HITB-Invoice-Logo-1.png

1-day hands-on technical Workshop

Agile Whiteboard Hacking – aka Hands-on Threat Modeling

Register$2,299.00

This whiteboard training starts where other threat modeling trainings stop. We embed over a decade of real-world experience with threat modeling in a training filled with hands-on exercises that are fun, while at the same time participants understand how to create effective threat models.

Duration

1-day

Delivery Method

In-Person

Level

beginner

Seats Available

20

ATTEND IN-PERSON: Onsite at Abu Dhabi

DATE: 25-26 Nov 2024

TIME: 09:00 to 17:00 GST/GMT+4

Date Day Time Duration
25 Nov Monday 09:00 to 17:00 GST/GMT+4 8 Hours
26 Nov Tuesday 09:00 to 17:00 GST/GMT+4 8 Hours

Participants get access to the on-demand Threat Modeling Introduction training prior to the training, and one hour of threat modeling coaching after the training

You will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices.

We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park.

The level of this training is Beginner/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training (which is about 2 hours and is included in this training).

As highly skilled professionals with years of experience under our belts, we’re intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:

• Diagram techniques applied on a travel booking service
• Threat model a cloud-based update service for an IoT kiosk
• Create an attack tree against a nuclear research facility
• Create a SOC Risk Based Alerting system with MITRE ATT&CK
• Mitigate threats in a payment service build with microservices and S3 buckets
• Apply data protection by design and default on a loyalty app
• Apply the OWASP Threat Modeling Playbook on agile development
• Threat modeling the CI/CD pipeline
• Battle for control over “Zwarte Wind”, an offshore wind turbine park

After each hands-on exercise, the results are discussed, and students receive a documented solution. All participants get our Threat Modeling Playbook to improve you threat modeling practice, and a one-year access to our online threat modeling learning platform.

As part of this training, you will be asked to create and submit your own threat model, on which you will get feedback. One month after the training we organize an individual coaching session with all the participants.

 

Your bonus training package includes:

• Following a successful evaluation of your own threat model: Threat Modeling Expert certificate
• One year of access to our threat modeling e-learning platform
• Presentation handouts
• Tailored use case worksheets
• Detailed use case solution descriptions
• Threat model documentation template
• Template for calculating identified threat risk severity
• Threat modeling playbook
• STRIDE mapped on compliance standards

 

We plan 9 hands-on exercises:

• Diagram techniques applied on a travel booking service
• Threat model a cloud-based update service for an IoT kiosk
• Create an attack tree against a nuclear research facility
• Create a SOC Risk Based Alerting system with MITRE ATT&CK
• Mitigate threats in a payment service build with microservices and S3 buckets
• Apply data protection by design and default on a loyalty app
• Apply the OWASP Threat Modeling Playbook on agile development
• Threat modeling the CI/CD pipeline
• Battle for control over “Zwarte Wind”, an offshore wind turbine park
At least 60% of the training will be exercises.

 

Key Learning Objectives
  • Cover the 4 main steps of creating and updating an effective threat model
  • Use threat modeling as part of the secure design of systems and to scope pen-testing more efficiently
  • Use threat modeling to learn, model and communicate with security and development teams and build bridges between them.

 

Topics Covered

Threat modeling introduction
• Threat modeling in a secure development lifecycle
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Document a threat model

Diagrams – what are you building?
• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Sequence and state diagrams
• Advanced diagrams
• Hands-on: Diagram techniques applied on a travel booking service

 

Identifying threats – what can go wrong?
• STRIDE introduction
• STRIDE threats
• Hands-on: Threat model a cloud-based update service for an IoT kiosk
• Attack trees
• Hands-on: Create an attack tree against a nuclear research facility
• Attack libraries
• MITRE ATT&CK
• Hands-on: Create a SOC Risk Based Alerting system with MITRE ATT&CK

 

Addressing each threat
• How to address threats
• Mitigation patterns
• Value of standard mitigations
• Setting priorities through risk calculation
• Risk management
• Threat agents
• The mitigation process
• Hands-on: Mitigate threats in a payment service build with microservices and S3 buckets

 

Threat modeling and compliance
• How to marry threat modeling with compliance
• GDPR and Privacy by design
• Privacy threats
• LINDUNN and Mitigating privacy threats
• Threat modeling medical devices
• Threat modeling Industrial Control Systems (IEC 62443)
• Threat Assessment and Remediation Analysis for automotive (TARA, SAE 21434)
• Mapping threat modeling on compliance frameworks
• Hands-on: Apply data protection by design and default on a loyalty app

 

Advanced threat modeling
• Typical steps and variations
• Validation threat models
• Effective threat model workshops
• Communicating threat models
• Agile and DevOps threat modeling
• Improving your practice with the Threat Modeling Playbook
• Scaling up threat modeling
• Hands-on: Apply the OWASP Threat Modeling Playbook on agile development
• Hands-on: Threat modeling the CI/CD pipeline

 

Threat modeling resources
• Open-Source tools
• Commercial tools
• General tools
• Threat modeling tools compared

 

Examination
• Hands-on examination
• Grading and certification
Battle for control over “Zwarte Wind”, an offshore wind turbine park
Red team versus Blue team battle for control over an offshore wind turbine park

 

Review session (online coaching session after 1 month)
• Hand-in of your own threat model
• Individual feedback on your threat model
• Review session

TRAINER

Co-founder & CTO

Toreon

Why You Should Take This Course

This whiteboard training starts where other threat modeling trainings stop. We embed over a decade of real-world experience with threat modeling in a training filled with hands-on exercises that are fun, while at the same time participants understand how to create effective threat models.

Who Should Attend

Toreon’s threat modeling training targets software developers, architects, product managers, incident responders, and security professionals. If creating or updating a threat model is essential to your line of work, then this course is for you.

Prerequisite Knowledge

Students should have a basic understanding of security concepts. Are you new to threat Modeling? Our self-paced Threat Modeling Introduction training is a prerequisite and included in this course.

Hardware / Software Requirements

Bring your own tablet or laptop to get access to our learning platform with all the handouts and solutions.