08-13, 12:15–12:45 (US/Pacific), Talks (Virtual)
The talk will mainly focus on different frameworks of Threat Modelling and how threat modelling can be more efficient. Learning from the past experiences and common mistakes which organizations make while doing threat modelling.
Detailed Outline will be as follows:
- What is Threat Modelling?
-
Why is Threat Modeling necessary?
3.Common Threat Modelling Frameworks:
All the mentioned frameworks will be explained in detail with actionable scenarios and how to measure violations and propose mitigations
STRIDE
PASTA
VAST
TRIKE -
How to plan Threat Modelling?
- What NOT to do when doing threat modelling?
- How to handle the results of threat modelling to not make it overwhelming to different stakeholders?
For eg:
In STRIDE, I'll give an overview and then walkthrough real life scenarios how
1. Explanantion of the framwork
2. Example:
2.1. Spoofing Identity refers to violation of authentication
Can be potrayed by misconfigured VPN configurations (in detail)
2.2 Tampering with data refers to Integrity
Having mutable logs and super admin having toxic right to change them (in detail)
2.3 Non Repudiation
Multiple users using same set of credentials causing non-repudiation and making logs useless because actions can't be backtracked to the user performing it (in details)
etc
I will give examples from actual threat modellings I have done but remove all the organisation related information and make them generic, then what scenarios look like in organisations.
Sarthak(S4T4N) is a Security Engineer passionate about everything InfoSec. He is always looking for new topics to learn. Suffering from Volunteeristis. You can always find him working with conferences behind the curtains. Right now, He is struggling to write 100 words about himself because he is habitual to writing 50 words bios.