert Trend
3 Hkcert Trend
SC Leung
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE - ATT&CKcon
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
MITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE - ATT&CKcon
 
Red Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalRed Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a Criminal
Infosec
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the Cloud
ProtectWise
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
jeffmcjunkin
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)
ENOInstitute
 
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
MITRE - ATT&CKcon
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the Basics
Cybereason
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
Panda Security
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 

What's hot (20)

MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
3 Hkcert Trend
3  Hkcert Trend3  Hkcert Trend
3 Hkcert Trend
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
Red Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalRed Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a Criminal
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the Cloud
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)
 
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the Basics
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
 

Similar to Resistance Isn't Futile: A Practical Approach to Threat Modeling

Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star Wars
Adam Shostack
 
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
centralohioissa
 
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptxRethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
Inflectra
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
JustinBrown267905
 
Threat Modeling Lessons from Star Wars
Threat Modeling Lessons from Star WarsThreat Modeling Lessons from Star Wars
Threat Modeling Lessons from Star Wars
Adam Shostack
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
Anthony Melfi
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017
Laura Bell
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
GFI Software
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
Security Transformation
Security TransformationSecurity Transformation
Security Transformation
Faisal Yahya
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
Ty Sbano
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
OWASP EEE
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web Applications
Nadia BENCHIKHA
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
North Texas Chapter of the ISSA
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert Hurlbut
DevSecCon
 
IT Security for Nonprofits
IT Security for NonprofitsIT Security for Nonprofits
IT Security for Nonprofits
Community IT Innovators
 
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You..."Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
Izar Tarandach
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information security
Major Hayden
 

Similar to Resistance Isn't Futile: A Practical Approach to Threat Modeling (20)

Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star Wars
 
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
 
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptxRethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Threat Modeling Lessons from Star Wars
Threat Modeling Lessons from Star WarsThreat Modeling Lessons from Star Wars
Threat Modeling Lessons from Star Wars
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 
Security Transformation
Security TransformationSecurity Transformation
Security Transformation
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web Applications
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert Hurlbut
 
IT Security for Nonprofits
IT Security for NonprofitsIT Security for Nonprofits
IT Security for Nonprofits
 
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You..."Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information security
 

Recently uploaded

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 

Recently uploaded (20)

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 

Resistance Isn't Futile: A Practical Approach to Threat Modeling

  • 1. Resistance Isn’t Futile: A Practical Approach to Prioritizing Defenses with Threat Modeling Katie Nickels Shmoocon
  • 2. § Intel Team at Red Canary...for almost a month! § Former MITRE ATT&CK Threat Intel Lead § Chocolate, CrossFit, Cyber Threat Intelligence Katie Nickels PRINCIPAL INTELLIGENCE ANALYST RED CANARY @LiketheCoins whoami
  • 4. A BETTER WAY TO DEAL WITH THREATS Threat Modeling can help us prioritize
  • 5. § STRIDE § Spoofing identity § Tampering with data § Repudiation § Information disclosure § Denial of service § Elevation of privilege § OCTAVE, LINDDUN Research on Threat Modeling https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20) https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
  • 6. § Process for Attack Simulation and Threat Analysis (PASTA) 1. Define objectives 2. Define technical scope 3. Application decomposition 4. Threat analysis 5. Vulnerability & weaknesses analysis 6. Attack modeling 7. Risk & impact analysis Research on Threat Modeling https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
  • 8. § Adding in a threat intelligence perspective Our Threat Modeling Definition Us Them Threat Modeling
  • 9. 1. Know your organization 2. Know your threats 3. Prioritize and match them up 4. Make it actionable A Simple Process to Start
  • 10. § Go talk to people § Find network maps (hint: they’re wrong) § Imagine worst-case scenarios § Retail: your website going down on Black Friday § Financial: your customers not trusting their balances 1. Know Your Organization
  • 11. 1. Know Your Organization
  • 12. § Look at past activity § Read open sources § Make an RSS feed § Talk to your peers § ISACs, Slack groups, email distros, social media, cons 2. Know Your Threats
  • 13. 2. Know Your Threats
  • 14. § Remember you can’t track all threats § Consider threats that have affected your industry § Think about what threats are likely to affect what you have 3. Prioritize and Match Them Up
  • 15. 3. Prioritize and Match Them Up
  • 17. § Think about what the threats have done in the past § Build out your model based on malware, tools, and TTPs § Make recommendations to improve defenses § Do this for each “you-to-them” connection § e.g. FIN7 → Windows 4. Make it Actionable
  • 20. TA505
  • 22. § Start somewhere and iterate § Your first model won’t be perfect § It doesn’t have to be Rinse and Repeat
  • 24. § Threat modeling can be simple or complex § Adding in a threat intel perspective helps prioritize § Focusing on threats we care about drives better outcomes Takeaways
  • 25. § https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20) § https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 § https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html § https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1 § RSS feed suggestions: https://medium.com/katies-five-cents/ a-top-10-reading-list-if-youre-getting- started-in-cyber-threat-intelligence-c11a18fc9798 § Training on making defensive recommendations (Module 5): https://attack.mitre.org/resources/training/cti/ § Video on using ATT&CK Navigator: https://www.youtube.com/watch?v=pcclNdwG8Vs § https://mitre-attack.github.io/attack-navigator/enterprise/ § Mind Mapping software: https://coggle.it/ References
  • 26. Thank you! Subscribe to our blog for the upcoming Threat Detection Report and more. REDCANARY.COM/BLOG @LiketheCoins @RedCanaryCo