With this training we will teach you how to use threat modeling as an offensive weapon. Traditional threat modeling looks at the attacker, the asset and the system. With offensive threat modeling we look at the defender to understand his tactics and expose weaknesses.
The training material and hands-on workshops with real-world use cases are provided by Toreon. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of offensive threat modeling on:
- Attacking a hotel booking web and mobile application, sharing the same REST backend
- Weakness analysis of an Internet of Things (IoT) smart home deployment
- Get into the defender's head – modeling points of attack against a nuclear facility
During the training many real-world examples of attacks will be provided. This training is derived from our flagship training which is now selected for Black Hat USA for the 4th year in a row. Toreon has delivered threat modeling workshops and trainings at DevSecCon, OWASP and O’Reilly Security conferences. Example feedback from our Black Hat training attendees:
- “Sebastien delivered! One of the best workshop instructors I've ever had.”
- “Very nice training course, one of the best I ever attended.”
- “I feel that this course is one of the most important courses to be taken by a security professional.”
- “The group hands-on practical exercises truly helped.”
Who is this course for?
This course is designed for security professionals, security incident responders or penetration testers. Before attending this course, students should have basic knowledge of penetration testing methodologies and techniques.
What makes this course special?
- Our trainers are specialists from the field with years of practical threat modeling experience
- Our training is at least 50% hands-on with exercises to enable the participants to apply this to their own systems
- Our training can be tailored to the sector/systems that are relevant for the attendees
This course is all about getting you started with threat modeling as soon – and as effectively – as possible. We make your journey more convenient, with these extras:
- our Whiteboard Hacking survival guide
- hand-outs of the presentations
- worksheets and detailed solution descriptions of the use cases
- templates, to document a threat model and to calculate risk levels of threats
- certification for successful completion of the course
What is threat modeling?
Threat modeling is the primary security analysis task performed during system design to identify and manage application threats and vulnerabilities.
What are the benefits of offensive threat modeling?
- Get the team on the same page with a shared vision on security
- Understand security design flaws
- Identify & address greatest risks
- Prioritize red teaming efforts based on risk weightings
- Increased risk awareness and understanding
- Cost justification and support for needed security testing
- Adjusted and targeted scoping of pentests
What topics are covered?
- Offensive threat modeling for penetration testers
- Different threat modeling methodologies
- Doomsday scenarios
- Exploiting a threat model
- Data flow diagram and trust boundaries
- STRIDE and attack trees
- Attack libraries and mitigation patterns
- Create pentest cases for threat mitigation features
- Pentest planning to exploit security design flaws
- Vulnerabilities as input to plan and scope security testing
- Prioritization of pentesting based on risk rating
- Threat modeling resources
- Threat modeling tools compared
- Examination and certification