There are hundreds (if not thousands) of adversary groups out there, and it’s understandable if defenders sometimes feel like resistance is futile. Good news: you don’t have to defend against all of them! Even better news: there’s a simple way you can prioritize what adversaries you focus on and how you defend against them–threat modeling. This presentation will present a simple, practical threat modeling approach that any analyst or defender can use to get started figuring out what threats matter to their organization.
The presentation will start by acknowledging the many approaches to threat modeling that others have created, and then discuss why there’s confusion around it. The presentation will then explain four simple steps and practical actions that anyone can take to get started with threat modeling: know your organization, know your adversaries, match those up, and take action. The audience will leave with an understanding of how threat modeling can help any team prioritize what threats they care about and use that to improve their organization’s defenses.
Dev Dives: Streamline document processing with UiPath Studio Web
Resistance Isn't Futile: A Practical Approach to Threat Modeling
1. Resistance Isn’t Futile:
A Practical Approach to Prioritizing
Defenses with Threat Modeling
Katie Nickels
Shmoocon
2. § Intel Team at Red Canary...for almost a month!
§ Former MITRE ATT&CK Threat Intel Lead
§ Chocolate, CrossFit, Cyber Threat Intelligence
Katie Nickels
PRINCIPAL INTELLIGENCE ANALYST
RED CANARY
@LiketheCoins
whoami
4. A BETTER WAY TO DEAL WITH THREATS
Threat Modeling can
help us prioritize
5. § STRIDE
§ Spoofing identity
§ Tampering with data
§ Repudiation
§ Information disclosure
§ Denial of service
§ Elevation of privilege
§ OCTAVE, LINDDUN
Research on Threat Modeling
https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)
https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
6. § Process for Attack Simulation and Threat Analysis (PASTA)
1. Define objectives
2. Define technical scope
3. Application decomposition
4. Threat analysis
5. Vulnerability & weaknesses analysis
6. Attack modeling
7. Risk & impact analysis
Research on Threat Modeling
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
8. § Adding in a threat intelligence perspective
Our Threat Modeling Definition
Us Them
Threat Modeling
9. 1. Know your organization
2. Know your threats
3. Prioritize and match them up
4. Make it actionable
A Simple Process to Start
10. § Go talk to people
§ Find network maps (hint: they’re wrong)
§ Imagine worst-case scenarios
§ Retail: your website going down on Black Friday
§ Financial: your customers not trusting their balances
1. Know Your Organization
12. § Look at past activity
§ Read open sources
§ Make an RSS feed
§ Talk to your peers
§ ISACs, Slack groups, email distros, social media, cons
2. Know Your Threats
14. § Remember you can’t track all threats
§ Consider threats that have affected your industry
§ Think about what threats are likely to affect what you have
3. Prioritize and Match Them Up
17. § Think about what the threats have done in the past
§ Build out your model based on malware, tools, and TTPs
§ Make recommendations to improve defenses
§ Do this for each “you-to-them” connection
§ e.g. FIN7 → Windows
4. Make it Actionable
24. § Threat modeling can be simple or complex
§ Adding in a threat intel perspective helps prioritize
§ Focusing on threats we care about drives better outcomes
Takeaways
25. § https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)
§ https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
§ https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
§ https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
§ RSS feed suggestions: https://medium.com/katies-five-cents/ a-top-10-reading-list-if-youre-getting-
started-in-cyber-threat-intelligence-c11a18fc9798
§ Training on making defensive recommendations (Module 5):
https://attack.mitre.org/resources/training/cti/
§ Video on using ATT&CK Navigator: https://www.youtube.com/watch?v=pcclNdwG8Vs
§ https://mitre-attack.github.io/attack-navigator/enterprise/
§ Mind Mapping software: https://coggle.it/
References
26. Thank you!
Subscribe to our blog for the upcoming
Threat Detection Report and more.
REDCANARY.COM/BLOG
@LiketheCoins
@RedCanaryCo