{"id":3099,"date":"2022-06-19T22:11:41","date_gmt":"2022-06-19T20:11:41","guid":{"rendered":"https:\/\/archive.brucon.org\/2024\/?page_id=3099"},"modified":"2023-12-28T22:31:42","modified_gmt":"2023-12-28T20:31:42","slug":"agile-whiteboard-hacking-aka-hands-on-threat-modeling","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2024\/brucon-2024-training\/agile-whiteboard-hacking-aka-hands-on-threat-modeling\/","title":{"rendered":"Agile Whiteboard Hacking \u2013 aka Hands-on Threat Modeling"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]<\/p>\n<h2>Course Description<\/h2>\n<p><span style=\"font-weight: 400\">You will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&amp;CK, and we focus on embedding threat modeling in Agile and DevOps practices.\u00a0<\/span><span style=\"font-weight: 400\">We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The level of this training is Beginner\/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training).<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">As highly skilled professionals with years of experience under our belts, we&#8217;re intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\">Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:<\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Diagram techniques applied on a travel booking service\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat model a cloud-based update service for an IoT kiosk<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Create an attack tree against a nuclear research facility<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Create a SOC Risk Based Alerting system with MITRE ATT&amp;CK<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Mitigate threats in a payment service build with microservices and S3 buckets\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Apply data protection by design and default on a loyalty app<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Apply the OWASP Threat Modeling Playbook on agile development<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling the CI\/CD pipeline<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Battle for control over &#8220;Zwarte Wind&#8221;, an offshore wind turbine park<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">After each hands-on exercise, the results are discussed, and students receive a documented solution. All participants get our Threat Modeling Playbook to improve you threat modeling practice, and a one-year access to our online threat modeling learning platform.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants.<\/span>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>Course contents<\/h2>\n<h4><span style=\"font-weight: 400\">Threat modeling introduction<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling in a secure development lifecycle<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What is threat modeling?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Why perform threat modeling?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling stages<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Different threat modeling methodologies<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Document a threat model<\/span><\/li>\n<\/ul>\n<h4><span style=\"font-weight: 400\">Diagrams \u2013 what are you building?<\/span><\/h4>\n<ul>\n<li><span style=\"font-weight: 400\">Understanding context<\/span><\/li>\n<li><span style=\"font-weight: 400\">Doomsday scenarios<\/span><\/li>\n<li><span style=\"font-weight: 400\">Data flow diagrams<\/span><\/li>\n<li><span style=\"font-weight: 400\">Trust boundaries<\/span><\/li>\n<li><span style=\"font-weight: 400\">Sequence and state diagrams<\/span><\/li>\n<li><span style=\"font-weight: 400\">Advanced diagrams<\/span><\/li>\n<li><b>Hands-on: Diagram techniques applied on a travel booking service\u00a0<\/b><\/li>\n<\/ul>\n<h4><span style=\"font-weight: 400\">Identifying threats \u2013 what can go wrong?<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">STRIDE introduction<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">STRIDE threats<\/span><\/li>\n<\/ul>\n<p><b>Hands-on: Threat model a cloud-based update service for an IoT kiosk<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Attack trees<\/span><\/li>\n<\/ul>\n<p><b>Hands-on: Create an attack tree against a nuclear research facility<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Attack libraries<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">MITRE ATT&amp;CK<\/span><\/li>\n<\/ul>\n<p><b>Hands-on: Create a SOC Risk Based Alerting system with MITRE ATT&amp;CK<\/b><\/p>\n<p><span style=\"color: #451818;font-size: 24px;letter-spacing: 0.05em;text-transform: uppercase\">Addressing each threat<\/span><br \/>\n<b><\/b><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">How to address threats<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Mitigation patterns<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Value of standard mitigations<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Setting priorities through risk calculation<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Risk management<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat agents<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The mitigation process<\/span><\/li>\n<\/ul>\n<p><b>Hands-on: Mitigate threats in a payment service build with microservices and S3 buckets\u00a0<\/b><\/p>\n<h4><span style=\"font-weight: 400\">Threat modeling and compliance<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">How to marry threat modeling with compliance<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">GDPR and Privacy by design<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Privacy threats<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">LINDUNN and Mitigating privacy threats<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling medical devices\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling Industrial Control Systems (IEC 62443)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat Assessment and Remediation Analysis for automotive (TARA, SAE 21434)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Mapping threat modeling on compliance frameworks<\/span><\/li>\n<\/ul>\n<p><b>Hands-on: Apply data protection by design and default on a loyalty app<\/b><\/p>\n<h4><span style=\"font-weight: 400\">Advanced threat modeling<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Typical steps and variations<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Validation threat models<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Effective threat model workshops<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Communicating threat models<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Agile and DevOps threat modeling<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Improving your practice with the Threat Modeling Playbook<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Scaling up threat modeling<\/span><\/li>\n<\/ul>\n<p><b>Hands-on: Apply the OWASP Threat Modeling Playbook on agile development<\/b><\/p>\n<p><b>Hands-on: Threat modeling the CI\/CD pipeline<\/b><\/p>\n<h4><span style=\"font-weight: 400\">Threat modeling resources<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Open-Source tools<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Commercial tools<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">General tools<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling tools compared<\/span><\/li>\n<\/ul>\n<h4><span style=\"font-weight: 400\">Examination<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Hands-on examination<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Grading and certification<\/span><\/li>\n<\/ul>\n<p><b>Battle for control over &#8220;Zwarte Wind&#8221;, an offshore wind turbine park<\/b><\/p>\n<p><span style=\"font-weight: 400\">Red team versus Blue team battle for control over an offshore wind turbine park<\/span><\/p>\n<h4><span style=\"font-weight: 400\">Review session (online session after 1 month)<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Hand-in of your own threat model<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Individual feedback on your threat model<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Review session<\/span><\/li>\n<\/ul>\n<h4><span style=\"font-weight: 400\">the top 3 takeaways your students will learn:<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Cover the 4 main steps of creating and updating an effective threat model<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use threat modeling as part of the secure design of systems and to scope pen-testing more efficiently<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use threat modeling to learn, model and communicate with security and development teams and build bridges between them.<\/span><\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][vc_column][vc_column_text]<\/p>\n<h3><span style=\"font-weight: 400\">Why should people attend your course?<\/span><\/h3>\n<p><span style=\"font-weight: 400\">This whiteboard training starts where other threat modeling trainings stop. We embed over a decade of real-world experience with threat modeling in a training filled with hands-on exercises that are fun, while at the same time participants understand how to create effective threat models.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Who Should Take This Course:<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Toreon&#8217;s threat modeling training targets software developers, architects, product managers, incident responders, and security professionals. If creating or updating a threat model is essential to your line of work, then this course is for you.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Student Requirements<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Students should have a basic understanding of security concepts. Are you new to threat Modeling? Our\u00a0self-paced Threat Modeling Introduction training is a prerequisite and included\u00a0in this course.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">What Students Should Bring<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Bring your own tablet or laptop to get access to our learning platform with all the handouts and solutions.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">What Students Will Be Provided With<\/span><\/h3>\n<p><span style=\"font-weight: 400\">Your bonus training package includes:<\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Following a successful evaluation of your own threat model: Threat Modeling Expert certificate<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">One year of access to our threat modeling e-learning platform<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Presentation handouts<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Tailored use case worksheets<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Detailed use case solution descriptions<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat model documentation template<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Template for calculating identified threat risk severity<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling playbook<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">STRIDE mapped on compliance standards<\/span><\/li>\n<\/ul>\n<h4><span style=\"font-weight: 400\">We plan 9 hands-on exercises:<\/span><\/h4>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Diagram techniques applied on a travel booking service\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat model a cloud-based update service for an IoT kiosk<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Create an attack tree against a nuclear research facility<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Create a SOC Risk Based Alerting system with MITRE ATT&amp;CK<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Mitigate threats in a payment service build with microservices and S3 buckets\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Apply data protection by design and default on a loyalty app<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Apply the OWASP Threat Modeling Playbook on agile development<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Threat modeling the CI\/CD pipeline<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Battle for control over &#8220;Zwarte Wind&#8221;, an offshore wind turbine park<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">At least 60% of the training will be exercises.<\/span>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]<\/p>\n<h2>Trainers Biography<\/h2>\n<p><strong>Sebastien Deleersnyder<\/strong> <span style=\"font-weight: 400\">, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master&#8217;s degree in Software Engineering from the University of Ghent, and has extensive experience in the development and training of secure software. He is the founder of the Belgian chapter of OWASP and a former member of the OWASP Foundation Board. In 2022, Seba was honored as the Cyber Security Personality of the Year by the Cyber Security Coalition in Belgium, where he currently serves as the chair of the new AppSec focus group. Through his leadership on OWASP projects such as OWASP SAMM, Seba has made a significant impact in improving global security. He is currently focused on adapting application security models to the evolving landscape of DevOps and raising awareness of the importance of threat modeling among a wider audience.<\/span><\/p>\n<p>LinkedIn :\u00a0<a href=\"https:\/\/www.linkedin.com\/in\/sebadele\/\"><span style=\"font-weight: 400\">https:\/\/www.linkedin.com\/in\/sebadele\/<\/span><\/a><\/p>\n<p>Twitter:\u00a0<a href=\"https:\/\/twitter.com\/sebadele\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">https:\/\/twitter.com\/sebadele<\/span><\/a><span style=\"font-weight: 400\">\u00a0<\/span>[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243; css=&#8221;.vc_custom_1597411551164{padding-top: 50% !important;}&#8221;][vc_single_image image=&#8221;1400&#8243;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<style type=\"text\/css\">.thegem-button-6a2d860f22bef220 .gem-button svg {fill: #ffffff;}.thegem-button-6a2d860f22bef220 .gem-button:hover svg {fill: #ffffff;}<\/style><div class=\"gem-button-container gem-button-position-fullwidth thegem-button-6a2d860f22bef220    \"  ><a class=\"gem-button gem-button-size-giant gem-button-style-flat gem-button-text-weight-normal\" data-ll-effect=\"drop-right-without-wrap\" style=\"border-radius: 3px;background-color: #b43836;color: #ffffff;\" onmouseleave=\"this.style.backgroundColor='#b43836';this.style.color='#ffffff';\" onmouseenter=\"this.style.backgroundColor='#ef5047';this.style.color='#ffffff';\" href=\"https:\/\/brucon-0x10-spring-training.eventbrite.co.uk\" target=\"_self\">Buy training ticket<\/a><\/div> [\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_empty_space][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column][vc_column_text] Course Description You will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&amp;CK, and we focus on embedding threat modeling in Agile and DevOps practices.\u00a0We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park&#8230;.<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":75,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-3099","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/pages\/3099","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/comments?post=3099"}],"version-history":[{"count":10,"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/pages\/3099\/revisions"}],"predecessor-version":[{"id":3655,"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/pages\/3099\/revisions\/3655"}],"up":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/pages\/75"}],"wp:attachment":[{"href":"https:\/\/archive.brucon.org\/2024\/wp-json\/wp\/v2\/media?parent=3099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}