Synopsis
Have you had a penetration test before? You may have organised one, been the system contact, or perhaps been the recipient of a report at the end of an engagement - and had no idea what was actually tested, how long it ran for, what goals it had, and what questions it actually answered.
If you keep finding yourself in this situation, this session is for you.
Good quality penetration tests have two things: a deep understanding of the target, and an idea of a threat model - formalised or otherwise. This session intends to introduce the concept of threat modelling, which will help develop skills and informal models of how to approach the planning and execution of a simulated attack, or a penetration test. This approach can be useful in many situations, including when very little is known about the systems, processes or applications involved, such as a recently onboarded third party platform, or a legacy solution within an organisation.
At the point penetration testers are engaged, we mostly care about two things: what is our target, and what can go wrong. Ultimately, our goals are to make these bad things happen, and find bugs before the bad guys(TM) do, so systems can be secured against threats.
To enable a realistic penetration test, the concept of a threat model is introduced. A threat model is the idea of the target system, what can go wrong, what we can do about it, and measuring whether the controls work - at least according to models such as Shostack's four-question frame.
This session will endeavour to teach clients of penetration testers (and others) to think critically about their targets, what matters to them and what keeps them up at night - which ultimately leads to penetration testers making these bad things happen to those targets and answering critical questions about your security posture.