The Inner Circle

Expand all | Collapse all

Threat Modelling with remote participants

  • 1.  Threat Modelling with remote participants

    Posted Aug 20, 2021 07:56:00 AM
    Hi there, hopefully you can help.

    I am researching the best way to do security threat modelling while all participants are working remotely.

    My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

    I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

    If so, what would you recommend?

    Thanks in advance!

    ------------------------------
    Rowan
    ------------------------------


  • 2.  RE: Threat Modelling with remote participants

    Posted Aug 23, 2021 08:39:00 AM

    This is all we do in the open source world. I am running 2 such fully remote assessments currently. I don't have templates but check out this site for real world examples:
    https://github.com/cncf/tag-security/tree/main/assessments/projects

    as to specific tool we heavily use google docs and sheets and github and if you want to use sticky notes, github and jira and trello all have Kanban board views.

    use the MITRE ATT&CK tool online to scaffold the discussion.

    happy to lead an open session for anyone who wants to see how it all works first hand. Just send me your contact info or post a reply here.



    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 3.  RE: Threat Modelling with remote participants

    Posted Aug 23, 2021 01:30:00 PM
    I've done threat modeling with remote participants using the STRIDE method.  It's pretty simple to teach.  Also, I've setup the template on company's Confluence since that is where we keep all our documentation.  Happy to help in anyway possible.

    ------------------------------
    Sai Honig CISSP, CCSP


    Wellington
    ------------------------------



  • 4.  RE: Threat Modelling with remote participants

    Posted Aug 25, 2021 09:07:00 AM

    Hi Rowan,

    I participated in a threat modeling workshop where we used a Confluence site created for the activity. Each team had a dedicated confluence page and each participant had a dedicated page - these were used for lab exercises. Access rights to the pages were given accordingly. The site was used for sharing the threat diagram (with application architecture, which we were going to threat model); the threat matrix and threat analysis table. The lectures and the sessions themselves were held via zoom. Zoom also has the feature of breaking a meeting into different break rooms, each dedicated to one team. Hope this helps.

    Regards,
    Rima

    ------------------------------
    Rima Bose
    Vice President
    J P Morgan Chase & Co
    ------------------------------



  • 5.  RE: Threat Modelling with remote participants

    Posted Sep 01, 2021 09:03:00 AM
    Hi Rowan,

    I hope you are well, we have just began running remote threat modelling workshop with our teams at ITV. We found we have success using Miro boards (https://miro.com/about/), they're very interactive and collaborative for everyone involved in the workshop.  Plus it includes lots of integrations to other applications which helps tracking the lifecycle of the identified threats.

    Hope the above helps.

    Gareth

    ------------------------------
    Gareth Williams
    Cyber Security Analyst
    ITV Plc
    ------------------------------



  • 6.  RE: Threat Modelling with remote participants

    Posted Aug 24, 2021 02:49:00 AM
    Thanks Robert, I'll pm you my details it would be good to get a view on how it all works first hand.

    ------------------------------
    Rowan Sheridan
    it
    it
    ------------------------------



  • 7.  RE: Threat Modelling with remote participants

    Posted Aug 24, 2021 02:50:00 AM
    Hi Sai,

    Thank you for your reply. Would it be possible to send me a copy of the template you've set up?

    Thanks,
    Rowan

    ------------------------------
    Rowan Sheridan
    it
    it
    ------------------------------



  • 8.  RE: Threat Modelling with remote participants

    Posted Sep 13, 2021 09:55:00 AM
    Hello Sai,

    Would appreciate it if you could share the template, we are yet start-up with this method.

    Regards,
    Shyam M

    ------------------------------
    Shyam Muthiah
    PIS
    SST
    ------------------------------



  • 9.  RE: Threat Modelling with remote participants

    Posted Aug 27, 2021 12:14:00 AM
    Hi .. not sure if it helps anything. We work with partners that actually does what Robert F. (above) is doing - one using a different toolset. They also use ZafePass (see https://zafehouze.com/what-we-do ) to have all app's for all external users controlled in the way the application should work / be managed. These apps will show in ZafePass as menu items - and the security around this environment is second to none. we can guarantee no-one except the ones you provide the login will be able to gain access to the environment. Just a security option if the client requires a fully confidential environment.
    Kr,
    [email protected]

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------