2-DAY TRAINING 1 – Advanced Whiteboard Hacking – AKA Hands-On Threat Modeling




CAPACITY: 15 pax




Based on our successful trainings in the last years, we release this updated advanced threat modeling training with even more excercises and examples. This year we introduce an extra section on “offensive threat modeling” as part of pentesting.

As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.

In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands-on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.
Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:

  • B2B web and mobile applications, sharing the same REST backend
  • An Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service
  • OAuth scenarios for an HR application
  • Privacy of a new face recognition system in an airport
  • Get into the defenders head – modeling points of attack against a nuclear facility

After each hands-on workshop, the results are discussed, and students receive a documented solution.

Based on our successful trainings in the last years we have received great and positive feedback:

“Sebastien delivered! One of the best workshop instructor’s I’ve ever had.”

“Very nice training course, one of the best I ever attended.”

“I feel that this course is one of the most important courses to be taken by a security professional.”

“The group hands-on practical exercises truly helped.”

“hands-on labs are very well designed and the solutions are also very smart!”

Key Learning Objectives

  • Cover the 4 main steps of creating and updating an effective threat model
  • Use threat model as part of secure design of systems and to more efficiently scope pentesting
  • Use threat modeling as a way to learn, model and communicate with security and development teams and build bridges between them.

Who Should Attend

This course is aimed at software developers, architects, system managers or security professionals.

Prerequisite Knowledge

  • Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign on (SSO) principles.

Hardware / Software Requirements

The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions.

What Students Will Be Provided With

  • Hand-outs of the presentations, with notes
  • Whiteboard Hacking survival guide
  • Work sheets of the use cases
  • Detailed solution descriptions of the use cases
  • Template to document a threat model
  • Template to calculate risk levels of identified threats

Agenda – Day 1:

Threat modeling introduction

  • Offensive threat modeling for penetration testers
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Exploiting a threat model

Diagrams – what are you attacking?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Attack Boundaries
  • Hands-on: Attacking a B2B web and mobile applications, sharing the same REST backend

Identifying threats – how can we attack?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Attack trees
  • Hands-on: Weakness analysis of an Internet of Things (IoT) smart home deployment

Agenda – Day 2:

Understanding defence

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Hands-on: get into the defenders head – modeling points of attack of a nuclear facility.

Attack libraries

  • Attack libraries
  • OWASP Top 10
  • The “Snowden” documents
  • Other lists
  • Create your own attack list

Penetration testing based on threat models

  • Create pentest cases for threat mitigation features
  • Pentest planning to exploit security design flaws
  • Vulnerabilities as input to plan and scope security testing
  • Prioritization of pentesting based on risk rating

Threat modeling resources

  • Open-Source tools
  • Commercial tools
  • General tools


  • Hands-on examination
  • Grading and certification

Location: Training Rooms Date: July 20, 2020 Time: 9:00 am - 6:00 pm Sebastien Deleersnyder