Description
Presenter: Nicole Schwartz
Slides: https://docs.google.com/presentation/d/1hZAVqMY8btQtpG0nc90WTolJ1AVVZoDsFluz4MMHfXY/edit#slide=id.g29a70c6c35_0_68
Alrighty, so this is very introductory level threat modeling. If you've ever done threat modeling before, you probably know all this.

So what exactly is it when I say threat modeling? Well, you're working, according to OWASP, to identify, communicate and understand threats when protecting something of value. And actually it came from 1999. There were some people at Microsoft who... the original form of threat modeling was called attack trees, which actually is still used today, and they wrote up, like, an internal blog post telling everybody, like, here's how we should look at the threats to our products, and kind of advance past, you know, just attack trees, and that actually became what's called the STRIDE methodology.

So, if you're into history, this is actually kind of a fun dive to see where it all came from. You can blame Microsoft, I guess. And actually, you probably threat model all the time. Do you go camping? Do you decide to, like, go outside and eat somewhere on a porch? Well, you probably look at the weather. You probably lock the doors when you leave the house.

Well, why do you look at the weather? You're trying to assess if you need to mitigate anything, like rain, by bringing an umbrella. Or why do you lock the doors? I mean, depending where you live, you're probably trying to discourage people from just wandering in and taking, maybe, your, you know, Nintendo Switch or giant TV. When you're posting images online, I know some people are much more cautious than others.

Do you worry about geotagging or the EXIF data that says where exactly you are? Do you actually make sure that the people in the picture consent to it? Are you, you know, posting a picture in front of the Eiffel Tower while you're away, or do you wait until you get back home?

Do you post a picture that has, like, your work badge that says where you work? Some people do, because their threat model says they don't care, and some people don't. By the way, never post a picture of your boarding pass until you're done flying, and even when you're done flying it's maybe not the best plan. There's a great blog online, just Google it!

That's been around forever, right? But now is much better than never. So even if you do have something that's already designed, if you're making some kind of change or addition, or even if you're just suddenly responsible for it, you can certainly still do a threat model. Unless you're going to decommission it, but just, yeah, don't bother. So why threat model? Poop happens.

It's... I think it's the nicest thing I can say about that. You can't fix something that you don't know about. You can't protect things that you don't know if you have. And why not design something a little bit safer or a little bit less likely to get abused? And criminals, script kiddies, pranksters, Shodan safari-goers and bounty hunters, which we do pay money to here, they have time and they have motivation, especially the bounty hunters. Like, we hand them money, so I mean, money is a motivator, right? Also notice I said criminals, not hackers.
You really could just doodle something on a piece of paper or a whiteboard; like, it doesn't actually have to be technically, logically perfect. Again, your goal is to say: where is the boundary of a system? Where does this container connect to another container? Where does this container connect to a user? Is it going through anything?

So, however you want to represent that. You can also scope it down as small as possible, so instead of becoming really overwhelmed, if you're just adding one part of an API, just start with your one new additional API call. Follow it up: what does that connect through? How does it authorize? What data points does it see? Start there. You can always keep adding to it later.

The next thing is classify everything. We actually have classifications based on color here at GitLab, so if you haven't read that, I have a link to it in the slides. And you should really take into account not just data but resources. Is there CPU that we allow users to use? Is there storage that we let people use? So for those of you who don't know, I used to work at Rackspace, and, you know, if you let people have a free account, and I'm sure AWS has this problem as well...

They might decide to store stolen movies, and, you know, it takes up a lot of space and it's really not giving you value and it's not kind of the intended use. So what is it that could be used or abused, data and resource wise? And then the next part is, what are the threats? And there's actually fun decks of cards that you can use for this. That's one of the threat modeling methodologies.

And once you kind of know where someone is vaguely, you can start pinning them down. Or if you get their email address, because they changed email addresses to hide from you, you can start sending them harassing emails again. So there's all different... people may go after individual users. They may go after you as a company. They may go after a company of users because there's something interesting in there.

So, finally, you have identified kind of who is trying to get at what, and you have a, you know, little diagram of where that all is. What ways can you put in mitigations? Can you limit calls?
So does everyone remember the Apple iPad gen 1? There was an API flaw where you could just iterate through numerically to get basically every Apple user's email address and phone number. That wasn't great. Limited... so can you put in a rate limit? Can you put in an authorization? Like, it doesn't have to be super fancy, protect against zero day. Sometimes it's just: how can we make sure that this is only usable in certain circumstances?

This is actually most common in mobile apps. Mobile apps usually don't authorize their APIs at all. They assume if it's coming from the mobile app, it obviously can be trusted. They obviously don't know about Burp Suite and proxies. And once you kind of say, I'm going to mitigate by doing this, have somebody on the team be the criminal or the antagonist and be like, well, okay, if you put in a firewall there, I'm going to try and spoof or whatever. And just: did you actually solve the problem?
So what are the frameworks out there? There's, like, over a dozen. I think the most commonly known are STRIDE, CVSS, I'm sure we're all familiar with that one. I personally like the hTMM, because that uses personas, and it says what are these personas going to go after, because you classify the targets, and how are they most likely, or what tools or methods are they gonna use? Microsoft has a bunch of stuff out there that came from STRIDE that you can look at.

There are, like, advanced versions of, or more complex versions of, and there's also a couple like VAST and Trike, who are not only a methodology but they're also a tool. So if you want to learn something that has its own built-in tool, that's a good place to start. And for everyone who hasn't seen this xkcd comic: 50 billion competing standards. I'm sure there's going to be more of these choices.

We could even invent our own if we wanted to. All right. So we had talked about tools. Here's, again, I said VAST and Trike were their own tools. So here's a bunch of tools, a lot of them are open source and free; there's also companies that will sell you them for boatloads of money. So do whatever you want to do. OWASP Threat Dragon will work for free on a GitHub repo.

All of my projects in GitHub are food based and beer based, so it wasn't able to come up with anything, but I tried. All right, so you picked some kind of formal method or not. You picked a tool, or you're just using pen and paper, because that's totally valid. You created a network diagram.
You now have tons of ideas on a whiteboard somewhere or notecards. That's great, but, like, does it... there are so many, it's kind of like looking at the vulnerability list when you run, you know, 50 billion DAST scans. It's early, it's important to start early, so you can decide which ones of these you want to go after. Did we waste our time by coming up with all of those?

If you don't know what the most likely risk is, CVSS, if you actually dig into some of them, will explain some of them. Also, the Verizon breach report and similar reports will tell you over the past year what the most common attacks on the internet are. So what's most common, what's most valuable, then you can do, like, a RICE or ROI. Start there. Don't try and eat the entire elephant.
What are we trying to do in this particular case? I'm going to say we're going to try and stay alive with the pet cat. What valuables do we have? Well, I have blood and skin and I want to keep them working. The threat: kitty claws and teeth. If you've ever had a kitten, you totally know how this goes. Mitigation:

I can trim the kitty's nails, right. I could put those little plastic cappies on the cat's nails. I could hide in another room and close the door from the cat. Did that fix it? Well, if I hide in the other room, I don't get to play with the cat, so that was kind of a dumb one, but during the ideation phase you kind of come up with everything. The other two could fix it.

That's challenge... so I think the easiest ROI: get the clippers, clip, glue, clip, cat's no longer going to kill you and remove all your blood. By the way, the doggy removed all my flesh, so cats, dogs, dangerous, you know, watch out. And then this is based on The Oatmeal. If you've never read The Oatmeal, he has a book called Your Cat Is Trying to Kill You. That's where the example came from.
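The API enumeration flaw and the two mitigations the talk names for it, a rate limit and an authorization check, written out as an added Python example. This is not the speaker's code or any Apple or GitLab code; the `USERS` records, the `RateLimiter` class and the `lookup_profile` handler are constructed for illustration, and the handler returns HTTP-style status codes so the outcome of each call can be inspected without a web framework.

```python
"""Added example (not from the talk): object-level authorization plus a
per-caller rate limit on a profile-lookup API. All data is constructed."""
import time
from collections import defaultdict, deque

# Constructed user records keyed by a sequential numeric id, the kind of id
# that can simply be counted through if nothing checks who is asking.
USERS = {
    1: {"email": "alice@example.test", "phone": "+1-555-0100"},
    2: {"email": "bob@example.test", "phone": "+1-555-0101"},
    3: {"email": "carol@example.test", "phone": "+1-555-0102"},
}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per caller.
    `clock` is injectable so behaviour can be checked without sleeping."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._calls = defaultdict(deque)  # caller -> timestamps of recent calls

    def allow(self, caller: str) -> bool:
        now = self.clock()
        recent = self._calls[caller]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def lookup_profile_unchecked(requested_id: int) -> dict:
    """The 'before' shape: any caller can read any id, so walking 1..N leaks every record."""
    return USERS[requested_id]


def lookup_profile(caller_id: int, requested_id: int, limiter: RateLimiter) -> dict:
    """Hardened handler: rate-limit first, then only serve the caller's own record."""
    if not limiter.allow(str(caller_id)):
        return {"status": 429, "error": "rate limit exceeded"}
    if caller_id != requested_id:
        # 404 rather than 403 so the response does not confirm that the id exists.
        return {"status": 404, "error": "not found"}
    record = USERS.get(requested_id)
    if record is None:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "profile": record}


def simulate_enumeration(caller_id: int, id_range: range, limiter: RateLimiter) -> dict:
    """Count, by status code, what one caller walking `id_range` gets back from the
    hardened handler. Used here to show the two controls doing their job."""
    counts = defaultdict(int)
    for rid in id_range:
        counts[lookup_profile(caller_id, rid, limiter)["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    limiter = RateLimiter(limit=5, window=60)
    print(lookup_profile(2, 2, limiter))  # caller reads their own record
    print(lookup_profile(2, 1, limiter))  # someone else's record is refused
    print(simulate_enumeration(2, range(1, 101), RateLimiter(limit=5, window=60)))
```

With a limit of five calls per minute, a caller walking ids 1 to 100 gets exactly one record (their own), four "not found" answers, and ninety-five rate-limit refusals; the unchecked handler would have handed over all three records. The limiter and the ownership check are independent, which is the "have someone play the antagonist" point from the talk: a proxy that rewrites the request does not help the caller here, because the check is on who is asking, not where the request came from.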