
A door with no locks? Let’s talk about threat modeling

Note: At the time of uploading these slides, the OWASP Top 10 2025 RC has just been published. Insecure Design dropped two spots from #4 to #6 thanks to the increasing adoption of the threat modeling practice. For more information, please visit https://owasp.org/Top10/2025/0x00_2025-Introduction/

Threat modeling isn’t exactly a new concept, but it has recently become a must-have in product design. With cybersecurity threats on the rise and the pressure to deliver faster, security often ends up on the back burner—usually discovered during QA or, worse, after the code is already out the door. At that point, it’s either a headless-chicken chase to fix things or a recipe for disaster.

Developers are the ones who really know how applications are supposed to work, so security needs to be part of the conversation from the start. Yet, for some reason, threat modeling is still seen as a "cybersecurity expert-only" club.

In this talk, I’ll walk through the threat modeling process, highlight key risk concepts, and show how we can all work together to avoid those "oops" moments. Because, honestly, building secure applications is way more fun when we’re all in it together!


Bárbara Teruggi

November 07, 2025

Transcript

  1. Agenda
     01 What? Why? When? (the power of threat modeling)
     02 Who's in the room? (roles in threat modeling)
     03 Jargon 101 (understanding key concepts)
     04 What could go wrong? (four-question framework)
     05 Wrap-Up (final advice)
     06 Q&A Time!
  2. A DOOR WITH NO LOCKS? LET'S TALK ABOUT THREAT MODELING
     Meet my friends Walter Fielding Jr & Anna Crowley > They made a rushed decision they would soon regret
  3. Yay! This mansion looks amazing… also very old, but we can fix it, right?
  4. Meet Barbara Teruggi (barbara-teruggi, @bantera13.bsky.social)
     > Security Architect
     > Proud music addict
     > Amateur rock climber
     > Professional overthinker
  5. WHAT is Threat Modeling?
     "Threat modeling is the measure twice, cut once in cybersecurity" (Adam Shostack)
  6. WHAT is Threat Modeling?
     > Proactive & structured analysis of a system or software design
     > Identify, assess, prioritize & mitigate potential threats
     > Reduce likelihood & impact of a security incident
  7. WHY is Threat Modeling important?
  9. WHEN to perform Threat Modeling?
     > DESIGN: new application/system design phase (S-SDLC)
     > INCREMENT: new features or major changes (which trigger a security review)
     > OPERATE/MONITORING: regularly, on existing applications/systems (health check)
     > INCIDENT MANAGEMENT: after a security incident (partial/total re-design)
  12. Unless you're the architect, mason, inspector, plumber, carpenter and designer all at once, good luck fixing a whole mansion by yourself :)
  13. Key Roles in Threat Modeling (role: why involved?)
     > Security Expert: identifies threats, defines security controls
     > Architect: designs secure architecture and mitigations
     > Product Owner: ensures the design meets the business goals
     > Developer: implements security best practices in software
     > QA Tester / Pentester: identify vulnerabilities via functional & security testing
     > UX Designer: designs secure, intuitive user flows and interactions
     > Subject Matter Experts (cloud architects, platform engineers, system or DB administrators, etc.): their expertise helps better identify threats and design countermeasures
  14. RACI Model
     A simple way to figure out who does what in a project, like in a role-playing game (RPG):
     > The Doer (Responsible): actually gets the work done.
     > The Leader (Accountable): makes the final call and owns the result.
     > The Advisor (Consulted): gives input before decisions are made.
     > The Observer (Informed): just needs to be kept in the loop.
     Basically, it prevents people from stepping on each other's toes (or dropping the ball).
  15. Walter learns the cost of a bargain, …one bill at a time.
  16. KEY Concepts
     THREAT: event or condition that takes advantage of a vulnerability to cause harm
       (the door could fall, inviting anyone in)
     VULNERABILITY: flaw or weakness that could be exploited to compromise security
       (rotten wood & rusty hinges)
     RISK: potential for loss and damage when the threat becomes a reality
       (any goods, privacy & your sleep)
  17. STRIDE Methodology
     > Method to identify and classify potential security threats into six categories
     SPOOFING: impersonating another user or system
     TAMPERING: modifying data or code, in transit or at rest
     REPUDIATION: denying an action that occurred, without a trace to prove it
     INFORMATION DISCLOSURE: exposing sensitive data to unauthorized users
     DENIAL OF SERVICE (DoS): disrupting or denying access to a service for legitimate users
     ELEVATION OF PRIVILEGE: gaining higher access than allowed
  18. Threat Modeling Approaches (approach, focus, and how it applies to our digital house)
     > Asset-Centric (What do we protect?): identify critical assets that must stay secure. Our digital house: protect user accounts from unauthorized access.
     > Attacker-Centric (What does the attacker want?): what is the attacker profile and motivation? Our digital house: a cybercriminal looking for financial gain by compromising user accounts.
     > Software-Centric (Where is the problem?): find security flaws in software logic or code. Our digital house: weaknesses in the design of one or more components of the login module.
  19. This is where we rewrite The Money Pit—no chaos, just a solid home
  20. Meet Adam Shostack's Four-Question Framework
     Q1 What are we working on?
     Q2 What could go wrong?
     Q3 What are we going to do about it?
     Q4 Did we do a good job?
  21. Project Scoping
     Collect information about the project:
     > Project type: new application, new feature on an existing application, re-assessment of an existing application
     > Application type: web, mobile, desktop
     > Description: what functionalities does the application or feature cover?
     > Technologies: languages and frameworks used, tools, versions
     > Server infrastructure: is the application running on-premise or in a private or public cloud?
     > Internet-facing components: what components are exposed to the public internet or sit in a DMZ?
     > Compliance requirements: regulations and certifications the application needs to comply with
     > Data specifications: data types and security requirements (Confidentiality, Integrity, Availability)
     > Assets: any component, process or information (data) we want to PROTECT
  22. Graphic Representation of the project
     DATA FLOW DIAGRAM (most used)
     Elements: External Entities, Processes / Multiple Processes, Data Stores, Data Flows, Trust Boundaries
     Note: Architecture or Sequence diagrams are also helpful in many cases
  23. Existing or planned security controls
     > Important to assess likelihood & impact of threats
     > Help determine residual risks
     > Also need to be tested
     Brute Force Prevention: rate limiting, account lockout policies
     Comprehensive Logging: all security-related events are logged
     Strong Password Policies: password complexity requirements, secure password management logic
     MFA OTP Controls: audience, limited attempts, OTP expiration, OTP anti-reuse control, etc.
     Secure Communication: HTTPS, TLS 1.3 used for encryption
     Network Security: network segmentation, WAF, network firewalls, IDS/IPS, etc.
  24. Q2 What could go wrong?
  25. Threat enumeration
     > Identify threats by analyzing components, data flows, and trust boundaries
     > Categorize threats using the STRIDE methodology
     > Map threats to attack libraries and resources such as MITRE, OWASP, etc.
     T01 Inducing account lockout
         Affected component: Authentication Service - Login request flow
         STRIDE category: Denial of Service
         References: CAPEC-2, OWASP A07:2021
         Description: an attacker may overload the login endpoint, leading to account lockouts
     T02 MFA Code Theft
         Affected component: MFA Service
         STRIDE category: Spoofing
         References: CAPEC-151, OWASP A07:2021
         Description: an attacker steals an MFA code and is able to authenticate as a legitimate user
     T03 Sensitive Data Exposure in Logs
         Affected component: Audit Service - Log Auth events flow
         STRIDE category: Information Disclosure
         References: CAPEC-215, OWASP A04:2021
         Description: if authentication details are logged, an attacker could retrieve them
     T04 Misleading Investment
         Affected component: Walter & Anna - buying a house flow
         STRIDE category: Spoofing
         References: CAPEC-416 (Manipulate Human Behavior)
         Description: a con artist pretending to be an old lady in distress induces the couple to buy a mansion in ruins
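The enumeration step (elements and flows of the DFD from slide 22, each tagged with a STRIDE category) can be mechanised with the STRIDE-per-element rule of thumb: external entities get S and R, processes get all six, data stores get T, I, D (plus R when they hold audit records), and data flows get T, I, D. The following is an added example in Python and is not code from the talk. The DFD, its element names and trust zones are constructed to resemble the login module in the slides, and the T-numbers are generated, so they do not line up with T01 to T04 in the table above.

```python
# Added example (not code from the talk): STRIDE-per-element threat
# enumeration over a data flow diagram. The DFD below is a constructed
# sketch of the login module used in the slides; element and flow names
# are assumptions for illustration.
from dataclasses import dataclass
from itertools import count

# STRIDE-per-element applicability (Shostack, "Threat Modeling: Designing
# for Security"). Data stores get Repudiation only when they hold logs.
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TID",
    "flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass
class Element:
    name: str
    kind: str            # external | process | store
    zone: str            # trust zone; a flow between zones crosses a trust boundary
    holds_logs: bool = False


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Threat:
    id: str
    component: str
    category: str
    crosses_boundary: bool


def applicable(kind: str, holds_logs: bool = False) -> str:
    """STRIDE letters that apply to one element kind."""
    letters = STRIDE_PER_ELEMENT[kind]
    if kind == "store" and holds_logs:
        letters += "R"   # altering or erasing audit records enables repudiation
    return letters


def enumerate_threats(elements, flows):
    """One candidate Threat per (component, applicable STRIDE category).
    Flows whose endpoints sit in different trust zones are flagged so the
    team reviews boundary-crossing data first."""
    zone = {e.name: e.zone for e in elements}
    ids = count(1)
    threats = []
    for e in elements:
        for letter in applicable(e.kind, e.holds_logs):
            threats.append(Threat(f"T{next(ids):02d}", e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        for letter in applicable("flow"):
            threats.append(Threat(f"T{next(ids):02d}", f.name, STRIDE_NAMES[letter], crosses))
    return threats


def boundary_crossing(threats):
    return [t for t in threats if t.crosses_boundary]


# Constructed DFD: browser on the internet -> login/MFA services in the app
# tier -> user database and audit log in the data tier.
ELEMENTS = [
    Element("User browser", "external", "internet"),
    Element("Login service", "process", "app"),
    Element("MFA service", "process", "app"),
    Element("User DB", "store", "data"),
    Element("Audit log", "store", "data", holds_logs=True),
]
FLOWS = [
    Flow("Login request", "User browser", "Login service"),
    Flow("OTP verification", "Login service", "MFA service"),
    Flow("Credential lookup", "Login service", "User DB"),
    Flow("Log auth events", "Login service", "Audit log"),
]

if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        flag = "  <-- crosses trust boundary" if t.crosses_boundary else ""
        print(f"{t.id} {t.category:<22} {t.component}{flag}")
```

The output is a candidate list, not a finished threat model: the point of the per-element rule is to make sure no component or boundary crossing is forgotten, after which the team discards the categories that do not apply and writes the real descriptions, references and risk justifications as in the table above.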
  26. Risk analysis
     > Assess likelihood (exploitability) and impact for each threat
     > Calculate risk scores using likelihood and impact
     > Justify risk levels based on existing security controls
     T01 Excessive Failed Login Attempts (Denial of Service)
         Likelihood: Low | Impact: Medium | Risk score: Medium
         Justification: rate limiting and account lockout policies prevent excessive failed attempts
     T02 MFA Code Theft (Spoofing)
         Likelihood: Medium | Impact: High | Risk score: High
         Justification: strong OTP management controls reduce the chance of misuse; phishing remains a concern
     T03 Sensitive Data Exposure in Logs (Information Disclosure)
         Likelihood: Low | Impact: Medium | Risk score: Medium
         Justification: comprehensive logging reduces the risk of log data exposure
     T04 Misleading Investment (Spoofing)
         Likelihood: High | Impact: High | Risk score: High
         Justification: Walter & Anna are in such a rush to find a new place that they blindly trust the con artist
  27. Q3 What are we going to do about it?
  28. Risk Management
     > Evaluate threats and determine the most effective strategy to reduce the risk of exploitation
     Example: T02 - MFA Code Theft
     AVOID (remove the threat by eliminating the risk): do not implement MFA at all (increasing the risk of credential-based attacks)
     ACCEPT (acknowledge the risk, prepare contingency plans and monitor the risk): continue using email-based MFA despite the phishing risk
     TRANSFER (shift the responsibility for the risk to a third party): educate end users in security awareness; tell them not to share their credentials with anyone except your website or application, and to check for excessive permissions granted to applications (OAuth-based attacks)
     MITIGATE (reduce the risk's impact or likelihood): implement TOTP using authenticator apps (e.g. Duo, Google Authenticator, Veridium…)
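Slide 23 lists the OTP controls the design already counts on (limited attempts, OTP expiration, anti-reuse) and the MITIGATE option above moves T02 to TOTP. The following added example, which is not code from the talk, shows what those controls look like inside an RFC 6238 TOTP verifier using only the Python standard library. The base32 secret is the RFC 6238 reference test key, the timestamps are constructed, and the STEP, SKEW and MAX_ATTEMPTS constants are assumptions a real deployment would tune.

```python
# Added example (not code from the talk): RFC 6238 TOTP verification with
# the OTP controls the deck lists, namely expiration (a narrow time window),
# limited attempts and anti-reuse (replay) protection. The secret is the
# RFC 6238 reference test key and the timestamps are constructed values.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30          # seconds per time step; a code expires with its step (assumption)
DIGITS = 6
SKEW = 1           # accept one step either side to tolerate clock drift (assumption)
MAX_ATTEMPTS = 5   # wrong codes allowed before verification is refused (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server-side state for one user: a failed-attempt counter and the last
    accepted time step, so an intercepted code cannot be replayed."""

    def __init__(self, secret_b32: str):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.failed = 0
        self.last_accepted_step = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.failed >= MAX_ATTEMPTS:
            return False                      # limited attempts: refuse until unlocked
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            self.failed += 1                  # malformed input counts as a failure
            return False
        current = int(now // STEP)
        for step in range(current - SKEW, current + SKEW + 1):
            if step <= self.last_accepted_step:
                continue                      # anti-reuse: each step is accepted at most once
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                self.failed = 0
                return True
        self.failed += 1                      # wrong or expired code
        return False


# RFC 6238 reference secret "12345678901234567890" in base32 (test value only).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET_B32)
    code = totp(v.secret, 59)                        # what the authenticator app shows at T=59
    print("first use:", v.verify(code, now=59))      # True
    print("replay   :", v.verify(code, now=59))      # False: same step reused
    print("expired  :", v.verify(code, now=59 + 90)) # False: outside the skew window
```

Two caveats worth stating in the risk justification: the replay check only defeats an attacker who uses a captured code after the legitimate user has used it (or after the window closed), so real-time phishing relays remain a concern exactly as the slide says; and the attempt counter is per user, so it complements rather than replaces the per-IP rate limiting that addresses T01.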
  29. Risk Treatment
     > Define countermeasures or changes to the design according to the risk management strategies
     > Define test plans to ensure secure implementation
     > Refer to best practices for mitigation/testing
     T01 Excessive Failed Login Attempts (Denial of Service)
         Mitigation strategies: implement rate limiting, CAPTCHA, and IP-based blocking
         Testing approach: simulate brute-force attacks using Hydra
         References: OWASP Rate Limiting Guide
     T02 MFA Code Theft (Spoofing)
         Mitigation strategies: use TOTP instead of SMS/email OTP (authenticator apps)*
         Testing approach: test using phishing and code replay attacks
         References: OWASP MFA Testing
     T03 Sensitive Data Exposure in Logs (Information Disclosure)
         Mitigation strategies: mask sensitive fields, enforce log access controls
         Testing approach: use log analysis tools to scan for exposed credentials
         References: OWASP Logging Guide
     T04 Misleading Investment (Spoofing)
         Mitigation strategies: bring an architect to check on the house before making a final decision
         Testing approach: check the lights, open a faucet…
         References: The Money Pit movie
     * Note: you can also offer different factors to your users so they get to select the preferred one, and have alternatives in case they lose access to one of the factors
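For the T03 row, the mitigation (mask sensitive fields) and the test (scan logs for exposed credentials) are two sides of the same rule, so here is an added example in Python that implements both with one definition of "sensitive". It is not code from the talk; the key list, the regular expressions and the sample log lines are constructed for illustration, and a real deployment would extend the key list to its own field names.

```python
# Added example (not code from the talk): a logging filter that masks
# credentials before a record is written (the "mask sensitive fields"
# mitigation) and a scanner that checks log lines for secrets that slipped
# through (the "scan for exposed credentials" test). Key names, regexes
# and the sample log lines are constructed for illustration.
import logging
import re

# Field names whose values must never reach a log in clear text (assumption).
SENSITIVE_KEYS = ("password", "passwd", "otp", "token", "authorization", "secret")

# Matches key=value, key: value and "key": "value", optionally "Bearer <token>".
_SENSITIVE_RE = re.compile(
    r"(?i)(" + "|".join(SENSITIVE_KEYS) + r")\b"       # group 1: key
    + r"(['\"]?\s*[:=]\s*['\"]?(?:Bearer\s+)?)"        # group 2: separator
    + r"([^\s,'\"}]+)"                                 # group 3: value
)
# Bare JWT-shaped strings (three base64url segments) wherever they appear.
_JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
MASK = "***"


def redact(text: str) -> str:
    """Replace every sensitive value with MASK; the key is kept so the log stays useful."""
    text = _SENSITIVE_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", text)
    return _JWT_RE.sub(MASK, text)


class RedactingFilter(logging.Filter):
    """Attach to a logger: rewrites the formatted message so no handler
    (file, syslog, SIEM forwarder) ever sees the clear-text value."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def make_record(fmt: str, *args) -> logging.LogRecord:
    """Build a LogRecord the way Logger.debug(fmt, *args) would."""
    return logging.LogRecord("auth", logging.DEBUG, "", 0, fmt, args, None)


def scan_line(line: str):
    """Findings for one already-written log line; empty list when it is clean."""
    findings = []
    for m in _SENSITIVE_RE.finditer(line):
        if m.group(3) != MASK:
            findings.append(f"cleartext {m.group(1).lower()}")
    if _JWT_RE.search(line):
        findings.append("jwt")
    return findings


def scan_log(lines):
    """(line number, finding) pairs across a whole log, for the T03 test plan."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample log of the login flow (not real data).
SAMPLE_LOG = [
    "2025-11-07T10:01:02Z INFO login ok user=alice ip=203.0.113.7",
    "2025-11-07T10:01:05Z DEBUG login attempt user=bob password=Hunter2! ip=203.0.113.9",
    '2025-11-07T10:01:09Z INFO mfa verify user=bob "otp": "482913" result=ok',
    "2025-11-07T10:02:00Z DEBUG upstream call Authorization: Bearer "
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib2IifQ.Q3VpcGtiIH0x",
    "2025-11-07T10:02:30Z INFO login ok user=carol password=*** ip=198.51.100.4",
]

if __name__ == "__main__":
    for n, finding in scan_log(SAMPLE_LOG):
        print(f"line {n}: {finding}")
    logger = logging.getLogger("auth")
    logger.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    logger.debug("login attempt user=%s password=%s", "bob", "Hunter2!")  # written as password=***
```

The scanner deliberately over-matches (any key named like a credential, any JWT-shaped token): a false positive costs a minute of review, a miss is the T03 incident. Note also that the filter only covers what this application logs; the "enforce log access controls" half of the mitigation still has to be applied to the log store itself.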
  30. Q4 Did we do a good job? (This is actually from another movie, where things could have also gone wrong)
  31. Checkpoints
     During the design phase (after Q3)
     > Ensure the final design aligns with the initial plan, or update the documentation
     > Validate with stakeholders that the final design meets functional expectations
     > Determine if iteration is needed and repeat the process
     Testing phase
     > Verify that all security controls have been implemented
     > Execute security tests and check for missed issues
     > Determine if iteration is needed and repeat the process
     After deployment
     > Re-run security tests and check for missed issues
     > Conduct a retrospective to document challenges, solutions, and lessons learned
     > Determine if iteration is needed and repeat the process
  33. Because it's not always fun when fiction becomes reality… let's work together to make sure we get our happy ending :)
  34. But… how can I start?
     Buy the winter coat in summer
     > Start with an existing production app that isn't changing soon.
     > Dedicate time between sprints and involve your team.
     Practice makes better
     > Learning by doing beats staying in theory too long.
     > Start small, create a habit; it'll pay off in the long run.
     Repeat & recycle
     > Threat modeling is a cycle; keep models updated.
     > Develop security patterns, reuse them, and save time.
     Sharing is caring
     > Join local cybersecurity communities, attend workshops and talks.
     > Share your experiences and learn from others.