
The Art Of Threat Modelling - Paul Spruce

BSides Exeter · 19:59 · 41 views · Published 2025-09

Transcript [en]

So a little bit about myself. I've worked about 20 plus years in the IT telco industry, predominantly engineering background, and I continually now promote stuff about secure by design, which I'm very passionate about. Outside work, I live in Eryri National Park, formerly known as Snowdonia. I had a monstrous drive to get down here today; it's about seven hours. While I'm here: I'm a proud military veteran, I'm an average ultra runner in my spare time, and I'm also the co-host of a podcast which celebrates military veterans. But today is not about me. Today is about moment.

So, a really, really high level of the agenda: we're going to talk about the what, the why, and the how. A really, really high level of how and, more importantly, how we can leverage our own operational data in enhancing threat modelling output. And because it can be quite a dull, boring subject, we're going to have a bit of fun along the way. But we all threat model, right? Yeah, okay. Just by show of hands, who has done threat modelling or heard the term threat model before? Brilliant. Okay, so we have some different variants of experience. So, some of you, okay, I will apologise now: this may be some information you already know, right? For others it's going to be a new topic which is going to enlighten your brain to go, actually, I want to go forward and I want to dram.

But what is threat modelling? So in its simplest form, threat modelling is about highlighting a threat against a thing and then putting stuff in place to stop that threat from happening. Right? And when I refer to a thing here, I mean like an asset. When I refer to an asset in our environment, in our profession, this could be anything from a device, an application, an environment, a network, an infrastructure. Okay, so that's what it is. You highlight your threat first, think about what could go wrong, and then apply a control or mitigation to stop that potential pattern. Why do we do it though? Okay, so apart from the obvious, it makes sense.

All right, think about it like insurance. Okay, stick with me. So throughout our lives, everyone in here has probably got car insurance at one point, home insurance, travel insurance, life insurance. Now, we get these not because we want to crash our car, not because we want our house to fall down or our holiday to get cancelled, or even to hurt ourselves, but we get these to ensure that we have the right things in place if those things were to happen. And that's kind of like what we're doing: putting the right things in place to stop it if those things were to happen. So how? This is where the art comes into it, right? So art in general could be anything from finger paintings during school, all right, right the way through to the all art, right? There's all different interpretations of it: from the pasta necklaces that you get from young folk coming home from nursery, which you have put on the fridge for years and years and years, all right, to seeing that amazing painting in L.

Now, today what I will say is I'm not going to discuss any framework. All right? I'm not going to go into any frameworks, any particular vendor sort of structure, and how, because there are plenty. And what I mean by plenty: there are loads, right, loads of different ones. You've probably heard them before. What I am going to show you and discuss is covering the three main focus points that all the different frameworks out there in life state. So these are the three. We identify the asset, we identify the threats, and then we provide mitigations.

So when we identify the asset, this is what we're looking at. This is where we define our scope. Okay, what we actually want to tackle, right? How far do we go? We don't want to end up down the rabbit hole having tea with the Mad Hatter and Alice in Wonderland, because that happens. All right, we break it out. What happens if this happens? What happens if this...? At this point, stage one is where you really clearly need to define what you need to look at. But this also includes: where am I at this point? Where are we? Where are the vulnerabilities, right? What controls do I already have in place? Right? Might be a good start. You start building a picture here. The second is identifying threats. Okay, I now know what I need to model. I now know the history behind it, exactly what we're going to do. What could go wrong? What inside? What spanner in the works could happen here? And if we can, what do I then need to put in place to stop that happening, or prevent that happening, or minimise the blur? So with that in mind we're going to carry out the next time.

So, using those stages of how (identify the assets, highlight the threats, provide mitigations), I've been thinking long and hard about this, about what do I do for five minutes, right? Do I do it on an application? Probably not. Do I do it on a new cloud infrastructure? No. What about entering a building, in five minutes? But there's been a thing that's been plaguing the world over for years, and that's what us as a collective today are trying to threat model. How does the chicken cross the road? So today we are going to threat model how Clucky here, and also notice here, okay, how we get her across the road. Now, it's an important fact that Clucky yearns to be across that road, right? She is stuck in an oppressive barnyard where she hates it, and through the fence she can see that glorious field of high grass and corn, and she yearns and yearns, and she actually deserves to be over there. And it's our job today, it's our mission today, to ensure that that happens, and we can do that by providing a threat model. Okay.

So, utilising those three things, asset, threats, and mitigations, we're now going to do that. So, we're going to identify the asset: Clucky. It's a chicken. Okay. We already know what we want to do. We want to get Clucky from one side of the road to the other. Okay. It's not bad. We know her mission is to get across to that lush green grass. Great. What's the weaknesses about Clucky then? Well, it might surprise you, but Clucky doesn't have any road sense. Doesn't read the Highway Code. Has no situational awareness. She's a chicken. All right? She can't fly, right? But have you ever seen the Rocky movie? She's pretty fast. All right. She can dart head down straight across the road. So we now understand the asset, right? We have a chicken, Clucky. Clucky, what's making it all agree? Cool. Then, thinking about it now, shout out what particular threats we may encounter getting Clucky across the road.

>> Foxes.

Yeah, someone say bomber. Anything else?

>> Cars.

Brilliant. Yes.

>> Yes. Way down.

So, we have the road itself. All right. Windy, bending road. It's in a dip, pothole. All right. We have cars. All right. Cars go up and down the road all the time. We have foxes. All right. They're going to be lying in wait. We also have environmental, facing the pothole, because if it rains, those water chickens are not the best. She hates rain. All right. Have you ever seen a chicken in the rain? They don't bloody move. They just sit there like that, because they don't like rain. So, we now know what we want to do. We now know the potential threats to that. So, I'm going to quickly flick up some mitigations we could put in place. So, we could put a crossing in. Hedgehogs have them. Why can't chickens have them? Right. So, that alleviates the whole thing. We could put barriers in place along the roadside to protect the chicken from just aimlessly wandering into the road. If the chicken is successful and gets across the road, Clucky's got some foxes over there. So, we're going to give Clucky a lightweight suit of armour. All right. Now, all you've got in your head: chicken, right? Lightweight suit of armour. Does she not like the rain? We're going to give her an umbrella as well, because what we don't want is she gets halfway across the road and it starts raining. Right. So, what we've done there really, really quickly is, right, we understood the asset, we highlighted the threats with mitigations agreed. Yeah. Not bad, is it? Great.

But how do we actually make that even better? How can we properly ensure that Clucky gets across the road safely? We do this by leveraging our operational data. So what do I mean by that? Who here works within security operations in some way, shape or form? Okay. Who here works in architecture or design in some way, shape or form? Okay. Do you guys actually talk to each other? All right. And this is why I mean this is fundamentally important: that operations and design security talk to each other. Right? And this is the thing that I'll be banging my drum on for as long as I can speak about it, right, is the fact that if you guys know in operations what's happening, and we can identify that in design, it makes sense to talk to each other, right? And this is about using, leveraging, operational data. But what data? Again, only three steps, make it really easy: threat intelligence, incident data, and threat actors of interest.

So what I mean by threat intelligence, right, is threat intelligence, the landscape in general. All right, let's go down a step and go, actually, it could be the threat landscape of the industry that you work in. Okay, you can even go down a step further, which is where I want you all to be, which is the intelligence specifically against your business. Okay, you could utilise that. Incident data. Now this is absolute golden, concrete evidence that the threat you highlighted has happened before. All right? So take away the stuff that you did from your post-incident reviews, your controls that you put in place or other teams did, right, utilise that for your mitigations. And then actors of interest. So if you have a list of threat actors that specifically either target your industry or your business, how can you align those to that threat model? And then if you get all three, all right, you have an absolute golden ticket. So you have intelligence that says that threat can happen. You have an actor that is consistently attacking you but also uses that, and it ties in with your intelligence, and you've got past incident data to say this has happened. All right, so we need to pin our back.

So with that in mind, how does it help? Well, it gives us real-time, dynamic updates. The use of intelligence gives us dynamic updates on our threat level. So if, once you've done a threat model, it happens and some new thing comes into play, you can use that intelligence to go, actually, we may need to revisit our threat model. It allows us to enhance our threat prioritisation. At the end of a threat model you can have 20, 30, 50 threats. Utilising these three key data sets can actually prioritise the threat. Not score it, but prioritise it. Actually, this threat down here takes all those green boxes exactly up here, and it allows you to allocate your defences, your resources, effectively. It gives us a bit of understanding of motivations and tactics. And again, this is where I talk about operations talking to design. Design can feed into threat hunting things. We then can say, "Actually, they wouldn't go around that way. They could go around this way." And you go, "Oh no, okay. They've now found X, Y, and Z." Okay, data-driven insights. We're actually using empirical data here. So, it's concrete evidence that things like this have happened before. This takes away that subjectivity, the finger-in-the-air job. It gives you an objective look on a threat and creates that amazing thing that we all need in security, which is that continuous feedback loop. Design talks to operations, operations talks to design, talking to risk, in the room. All right, that's how it helps.

So now, stage two: the how. We're going to add operational data. Threats: road, car, fox, weather. Does this operational data now (and I'm going to give you some operational data in a second), does this enhance the threat level? Does this expose any more vulnerabilities? But even better than that, does it challenge our original thinking around it? So, intel. What we know about this road is it's extremely busy in the morning: 9 till 12, absolutely rammed with cars. We know that on the opposite side of the field there's long grass cover. Brilliant. But the field is split into two. On the left-hand side, it's open, but we have that pesky little fox that sits there waiting in the left-hand side of the field. On the right-hand side of the field, it's fenced off. Okay, and it can't allow medium to large animals in. Little animals can get in, don't worry. And we know it's going to rain from about 9 onwards, the whole day, passing into the next day. Unfortunately, the last three chickens that attempted this journey were squashed by a car. The PIR from that was to put a bridge in place. Due to costs and restraints, the business decided not to put it in place. When they had got over, the foxes had a go as well. And the actors of interest, as we know, are the car or the fox.

So what does that now do? Having known that information, bearing in mind we know the threats, we know everything else, adding this information, what does that do for our mitigations? So it actually adds a little bit more. So now we know we have a clear window when we could potentially cross the road unscathed, so we're going to go walk in the afternoon. We're going to put barriers up; they're still in place. But cars: actually, we're going to put crossing signs up, all right, to slow these cars down. We're going to direct the chicken to the right-hand side of the field to ensure that she gets to where she needs to get to. Still going to give her the suit of armour, because why not? All right, we're going to put some reflective pads on, because when the weather comes in and it's foggy, cars can still see her. Still going to give her the umbrella. But you got across the field. Well done, everyone.

All right. So, in conclusion, okay, this has been a little bit of fun, granted, but this just shows that, one, you can literally threat model anything. Okay? Two, it's not as big and scary as you think. All right? Three, it's a team game. Thanks for your participation. Much appreciated. All right? And it's vital in what we do and what we actually need to do to secure our digital assets, whether that is an application, a device, an infrastructure, or whether that's helping Clucky get across the road. All right, we all here need to be on our game very much every single day in whatever we do. But we need to ensure that secure by design, and designing securely at the inception of the idea, starts with, amongst many things, threat modelling. And if you're not talking between your operational team and design team, please start doing it. You want to come and see me about how you can start and approach that, because operations guys are very stressful, design guys very dusty, bring out dark, you know. I can make that bridge happen. I can tell a little intricacy of how you can go and do that. And I've got 20 seconds left, which is amazing. Thank you for your time. Please connect with me on there. All right, come and see me today, come and say hello. By the way, I've been Paul and you guys have been excellent.
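The three-stage model and the three operational data sets from the talk, written out as a small Python example. This is an added illustration, not the speaker's material; the threat, intel, incident and actor records are constructed to match the Clucky scenario, and `enrich`, `prioritise` and `needs_revisit` are hypothetical helper names.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    mitigations: list
    evidence: dict = field(default_factory=dict)  # data set -> what it told us

# Stage one and two of the talk: the asset is Clucky; these are the threats and
# first-cut mitigations agreed in the room (constructed to match the talk).
MODEL = {
    "road":    Threat("road",    ["roadside barriers"]),
    "cars":    Threat("cars",    ["crossing", "roadside barriers"]),
    "foxes":   Threat("foxes",   ["lightweight armour"]),
    "weather": Threat("weather", ["umbrella"]),
}

# The three operational data sets the talk names, as constructed sample records.
INTEL = {
    "cars":    "rammed 09:00-12:00; the afternoon is the clear window",
    "foxes":   "fox waits on the left-hand side; right-hand side is fenced",
    "weather": "rain from 09:00 all day, fog later",
}
INCIDENTS = {
    "cars":  "last three chickens squashed; PIR asked for a bridge, not funded",
    "foxes": "foxes had a go at the ones that made it over",
}
ACTORS_OF_INTEREST = {"cars", "foxes"}

def enrich(model, intel, incidents, actors):
    """Attach each data set to the threat it speaks to, keeping the detail so a
    mitigation decision is traceable to evidence rather than a finger in the air."""
    for name, threat in model.items():
        if name in intel:
            threat.evidence["intel"] = intel[name]
        if name in incidents:
            threat.evidence["incident"] = incidents[name]
        if name in actors:
            threat.evidence["actor"] = "named actor of interest"
    return model

def prioritise(model):
    """Threat names ordered by how many independent data sets back them; all three
    is the talk's golden ticket. sorted() is stable, so ties keep the model's own
    order: this ranks the threats, it does not score them."""
    return [t.name for t in sorted(model.values(), key=lambda t: -len(t.evidence))]

def needs_revisit(model, new_intel):
    """Dynamic updates: which modelled threats new intelligence touches, plus
    anything it names that the model has not yet considered at all."""
    touched = [n for n in new_intel if n in model]
    unmodelled = [n for n in new_intel if n not in model]
    return touched, unmodelled
```

Running `enrich` then `prioritise` on the sample data puts cars and foxes (backed by all three sets) ahead of weather (intel only) and the road (no operational evidence yet).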