Threat Modeling Insider – March 2024

Threat Modeling Insider Newsletter

33rd Edition – March 2024

Welcome!

We’re back once again with another packed edition of our Threat Modeling Insider! This month’s edition features a whitepaper created by Adam Shostack, focussing on the threats that are inherent to a system. Our curated content features an article from Forbes on thinking like an attacker, and a Microsoft Azure article discussing the advancement of threat modeling for large distributed systems, focussing on enhancing system resiliency.

But that’s not all of course, let’s take a look at what else we have in store for this month’s edition:

Threat Modeling Insider edition

Welcome!

Threat Modeling Insider edition

We’re back once again with another packed edition of our Threat Modeling Insider! This month’s edition features a whitepaper created by Adam Shostack, focussing on the threats that are inherent to a system. Our curated content features an article from Forbes on thinking like an attacker, and a Microsoft Azure article discussing the advancement of threat modeling for large distributed systems, focussing on enhancing system resiliency.

But that’s not all of course, let’s take a look at what else we have in store for this month’s edition:

On this edition

Tips & tricks
Threat Modeling Hackathon is back!

Training update
An update on our upcoming training sessions.

WHITEPAPER

Inherent Threats - Clarifying a property of threats, are they inherent to the system?

In his brand-new whitepaper, “Inherent Threats“, Adam focuses on the threats that are inherent to a system. As he considers the things that can go wrong with a system and what to do about them, an important aspect of threats starts to emerge. Some threats are easily fixed, but others are not, leading to frustration and confusion. The same questions are being asked, but strangely different answers are being reached. 

To assist cybersecurity professionals in being specific about why they’re receiving these different answers, it’s crucial to understand whether threats are inherent to the system. For instance, a money-moving app could be misused to transfer funds to the wrong place, at the wrong time, or in the incorrect amount. Adam’s whitepaper illuminates why some threats are easy to address and why others are not, along with the strategies that can aid in tackling these complex mitigations. 

He delves deep into assessing threats across a spectrum and the tradeoffs inherent to defense, but for the moment, he concentrates on the inherent-essential relationship. When a threat is tied to the essence of a system, protective measures cannot be perfect or complete, leading to an increase in detective and responsive controls as a proportion of investments. 

Understanding these tradeoffs enhances threat modeling in two significant ways. First, it leads to more in-depth threat modeling as efforts are made to specify answers to “what are we going to do about it?” Second, it aids in considering inherent threats when scaling threat modeling across hundreds or thousands of systems, allowing for prioritization of what gets attention first.  We encourage checking out the complete whitepaper.

CURATED CONTENT

Handpicked for you

Toreon Blog: Threat Modeling Playbook - Part 3 Train your people to threat model

Thinking Like An Attacker - Another Look at Enterprise Security​

In a series of blogs, we unravel the complexities of executing a successful threat modeling strategy through our Threat Modeling Playbook. Part three focusses on identifying the relevant people, training them, and adopting the right mindset.

We talk about identifying the relevant stakeholders for threat modeling, focus on the creation of a threat model specialist role, highlight the importance of appropriate training to support threat modeling, and how to create and nurture a positive threat modeling culture in which threat modeling can flourish.

The Forbes Tech Council article underscores the significance of adopting an attacker’s mindset in enterprise security, emphasizing the role of threat modeling. This approach not only anticipates attack patterns but also employs threat modeling to structure defenses effectively. By understanding how attackers view systems, security professionals can prioritize threats strategically, leading to a proactive security stance that mitigates risks and enhances the overall security posture.

For more insights, you can read the full article on Forbes’ website.

Advancing Resiliency Threat Modeling for large distributed systems

The article from Microsoft Azure discusses the advancement of threat modeling for large distributed systems, focusing on enhancing system resiliency. It emphasizes the importance of understanding potential threats to such systems and the methodologies employed to predict and mitigate these threats.

The piece highlights Microsoft’s approach to threat modeling, which involves a comprehensive analysis of system vulnerabilities and the implementation of strategic defenses to protect against potential attacks, thereby ensuring the security and reliability of large-scale distributed systems.

Thinking Like An Attacker - Another Look at Enterprise Security​

The Forbes Tech Council article underscores the significance of adopting an attacker’s mindset in enterprise security, emphasizing the role of threat modeling. This approach not only anticipates attack patterns but also employs threat modeling to structure defenses effectively. By understanding how attackers view systems, security professionals can prioritize threats strategically, leading to a proactive security stance that mitigates risks and enhances the overall security posture.

For more insights, you can read the full article on Forbes’ website.

Advancing Resiliency Threat Modeling for large distributed systems​

The article from Microsoft Azure discusses the advancement of threat modeling for large distributed systems, focusing on enhancing system resiliency. It emphasizes the importance of understanding potential threats to such systems and the methodologies employed to predict and mitigate these threats.

The piece highlights Microsoft’s approach to threat modeling, which involves a comprehensive analysis of system vulnerabilities and the implementation of strategic defenses to protect against potential attacks, thereby ensuring the security and reliability of large-scale distributed systems.

TIPS & TRICKS

Threat Modeling Hackathon is back!

Threat Modeling Hackathon is Threat Modeling Connect’s premier hackathon launched in 2023 and quickly becomes one of the industry’s leading virtual hackathons focusing on threat modeling.

This three-week program offers you the opportunity to collaborate with a team of 4-5 threat modelers in your time zone (or the nearest one) to solve a secure software design challenge. With the guidance of mentors, such as our own Toreonites and Threat Modeling experts Steven Wierckx & George Bolssens, and engaging workshops, you’ll tackle the challenge through robust threat modeling exercises, identify potential security risks, and propose innovative solutions. 

Book your spot: ThreatModCon 2024

Upcoming trainings & events

Book a seat in our upcoming trainings & events

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat Asia, Singapore

Next training date:
16-17 April 2024

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by BruCON Spring training, Belgium

Next training dates:
17-18 April 2024

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on:
13 May 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat Asia, Singapore

Next training date:
16-17 April 2024

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by BruCON Spring training, Belgium

Next training dates:
17-18 April 2024

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on:
13 May 2024

Threat Modeling Insider Newsletter

Delivering the latest Threat Modeling articles and tips straight to your mailbox.

Start typing and press Enter to search

Shopping Cart