A lot of talk about threat modeling lately. Let me give you some idea of why I hate it and think threat modeling is bullshit. I'll also tell you what I think is better. I'm going to use $BIGCO as my example. Here's a long thread. #infosec #blueteam #malware #skincare
First, you constantly hear the snarky refrain "my threat model is not your threat model" from people trying to sound important. They don't have a "threat model". They have a superiority complex in their head about potential "threats". It's silly. Show me your threat model.
Oh, you don't actually have it written down and it's not based on data, but based on just general things you're worried about? All in your head? Sounds like your idea of a "threat model" and mine really are pretty different.
For starters, a threat model is written down and reviewed by subject matter experts. But we don't even have that as an agreed upon standard in this industry. You know this by the number of people who say "my threat model" and obviously just have vague notions, not docs.
Let's now talk $BIGCO. Me and their CISO Chet are old buddies. We've had a lot of steak dinners together. For the record he has never said anything inappropriate to me and does not exist.
Chet calls me up.
Chet: Sherrod, it's Chet! I need to build a threat model for my board cause I am the CISO! But I don't wanna do it, do it for me and make it show we should spend mega bucks on APT threat stuff. Spies and Russians and all that are after us, right!?
Sherrod: Hey Chet, miss you, bud. Listen, we have the actual data on the number of APT campaigns you've received in the past 12 months. We have sent you intel briefs on them, briefed your global sec leads and broken them down by actor attribution.
Chet: I dunno, I must've been on the golf course. So we can use this data for a threat model?
Sherrod: Well, it's less of a "model" and more of a real world data picture of actual attacks you have been targeted with, so it's better.
Chet: Well, the whole goal is to get my board to give me big bucks to spend on security and get more vendor swag.
Sherrod: Ok, dude. I can show who in your org was targeted by APT and what departments have been attacked most.
Chet: Great, love you, babe. Can you also make it say we are gonna get ransomware? They love that! They open their wallets for it!
Me: Uhh, well, we can look at the actual initial access payloads you've been targeted with. I have the numbers. Those lead to ransomware a lot.
Chet: Yeah! Do it!
Me: I can also show you the names of the people in your org that are targeted the most. Then you can tell the board you need to spend more money on protecting those specific people. It's more intelligent resource allocation and spend.
Chet: I love it!
Me: So let me just get all the reports I've already sent you and put them together in a nice package you can show to your board with real data of the attacks for past 12 months, combined with employees targeted, actor attrib data, and the payloads.
Chet: This is why you are a badass, Sherrod! Make it happen and then take me out for dinner soon!
Me: Yeah, you got it. I'll also send the dinner invite to your SOC lead and IR team. You love me but they actually get me.
Chet: Love those hacker types! Yeah!
Using actual threat data to present a threat profile or summary is a much better path than a "model". Threat models are undefined and not an agreed upon standard in the industry. Showing the real data is much more actionable and valuable.
The entire point of these exercises is to create smart resource allocation. Where to put dollars, time, people, energy when securing the organization. It's intended as decision-making data. For Chet and his security team to make good decisions (Chet usually makes 🤷 decisions).
An exception is a situation where someone like @gepeto42 is building from the ground up and cannot use real org data. This requires pulling from other non-primary sources and does need a model or estimates.
This thread isn't comprehensive, it's twitter.
Thanks to @chetdorn