Sherrod DeGrippo 📬
Aug 26 • 16 tweets • 4 min read
A lot of talk about threat modeling lately. Let me give you some idea of why I hate it and think threat modeling is bullshit. I'll also tell you what I think is better. I'm going to use $BIGCO as my example. Here's a long thread.
#infosec #blueteam #malware #skincare
🔜🧵
First, you constantly hear the snarky refrain "my threat model is not your threat model" from people trying to sound important. They don't have a "threat model". They have a superiority complex in their head about potential "threats" 🙄 It's silly. Show me your threat model. 🔜🧵
Oh, you don't actually have it written down and it's not based on data, but based on just general things you're worried about? All in your head? 🆗🆒 Sounds like your idea of a "threat model" and mine really are pretty different.
🔜🧵
For starters, a threat model is written down and reviewed by subject matter experts. But we don't even have that as an agreed upon standard in this industry. You know this by the number of people who say "my threat model" and obviously just have vague notions, not docs 🔜🧵
Let's now talk $BIGCO. Their CISO Chet and I are old buddies. We've had a lot of steak dinners together. For the record he has never said anything inappropriate to me and does not exist. 🔜🧵
Chet calls me up ☎️
Chet: Sherrod, it's Chet! I need to build a threat model for my board cause I am the CISO! But I don't wanna do it, do it for me and make it show we should spend mega bucks on APT threat stuff. Spies and Russians and all that are after us, right!?
🔜🧵
Sherrod: Hey Chet, miss you, bud. Listen, we have the actual data on the number of APT campaigns you've received in the past 12 months. We have sent you intel briefs on them, briefed your global sec leads and broken them down by actor attribution. 🔜🧵
Chet: I dunno, I must've been on the golf course. 🍹So we can use this data for a threat model?
Sherrod: Well, it's less of a "model" and more of a real world data picture of actual attacks you have been targeted with, so it's better. 🔜🧵
Chet: Well, the whole goal is to get my board to give me big bucks to spend on security and get more vendor swag.
Sherrod: Ok, dude. I can show who in your org was targeted by APT and what departments have been attacked most 🔜🧵
Chet: Great, love you, babe. Can you also make it say we are gonna get ransomware? They love that! They open their wallets for it!
Me: Uhh, well, we can look at the actual initial access payloads you've been targeted with. I have the numbers. Those lead to ransomware a lot. 🔜🧵
Chet: Yeah! Do it!
Me: I can also show you the names of the people in your org that are targeted the most. Then you can tell the board you need to spend more money on protecting those specific people. It's more intelligent resource allocation and spend. 🔜🧵
Chet: I love it!
Me: So let me just get all the reports I've already sent you 🙄 and put them together in a nice package you can show to your board with real data of the attacks for past 12 months, combined with employees targeted, actor attrib data, and the payloads.
🔜🧵
Chet: This is why you are a badass, Sherrod! Make it happen and then take me out for dinner soon! 🥃
Me: Yeah, you got it. I'll also send the dinner invite to your SOC lead and IR team. You love me but they actually get me.
Chet: Love those hacker types! Yeah!
Me: 😐
🔜🧵
Using actual threat data to present a threat profile or summary is a much better path than a "model". Threat models are undefined and not an agreed upon standard in the industry. Showing the real data is much more actionable and valuable.
🔜🧵
The entire point of these exercises is to create smart resource allocation. Where to put dollars, time, people, energy when securing the organization. It's intended as decision-making data. For Chet and his security team to make good decisions (Chet usually makes 🏌🏻‍♂️ decisions)
🔜🧵
An exception is a situation where someone like @gepeto42 is building from the ground up and cannot use real org data. This requires pulling from other non-primary sources and does need a model or estimates.
This thread isn't comprehensive, it's twitter.
Thanks to @chetdorn 🧵🔚