Difference between revisions of "Threat Modeling Workshop"

From Hackerspace.gr
(Created page with "{{Event |logo=Lock.png |what=Threat Modeling Workshop |tagline=Threat Modeling Assessment and Risk Analysis Workshop |eventowner=S |who=S |url= |from=2018/04/11 07:00:00 PM |...")
 
 
Line 24: Line 24:
  
 
We are going to do a series of exercises in creating Threat Models working as a team at first and then in pairs.
 
We are going to do a series of exercises in creating Threat Models working as a team at first and then in pairs.
 +
 +
Presentation: https://cryptpad.fr/slide/#/1/view/5+2BFrnLlfCzSJ-u+GF-Yg/up4wWgV0LqXtB7Jqv+aOHNlsjYwCSS5okFUyFX--9L0/present/
  
 
A preliminary boilerplate for the exercises is published below.
 
A preliminary boilerplate for the exercises is published below.

Latest revision as of 21:16, 10 April 2018

Starts: Wed 11 Apr 2018 19:00
Ends: Wed 11 Apr 2018 22:00
Organizer: S
Event Owner: S

Threat Modeling Assessment and Risk Analysis Workshop



Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:

1. What do I want to protect?

2. Who do I want to protect it from?

3. How bad are the consequences if I fail?

4. How likely is it that I will need to protect it?

5. How much trouble am I willing to go through to try to prevent potential consequences?

We are going to do a series of exercises in creating Threat Models working as a team at first and then in pairs.

Presentation: https://cryptpad.fr/slide/#/1/view/5+2BFrnLlfCzSJ-u+GF-Yg/up4wWgV0LqXtB7Jqv+aOHNlsjYwCSS5okFUyFX--9L0/present/

A preliminary boilerplate for the exercises is published below.

Threat Modeling Assessment and Risk analysis

Create a Threat Model that covers Batman's risks

Threat Modeling Assessment

Based on https://ssd.eff.org/en/module/assessing-your-risks

1. Define Assets (any piece of data or a device that needs to be protected)

     1. Ast1
     2. Ast2
     3. Ast3

2. Define Adversaries

      * Adv1
      * Adv2
      * Adv3
      Define their Capabilities (Threats)
          * Adv1
               * Adv1 Thr1
               * Adv1 Thr2
               * Adv1 Thr3
          * Adv2
               * Adv2 Thr1
          * Adv3
               * Adv3 Thr1

3. Define consequences (severity) of failure

     1. Ast1 Svrt = 50%
     2. Ast2 Svrt = 50%
     3. Ast3 Svrt = 50%

4. Define likelihood of threat occurrence (Risk)

  * Ast1
       * Ast1 Adv1 Thr1 = 50%
       * Ast1 Adv1 Thr2 = 50%
       * Ast1 Adv1 Thr3 = 50%
       * Ast1 Adv2 Thr1 = 50%
       * Ast1 Adv3 Thr2 = 50%
  * Ast2
       * Ast2 Adv1 Thr1 = 50%
       * Ast2 Adv1 Thr2 = 50%
       * Ast2 Adv1 Thr3 = 50%
       * Ast2 Adv2 Thr1 = 50%
       * Ast2 Adv3 Thr2 = 50%
  * Ast3
       * Ast3 Adv1 Thr1 = 50%
       * Ast3 Adv1 Thr2 = 50%
       * Ast3 Adv1 Thr3 = 50%
       * Ast3 Adv2 Thr1 = 50%
       * Ast3 Adv3 Thr2 = 50%

5. Define available resources

     * Res1 = 50%
     * Res2 = 50%
     * Res3 = 50%
     * ResAll = sum(Res*) / ResN

Risk Analysis (Optional for Workshop)

Estimate the chance that threats might succeed (Risk analysis)

     Ast1
          Ast1 Adv1 Thr1 * ResAll * Ast1 Svrt = 12.5%
          Ast1 Adv1 Thr2 * ResAll * Ast1 Svrt = 12.5%
          Ast1 Adv1 Thr3 * ResAll * Ast1 Svrt = 12.5%
          Ast1 Adv2 Thr1 * ResAll * Ast1 Svrt = 12.5%
          Ast1 Adv3 Thr2 * ResAll * Ast1 Svrt = 12.5%
     Ast2
          Ast2 Adv1 Thr1 * ResAll * Ast2 Svrt = 12.5%
          Ast2 Adv1 Thr2 * ResAll * Ast2 Svrt = 12.5%
          Ast2 Adv1 Thr3 * ResAll * Ast2 Svrt = 12.5%
          Ast2 Adv2 Thr1 * ResAll * Ast2 Svrt = 12.5%
          Ast2 Adv3 Thr2 * ResAll * Ast2 Svrt = 12.5%
     Ast3
          Ast3 Adv1 Thr1 * ResAll * Ast3 Svrt = 12.5%
          Ast3 Adv1 Thr2 * ResAll * Ast3 Svrt = 12.5%
          Ast3 Adv1 Thr3 * ResAll * Ast3 Svrt = 12.5%
          Ast3 Adv2 Thr1 * ResAll * Ast3 Svrt = 12.5%
          Ast3 Adv3 Thr2 * ResAll * Ast3 Svrt = 12.5%

Results

Divide ResAll by the sum of the results from the Risk analysis (possible use of thresholds). Multiply the result by each entry in the Risk analysis. Sort the output. The result is the resource allocation in order of priority.
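The Risk Analysis and Results steps above, worked through in Python as an added example that is not part of the original workshop page. The asset, adversary and threat names and all percentages are constructed sample values, and the `threshold` parameter is one assumed reading of "possible use of thresholds".

```python
from statistics import mean

# Constructed sample worksheet values (not from the workshop page).
SEVERITY = {"laptop": 0.8, "contacts": 0.5}   # step 3, per asset
RESOURCES = [0.6, 0.4, 0.5]                   # step 5, Res1..Res3
LIKELIHOOD = {                                # step 4, per (asset, adversary, threat)
    ("laptop", "thief", "device theft"): 0.3,
    ("laptop", "border agent", "device seizure"): 0.1,
    ("contacts", "phisher", "account takeover"): 0.6,
    ("contacts", "thief", "device theft"): 0.05,
}


def risk_scores(likelihood, severity, resources):
    """Risk analysis: likelihood * ResAll * severity for every entry."""
    res_all = mean(resources)  # ResAll = sum(Res*) / ResN
    scores = {k: p * res_all * severity[k[0]] for k, p in likelihood.items()}
    return res_all, scores


def allocate(likelihood, severity, resources, threshold=0.0):
    """Results: share ResAll across entries in proportion to their risk score.

    `threshold` is a hypothetical reading of "possible use of thresholds":
    entries scoring below it receive no allocation.
    """
    res_all, scores = risk_scores(likelihood, severity, resources)
    kept = {k: s for k, s in scores.items() if s >= threshold and s > 0}
    total = sum(kept.values())
    if total == 0:  # no entry carries any risk: avoid dividing by zero
        return []
    factor = res_all / total  # "Divide ResAll by the sum of the results"
    ranked = [(k, s * factor) for k, s in kept.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for (asset, adversary, threat), share in allocate(
        LIKELIHOOD, SEVERITY, RESOURCES, threshold=0.02
    ):
        print(f"{share:6.1%}  {asset}: {adversary} / {threat}")
```

The allocated shares always sum to ResAll, so raising the threshold concentrates the same budget on fewer, higher-risk entries.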