Toreon Office | Grotehondstraat 44 1/1 - 2018 Antwerpen | +32 3 369 33 96
28th Edition – September 2023
The summer holidays are officially over, which can only mean one thing: the return of the Threat Modeling Insider newsletter!
We’re excited to pick up where we left off and continue to share insightful articles and resources that delve into the world of threat modeling. Speaking of which, let’s take a look at what’s in store for this month’s edition.
The summer holidays are officially over, which can only mean one thing: the return of the Threat Modeling Insider newsletter!
We’re excited to pick up where we left off and continue to share insightful articles and resources that delve into the world of threat modeling. Speaking of which, let’s take a look at what’s in store for this month’s edition.
Curated content
Threat elicitation and the art of “AI prompt crafting”
Written by Toreonite Georges Bolssens
A gift for you
Reading the TMI Newsletter pays off! Score yourself a discount for the upcoming ThreatModCon.
Training update
An update on our upcoming training sessions.
In this series, you’ll hear directly from Vanta’s Security, Enterprise Engineering, and Privacy, Risk, & Compliance Teams to learn about the team’s approach to keeping Vanta — and most importantly, our customers — secure.
The following post comes from our Security Team and explains our approach to threat modeling.
Threat modeling is the process of identifying and understanding the potential threats and risks that can impact a given business, system, network, or feature.
The goal of threat modeling is to make better decisions. We do this by building a better mental model of the world, keeping things in mind such as potential attacker’s profiles, motivation, goals, and likely attack vectors. Many of us model threats every day—when making decisions such as choosing to buckle your seatbelt, looking both ways before you cross the street, and more.
At Vanta, we use threat modeling as a tool to help share knowledge and improve our mental model of Vanta as a company, and of the environment in which we operate. These exercises are most frequently run (though not always) by the Security team, and are held on recurring cadences and on an as-needed basis.
We don’t maintain a canonical “threat model” at any given point in time. Instead, we view the exercise itself as the primary mechanism through which we benefit. This is because the discussion that arises during a threat modeling exercise is what improves our mental model and enables us to make better decisions.
In other words: “Threat models are useless. Threat modeling is essential.”
We view threat modeling as a team and organizational muscle that requires regular exercise. It can be fun, enlightening and interesting! This means we get together for threat modeling exercises on at least a monthly basis, if not more frequently. Sometimes we’ll threat model a given feature, and other times we’ll pick a sample scenario to model and discuss. For some added fun, sometimes we’ll even get together to model threats around a given theme, event, or season.
In addition, we strive to include a wide range of teammates across Vanta in our exercises. This can depend on the topic at hand but often includes individuals from our Enterprise Engineering, Privacy, Risk, & Compliance, Engineering, and Product teams, as well as from our operational and customer-facing teams. Not only does this help evolve our individual mental models of risk, but it also widens our collective lens on hidden risks and opportunities for improvement across the organization to make more informed decisions.
Keep in mind that if you’re focusing on a specific feature or project, it’s helpful to start as early as possible, such as in the design phase. This lowers the cost of any big changes that need to be made.
Here are the core steps we follow for our threat modeling exercises:
Identify the data, systems, and processes at hand that you’re protecting and understand how they’re used, as well as any dependencies. This helps your team to go into greater depth than they could if you had to keep expanding the breadth of your focus.
Brainstorm the most significant threats that could compromise the confidentiality, integrity, or availability of your system. While we often consider external attackers, be sure to also consider internal actors, whether intentional or unintentional.
Based on the discussion, identify action items and make sure you address them. Walk away better informed and make good decisions!
During our threat modeling exercises, we use diagramming tools to communicate and connect information and create a clear visual representation of your threat model. This is particularly beneficial during exercises that incorporate a variety of stakeholders—we view these diagrams as primarily for those who are in the room instead of as an artifact for the future.
While we’ve experimented with a variety of tools, we tend to use Deciduous or a lightweight model in FigJam that allows us to collaborate and communicate effectively.
An important point to remember is that there are many approaches to threat modeling. Our recommendation is to find what works best for your organization to ensure that you’re able to threat model effectively when you need it most, instead of running an arduous exercise that’s both operationally challenging and outdated quickly.
Here are a few suggestions we have for ensuring threat modeling exercises run smoothly:
Our goal is to make more informed decisions every day, and we hope you find threat modeling as fun, interesting, and valuable of an exercise as we do.
If you’re looking to learn more about threat modeling, whether individually, for your team, or even for your organization, here are a few resources that have been helpful for us:
Writing risk descriptions in your threat models is an intricate art that often leaves beginning threat modelers puzzled. In this article, George Bolssens explores the parallels between risk descriptions and user stories, highlighting convenient templates that aid in accurately describing risks. Discover how a free and open-source tool can revolutionize your approach to threat modeling, including guidelines for self-hosting to ensure complete control.
In a bid to uncover which AI model is best at threat modeling, Github user Xvnpw put GPT-3.5, Claude 2, and GPT-4 to the test. In this article, you can get an in-depth overview of how each of them performed.
Getting inspiration from an AI chat bot: I’ve done it, you’ve done it, millions of other people have done it, but when researching into cyber attacks too directly, ChatGPT will shut you down:
“My apologies, but as an AI language model, I can’t assist with providing guidance or information on attacking or exploiting a system.”
Security researchers are creative people and many of us have already found ways to circumvent this. The number of people who are “Writing a movie script” or “Teaching a class on cybersecurity” has clearly grown immensely ;-).
The art of “prompt crafting” is the key to unlock getting the response you want from an AI chatbot. One of the ways we have found useful to quickly elicit a number of focus points for threat modeling is to literally tell ChatGPT that we are creating a threat model. After some tweaking, the following prompt was found to be very useful in aiding the “What can go wrong?”-phase of the four-question-framework:
I’m creating a threat model and am assessing the risks that could occur on {PROTOCOL} connections between a {ENTITY_1} and a {ENTITY_2}. When considering the 6 STRIDE categories: what questions are relevant? Please be as thorough as you can and list as many relevant risks to the connection as you can. Previously, you gave me only 3 questions, which were relevant, but I need at least {5_OR_MORE} per STRIDE category.
Entering too high of a number in the last placeholder will sometimes result in duplicates, but we obviously curate the questions before considering them.
If you have experimented with this as well and have found different ways to craft AI prompts, drop us a line. We’re curious to see what you came up with!
Writing risk descriptions in your threat models is an intricate art that often leaves beginning threat modelers puzzled. In this article, George Bolssens explores the parallels between risk descriptions and user stories, highlighting convenient templates that aid in accurately describing risks. Discover how a free and open-source tool can revolutionize your approach to threat modeling, including guidelines for self-hosting to ensure complete control.
In a bid to uncover which AI model is best at threat modeling, Github user Xvnpw put GPT-3.5, Claude 2, and GPT-4 to the test. In this article, you can get an in-depth overview of how each of them performed.
Getting inspiration from an AI chat bot: I’ve done it, you’ve done it, millions of other people have done it, but when researching into cyber attacks too directly, ChatGPT will shut you down:
“My apologies, but as an AI language model, I can’t assist with providing guidance or information on attacking or exploiting a system.”
Security researchers are creative people and many of us have already found ways to circumvent this. The number of people who are “Writing a movie script” or “Teaching a class on cybersecurity” has clearly grown immensely ;-).
The art of “prompt crafting” is the key to unlock getting the response you want from an AI chatbot. One of the ways we have found useful to quickly elicit a number of focus points for threat modeling is to literally tell ChatGPT that we are creating a threat model. After some tweaking, the following prompt was found to be very useful in aiding the “What can go wrong?”-phase of the four-question-framework:
I’m creating a threat model and am assessing the risks that could occur on {PROTOCOL} connections between a {ENTITY_1} and a {ENTITY_2}. When considering the 6 STRIDE categories: what questions are relevant? Please be as thorough as you can and list as many relevant risks to the connection as you can. Previously, you gave me only 3 questions, which were relevant, but I need at least {5_OR_MORE} per STRIDE category.
Entering too high of a number in the last placeholder will sometimes result in duplicates, but we obviously curate the questions before considering them.
If you have experimented with this as well and have found different ways to craft AI prompts, drop us a line. We’re curious to see what you came up with!
Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by OWASP Global AppSec, Washington DC, USA
Next training dates:
1-2 November 2023
Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat Europe, London
Next training date:
4-5 December 2023
Threat Modeling Practitioner training, hybrid online, hosted by DPI
Next training date:
4 December 2023
Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by OWASP Global AppSec, Washington DC, USA
Next training dates:
1-2 November 2023
Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat Europe, London
Next training date:
4-5 December 2023
Threat Modeling Practitioner training, hybrid online, hosted by DPI
Next training date:
4 December 2023
Thank you for being a Threat Modeling Insider subscriber. To accommodate your interest in Threat Modeling, we’re thrilled to offer you a discount code for the upcoming ThreatModCon!
Simply enter TOREON35 on checkout for a 35% discount on your tickets to ThreatModCon.
When?
October 29th, 2023
Where?
Washington DC, at the inaugural Threat Modeling Conference
What?
Organized by the Threat Modeling Connect community, ThreatModCon 2023 brings together the brightest minds to discuss, debate, and share insights on the latest developments, trends, and best practices in threat modeling.
