KN
Uploaded byKatie Nickels
996 views

Resistance Isn't Futile: A Practical Approach to Threat Modeling

The document discusses a practical approach to threat modeling for prioritizing defenses against cyber threats. It emphasizes the importance of understanding organizational context, identifying relevant threats, and making actionable defenses based on threat intelligence. The process involves defining objectives, analyzing threats, and iterating on model improvements to enhance security outcomes.

Embed presentation

Resistance Isn’t Futile: A Practical Approach to Prioritizing Defenses with Threat Modeling Katie Nickels Shmoocon
§ Intel Team at Red Canary...for almost a month! § Former MITRE ATT&CK Threat Intel Lead § Chocolate, CrossFit, Cyber Threat Intelligence Katie Nickels PRINCIPAL INTELLIGENCE ANALYST RED CANARY @LiketheCoins whoami
Resistance seems futile
A BETTER WAY TO DEAL WITH THREATS Threat Modeling can help us prioritize
§ STRIDE § Spoofing identity § Tampering with data § Repudiation § Information disclosure § Denial of service § Elevation of privilege § OCTAVE, LINDDUN Research on Threat Modeling https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20) https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
§ Process for Attack Simulation and Threat Analysis (PASTA) 1. Define objectives 2. Define technical scope 3. Application decomposition 4. Threat analysis 5. Vulnerability & weaknesses analysis 6. Attack modeling 7. Risk & impact analysis Research on Threat Modeling https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
...that’s a lot CTI
§ Adding in a threat intelligence perspective Our Threat Modeling Definition Us Them Threat Modeling
1. Know your organization 2. Know your threats 3. Prioritize and match them up 4. Make it actionable A Simple Process to Start
§ Go talk to people § Find network maps (hint: they’re wrong) § Imagine worst-case scenarios § Retail: your website going down on Black Friday § Financial: your customers not trusting their balances 1. Know Your Organization
1. Know Your Organization
§ Look at past activity § Read open sources § Make an RSS feed § Talk to your peers § ISACs, Slack groups, email distros, social media, cons 2. Know Your Threats
2. Know Your Threats
§ Remember you can’t track all threats § Consider threats that have affected your industry § Think about what threats are likely to affect what you have 3. Prioritize and Match Them Up
3. Prioritize and Match Them Up
*Info is notional - DIY!
§ Think about what the threats have done in the past § Build out your model based on malware, tools, and TTPs § Make recommendations to improve defenses § Do this for each “you-to-them” connection § e.g. FIN7 → Windows 4. Make it Actionable
FIN7 https://mitre-attack.github.io/attack-navigator/enterprise/
Cobalt Group
TA505
Spearphishing Attachment
§ Start somewhere and iterate § Your first model won’t be perfect § It doesn’t have to be Rinse and Repeat
Resistance isn’t futile
§ Threat modeling can be simple or complex § Adding in a threat intel perspective helps prioritize § Focusing on threats we care about drives better outcomes Takeaways
§ https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20) § https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 § https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html § https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1 § RSS feed suggestions: https://medium.com/katies-five-cents/ a-top-10-reading-list-if-youre-getting- started-in-cyber-threat-intelligence-c11a18fc9798 § Training on making defensive recommendations (Module 5): https://attack.mitre.org/resources/training/cti/ § Video on using ATT&CK Navigator: https://www.youtube.com/watch?v=pcclNdwG8Vs § https://mitre-attack.github.io/attack-navigator/enterprise/ § Mind Mapping software: https://coggle.it/ References
Thank you! Subscribe to our blog for the upcoming Threat Detection Report and more. REDCANARY.COM/BLOG @LiketheCoins @RedCanaryCo

More Related Content

PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
byGert-Jan Bruggink
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
Security Testing for Test Professionals
byTechWell
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
byGert-Jan Bruggink
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
Security Testing for Test Professionals
byTechWell
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 

What's hot

PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PPT
3 Hkcert Trend
bySC Leung
 
PDF
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
PDF
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PPTX
Red Team Operations: Attack and Think Like a Criminal
byInfosec
 
PDF
Building a Threat Hunting Practice in the Cloud
byProtectWise
 
PDF
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
byOutpost24
 
PDF
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
PPTX
Cyber Threat Hunting: Identify and Hunt Down Intruders
byInfosec
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PDF
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
PPTX
Cyber Threat Hunting Training (CCTHP)
byENOInstitute
 
PDF
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
byMITRE - ATT&CKcon
 
PDF
Threat Hunting
bySplunk
 
PDF
Threat Hunting 102: Beyond the Basics
byCybereason
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PPTX
What is Threat Hunting? - Panda Security
byPanda Security
 
PPTX
The Diamond Model for Intrusion Analysis - Threat Intelligence
byThreatConnect
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
3 Hkcert Trend
bySC Leung
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
Red Team Operations: Attack and Think Like a Criminal
byInfosec
 
Building a Threat Hunting Practice in the Cloud
byProtectWise
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
byOutpost24
 
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
byInfosec
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
Cyber Threat Hunting Training (CCTHP)
byENOInstitute
 
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
byMITRE - ATT&CKcon
 
Threat Hunting
bySplunk
 
Threat Hunting 102: Beyond the Basics
byCybereason
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
What is Threat Hunting? - Panda Security
byPanda Security
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
byThreatConnect
 

Similar to Resistance Isn't Futile: A Practical Approach to Threat Modeling

PDF
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
PDF
Hunting for cyber threats targeting weapon systems
byFidelis Cybersecurity
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PDF
Practical Threat Modeling - WorldParty 2k23 HackMadrid.pdf
byJuan Vicente Herrera Ruiz de Alejo
 
PDF
ch_2_Threat_Modeling_Risk_assessment.pdf
bygajendra903637
 
PDF
SecurityOperations
byAntonio (Tony) Robinson
 
PPT
Reorganizing Federal IT to Address Today's Threats
byLumension
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPTX
Cyber Threats Awareness, Prevention, and Defense - DigitDefence
byyams12611
 
PDF
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
byOpenDNS
 
PPT
13734729.ppt
byAmitPandey388410
 
PPTX
Robert Lentz - CSO Perspectives Roadshow 2016
byCSO_Presentations
 
PPTX
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
byAnthony Melfi
 
PPTX
Security-Invest Where it Matters Most
byInnoTech
 
PPTX
CTI_introduction_recording final.pptx
byipalmer489
 
PDF
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
byTony Martin-Vegue
 
PDF
Threat Modeling Basics with Examples
bySanjeev Kumar Jaiswal
 
PPTX
Threat Modelling and managed risks for medical devices
byFrédéric Sagez
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PDF
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
byCODE BLUE
 
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
Hunting for cyber threats targeting weapon systems
byFidelis Cybersecurity
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Practical Threat Modeling - WorldParty 2k23 HackMadrid.pdf
byJuan Vicente Herrera Ruiz de Alejo
 
ch_2_Threat_Modeling_Risk_assessment.pdf
bygajendra903637
 
SecurityOperations
byAntonio (Tony) Robinson
 
Reorganizing Federal IT to Address Today's Threats
byLumension
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Cyber Threats Awareness, Prevention, and Defense - DigitDefence
byyams12611
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
byOpenDNS
 
13734729.ppt
byAmitPandey388410
 
Robert Lentz - CSO Perspectives Roadshow 2016
byCSO_Presentations
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
byAnthony Melfi
 
Security-Invest Where it Matters Most
byInnoTech
 
CTI_introduction_recording final.pptx
byipalmer489
 
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
byTony Martin-Vegue
 
Threat Modeling Basics with Examples
bySanjeev Kumar Jaiswal
 
Threat Modelling and managed risks for medical devices
byFrédéric Sagez
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
byCODE BLUE
 

Recently uploaded

PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
December Patch Tuesday
byIvanti
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
software-security-intro in information security.ppt
byismaeelsahib032
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
December Patch Tuesday
byIvanti
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 

Resistance Isn't Futile: A Practical Approach to Threat Modeling

  • 1.
    Resistance Isn’t Futile: APractical Approach to Prioritizing Defenses with Threat Modeling Katie Nickels Shmoocon
  • 2.
    § Intel Teamat Red Canary...for almost a month! § Former MITRE ATT&CK Threat Intel Lead § Chocolate, CrossFit, Cyber Threat Intelligence Katie Nickels PRINCIPAL INTELLIGENCE ANALYST RED CANARY @LiketheCoins whoami
  • 3.
  • 4.
    A BETTER WAYTO DEAL WITH THREATS Threat Modeling can help us prioritize
  • 5.
    § STRIDE § Spoofingidentity § Tampering with data § Repudiation § Information disclosure § Denial of service § Elevation of privilege § OCTAVE, LINDDUN Research on Threat Modeling https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20) https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
  • 6.
    § Process forAttack Simulation and Threat Analysis (PASTA) 1. Define objectives 2. Define technical scope 3. Application decomposition 4. Threat analysis 5. Vulnerability & weaknesses analysis 6. Attack modeling 7. Risk & impact analysis Research on Threat Modeling https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
  • 7.
  • 8.
    § Adding ina threat intelligence perspective Our Threat Modeling Definition Us Them Threat Modeling
  • 9.
    1. Know yourorganization 2. Know your threats 3. Prioritize and match them up 4. Make it actionable A Simple Process to Start
  • 10.
    § Go talkto people § Find network maps (hint: they’re wrong) § Imagine worst-case scenarios § Retail: your website going down on Black Friday § Financial: your customers not trusting their balances 1. Know Your Organization
  • 11.
    1. Know YourOrganization
  • 12.
    § Look atpast activity § Read open sources § Make an RSS feed § Talk to your peers § ISACs, Slack groups, email distros, social media, cons 2. Know Your Threats
  • 13.
    2. Know YourThreats
  • 14.
    § Remember youcan’t track all threats § Consider threats that have affected your industry § Think about what threats are likely to affect what you have 3. Prioritize and Match Them Up
  • 15.
    3. Prioritize andMatch Them Up
  • 16.
  • 17.
    § Think aboutwhat the threats have done in the past § Build out your model based on malware, tools, and TTPs § Make recommendations to improve defenses § Do this for each “you-to-them” connection § e.g. FIN7 → Windows 4. Make it Actionable
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
    § Start somewhereand iterate § Your first model won’t be perfect § It doesn’t have to be Rinse and Repeat
  • 23.
  • 24.
    § Threat modelingcan be simple or complex § Adding in a threat intel perspective helps prioritize § Focusing on threats we care about drives better outcomes Takeaways
  • 25.
    § https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20) § https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 §https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html § https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1 § RSS feed suggestions: https://medium.com/katies-five-cents/ a-top-10-reading-list-if-youre-getting- started-in-cyber-threat-intelligence-c11a18fc9798 § Training on making defensive recommendations (Module 5): https://attack.mitre.org/resources/training/cti/ § Video on using ATT&CK Navigator: https://www.youtube.com/watch?v=pcclNdwG8Vs § https://mitre-attack.github.io/attack-navigator/enterprise/ § Mind Mapping software: https://coggle.it/ References
  • 26.
    Thank you! Subscribe toour blog for the upcoming Threat Detection Report and more. REDCANARY.COM/BLOG @LiketheCoins @RedCanaryCo