My first experiences with threat modeling were an eye-opener. I instantly loved the technique and started teaching anyone who would listen. I jumped on the opportunity to train my colleagues at work, and I talked about threat modeling with my friends and family.
I’ve had success with a game called "threat hunters" in helping others learn the techniques that underpin threat modeling. Having worked as an engineer my entire career, I understand how engineers like to work and learn. I found that the best way to teach engineers something new is to hide the lesson inside a game, so that they don't feel they are being taught. That is exactly what this game does well.
Engineers already understand the fundamentals of risk. The threat hunters game gives them a forum to express that understanding and to describe the systemic risks within the systems they are building and maintaining.
Here are four tips for getting the most out of a threat hunters game session. Read on and you'll be better placed to help your teams play the game and come away with concrete risks and controls.
1. Make the content relevant to the teams
When you are playing the game with many teams in succession, you may be tempted to reuse scenarios. It certainly saves time. However, the best way to get a high level of engagement is to use a scenario that the teams are familiar with.
For example, when working with the identity and registration team, the scenario's design and synopsis should be tailored to what they do. And when you later work with the IT support team, you shouldn’t use the identity design, but instead make a new scenario specific to that team.
You’ll find over time that you will end up with a suite of scenarios that you can use for training different teams.
Note, however, that for teams that cut across the organization, you should make a high-level system diagram that approximately replicates your organization. This is a great way for them to get an appreciation of what other teams within the organization do.
2. Don’t drown in detail
Sometimes teams playing the game get caught in a back-and-forth over whether a control really mitigates a risk. When that happens, roll a die or flip a coin to resolve the dispute. You don't want progress to stall just because the team can't agree on whether, say, code review is a good enough control against a zero-day exploit.
The important thing is just to practice coming up with the risks and the controls, even if the controls don’t fully bat away all of the inherent risk. Remind the team that a small control is better than no control. And don’t forget about our good friend defense in depth.
3. Collate all findings
Even if you are playing for educational purposes, keep a running list of the risks the teams come up with. For me, this is test data: I use it when I want to try out new risk measurement methodologies. The list isn't only useful to developers; it also demonstrates the business value of the sessions, provided you keep the findings confidential, since they describe real weaknesses in your own systems.
4. Don’t forget what you are trying to achieve
When you are playing these games, it's easy to forget that what you are trying to protect is the humans who use the services you supply. That includes you, your family, and your friends, so make sure that you prioritize the findings accordingly. And remember to handle any PII with appropriate care. After all, it belongs to someone who wanted to use the services that your organization provides, and it should be protected from misuse.
Decisions, decisions
I've had lots of fun threat modeling and playing this version of threat hunters with my colleagues, and the education it provides is invaluable. When you play the game, you aren’t teaching your fellow engineers to be more secure; you are just reminding them to fully use the part of their brain responsible for making secure decisions.
To learn more about the threat hunters game, view my talk from Secure Guild 2020. You can also view the repository here.