Learning threat modelling
Hi everyone, I just landed on this site looking for resources about threat modelling.
I have been in the industry for a few years working as a pen tester, and a few months ago I changed roles. My new role is in red teaming and my boss is obsessed with threat modelling.
I am hoping you can help me with two questions I have. I do not have a software dev background; is this really important for threat modelling, and why is my boss so into TM? The second question is about where or what resources I can use for threat modelling. Most of the resources I find on the internet are related to software and not intrusions, which is what I do in my current role.
Please, can someone help me here?
I will try to answer your questions in the same order.
1. You do not need a software dev background for threat modelling, but it helps, for example if you are modelling threats to an internet-exposed application in contrast to a corporate intrusion. Keep in mind that a corporate intrusion may also include the exploitation of internally exposed applications in the inner network, so it may help. Why is your boss so obsessed with threat modelling? Have you asked him?
2. There are many resources available for threat modelling. Have a look at the following for resources.
https://github.com › hysnsec › awes...
hysnsec/awesome-threat-modelling - GitHub
I suspect your boss is interested in showing customers the threat model and TTPs used in your intrusion emulation, assuming, as you said, that you work as a red teamer. Based on my experience, customers many times are not able to understand how you managed to get them compromised. Many of them are still looking at vulnerabilities in systems but do not understand the full intrusion cycle and where the gaps are beyond the vulnerable system. As you know, an intrusion always involves much more than a vulnerability.
The sort of threat modelling I recommend to you is operational threat modelling; if you look on Google you can find specific resources such as the kill chain concept and Mitre ATT&CK.
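As an added illustration of the "full intrusion cycle" point in the reply above (this is example code written for this thread, not from the poster or from any project), the script below models a constructed red-team intrusion as a chain of MITRE ATT&CK techniques, maps each tactic onto a Lockheed Martin kill chain phase, and compares the chain with what the customer's SOC actually detected. The intrusion steps, host names and detection flags are made up for the example; the tactic-to-phase mapping is an approximation chosen here, since ATT&CK does not define one.

```python
"""Operational threat model of a red-team intrusion chain (added example).

The chain, hosts and detection flags below are constructed for illustration.
Technique and tactic IDs are real MITRE ATT&CK Enterprise identifiers.
"""
from dataclasses import dataclass

# Kill chain phase for each ATT&CK tactic. Approximate mapping assumed for
# this example: every tactic not listed is treated as "Actions on Objectives".
KILL_CHAIN_PHASE = {
    "TA0043": "Reconnaissance",
    "TA0042": "Weaponization",
    "TA0001": "Delivery",
    "TA0002": "Exploitation",
    "TA0003": "Installation",
    "TA0011": "Command and Control",
}
ACTIONS_ON_OBJECTIVES = "Actions on Objectives"


@dataclass(frozen=True)
class Step:
    order: int        # position in the intrusion chain
    tactic: str       # ATT&CK tactic ID
    technique: str    # ATT&CK technique ID
    name: str
    asset: str        # host the step ran on (constructed name)
    detected: bool    # did the customer's SOC raise an alert for it?


# Constructed intrusion: the only thing the SOC saw was the SMB lateral move.
INTRUSION = [
    Step(1, "TA0001", "T1566.001", "Spearphishing Attachment", "workstation-17", False),
    Step(2, "TA0002", "T1204.002", "User Execution: Malicious File", "workstation-17", False),
    Step(3, "TA0011", "T1071.001", "Web Protocols (C2)", "workstation-17", False),
    Step(4, "TA0006", "T1003.001", "LSASS Memory", "workstation-17", False),
    Step(5, "TA0007", "T1087.002", "Domain Account (discovery)", "workstation-17", False),
    Step(6, "TA0008", "T1021.002", "SMB/Windows Admin Shares", "fileserver-01", True),
    Step(7, "TA0004", "T1078.002", "Valid Accounts: Domain Accounts", "dc-01", False),
    Step(8, "TA0010", "T1041", "Exfiltration Over C2 Channel", "fileserver-01", False),
]


def kill_chain_phase(tactic: str) -> str:
    return KILL_CHAIN_PHASE.get(tactic, ACTIONS_ON_OBJECTIVES)


def tactic_coverage(steps):
    """Per tactic (in chain order): was at least one technique in it detected?"""
    coverage = {}
    for s in sorted(steps, key=lambda s: s.order):
        coverage[s.tactic] = coverage.get(s.tactic, False) or s.detected
    return coverage


def undetected_tactics(steps):
    return [t for t, seen in tactic_coverage(steps).items() if not seen]


def blind_phases(steps):
    """Kill chain phases the defender never saw anything in, in chain order."""
    seen = {}
    for s in sorted(steps, key=lambda s: s.order):
        phase = kill_chain_phase(s.tactic)
        seen[phase] = seen.get(phase, False) or s.detected
    return [p for p, d in seen.items() if not d]


def first_detection(steps):
    """Order of the first detected step, or None if the chain ran undetected."""
    for s in sorted(steps, key=lambda s: s.order):
        if s.detected:
            return s.order
    return None


def assets_with_no_detection(steps):
    """Hosts the red team touched without ever producing an alert."""
    alerted = {s.asset for s in steps if s.detected}
    return sorted({s.asset for s in steps} - alerted)


def report(steps) -> str:
    lines = ["step  tactic  technique  phase                  detected  asset"]
    for s in sorted(steps, key=lambda s: s.order):
        lines.append(f"{s.order:<5} {s.tactic}  {s.technique:<10} "
                     f"{kill_chain_phase(s.tactic):<22} {str(s.detected):<8}  {s.asset}")
    lines.append(f"first detection at step: {first_detection(steps)}")
    lines.append(f"tactics with no detection: {', '.join(undetected_tactics(steps))}")
    lines.append(f"kill chain phases with no detection: {', '.join(blind_phases(steps))}")
    lines.append(f"hosts with no detection: {', '.join(assets_with_no_detection(steps))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INTRUSION))
```

The output makes the reply's argument concrete for a customer: the phished workstation is the "vulnerable system", but the chain ran through five undetected steps before the first alert, and exfiltration from the file server was never seen at all. Each undetected tactic and blind kill chain phase is a gap to put on the report alongside the initial vulnerability.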
Do you need software dev experience? No, if it's operational threat modelling, and yes if it is application design.
The Cyber Security Agency of Singapore recently released a guide to cyber threat modelling that aligns very well with your role and your request.
STRIDE-LM and Mitre ATT&CK 😉
Somehow the link above does not seem to work.
I attached a copy to this message.