2-DAY SPECIAL TRAINING 9 – Offensive Whiteboard Hacking Training For Penetration Testers

DURATION: 2 DAYS

CAPACITY: 20 pax

SEATS AVAILABLE: 20

Price: SGD 1999 (early bird)

Price: SGD 2999 (normal)

Early bird registration rate ends on the 31st of May


Overview

Learn how to use threat modeling as an offensive weapon! While traditional threat modeling looks at the attacker, the asset and the system, offensive threat modeling looks at the defender to understand their tactics and expose weaknesses. Whether you are aiming to improve your ethical hacking skills or to up your defensive game, this is essential, because threat modeling allows you to better understand your target or system. In this content-rich, action-packed, interactive training, you will be challenged to perform practical threat modeling in groups of 3 to 4 people. Apart from encountering many practical examples from the trenches, you will zoom in on three real-life use cases provided by Toreon:

  • Attacking a hotel booking web and mobile application, sharing the same REST backend
  • Weakness analysis of an Internet of Things (IoT) smart home deployment
  • Get into the defender's head – modeling points of attack against a nuclear facility

Toreon has delivered threat modeling trainings at Black Hat, OWASP and O’Reilly Security conferences. Some feedback from our Black Hat training attendees:

“Sebastien delivered! One of the best workshop instructors I’ve ever had.”

“Very nice training course, one of the best I ever attended.”

“I feel that this course is one of the most important courses to be taken by a security professional.”

“The group hands-on practical exercises truly helped.”

Who Should Attend

This training is aimed at the following audience:

  • Penetration testers and ethical hackers who want to discover new ways to find weak spots by getting inside the head of the defender
  • Defenders who want to up their game by anticipating how they might be perceived by attackers
  • All other security professionals who want to get better at threat modeling by looking at systems from different perspectives

Key Learning Objectives

  • You will learn how to do practical threat modeling.
  • You will have threat modeling as an extra technique in your penetration tester toolbox.
  • You will become better at scoping security penetration testing.
  • You will have a better understanding of “attack surface”.
  • You will become better at red teaming.

Prerequisite Knowledge

Participants should have a basic technical IT background and a basic level of security knowledge. Some penetration testing experience is recommended. Prior threat modeling experience is not required.

Hardware / Software Requirements

The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions. No other specific tools or applications are required.

Agenda Day 1 & 2

Day 1:

Threat modeling introduction

  • Offensive threat modeling for penetration testers
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Exploiting a threat model

Diagrams – what are you attacking?

  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Attack Boundaries
  • Hands-on: Attacking B2B web and mobile applications sharing the same REST backend

Identifying threats – how can we attack?

  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Attack trees
  • Hands-on: Weakness analysis of an Internet of Things (IoT) smart home deployment

Day 2:

Understanding defence

  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Hands-on: Get into the defender's head – modeling points of attack against a nuclear facility

Attack libraries

  • Attack libraries
  • CAPEC
  • OWASP Top 10
  • The “Snowden” documents
  • Other lists
  • Create your own attack list

Penetration testing based on threat models

  • Create pentest cases for threat mitigation features
  • Pentest planning to exploit security design flaws
  • Vulnerabilities as input to plan and scope security testing
  • Prioritization of pentesting based on risk rating

Threat modeling resources

  • Open-Source tools
  • Commercial tools
  • General tools

Examination

  • Hands-on examination
  • Grading and certification

TRAINING

Location: TRAINING ROOMS

Date: August 27, 2019

Time: 9:00 am - 6:00 pm

Trainer: Sebastien Deleersnyder