Threat Modeling and Adversarial Emulation | Threat Modeling Lead – Fortune 80

Performed threat models on critical infrastructure to discover potential threats and drive recommendations for remediation of risk (risk management). Additionally, supported development of a threat modeling methodology and threat modeling training material for the client’s existing cybersecurity staff to perform threat models.

Roles and Responsibilities:

  • Threat Modeling Lead – As co-lead for threat modeling, I performed threat models of critical assets under the purview of the threat modeling author (lead), performed threat models independently, and served as an SME to other employees who were onboarded to the threat modeling practice.

  • Threat Modeling Development – Supported development of a custom threat modeling methodology based on DREAD and SOARR quantifications.

  • Systems Development Lifecycle (SDLC) Integration – Threat modeling was woven into the client’s SDLC process which allowed threat modeling to be another “phase gate” that an application must pass through before it can be promoted to production. This allowed the client to have us evaluate an application for threats and give the application owner an opportunity to apply mitigations and/or accept threats prior to the application being released (risk acceptance).

  • Adversarial Emulation/“Thinking Like an Attacker” – Performing threat models required creating “threat scenarios” in which the specific attack patterns (TTPs – tactics, techniques, and procedures) that were most likely to be used by the attacker to target the asset were documented and profiled. These attack patterns were “realistic” scenarios in which an attacker can disrupt, destroy, or deny the asset, and thus the recommended mitigations were specific to the TTPs identified. To add validity to threat scenarios, the asset in question was profiled and cross-referenced with the MITRE ATT&CK framework and Cybersecurity Threat Intelligence (CTI) to identify any malware campaigns and/or threat actor group(s) that have the means, motive, and capability to (successfully) attack the asset.

  • Threat Modeling Training – Training material was created to detail our threat modeling methodology, and several training sessions were held to teach the threat modeling methodology to the client’s cybersecurity staff (Risk Management Analysts). Training the existing staff on threat modeling allowed for there to be staff members who can execute the procedures with minimal guidance, with the ultimate goal of handing over this process for the client to own and manage.
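The bullets above describe three pieces that fit together: threat scenarios tagged with the ATT&CK techniques they rely on, a DREAD quantification of each scenario, and an SDLC phase gate in which an application owner either mitigates or accepts a scored threat before release. The following is an added illustration written for this page, not the client's methodology or any code from the engagement. It assumes the common DREAD convention (five factors rated 1–10 and averaged); the SOARR quantification mentioned above is not described here and is not modelled. The scenarios, their ATT&CK mappings, the risk bands and the gate threshold are all constructed for the example.

```python
"""DREAD scoring, ranking and an SDLC phase gate over constructed threat scenarios.

Added example (not from the original page). Assumptions: DREAD factors are
integers 1..10 and the score is their average; the bands and the 7.0 gate
threshold are illustrative choices, not the client's values.
"""
from dataclasses import dataclass

# The five DREAD factors: Damage, Reproducibility, Exploitability,
# Affected users, Discoverability.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset: str
    techniques: tuple      # ATT&CK technique IDs the scenario relies on (mapping is constructed)
    ratings: dict          # DREAD factor -> integer 1..10
    mitigations: tuple = ()  # mitigations the application owner has applied
    accepted: bool = False   # True if the owner formally accepted the residual risk


def dread_score(ratings: dict) -> float:
    """Average of the five DREAD factors after validating the input."""
    missing = set(DREAD_FACTORS) - ratings.keys()
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for factor in DREAD_FACTORS:
        value = ratings[factor]
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{factor} must be an integer in 1..10, got {value!r}")
    return sum(ratings[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(score: float) -> str:
    """Map a DREAD average onto illustrative High/Medium/Low bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_scenarios(scenarios):
    """Highest-risk scenarios first; ties broken by name so output is stable."""
    return sorted(scenarios, key=lambda s: (-dread_score(s.ratings), s.name))


def phase_gate(scenarios, threshold: float = 7.0) -> dict:
    """SDLC phase gate: pass only if every scenario at or above the threshold
    has been mitigated or formally accepted by the application owner."""
    blocking = [s.name for s in scenarios
                if dread_score(s.ratings) >= threshold
                and not s.mitigations and not s.accepted]
    return {"pass": not blocking, "blocking": blocking}


# Constructed scenarios for a fictional industrial asset; technique IDs are
# public ATT&CK identifiers, but their pairing with these scenarios is invented.
SCENARIOS = (
    ThreatScenario(
        name="Ransomware on historian server", asset="historian",
        techniques=("T1190", "T1486"),
        ratings={"damage": 9, "reproducibility": 6, "exploitability": 7,
                 "affected_users": 8, "discoverability": 5}),
    ThreatScenario(
        name="Credential reuse against HMI", asset="hmi",
        techniques=("T1078",),
        ratings={"damage": 7, "reproducibility": 8, "exploitability": 8,
                 "affected_users": 6, "discoverability": 6},
        mitigations=("MFA on remote access", "unique service accounts")),
    ThreatScenario(
        name="Service enumeration from corporate LAN", asset="historian",
        techniques=("T1046",),
        ratings={"damage": 2, "reproducibility": 9, "exploitability": 9,
                 "affected_users": 3, "discoverability": 8}),
)


if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        score = dread_score(s.ratings)
        status = "mitigated" if s.mitigations else ("accepted" if s.accepted else "open")
        print(f"{score:4.1f} {risk_band(score):6} {s.name:40} {','.join(s.techniques):12} {status}")
    print(phase_gate(SCENARIOS))
```

Running the block ranks the three constructed scenarios and reports that the gate fails because the ransomware scenario scores 7.0 with neither a mitigation nor a risk acceptance recorded; once the owner applies a mitigation or accepts the risk, the same application passes the gate.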