Threat Modelling Methodology and process

Threats represent a potential danger to the security of one or more assets or components

● Threats could be malicious, accidental, due to a natural event, an insider, an outsider, …

● A single software can result in many threats.

● Threats exist even if there are no vulnerabilities

● Threats change with system changes

Threat Modeling is a process that helps the architecture team:

● Accurately determine the attack surface for the application

● Assign risk to the various threats

● Drive the vulnerability mitigation process

It is widely considered to be the one best method of improving the security of software

Threat Modeling Overview

The phases of the Threat Modeling process

1) Understand the security requirements

a) Use Scenarios –what are the boundaries of the security problem
b) Identify external dependencies –OS, web server, network, …
2) Create an activity matrix (actor-asset-action matrix)
a) Identify assets
b) Identify roles
c) Their interaction
3) Assets(
a) User credentials
b) User personal information
c) DB system
d) Web server
e) DB server
f) etc..,
4) Create Trust Boundaries
5) Use Scenarios
a) How users are interacting with the applications.
b) etc..
6) Roles/Permissions
a) Site admin –authenticated site administrator with configuration privileges
b) DB admin –authenticated database administrator with full db privileges
c) Web server user –user/process id of web server
d) Database read user –dbuser for accessing the database with read-only access
 e) Database write user –dbuser for accessing the database with read-write access
7) Identify threats that put assets at risk
8) Determine the risk for each attack and prioritize (if needed)
9) Plan and implement your mitigations
a) Plan your mitigations using OWASP/MITRE attack frameworks to all applicable threats.

Data Flow diagrams:(OWASP)

—---------------------------------------------------------------------------------------------------------------------------------------

Project related questions:

Can you explain to me the sample project that you had prepared...?

Yes. I can.

Since it is a sample application and few technical details were provided, A Generic threat model was
performed.

● After successful analysis of assets, communications,dataflows,trust boundaries by using STRIDE

and OWASP frameworks we were provided with around 10 Threats, associated risk and
mitigations.

Same was provided in a tabular format.

● We can see the attached Data flow diagrams and threat model diagrams based on the
provided architecture.
● Few of the common and major threats are related to Authentication, Authorization,
privilege escalation, Sensitive data exposure, and database related threats.
● All the threats were provided with their mitigations based on OWASP and STRIDE
framework.

—---------------------------------------------------------------------------------------------------------------------------------------

Self Introduction:
Hi.. Myself Amalapuram Sattibabu.

● I hold 5.2 years of experience in the information security domain, Which includes vulnerability
Assessment, Penetration testing and threat modeling.
● My first company was Radiare Software Solutions, valasarvakkam - Chennai _ and its been 5.2
years me working with organization. I joined as security consultant and now my designation is
Sr.security Consultant
● Coming to my technical skills, I am well experienced with Security assessment, Risk assessment,
for On-Prem/Cloud/Hybrid applications.
● Specialized with Web application security assessment and well familiar with multiple threat
model frameworks like STRIDE/MITRE and dread
● When it comes to tools I use, Microsoft threat modeler, IriusRisk (community edition “ threat
modeling tool , DrawiO etc in my daily work activities.
● That's all about myself
Possible Expected questions:
1. Are you working right now, If Yes why are you looking for a switch...?

I am working with Radiare Software Solutions, now with Chennai as work location and my
hometown is Andhra Pradesh.
I got to know that the current project that we are discussing is of completely remote mode and
that’s the reason I am interested towards this.
This helps me to relocate myself back to my native.

2. Are you serving notice period, If no how soon can you join..?

In our organization we have a notice period of 2 months, However If I was provided with offer, I
am willing to submit my resignation. I can negotiate and get relieving done by 2 weeks.

3. What are your salary expectations...?

My current CTC is 13.4LPA Fixed and I expect something around 16LPA Fixed.

4. Your expectations are high. Is there any reason...?

Based on the market research, someone with my experience and skill set would expect however
when I worked for the sample assessment project, I got to know the complexity and pre-defined
allocated, the efforts and time I need to invest are a bit more and the process here is too
technical.

So my expectations are reasonable.

5. How long will you stay with us/ will you go if you get any other job offer..?

It was communicated to me that this opening is a contract type, and we still have around 6
months of time to finish the project.

As of now I don't have any plans to look for another job as here we would be working in remote
mode.

6. How do you know Ravi..?

We have common professional friends.

 7. expertise/skillset do you have in cyber security...?

I have 5.2 years of experience in cyber security. Over This experience, I found myself working in
multiple areas like Vulnerability assessment, Penetration testing and Threat modelling. I am well familiar
with tools like

 Kali Linux
 Burp Suite
 Nessus
 Fortify
 Microsoft Threat Modeler
 IriusRisk
 STRIDE, OWASP, Mitre framework..etc

8. Do you face any challenging situations in your work activities?

Challenges are always part of anyone’s work activities. When I was working with Vulnerability
Assessment, Penetration testing there were few challenges in working with scope of application
and slight deviations
from it in-order to achieve the testing coverage.

While working with threat modeling, we face challenges in point of getting application details
(like protocols, asset management, deployment types) from the technical team. Eventually
these can be overcome by interacting with application owners multiple times. May be due to
unavailability of team there might be delay in deliverables. Apart from this there is not much of
challenges.

9. What are your daily activities...?

In our organization we are of a team size 6 and we have responsibilities shared across team. Our
responsibilities are no fixed. They keep on changing based on inflow of request for assessment.
And the priorities