A Cat, a Dog, and a Roast Turkey: What's in your Threat Model?

Duration: one day

Abstract

What do the most effective red teams, blue teams, and engineers all have in common? Threat modeling. Two words widely used, mostly misunderstood, and almost guaranteed to induce instant yawns across most of the cyber/security field and community (when, sadly, it is likely the most powerful non-deterministic tool available).

Attendees of this training workshop will leave prepared to address the needs of each of the three constituencies named above.

  • Red team? Threat modeling is the place to start to enumerate the attack surface.
  • Blue team? Threat modeling is the place to determine what type of attackers you will most likely be facing.
  • Software Engineer/Developer? Threat modeling is the place to start securing your project from the ground up.


This is an engaging, hands-on training with active participation. Attendees will work through the flow of creating threat models to facilitate ownership, perspective, and informed direction regardless of your station or mission. Student-sourced options and live scenarios are encouraged; current examples we're using today include substrate-level concerns and threats to multi-tenancy like SPECTRE/MELTDOWN (previously considered conspiracy theory), Nation States, a cat, a dog, and a roast turkey, and coaching on how to use 0day in a FUD-free manner.

Course Outline

1. Into the deep end
   - A quick threat model: perform a threat assessment of an abstracted situation
   - There once was a dog, a cat, and a roast turkey
   - Class participation identifying threats
   - Review threats identified
   - Red team's focus
   - Blue team's focus
   - Software engineer's focus
2. Why would a red team threat model?
   - Red team concepts
   - Intuition
   - Is it enough? Will you be more fruitful in pwnage from threat modeling?
   - Adding structure: asset-based threat modeling
   - Planning testing and attacks
   - Threat model as part of your reporting
3. Threats and blue teams
   - Defender's concepts
   - Attacker personas and your model
   - How does an attacker's persona matter to your threat model?
   - The media vs. reality
   - Different approaches based on specific attacks
   - Attackers are fluid
   - Targeted vs. opportunistic
4. Software engineers and developers
   - Who's got time to threat model?
   - Software-based threat modeling
   - Diagrams and data flows
   - How do they work?!
   - Whiteboard/napkin time
   - Agile workflows / living document
   - Monolithic software is dead, and so are its threat models
5. Packaging the concepts up
   - What the heck is a STRIDE?
   - What can each group learn from the other?
   - How can the techniques be more fluid based on your scenario?
   - Recent media and the lack of a threat model
   - EFAIL
   - SPECTRE/MELTDOWN
   - Nation States
   - 0day threats
   - Class participation: a new threat model, "We are all doomed"
   - Armed with new concepts and skills, let's tackle something new
6. Further information
   - Read more books
   - People to follow
   - Closing it out

Prerequisites:

Bring a laptop, tablet, or something to take notes on. Anyone interested in utilising threat modeling for building, breaking, or defending is welcome!