Amateur Security Archaeologists, trying not to break things.
If you’ve known me for a while, you know I love talking about MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). I probably have an unhealthy addiction to discussing it, but I do think it is helpful to understand why it is both cool and has limits. So let’s discuss!
Continue reading
If you are landing here after reading earlier posts, you might be thinking “this is great, but what I REALLY need is to avoid being the next <insert bad breach company here>. Well, our friends at OWASP (Open Web Application Security Project) are an organization that focuses on improving the security of software. Like any good David Letterman fan, they are famous for their Top 10 list of web application threats, and have followed that up with an API version! Threat modeling for software applications are essential not only to the end customers, but with the sheer complexity of today’s typical environments, the legal ramifications of a breach or attack can spell disaster for the hosting company, the software vendor, business partners, ecosystem partners, and the end users alike. It should be no surprise then that OWASP has its own approach to application threat modeling.
Continue readingTo be clear, I don’t want you to raze the Amazon Rainforest here. What I am referring to for this blog post is another visualization technique. Where as DFDs focused on understanding the flow of information through your systems, Attack Trees are another graphical representation to uncover how an attacker might exploit weaknesses in a system to achieve specific malicious objectives.
We’ve talked about Microsoft’s view of threat modeling, but this next one might appeal to folks with a background in software that doesn’t crash – sorry, I jest, i jest! (or do I?) Well in this useful method, we’re all about understanding the flow of data across our systems. We’re talking Data Flow Diagrams (DFDs) used in software engineering and systems analysis.
Continue reading
As you can see in the previous post, the “know yourself” side of the Threat Modeling process is extensive and covers all but one of the steps. While some may be tempted to deal only in knowing the adversary, you must grasp on your organization’s own policies, capabilities, and design to model most effectively. These efforts also feed related activities, such as project planning and roadmap development, business strategy, risk management, and procurement & staffing. Several externally focused frameworks and methodologies map adversary behaviors and their impacts to the environment and should be selected to compliment the skills and capabilities of your organization. Each offers different areas of focus, fidelity, and processes that can be adapted to your organization’s needs.
Continue reading
Mike© 2024 Raiders of the Lost ARP
Theme by Anders Noren — Up ↑
