Resistance Isn't Futile: A Practical Approach to Threat Modeling

There are hundreds (if not thousands) of adversary groups out there, and it’s understandable if defenders sometimes feel like resistance is futile. Good news: you don’t have to defend against all of them! Even better news: there’s a simple way you can prioritize what adversaries you focus on and how you defend against them–threat modeling. This presentation will present a simple, practical threat modeling approach that any analyst or defender can use to get started figuring out what threats matter to their organization.

The presentation will start by acknowledging the many approaches to threat modeling that others have created, and then discuss why there’s confusion around it. The presentation will then explain four simple steps and practical actions that anyone can take to get started with threat modeling: know your organization, know your adversaries, match those up, and take action. The audience will leave with an understanding of how threat modeling can help any team prioritize what threats they care about and use that to improve their organization’s defenses.


  1. Resistance Isn’t Futile: A Practical Approach to Prioritizing Defenses with Threat Modeling
     Katie Nickels, Shmoocon
  2. whoami
     § Intel Team at Red Canary...for almost a month!
     § Former MITRE ATT&CK Threat Intel Lead
     § Chocolate, CrossFit, Cyber Threat Intelligence
     Katie Nickels, Principal Intelligence Analyst, Red Canary, @LiketheCoins
  3. Resistance seems futile
  4. A Better Way to Deal with Threats: Threat Modeling can help us prioritize
  5. Research on Threat Modeling
     § STRIDE
       § Spoofing identity
       § Tampering with data
       § Repudiation
       § Information disclosure
       § Denial of service
       § Elevation of privilege
     § OCTAVE, LINDDUN
     https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)
     https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
     https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
  6. Research on Threat Modeling
     § Process for Attack Simulation and Threat Analysis (PASTA)
       1. Define objectives
       2. Define technical scope
       3. Application decomposition
       4. Threat analysis
       5. Vulnerability & weaknesses analysis
       6. Attack modeling
       7. Risk & impact analysis
     https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
     https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
  7. ...that’s a lot (graphic labelled “CTI”)
  8. Our Threat Modeling Definition
     § Adding in a threat intelligence perspective
     (diagram: Us / Them / Threat Modeling)
  9. A Simple Process to Start
     1. Know your organization
     2. Know your threats
     3. Prioritize and match them up
     4. Make it actionable
  10. 1. Know Your Organization
     § Go talk to people
     § Find network maps (hint: they’re wrong)
     § Imagine worst-case scenarios
       § Retail: your website going down on Black Friday
       § Financial: your customers not trusting their balances
  11. 1. Know Your Organization (title only; visual content not captured)
  12. 2. Know Your Threats
     § Look at past activity
     § Read open sources
     § Make an RSS feed
     § Talk to your peers
       § ISACs, Slack groups, email distros, social media, cons
  13. 2. Know Your Threats (title only; visual content not captured)
  14. 3. Prioritize and Match Them Up
     § Remember you can’t track all threats
     § Consider threats that have affected your industry
     § Think about what threats are likely to affect what you have
  15. 3. Prioritize and Match Them Up (title only; visual content not captured)
  16. *Info is notional - DIY!
  17. 4. Make it Actionable
     § Think about what the threats have done in the past
     § Build out your model based on malware, tools, and TTPs
     § Make recommendations to improve defenses
     § Do this for each “you-to-them” connection
       § e.g. FIN7 → Windows
  18. FIN7 (ATT&CK Navigator view) https://mitre-attack.github.io/attack-navigator/enterprise/
  19. Cobalt Group
  20. TA505
  21. Spearphishing Attachment
  22. Rinse and Repeat
     § Start somewhere and iterate
     § Your first model won’t be perfect
     § It doesn’t have to be
  23. Resistance isn’t futile
  24. Takeaways
     § Threat modeling can be simple or complex
     § Adding in a threat intel perspective helps prioritize
     § Focusing on threats we care about drives better outcomes
  25. References
     § https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)
     § https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
     § https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
     § https://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
     § RSS feed suggestions: https://medium.com/katies-five-cents/a-top-10-reading-list-if-youre-getting-started-in-cyber-threat-intelligence-c11a18fc9798
     § Training on making defensive recommendations (Module 5): https://attack.mitre.org/resources/training/cti/
     § Video on using ATT&CK Navigator: https://www.youtube.com/watch?v=pcclNdwG8Vs
     § https://mitre-attack.github.io/attack-navigator/enterprise/
     § Mind Mapping software: https://coggle.it/
  26. Thank you! Subscribe to our blog for the upcoming Threat Detection Report and more. REDCANARY.COM/BLOG @LiketheCoins @RedCanaryCo
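The four-step process in the slides (know your organization, know your threats, prioritize and match them up, make it actionable) can be mocked up in a few dozen lines, and doing so makes the "match them up" step concrete: each group is scored against what the organization runs and who has already shown up in its own alerts, the prioritized groups' techniques are overlaid to find what they share (the Navigator overlay idea from the FIN7 / Cobalt Group / TA505 / Spearphishing Attachment slides), and that overlap drives recommendations. This is an added example, not code from the talk or from Red Canary. Everything in the data tables is constructed, in the spirit of the deck's own "Info is notional - DIY!" note: the industries, platforms and technique lists attached to FIN7, Cobalt Group and TA505 are placeholders to be replaced with your own research, "Constructed Group X" is a made-up low-relevance group, and the recommendation text is generic defensive advice. Technique IDs are ATT&CK Enterprise IDs (T1566.001 is Spearphishing Attachment); the Navigator layer output assumes the public layer JSON format (`techniqueID` / `score` / `comment` entries) and a layer version you should check against your own Navigator build.

```python
"""Notional steps 3 and 4 of the four-step threat modeling process.

Added example, not the talk's own material. All organization, group,
technique and recommendation data is constructed for illustration.
"""
import json
from collections import Counter

# Step 1 output: know your organization (constructed retail example).
ORGANIZATION = {
    "industry": "retail",
    "platforms": {"Windows", "Linux"},
    # Groups already seen in our own alerts or incidents (constructed).
    "past_activity": {"TA505"},
}

# Step 2 output: know your threats. Industries/platforms targeted and
# techniques used per group. Constructed placeholders, not authoritative.
THREATS = {
    "FIN7": {"industries": {"retail", "hospitality"}, "platforms": {"Windows"},
             "techniques": {"T1566.001", "T1204.002", "T1059.001", "T1547.001"}},
    "Cobalt Group": {"industries": {"financial"}, "platforms": {"Windows"},
                     "techniques": {"T1566.001", "T1204.002", "T1547.001"}},
    "TA505": {"industries": {"retail", "financial", "healthcare"}, "platforms": {"Windows"},
              "techniques": {"T1566.001", "T1204.002", "T1105"}},
    # Placeholder group that only matches on platform, to show a weak match.
    "Constructed Group X": {"industries": {"hosting"}, "platforms": {"Linux"},
                            "techniques": {"T1190"}},
}

# Step 4 input: one defensive recommendation per technique (constructed, generic).
RECOMMENDATIONS = {
    "T1566.001": "Spearphishing Attachment: gateway attachment filtering, user report "
                 "button, alert on Office apps spawning script interpreters",
    "T1204.002": "Malicious File: block macros in documents from the internet",
    "T1059.001": "PowerShell: script block logging, constrained language mode",
}


def score_group(org, group):
    """Step 3: how much does this group matter to *this* organization?"""
    score, reasons = 0, []
    if org["industry"] in group["industries"]:
        score += 2
        reasons.append("has targeted our industry")
    if org["platforms"] & group["platforms"]:
        score += 1
        reasons.append("uses platforms we run")
    return score, reasons


def prioritize(org, threats, minimum=2):
    """Rank groups by relevance; drop weak matches (you can't track everything)."""
    scored = []
    for name, group in threats.items():
        score, reasons = score_group(org, group)
        if name in org["past_activity"]:
            score += 3  # evidence from your own environment outweighs everything
            reasons.append("seen in our past activity")
        if score >= minimum:
            scored.append((score, name, reasons))
    scored.sort(key=lambda item: (-item[0], item[1]))
    return scored


def technique_overlay(threats, group_names):
    """Count how many prioritized groups use each technique (the Navigator overlay)."""
    counts = Counter()
    for name in group_names:
        counts.update(threats[name]["techniques"])
    return counts


def navigator_layer(name, counts):
    """Build an ATT&CK Navigator layer dict; scores drive the heat-map colouring."""
    return {
        "name": name,
        "versions": {"layer": "4.4"},  # assumed; match your Navigator instance
        "domain": "enterprise-attack",
        "description": "Constructed example: technique overlap across prioritized groups",
        "techniques": [
            {"techniqueID": tid, "score": count,
             "comment": f"used by {count} prioritized group(s)"}
            for tid, count in sorted(counts.items())
        ],
    }


def recommendations(counts, recs):
    """Step 4: recommendations for the most widely shared techniques first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tid, n, recs.get(tid, "TODO: write a recommendation")) for tid, n in ordered]


if __name__ == "__main__":
    ranked = prioritize(ORGANIZATION, THREATS)
    for score, name, reasons in ranked:
        print(f"{score:2d}  {name}: {', '.join(reasons)}")
    names = [name for _, name, _ in ranked]
    counts = technique_overlay(THREATS, names)
    print(json.dumps(navigator_layer("Retail org priorities", counts), indent=2))
    for tid, n, rec in recommendations(counts, RECOMMENDATIONS):
        print(f"{tid} ({n} groups): {rec}")
```

With the constructed data, TA505 ranks first (industry, platform and past activity), FIN7 second, and Cobalt Group and the placeholder group fall below the threshold; the overlay then shows T1566.001 and T1204.002 shared by both prioritized groups, which is where the recommendations start. The scoring weights are deliberately crude: the point of the talk is to start somewhere and iterate, so treat them as a first model to refine, not a finished one.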