Micro Focus is now part of OpenText. Learn more >

You are here

You are here

4 tips to get your game on with threat hunting

public://pictures/harjit.jpeg
Harjit Sandhu Senior Application Security Engineer, Zoopla
 

My first experiences with threat modeling were an eye-opener. I instantly loved the technique and started teaching anyone who would listen. I jumped on the opportunity to train my colleagues at work, and I talked about threat modeling with my friends and family.

I’ve had success with a game called "threat hunters" in helping others to learn the techniques that underpin threat modeling. Having worked as an engineer my entire career, I understand how engineers like to work and learn. I found that the best way to teach engineers something new is to trick them into thinking they are not learning, or to hide it in a game. That is exactly what this game does well.

Engineers already understand the fundamentals of risk. The methodology of the game threat hunters gives them a forum to express themselves and describe the systemic risks within the systems they are building and maintaining.

Here's four tips for getting the most out of your threat hunting game session. Read on and you'll feel empowered to enable your teams to play the game and deliver risks and controls effectively.

1. Make the content relevant to the teams

When you are playing the game with many teams in succession, you may be tempted to reuse scenarios. It certainly saves time. However, the best way to get a high level of engagement is to use a scenario that the teams are familiar with.

For example, when working with the identity and registration team, the scenario's design and synopsis should be tailored to what they do. And when you later work with the IT support team, you shouldn’t use the identity design, but instead make a new scenario specific to that team.

You’ll find over time that you will end up with a suite of scenarios that you can use for training different teams. 

Note, however, that for teams that cut across the organization, you should make a high-level system diagram that approximately replicates your organization. This is a great way for them to get an appreciation of what other teams within the organization do.

2. Don’t drown in detail

Sometimes teams playing the game will get caught in back and forth over whether a control mitigates a risk. When that happens, roll a die or flip a coin to resolve the dispute. You don't want progress to stall just because there's no agreement about whether a code review, say, is a good enough control for a malicious zero day.

The important thing is just to practice coming up with the risks and the controls, even if the controls don’t fully bat away all of the inherent risk. Remind the team that a small control is better than no control. And don’t forget about our good friend defense in depth.

3. Collate all findings

Even if you are playing for educational purposes, keep a running list of the risks the teams come up with. For me, this is test data. I use it when I want to try out new risk measurement methodologies. Test data is not only for developers; it also demonstrates business value while keeping confidentiality.

4. Don’t forget what you are trying to achieve

It’s often easy to forget when your are playing these games what you are trying to protect are the humans who use the services you supply. That includes you, your family, and your friends, so make sure that you prioritize the findings accordingly. And remember to use appropriate measures with PII data. After all, it belongs to someone who wanted to use the services that your organization provides and should be protected from misuse.

Decisions, decisions

I've had lots of fun threat modeling and playing this version of threat hunters with my colleagues, and the education it provides is invaluable. When you play the game, you aren’t teaching your fellow engineers to be more secure; you are just reminding them to fully use the part of their brain responsible for making secure decisions.

To learn more about the threat hunters game, view my talk from the recent Secure Guild 2020. You can also view the repository here.

Keep learning

Read more articles about: SecurityApplication Security