Threat Modeling 101
1 like•11,189 views
The document discusses the fundamentals of threat modeling, emphasizing the importance of security as a primary concern during the development process. It highlights key concepts such as confidentiality, integrity, and availability, while also outlining various attack vectors and potential threats posed by different types of attackers. Additionally, it provides practical examples, using storytelling techniques like the Batman scenario to illustrate threat modeling principles.
Threat Modeling 101
- 1. Threat Modeling 101 Safety First DAN HARDIKER | CTO | @ADAPTAVIST | @DHARDIKER
- 7. What is Security about?
- 9. STORYTELLING
- 10. KEY CONCEPTS
- 11. KEY CONCEPTS
- 12. KEY CONCEPTS
- 14. ‣ Confidentiality ‣ Integrity KEY CONCEPTS
- 15. ‣ Confidentiality ‣ Integrity ‣ Availability KEY CONCEPTS
- 16. ‣ Confidentiality ‣ Integrity ‣ Availability KEY CONCEPTS https://www.pinterest.co.uk/pin/256423772505109414/
- 21. ASSETS
- 22. ASSETS
- 23. ASSETS
- 24. ASSETS
- 25. ASSETS
- 26. ASSETS
- 27. ASSETS
- 28. ATTACKERS
- 33. ATTACK VECTORS
- 34. ATTACK VECTORS
- 35. ATTACK VECTORS
- 36. ATTACK VECTORS
- 37. ATTACK VECTORS
- 38. ATTACK VECTORS
- 39. ATTACK VECTORS
- 40. ATTACK VECTORS
- 41. ATTACK VECTORS
- 42. The consideration of unwanted access to assets by attackers using attack vectors. THREAT MAP
- 44. Bruce Wayne / Batman’s Threat Model
- 45. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED
- 46. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER
- 47. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 48. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 49. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 50. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 51. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 52. Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 53. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS
- 54. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS ENCRYPTION
- 55. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS ENCRYPTION HIDE LOCATION
- 56. CONTROLS Bruce Wayne / Batman’s Threat Model ASSETS @ E-MAILS TEXTS BAT CAVE ALFRED ATTACKERS POLICE PRESS JOURNALISTS THE JOKER LOW RISK MED RISK HIGH RISK VECTORS ENCRYPTION HIDE LOCATION SECURITY SYSTEM
- 57. My First Models Generic / Server / Cloud
- 59. GENERIC ORGANISATION DIGITAL ASSETS PHYSICAL ASSETS
- 60. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS DOCUMENTS
- 61. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS DOCUMENTS LAPTOPS SERVERS PHONES
- 62. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES
- 63. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE)
- 64. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) VULNERABILITY SCANNERS
- 65. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) WEB CRAWLERS VULNERABILITY SCANNERS
- 66. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) WEB CRAWLERS VULNERABILITY SCANNERS
- 67. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS
- 68. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES
- 69. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES
- 70. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE
- 71. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE DATA HARVESTING
- 72. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE DATA HARVESTING RANSOMWARE
- 73. GENERIC ORGANISATION DIGITAL ASSETS @ E-MAILS SLACK PHYSICAL ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION DOCUMENTS LAPTOPS SERVERS PHONES STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES CORPORATE ESPIONAGE DATA HARVESTING RANSOMWARE BOTNETS
- 74. SERVER APP
- 78. SERVER APP ASSETS VERSION CONTROL CI / CD RELEASE REPOSITORY
- 79. SERVER APP ASSETS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 80. SERVER APP ASSETS ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 81. SERVER APP ASSETS @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 82. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERS STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 83. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY
- 84. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY MALWARE PAYLOAD
- 85. SERVER APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES DATA HARVESTING @ MAILING LIST ANALYTICS VERSION CONTROL CI / CD MARKETPLACE RELEASE REPOSITORY MALWARE PAYLOAD
- 86. CLOUD APP
- 87. CLOUD APP ASSETS
- 88. CLOUD APP ASSETS INFRA AS CODE PIPELINE
- 89. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE
- 90. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE DATABASES
- 91. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE DATABASES EXECUTION ENVIRONMENTS
- 92. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE DATABASES EXECUTION ENVIRONMENTS DEV / TEST ENVIRONMENTS
- 93. CLOUD APP ASSETS ARTIFACT REPOSITORIES INFRA AS CODE PIPELINE BACKUPS / DRDATABASES EXECUTION ENVIRONMENTS DEV / TEST ENVIRONMENTS
- 94. CLOUD APP ASSETS UNTARGETED ATTACKERS TARGETED ATTACKERSMOTIVATION STAFF (INCOMPETENCE) STAFF (ESPIONAGE) NATION STATE WEB CRAWLERS VULNERABILITY SCANNERS SCRIPT KIDDIES DATA HARVESTING ARTIFACT REPOSITORIES MALWARE PAYLOAD INFRA AS CODE PIPELINE BACKUPS / DRDATABASES EXECUTION ENVIRONMENTS DEV / TEST ENVIRONMENTS
- 95. If you only remember 3 things … … things I said while you were sleeping
- 96. 3 THINGS TO REMEMBER
- 97. 1. Security is not an after thought. It’s Job Zero! 3 THINGS TO REMEMBER
- 98. 1. Security is not an after thought. It’s Job Zero! 2. Threat Model as part of User Stories. 3 THINGS TO REMEMBER
- 99. 1. Security is not an after thought. It’s Job Zero! 2. Threat Model as part of User Stories. 3. Ignorant humans are your biggest threat. 3 THINGS TO REMEMBER
- 102. ‣ Ars Technica ‣ Schneier on Security ‣ The Hacker News ‣ OWASP FURTHER READING
- 105. DAN HARDIKER | CTO | @ADAPTAVIST | @DHARDIKER Thank you!