Full Report
Dominic is currently in the air somewhere over the Atlantic, returning from a long trip that included BlackHat, DefCon and lastly Metricon6, where he spoke on a threat model approach that he has picked up and fleshed out. He has promised a full(er) write-up on his glorious return; in the meantime, his slides are below. An updated copy of the CTM tool is on the CTM page, as is the demonstration dashboard (a nifty spreadsheet-from-the-deep that interactively provides various views on your threat model).
Analysis Summary
Based on the context provided, the article is primarily an announcement about Dominic's presentation on a fleshed-out **Threat Model Approach** at Metricon6, and points to the availability of his **CTM tool** and a **demonstration dashboard**.
Since the actual content of the threat modeling slides or detailed write-up is not present, the recommendations must focus on the *practice* of threat modeling itself, leveraging the existence of the mentioned tools as foundational elements for implementation.
# Best Practices: Adopting a Corporate Threat Modeling Program
## Overview
These practices focus on the strategic and tactical implementation of a structured Threat Modeling program, as implied by the announcement of a dedicated "Threat Model Approach" and associated tooling (CTM). The goal is to proactively identify, analyze, and mitigate security risks within systems and applications throughout the development lifecycle.
## Key Recommendations
### Immediate Actions
1. **Acquire and Review Core Documentation:** Download the available presentation slides (if accessible via the provided link structure) to understand the specific framework Dominic presented. *(Note: Assume the presentation is the primary guidance available right now.)*
2. **Locate and Download Tooling:** Immediately download the **updated CTM tool** from the specified CTM page link to familiarize the team with the organization's proprietary or recommended modeling utility.
3. **Evaluate Demonstration Output:** Review the **demonstration dashboard** (spreadsheet) to understand how the threat model outputs are intended to be visualized, prioritized, and consumed by stakeholders.
### Short-term Improvements (1-3 months)
1. **Pilot Threat Model Implementation:** Select one critical or newly developing application/service and perform a complete threat model exercise using the CTM tool, following the principles outlined in the presentation.
2. **Establish Modeling Cadence:** Define when threat modeling activities must occur (e.g., before design sign-off, after significant architectural changes) and integrate this requirement into the Software Development Life Cycle (SDLC).
3. **Stakeholder Training:** Conduct initial workshops for development leads and architects on the *specific* threat modeling *approach* presented (e.g., data flow diagramming, decomposition, threat identification methodology).
### Long-term Strategy (3+ months)
1. **Full Program Integration:** Mandate threat modeling as a required security gate for all Tier 1 and Tier 2 systems before production deployment.
2. **Tool Standardization:** Fully integrate the CTM tool (or integrate findings from the CTM process) into existing risk management systems for tracking remediation efforts over time.
3. **Metrics Development:** Develop metrics based on the dashboard output to track Mean Time To Remediate (MTTR) threats identified via modeling, demonstrating return on investment (ROI) for the security effort.
## Implementation Guidance
### For Small Organizations
- **Focus on Simplicity:** Start by mapping only high-level data flows for the top 2-3 most critical business processes. Do not over-engineer the initial model documentation.
- **Leverage Existing Tools:** Use the CTM tool as the foundational element, avoiding the immediate need for complex enterprise suites. Utilize the demonstration dashboard format for simple tracking.
### For Medium Organizations
- **Process Definition:** Formalize the roles responsible for creating (Security Architect/Lead Engineer) and verifying (Security Team) the threat models.
- **Tool Adoption:** Roll out the CTM tool across 50% of new projects and begin gathering baseline metrics on discovered vulnerabilities.
### For Large Enterprises
- **Automation Integration:** Investigate methods to automate aspects of data gathering for the threat model (e.g., auto-generating initial diagrams based on infrastructure-as-code definitions) to decrease manual effort.
- **Governance and Review Boards:** Establish a formal Threat Modeling Review Board responsible for escalating complex risk acceptance decisions identified through the modeling process.
## Configuration Examples
*(Note: As the actual presentation content or configuration files are not provided, this section points to the necessary inputs for the available tool.)*
1. **CTM Tool Initial Setup:** Configure the CTM tool with organizational boundaries, standard asset lists, and trust levels relevant to the current architecture before commencing a model exercise.
2. **Dashboard Configuration:** Ensure the demonstration dashboard is configured to filter results based on the criticality defined within the threat model (e.g., filtering to only display High/Critical threats mapped against customer PII).
## Compliance Alignment
Threat Modeling directly supports adherence to major security frameworks by providing systematic risk analysis documentation:
- **NIST SP 800-30 (Risk Management Guide):** Supports the initial scoping and identification phases of risk assessment.
- **ISO/IEC 27001 (Annex A.12.1.2 Security Requirements Analysis):** Provides evidence that security requirements have been analyzed and addressed during system design.
- **CIS Critical Security Controls (Control 16: Application Software Security):** Validates that security controls are appropriately designed before deployment.
## Common Pitfalls to Avoid
- **Modeling in Isolation:** Do not let security teams perform threat modeling without direct input from the developers and architects who built the system.
- **Analysis Paralysis:** Avoid striving for a "perfect" threat model. The goal is actionable risk reduction, not exhaustive documentation of theoretical exploits. Capture high-impact items and move on.
- **Treating Models as One-Offs:** Revisit and update the threat model whenever the underlying architecture, components, or regulatory requirements change.
## Resources
- **Threat Modeling Approach Documentation:** The specific slides presented by Dominic at Metricon6 (the conceptual guide).
- **CTM Tool:** Utilize the updated Corporate Threat Modeling (CTM) tool provided by SensePost for standardized analysis.
- **Visualization Aid:** Use the provided interactive **demonstration dashboard** (spreadsheet analysis tool) for visualizing and communicating threat assessment results.