Threat Modeling

Process for Securing assets
IDENTIFY KEY THREATS
Software for threat modeling
Sources of Info, Standards
How-to's

Process for Securing assets

Idea general: What are my key assets? Do I know where they are?

Look at high risks
Identify treatments
Identify easy wins, high cost, biggest impact, most difficult to achieve (User resistance level) - use Essential 8 https://www.upguard.com/blog/essential-eight
Address high risk areas

(And defining what those are)

Example flow for a KYC business

IDENTIFY KEY THREATS

What has happened to me?

i.e. RW - Si alguna vez pasó, puede ser un riesgo
Ataques web recientes o detecciones relevantes

What has happened to those in my industry?
What is happening in general?

Vulnerabilidades o bugs de vendors (Si utilizo Cisco, un CVE reciente puede ser un riesgo)

Based on my key assets, what worries me the most?

Software for threat modeling

OWASP Threat Dragon

OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces.

owasp.org

Draw.io

Sources of Info, Standards

NIST 800-30 "Guide for conducting Risk Assessments"

nvlpubs.nist.gov

NIST 800-154 "Guide for data-centric Threat modeling"

csrc.nist.gov

OWASP Web application threat modeling

Threat Modeling Process

Author: Larry Conklin Contributor(s): Victoria Drake This document describes a structured approach to application threat modeling that enables you to identify, quantify, and address the security risks associated with an application. Threat modeling looks at a system from a potential attacker's perspective, as opposed to a defender's viewpoint.

owasp.org

How-to's

Artículo

Threat Modeling Guide

Cyber attacks come in many forms, and defending against these attacks can sometimes be challenging. We worry about national cyberspace security, network security, application security, data security, and everything in-between. What makes it difficult for the security professional is that the attacker can get in a thousand and one ways, and each potential entry point has to be secured.

www.comparitech.com

Walkthrough: Creating a Threat Model for a Web Application

J.D. Meier, Alex Mackman, Blaine Wastell This walkthrough shows you how a development team put threat modeling into practice. It describes how the team created a threat model for an Internet-facing Web application during the early stages of application design. The walkthrough describes what the team learned during the modeling process.

www.guidanceshare.com

Walkthrough: Creating a Threat Model for a Web Application

Enterprise Threat Model Technical Report

URL Original - Guide to Cyber Threat Modelling - Feb 2021.pdf1269.8KB

PDF Uploaded - pr_18-1613-ngci-enterprise-threat-model-technical-report.pdf1751.1KB

Threat Modeling

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. Improving Web Application Security: Threats and Countermeasures J.D.

docs.microsoft.com

Threat Modeling for Cloud Infrastructures

tsapps.nist.gov

Caso real de uso de STRIDE/DREAD para Telcom

files.iota.org

Enterprise threat modeling technical report example - Usar de guía

www.mitre.org

Cyber Threat modeling - Survey of different frameworks