2-DAY SPECIAL TRAINING 9 – Offensive Whiteboard Hacking Training For Penetration Testers
DURATION: 2 DAYS
CAPACITY: 20 pax
SEATS AVAILABLE: 20
Early bird registration rate ends on the 31st of May
Learn how to use threat modeling as an offensive weapon! While traditional threat modeling looks at the attacker, the asset and the system, offensive threat modeling looks at the defender to understand his tactics and expose weaknesses. Whether you are aiming to improve your ethical hacking skills or to up your defensive game, this is essential because threat modeling allows you to better understand your target or system. In this content-rich, action-packed, interactive training, you will be challenged to perform practical threat modeling in groups of 3 to 4 people. Apart from encountering many practical examples from the trenches, you will zoom in on three real-life use cases provided by Toreon:
Attacking a hotel booking web and mobile application, sharing the same REST backend
Weakness analysis of an Internet of Things (IoT) smart home deployment
Get into the defender's head – modeling points of attack against a nuclear facility
Toreon has delivered threat modeling trainings at Black Hat, OWASP and O’Reilly Security conferences. Some feedback from our Black Hat training attendees:
“Sebastien delivered! One of the best workshop instructors I’ve ever had.”
“Very nice training course, one of the best I ever attended.”
“I feel that this course is one of the most important courses to be taken by a security professional.”
“The group hands-on practical exercises truly helped.”
Who Should Attend
This training is aimed at the following audience:
Penetration testers and ethical hackers that want to discover new ways to find weak spots by getting inside the head of the defender
Defenders that want to up their game by anticipating how they might be perceived by attackers.
All other security professionals that want to get better at threat modeling by looking at systems from different perspectives
Key Learning Objectives
You will learn how to do practical threat modeling.
You will have threat modeling as an extra technique in your penetration tester toolbox.
You will become better at scoping security penetration testing.
You will have a better understanding of “attack surface”.
You will become better at red teaming.
Participants should have a basic technical IT background and a basic level of security knowledge. Some penetration testing experience is recommended. Prior threat modeling experience is not required.
Hardware / Software Requirements
The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions. No other specific tools or applications are required.
Agenda Day 1 & 2
Threat modeling introduction
Offensive threat modeling for penetration testers
What is threat modeling?
Why perform threat modeling?
Threat modeling stages
Exploiting a threat model
Diagrams – what are you attacking?
Data flow diagrams
Hands-on: Attacking a B2B web and mobile application, sharing the same REST backend
Identifying threats – how can we attack?
Information disclosure threats
Denial of service threats
Elevation of privilege threats
Hands-on: Weakness analysis of an Internet of Things (IoT) smart home deployment
Authentication: mitigating spoofing
Integrity: mitigating tampering
Non-repudiation: mitigating repudiation
Confidentiality: mitigating information disclosure
Availability: mitigating denial of service
Authorization: mitigating elevation of privilege
Hands-on: Get into the defender's head – modeling points of attack of a nuclear facility
OWASP Top 10
The “Snowden” documents
Create your own attack list
Penetration testing based on threat models
Create pentest cases for threat mitigation features
Pentest planning to exploit security design flaws
Vulnerabilities as input to plan and scope security testing