Best resources for becoming an expert Threat Modeller?

Original post by @wgildersleeve

So I know the usual suspects, of course: @AdamShostack’s books, various YouTube, the Threat Modelling Manifesto, and this forum…

But let’s say I want to become an “expert” in Threat Modelling… what can you recommend? Something on LinkedIn Learning, perhaps? Or by O’Reilly?

Or is it simply a matter of getting up-to-speed on the primary literature and hands-on learning?

What’s that joke about how do you get to the Carnegie Hall?

After you go over all the sources - threat model, threat model, threat model some more.

Crowd-sourcing is always a good mean to leverage common wisdom, therefore recommending this as a central resource: hysnsec/awesome-threat-modelling: A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review. (github.com)

Other than that -practice, practice, practice, …

Original post by @Ajay

Practice, practice, practice! Yes getting hands-on as well as reading the primary literature are the go to activities when it comes to becoming a seasoned Threat modelling professional. Also to add to the mix, collaborate amongst your peers either at work or at topical events as this will invariably provide you with valuable insight into the complexities of this and surrounding areas of Threat modelling.

I have the same opinion. Practice, Practice and keep Practicing. I suggest you look to others in your community (local security chapters like OWASP, etc) and ask what they are doing and how they go about it. The key is to network, learn from others and just keep threat modeling.

Original post by @lsaiz

Historical:

https://csrc.nist.gov/files/pubs/conference/1991/10/01/proceedings-14th-national-computer-security-confer/final/docs/1991-14th-ncsc-proceedings-vol-2.pdf (pages 572-581)

Related Practices:

• Privacy models (LINDDUN: https://www.linddun.org/_files/ugd/cc602e_d7cf949767b7486d8bff0ecc05b91db6.pdf , https://www.linddun.org/_files/ugd/cc602e_f98d9a92e4804e6a9631104c02261e1f.pdf)

Other not specific TM resources:

• NIST Risk&Controls frameworks
• CWE: https://cwe.mitre.org/
• Verizon DBIR, MITRE ATT&CK, threat intelligence reports and incident forensics (you need to know what and how systems failed / were attacked)
• “Security Engineering” (Anderson)/ “Engineering Security” (Gutmann) / “Thinking Security” (Bellovin) books
• System’s reliability resources, not just cyber (ex. “http://sunnyday.mit.edu/caib/safetyscience.pdf”, “Resilience Engineering”)
• Causal analysis (“CAST HANDBOOK: How to Learn More from Incidents and Accidents”, “Engineering a Safer World”, http://psas.scripts.mit.edu/home/wp-content/uploads/2020/07/STAMP-Tutorial.pdf, “STPA [System-Theoretic Process Analysis] Handbook” http://psas.scripts.mit.edu/home/get_file.php?name=STPA_handbook.pdf )
• Systems and controls (Thinking In Systems: A Primer - Wikipedia, http://www.donellameadows.org/wp-content/userfiles/Leverage_Points.pdf)
• Agile, DevOps, CI/CD, ATDD, DDD and other IT practices (you should adapt TM to their practices, expertise, incentives, …)
• Misuse cases / Abuse stories (https://www.se.rit.edu/~se555/Reading%20Materials/Misuse%20Cases%20%20%20Use%20Cases%20with%20Hostile%20Intent.pdf, http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)
• SW Security: “Agile Application Security” (Laura Bell) “Secure by Design” (Dan Bergh Johnsson)

I have two things I can think of that have helped me:

The first trick is to leverage new knowledge or skills that are outside my day to day expertise, and bring them into my threat modeling. This really helps when you are mostly flying solo, or don’t have access to a larger group of people.

For example, say you learn something new about Kubernetes, maybe a new exploit is explained in a talk you saw, or a blog, or wherever, I set a goal to try to use that new thing in a threat model.

It kind of makes a fun game of potential ideas you collect that you need to learn and understand well enough before you get to drop it into a threat model.

The second trick is to get really good at listening to people and understanding their skills and approaches. If you are lucky enough to get a few engineers to help you threat model, listen carefully to how they are describing their view of how the system works. Pay attention to where there are uncertainties, second guessing, or even disagreements on functionality. Then start asking questions!