Adam Shostack presented on lessons learned from threat modeling. He discussed common traps to avoid, such as thinking threat modeling is easy or only for specialists. He outlined a simple approach using four questions: what are we working on, what can go wrong, what are we going to do about it, and how will we know if we're successful. Shostack also discussed the STRIDE mnemonic for categorizing threats and provided examples of mitigations for each category. His top ten lessons emphasized that anyone can threat model with the right skills and techniques.

1. Threat Modeling
Lessons from
StarWars
Adam Shostack
Presented
March 2021

2. About Adam Shostack
https://associates.shostack.org

3. Why Are We Here Today?
• Engineermore secure systems
• Structured, systematicand comprehensiveapproach
• Engineera consistent& predictable lack of surprise
• Works for you (as people, organization and ecosystem)

4. What Is Threat Modeling?

5. Agenda
–A simpleapproach to threat modeling
–Top 10 lessons

6. (Some history and)
A simple approach to
threatmodeling

7. 4 Questions

8. Web App
Customer
DB
Our App
Content
creation
What Are We Working On?

9. What Can Go Wrong?
Remember STRIDE

10. Spoofing
ByLegoEnvy,http://www.eurobricks.com/forum/index.php?showtopic=64532

11. Tampering
tp://pinlac.com/LegoDSTractorBeam.html

12. Repudiation
Repudiation
BySebHflickr.com/photos/88048956@N04/8531040850/

13. Information Disclosure

14. Photoby SimonLiu flickr.com/photos/si-mocs/6999508124/

15. Denial of Service
Model byNathanSawaya
http://brickartist.com/gallery/han-solo-in-carbonite/

16. Elevation of Privilege
flickr.com/photos/prodiffusion/

17. STRIDE Mnemonic
• Spoofing
• Tampering
• Repudiation
• InformationDisclosure
• Denialof Service
• Elevation of Privileges
…Helps us be structured in how we thinkabout threats

18. 4 Questions

19. What Are We Going To Do About
It?
Threat Property Mitigation approach
Spoofing Authentication  Passwords, multi-factor authN
 Digital signatures
Tampering Integrity  Permissions/ACLs
 Digital signatures
Repudiation Non-Repudiation
(Accountability)
 Secure logging and auditing
 Digital Signatures
Information Disclosure Confidentiality  Encryption
 Permissions/ACLS
Denial of Service Availability  Permissions/ACLs
 Filtering
 Quotas
Elevation of privilege Authorization  Permissions/ACLs
 Input validation

20. TOP TEN LESSONS

22. Trap #1: “Search your feelings!”
• “ThinkLikeAn Attacker”
• Serious work is helped by structure
Fix
Trap

23. Trap #2: “You’re Never Done Threat
Modeling”
Model
Identify
Threats
Mitigate
Validate
Model
Identify
Threats
Mitigate
Validate

24. Trap #3: “The Way To Threat Model
Is…”
• Too much focus on specifics of how
– Use this framework (STRIDE)
– With this diagram type
• Focus on helpingpeople find good threats
• Focus on differentskills, systems
– Developers
– Operations
Fix
Trap

25. Model
Identify
Threats
Mitigate
Validate
Trap Fix: Building blocks
Trap #3: Monolithic Processes

26. Security mavens Experts in other areas
Trap #3: “The Way To Threat Model
Is…”
Software
Systems

27. Trap #4: Threat Modeling as One Skill
• “I should learn tothreatmodel”
• Thinkof threatmodeling
– Likesoftwaredevelopment
– Techniques&repertoire
• Technique: DFDs,STRIDE,Attacktrees
• Repertoire:
– Tools:Firesheep,Hydra,Kali
– Books:Cuckoo'sEggtoCountdowntoZeroDay
• Allused toanalogize& reason about newsystems
Trap
Fix

28. Trap #5: “Threat Modeling is Easy”
• Thinkingyour first threatmodel will be easy
• “Driving is easy”
• Onceyou learn
• 40,000 US deaths peryear
• Planto work, build muscle
Trap
Fix

29. Trap #6: Threat Modeling is for
Specialists
• ThinkingTM is for specialists
• Make it likeversion control:
– Every developer, most sysadmins know some
– Some orgs have fulltime people managing trees
• This is a stretch goal for threatmodeling
Trap
Fix

30. Trap #7: The Wrong Focus
• Start from your assets
• Start by thinkingaboutyour attackers
• Threat modeling should focus on findingthreats
• Remember trap #3: “The way to threatmodel is”
• Startingfrom assets or attackers work for some people
Trap
Fix

31. Trap #8: Straining Against The Supply
Chain
• Trying to do it all
– Cost & feasibilityof fixeschanges
– Threats are “easy” to address at different parts
• SoC chipmakercan ship trusted boot
• Developers can addlogging, not seeonsite logs
• Thinkabout an alliance along your supply chain
– Security Operations Guide
– Non-requirements
Trap
Fix

32. Requirements
Threats Mitigations
Requirements drivethreats
Threats driverequirements
No mitigation?
Simplify requirements
Threats need mitigation
Mitigations can be bypassed
Trap #9: Laser-Like Focus on
Threats
Interplay of attacks, mitigations and requirements

33. Trap #10: Threat Model at the Wrong
Time
“Sir, we’veanalyzed their attack
pattern, and …
there is a danger”

34. Summary
• Anyone can threat model, and everyone should…soon!
• The skills, techniquesand repertoire can all be learned
• There are many traps
• Threat modeling can be the most effectiveway to drive security throughyour
product, service or system

35. “All models are wrong,
some models are useful”
— George Box, FRS

36. Thank you!

37. Questions?
https://associates.shostack.or
g

38. Resources
• adam.shostack.org/blog
• Threatmodelingbook.com
• Threatmodelingmanifesto.org
• TM channel at OWASP slack
– https://owasp.org/slack/invite
• https://www.linkedin.com/learning/instructors/adam-shostack
• adam@shostack.org
https://associates.shostack.or
g

39. Thank you!
• Star Wars: Episodes IV-VI
• Great CreativeCommons Lego brick art:
– Lego Envy,http://www.eurobricks.com/forum/index.php?showtopic=64532
– http://pinlac.com/LegoDSTractorBeam.html
– Seb H http://www.flickr.com/photos/88048956@N04/8531040850/
– Simon Liu http://www.flickr.com/photos/si-mocs/6999508124/
– KaitanTylerguy http://www.flickr.com/photos/kaitan/3326772088/
– NathanSawaya,http://brickartist.com/gallery/han-solo-in-carbonite/
– http://www.flickr.com/photos/prodiffusion/