Reminder
Threat Modeling: The sooner the better, never too late.
We all have different understanding of threat models, different use cases and different customers. Different != wrong.
Description of session
Discussion on:
- What is the current state of threat modeling?
- Are there any new and exciting things happening?
- What is needed for the future?
Discussion
Question to start conversation:
Since Adam’s book has there been any tools released that truly aid in threat modeling?
There are a few tools in beta, or which support documentation; however, do they supporting the process at all?
Threat models aiding playbook creation
- Improvement is something not covered by existing tools
- How can we add impact as a project?
Examples of current to ‘future state’ of threat modeling
*disclaimer - no endorsement given for these.
- User story mapping / abuse stories (attack centric)
- Asset centric/ value driven approach (Avi douglan)
- Hybrid approaches (- Rapid Threat Modeling process (open source tool by Geoff Hill - link in references)
- LINDDUN
- Using DREAD not just to support rating of threats but support rating of mitigations to determine what should be done.
Tools:
- Irius risk (beta)
- PyTM
- Tutamantic (beta)
- Microsoft TM tool
- ThreatSpec (in dev)
It’s clear that since Adam’s book was published, there has been significant movement on methodologies for threat modeling.
Why don’t companies threat model?
Is the future of threat modeling that it actually just happens continuously?
- How do we shift left?
- Frame in terms of financials (cost of fixing earlier etc)
- How do we get involved in scoping conversations?
- How do we communicate the value?
- How do we communicate the likelihood and impact of the threats that have been found?
- We should get rid of “Threat Modellers” - it should become part of the ways of working of the technology teams, part of the architectural process, design reviews etc.
The business cares about the following:
- The likelihood and impact - what’s the tagline ‘what’s the risk that I’m mitigating here (or not)?’
- The business case is valuable - how does this increase revenues, decrease costs?
- How do we utilise our risk teams as customers of the threat modelling process to support the conversation to the business?
- Utilise a narrative - facts/ inputs that tell a story -> utilise graphs and examples to support the request.
Outcomes/Deliverables
- Reverse attack tree examples - a useful way of using attack trees (Tash to deliver)
- A good threat tool/ methodology is something that can be re-used / has examples and is consumable
- We need to be better at communicating with technical and business stakeholders in communicating the value of threat modeling
- Do we create a value statement?
- Do we need a unified language for communicating threats?
- We need guidelines or examples on how to keep an up to date TM (Cases studies of implementing the TM process in an organisation)
User Stories specific (thanks Phil Winstanley):
A great way to explain threats to anyone in the organisation and make it accessible to someone of any background in the business. It’s about addressing the culture and mindset around threat modeling primarily, utilising successes to drive adoption.
Not just threat modeling the technology, but threat modeling people and processes too.
User story example
As a [Threat Actor] I wish to [Activity] against [High Value Asset] By [Technique]
As a Defender I can mitigate this threat by [Mitigation1] [Mitigation2] [Mitigation3]
I can test [Mitigation1] is Successful By [Test1]
Further example:
As a [Threat Actor] I wish to [Activity] against [High Value Asset] By [Technique] I measure its risk by [DREAD]
As a Defender I can mitigate this threat by [Mitigation1] I measure its effectiveness by [DREAD after Applied] [Mitigation2] I measure its effectiveness by [DREAD after Applied] [Mitigation3] I measure its effectiveness by [DREAD after Applied]
I can test [Mitigation1] is Successful By [Test1]
Identified Questions
- How do agile methodologies impact the future of threat modeling?
References
- Rapid TM (creative commons) https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs/blob/master/README.md
- Irius risk (proprietary) https://continuumsecurity.net/threat-modeling-tool/
- PyTM https://github.com/izar/pytm
Value of a threat model
- Secure by Design
- Secure by Default
- Secure in Deployment
The goal of threat modeling is to provide the input needed for ‘the business’ to make a well informed decision on risks. This means it needs to be provided in a language everyone can understand.