HACK IT CONSULTANCY
We secure what matters the most to you
Who am I
• Mchatta Kharim
• CEO at HACK IT Consultancy
• Half a decade of experience in cybersecurity and digital forensics
• My experience revolves around various industries, including financial institutions, education institutions, government institutions, non-profit organizations, telecommunication, research institutes, publication institutes, etc.
Experience in Africa
Kenya
• Public Speaking
• Training
• CTF Competition
• Mentor
Tanzania
• Public Speaking
• Training
• CTF Competition
• Digital Forensics
• Penetration Testing
• Curriculum Creation
Egypt
• Public Speaking
Morocco
Rwanda
• Public Speaking
Nigeria
• Penetration testing
Ghana
• Penetration testing
• Public speaking
South Africa
• Penetration testing
Benin
Uganda
• Public Speaking
Experience in USA & Europe
United States of America
• Penetration Testing, US Department of Defense
UK
• Author at eForensics Magazine
• Author at PenTest Magazine
• Penetration testing (Research Institute)
Poland
Germany
• Subject Matter Expert (DW Swahili)
CYBERSECURITY IN DIGITAL TRANSFORMATION
Today's talk will be around:
• What is threat modelling
- Business perspective (blue teaming)
- Attacker's perspective (red teaming)
• Key takeaways of threat modelling
• Reasons why we threat model
THREAT MODELLING
Definitions: what is threat modelling
a. The business perspective (blue teaming perspective)
b. The attacker's perspective (red teaming perspective)
In threat modelling there are two perspectives that people need to understand, depending on the occupation you are in.
THREAT MODELLING (BUSINESS PERSPECTIVE)
PROTECTING
• Assets: PC, Servers, Applications, Organization, People
• Threats: Hackers, Virus/worms
• Firewall
Threat modelling from a business perspective is the process of
THREAT MODELLING (BRUCE WAYNE / BATMAN)
• BATMAN'S ASSETS: Batman Cave, Alfred, Email, Cell Phone
• ATTACKERS: Police, Joker, Journalist
• VECTORS from each attacker to each asset, rated Low Risk, Med Risk or High Risk

THREAT MODELLING (BRUCE WAYNE / BATMAN)
• BATMAN'S ASSETS: Batman Cave, Alfred, Email, Cell Phone
• ATTACKERS: Police, Joker, Journalist
• CONTROLS
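The Batman slides as a worked example, in Python. This is an added illustration, not code from the deck or from HACK IT Consultancy: the assets, attackers, the Low/Med/High vector ratings and the idea of controls come from the slides, while the 1-5 likelihood and impact scores, the bucket thresholds, the named controls and the assumed effect of a control are constructed here for illustration. It scores every attacker-to-asset vector, buckets it, orders the assets by their worst vector, and then shows what the matrix looks like once the top two assets get their control.

```python
"""Worked threat model for the Bruce Wayne / Batman slides.

Added example, not part of the original deck. The assets, attackers and the
Low/Med/High buckets come from the slides; the 1-5 likelihood and impact
scores, the bucket thresholds and the control names are constructed here
for illustration only.
"""
from itertools import product

ASSETS = ["Batman Cave", "Alfred", "Email", "Cell Phone"]
ATTACKERS = ["Police", "Joker", "Journalist"]

# Constructed likelihood (1-5): how likely this attacker goes for this asset.
LIKELIHOOD = {
    ("Batman Cave", "Police"): 2, ("Batman Cave", "Joker"): 4, ("Batman Cave", "Journalist"): 3,
    ("Alfred", "Police"): 1,      ("Alfred", "Joker"): 5,      ("Alfred", "Journalist"): 2,
    ("Email", "Police"): 3,       ("Email", "Joker"): 3,       ("Email", "Journalist"): 5,
    ("Cell Phone", "Police"): 4,  ("Cell Phone", "Joker"): 3,  ("Cell Phone", "Journalist"): 4,
}
# Constructed impact (1-5): how bad it is for Bruce if the asset is compromised.
IMPACT = {"Batman Cave": 5, "Alfred": 5, "Email": 3, "Cell Phone": 4}

# Assumed control per asset; the slide only shows the word CONTROLS.
CONTROLS = {
    "Batman Cave": "concealed entrance plus entry logging",
    "Alfred": "need-to-know briefings, no written records",
    "Email": "separate identity, end-to-end encryption",
    "Cell Phone": "second device, location services off",
}
# Assumed effect of a control: it lowers likelihood by this many points (floor 1).
CONTROL_EFFECT = 2


def score(asset, attacker, likelihood=LIKELIHOOD):
    """Risk score = likelihood x impact, range 1-25."""
    return likelihood[(asset, attacker)] * IMPACT[asset]


def bucket(s):
    """Map a 1-25 score onto the slide's three vector buckets."""
    if s >= 15:
        return "High Risk"
    if s >= 8:
        return "Med Risk"
    return "Low Risk"


def risk_matrix(likelihood=LIKELIHOOD):
    """Every (asset, attacker) vector with its score and bucket."""
    return {(a, t): (score(a, t, likelihood), bucket(score(a, t, likelihood)))
            for a, t in product(ASSETS, ATTACKERS)}


def prioritised_assets(likelihood=LIKELIHOOD):
    """Assets ordered by worst-case vector score, with the assumed control attached.
    This is the answer to 'which assets need more emphasis on security'."""
    worst = {a: max(score(a, t, likelihood) for t in ATTACKERS) for a in ASSETS}
    return [(a, worst[a], bucket(worst[a]), CONTROLS[a])
            for a in sorted(ASSETS, key=lambda a: -worst[a])]


def residual_likelihood(applied):
    """Likelihood table after applying the controls for the given set of assets."""
    return {(a, t): max(1, l - CONTROL_EFFECT) if a in applied else l
            for (a, t), l in LIKELIHOOD.items()}


def count_buckets(matrix):
    """How many vectors fall into each bucket."""
    counts = {"High Risk": 0, "Med Risk": 0, "Low Risk": 0}
    for _, b in matrix.values():
        counts[b] += 1
    return counts


if __name__ == "__main__":
    for (a, t), (s, b) in sorted(risk_matrix().items(), key=lambda kv: -kv[1][0]):
        print(f"{a:12} <- {t:10} score={s:2} {b}")
    print("before controls:", count_buckets(risk_matrix()))
    for a, s, b, c in prioritised_assets():
        print(f"{b:9} {a:12} worst={s:2}  control: {c}")
    after = residual_likelihood({"Alfred", "Batman Cave"})
    print("after top-2 controls:", count_buckets(risk_matrix(after)))
```

Two things the numbers show that the slide only gestures at: the ordering of assets comes from the worst vector, not from the number of attackers, so Alfred (one very likely attacker, high impact) outranks the Cell Phone (three moderately likely attackers); and a single control on Alfred drops the Joker vector from 25 to 15, which is still High Risk, so "controls" on the second slide are a starting point for the next round of the model, not the end of it.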
THREAT MODELLING (REAL-WORLD SCENARIO)
• Application A: Internal Web Server, Milk company
• Application B: Third-party Web Server, Tea company
Of the two companies, which one is going to spend a lot of resources to secure their application, and why?
THREAT MODELLING (ATTACKER'S PERSPECTIVE)
Threat modelling from a business perspective is the process of
• ASSETS: Firewall, Server, Credentials, Admin Panel, Hidden Directories, Databases
• ATTACKERS: Hackers
THREAT MODELLING (ATTACKER'S PERSPECTIVE)
Threat modelling helps attackers identify the shortest route to the end goal.
THREAT MODELLING
1. Understand your target - understand the target's business model and what their assets are.
2. What are your objectives - identify your end goal; is it to see what less privileged users can do in the system, etc.?
3. List of tasks to do - you must have a checklist of the things that you must do.
4. Attack vectors to cover - which attack vectors are going to be used: authentication, non-authentication, social engineering, etc.
5. Hindrances to the attack vectors - what is going to stop your attacks from succeeding: firewalls, filtering mechanisms, IDPS, scripting disabled, enumeration disabled, a changed administrative URL, etc.
"Mmmhh!!! I guess this threat modelling stuff isn't bad after all."
THREAT MODELLING (ATTACKER'S PERSPECTIVE)
This is one of the ways in which an attacker would approach their target.
Rookie -> Website -> Access, via two kinds of attack:
• Authentication attacks: Admin Panel -> Credentials -> Password guessing
• Non-authentication attacks: check for the technology used; check whether a WAF exists; check for filtering mechanisms; Hidden Directories; look for misconfiguration (backup files, config files, etc.)
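The two attacker slides, the five-step list and the route diagram, read together say one thing: the attacker wants the shortest route, and the hindrances are what lengthen or cut it. The added example below, which is not from the deck, turns that into the defender's exercise. It models the route steps named on the diagram as a small weighted graph, finds the shortest route with Dijkstra, and then ranks the hindrances from the five-step list by how much each one lengthens the attacker's shortest route. The effort weights, the label "Technology check" and friends for the diagram's boxes, and the mapping of each hindrance to a specific route step are assumptions constructed for the illustration.

```python
"""Attacker's shortest route versus the defender's hindrances.

Added example, not part of the original deck. The route steps are the ones
named on the attacker-route slide and the hindrances are the ones listed in
the five-step slide; the effort weights and what each hindrance does to the
route graph are assumptions constructed for illustration. The point is the
defender's use: rank the hindrances by how much they lengthen the route.
"""
import heapq
from copy import deepcopy

ENTRY, GOAL = "Website", "Access"

# Directed graph: step -> {next step: assumed effort}. Lower total = shorter route.
BASE_ROUTES = {
    "Website": {"Admin Panel": 1, "Technology check": 1},
    # authentication branch: admin panel -> credentials (password guessing) -> access
    "Admin Panel": {"Credentials": 2},
    "Credentials": {"Access": 1},
    # non-authentication branch: technology -> WAF -> filtering -> hidden dirs -> misconfig
    "Technology check": {"WAF check": 1},
    "WAF check": {"Filtering check": 1},
    "Filtering check": {"Hidden Directories": 2},
    "Hidden Directories": {"Misconfiguration": 2},  # backup files, config files, etc.
    "Misconfiguration": {"Access": 1},
    "Access": {},
}

# Hindrance -> (edge it affects, new effort, or None to cut the edge). All assumed.
HINDRANCES = {
    "firewall (admin panel internal-only)": ("Website", "Admin Panel", None),
    "changing administrative URL": ("Website", "Admin Panel", 4),
    "IDPS (blocks password guessing)": ("Credentials", "Access", 6),
    "filtering mechanism": ("Filtering check", "Hidden Directories", 4),
    "enumeration disabled": ("Hidden Directories", "Misconfiguration", None),
}


def apply_hindrances(graph, names):
    """Return a copy of the graph with the named hindrances applied.
    Edge cuts are applied last so a cut edge cannot be re-added by a re-weight."""
    g = deepcopy(graph)
    for name in sorted(names, key=lambda n: HINDRANCES[n][2] is None):
        src, dst, effort = HINDRANCES[name]
        if effort is None:
            g[src].pop(dst, None)
        else:
            g[src][dst] = effort
    return g


def shortest_route(graph, start=ENTRY, goal=GOAL):
    """Dijkstra over the route graph: (total effort, steps), or (inf, []) if no route."""
    dist, prev = {start: 0}, {}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == goal:
            path = [goal]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist[node]:
            continue
        for nxt, w in graph[node].items():
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + w, node
                heapq.heappush(heap, (d + w, nxt))
    return float("inf"), []


def rank_hindrances(graph=BASE_ROUTES):
    """Each hindrance on its own, ranked by how much it lengthens the shortest route."""
    base, _ = shortest_route(graph)
    gains = [(n, shortest_route(apply_hindrances(graph, [n]))[0] - base) for n in HINDRANCES]
    return sorted(gains, key=lambda g: -g[1])


if __name__ == "__main__":
    cost, path = shortest_route(BASE_ROUTES)
    print("attacker's shortest route:", " -> ".join(path), "| effort", cost)
    for name, gain in rank_hindrances():
        print(f"+{gain:<4} {name}")
    pair = ["firewall (admin panel internal-only)", "enumeration disabled"]
    print("with", pair, "->", shortest_route(apply_hindrances(BASE_ROUTES, pair)))
```

Run it and the ranking makes the slide's point for the defender: with these weights the cheapest route is the authentication branch, so hindrances on the non-authentication branch (filtering, enumeration disabled) score zero on their own, because the attacker was never going that way. Only once the authentication branch is cut does the non-authentication branch become the shortest route, and then a hindrance there removes the last route entirely. Which control to buy next depends on which route is currently the shortest, which is exactly why the model has to be re-run after every control.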
THREAT MODELLING (OUTCOME FROM BUSINESS)
Business outcome of threat modelling
a. Identifying the assets owned by the company
b. Identifying what threats the assets are exposed to
c. Helps to identify which assets need more emphasis on security
d. Increases asset security
THREAT MODELLING (OUTCOME FROM BUSINESS)
Attackers' outcome of threat modelling
a. Find the shortest route to the target
b. Efficiency and precision in their attacks
c. Saves time for the attacker
“If you don’t invest in cybersecurity, you will be dead”
Stephen Kwame – MD of SIC Insurance
CYBERSECURITY IN DIGITAL TRANSFORMATION
ANY QUESTIONS?
Author: Kharim Mchatta
Email: info@hackitconsultacy.com
Website: www.h4k-it.com
LinkedIn: hack it consultancy
Instagram: @hackitconsultancy

Threat Modelling | 2023
