Shostack + Friends Blog


How To Choose a Threat Modeling Training

Understanding how to choose the right threat modeling training can give you the education you want for the skills you need. graphic depicting two adults conducting threat modeling training with laptop and whiteboard

Anticipa----tion. Threat modeling is really about anticipation. It’s about wondering what could happen. This is different from prediction, of course. Prediction is about taking an educated or informed guess at what will happen. The problem: in security, you can’t really predict the future. You can, however, anticipate problems, and that’s where threat modeling is valuable. If you’re new to threat modeling or want to advance your knowledge, you might be asking: how do I choose a threat modeling training?

What is threat modeling?

In cybersecurity, threat modeling is a structured process that empowers you to analyze threats to software and looks at some combination of:

  • Business processes
  • Software and hardware that implement those processes
  • Clients and partners that connect from outside the business’ control.
  • Vulnerabilities
  • Threats
  • Controls
  • Assets
  • attackers

A good threat analysis uses a methodology and structured techniques to help identify risks so you can proactively mitigate them so the work is consistent across the many participants.

We threat model so that we can anticipate problems and, hopefully, fix them before they become a problem. If we can fix something before it’s an issue, then it’s less expensive. We don’t have to re-do work, we don’t have to adjust dependent code.

What makes a good threat model?

A good threat model starts with the Four Question Framework:

You might notice, these questions are not really technical, and that makes it a great language for communicating with executives about security issues.

What are we working on?

You can model anything. We’re used to talking about software and classic enterprise architectures. Today, we also need to think about operational, mobile app, and IoT threats. On the other hand, if you haven’t defined what you’re working on, then you won’t be able to scope your analysis and move confidently to the next question.

What can go wrong?

This is where you start thinking about threats to your specific environment. You can be as structured as you want. Many people brainstorm with an open-ended question, while others start with a very structured approach. This can include specific threat types, like spoofing. You can also look at it from how threat actors operate, using Kill Chains.

What are we going to do?

Now you start going through the list of what could go wrong to try and address each threat. You can take four types of actions:

  • Mitigate - apply a control of some type
  • Eliminate - remove risky features
  • Transfer - via insurance or user interface
  • Accept - by the right person, and tracked

The choice you make depends on your capacity - technical and financial. You prioritize then take action. The action you take may depend on your risk tolerance.

Did we do a good job?

This is where you validate what you did. You make sure that you addressed all the identified threats. Basically, you’re checking your work.

This step also gives you the opportunity to summarize for non-technical executives. You can assess to see if you did a good job in the organizational senses, as well. Organizational means looking at both whether you had a good workflow and whether you have the right team in place.

Some questions to ask might include:

  • Did we document the work and the threats we discovered?
  • Are documents in the right place?
  • Are people happy to have spent time threat modeling?
  • Is cross-team and cross-functional communication improving?

What to look for in threat modeling training content

Great training requires great content, great instructional design and great execution, in that order. Any issues will limit what can be learned.

When you’re choosing technical tools, you have a certain set of specifications for what you want and need. Choosing a threat modeling training isn’t really that different. You might know that you want to learn the threat analysis process, but you might not realize there are different approaches.

To help you, I have some questions that you can ask when deciding on a threat modeling course so that you get the education you want.

What is the learning approach?

No matter what kind of course you take, the learning approach should be the first thing you consider. Training and education are different. With training, you gain skills. With education, you learn so that you can apply those skills to new problems.

Let’s think about how people view traditional cybersecurity awareness trainings. Most don’t work because attendees don’t actually learn in meaningful ways. The same is true for any training course. With threat modeling, the learning approach might be even more important because you need the ability to adapt to new threats.

This means that when evaluating a threat modeling course, you want to ask the following questions:

  • What are the learning goals?
  • How are the learning modules structured?
  • What does the execution of these goals and modules look like?
  • What happens to bring it all together?

What is the threat modeling approach used?

Some trainings will focus on one threat modeling methodology or technology. So, you should know the differences so you can choose the one that’s right for you.

More often than not, trainings will focus on the different threat modeling methodologies and how to choose the right one. For example, some focus solely on STRIDE, which is the acronym for the six threat types it focuses on:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service (DoS)
  • Privilege Escalation

STRIDE is important and should definitely be discussed. It’s not the only framework for threat modeling.

The problem is that instead of starting with the threat types addressed, you need to start with an organizing principle, like the Four Question Framework. Threat modeling is about creating a repeatable process, and that means following a series of steps like identifying, brainstorming, analyzing, solving, and reviewing. Then, you pick the threat modeling techniques that support into those steps.

What is the core content provided?

When you’re choosing an online training course, you’re also buying use of the content provided. Any class is really just for the time you’re going through the course, but you also pay for any resources that you can reference later.

This means that you should consider what types of downloadable resources come with the class. Some things to consider are:

  • How do the materials reinforce learning objectives?
  • How many exercises are provided? How deep can you go with them?
  • How are the videos structured?
  • What is the instructor’s experience?
  • How do these materials help you continue your learning after the course ends?

Does the training meet my needs?

Often, online training gives you basic skills. This is great if you’re just getting started. However, learning is a journey, trite though that may sound.

The question you need to ask yourself is, “what do I need and want to learn?” If you already know the basics of threat modeling, then you need a course that gives you learning outcomes that apply to your everyday life. If you’re unsure what you need to learn, you probably want a respected and trustworthy source to make those choices for you.

As you start your search for advanced coursework, you should consider whether the course provides training to help with:

  • Cybersecurity
  • Application security
  • Security design principles
  • Specific frameworks, like OWASP
  • Job function, like engineers
  • Technology area, such as IoT or cloud
  • Business vertical, such as medical devices, automotive or aviation

Is the training focused on a specific threat modeling technology?

Some trainings focus on giving you experience that focuses on how to use a vendor technology. With so many threat modeling technologies available, this makes sense. After all, you can’t use something if you haven’t been trained on it.

On the other hand, threat modeling doesn’t have to use a specific technology. You can just as easily get started with threat modeling using a whiteboard. Technology can certainly add value once you have the skills and the framework or process to apply them.

You also want a threat modeling course that takes a modern, thoughtful, and applicable approach to threat modeling. This means giving you a way to really learn the underlying skills - including the non-technical ones - so that you can successfully threat model anything, even new technologies.

How does the training help evaluate or validate the threat model exercises?

The course you take needs to be practical and applicable. You need to learn, and a lot of times that’s hard, especially with a remote course. We deliver either self-paced or instructor-led trainings, and have instructions for organizations that apply a cohort strategy to keep self-paced learners motivated.

Self-Paced Courses

If you’re an independent learner with limited time, self-paced might be perfect for you. This is especially true if you’re someone who’s good at learning from doing, then reviewing. Self-paced trainings, also called computer-based trainings (CBT), give you that flexibility and independence.

Instructor-Led Courses

Some people need the structure of instructor-led coursework. They need a defined time where they interact. Some people want the structure of sitting in a lecture. This is also ok. After all, no two learners are the same. If part of taking the time out of your day to attend lectures is getting instructor or peer feedback, you should make sure that the course includes time for these activities.

With a “flipped classroom” approach, lectures are pre-recorded, and you spend time interacting with the instructor rather than just listening to them drone on. If you’re taking a course with a flipped-classroom approach, you can watch lectures on your own time. You can speed up or slow down the video. You can re-wind. You can read the subtitles. (Adam will teach you to take notes with pen and paper to help you stay focused.) You can spend as much time as you need doing exercises. Then, you can spend the dedicated live session time engaging in discussion and instructor feedback.

Our Threat Modeling Trainings

What works in person doesn’t alway work online, so we worked with educational designers to create trainings modeled on research around how people learn best and made them technology agnostic, taking a modern, thoughtful, and applicable approach.

Are we effective? We like to think we are, but we also know that everyone thinks their service offers value. Instead of listening to us, why not see what some of our students have said:

The course was very thought provoking about how our program should be run. I like the emphasis on Adam not having the answers for us, but having things that we should consider.

For more information about the courses Shostack + Associates currently have available, please see the listings here.