Threat Modeling Intensive (222 Self-paced)
Technology professionals will develop the knowledge & skills needed to consistently and efficiently threat model: identify threats, mitigation techniques, document results, deliver more secure products.
Threat Modeling Intensive (222) is the most popular course at Shostack + Associates, and this is the self-paced version.
Participants will complete 7 chapters including: 1 preparation, 5 knowledge and skills, and an optional chapter. The six core chapters each include a set of video lectures (about 5 minutes each) and exercises to build the skills covered in the lectures. There is also one chapter with and additional reading and two videos of 45 minutes each.
After taking this class, participants will have a depth of knowledge and skills to consistently and efficiently utilize:
These techniques will help participants to identify threats and mitigation techniques (such as controls and risk management), accurately document results, and turn threat analysis consistently and efficiently into more secure products. As a result participants will eventually champion threat modeling within their organization.
Enrollment in this course is active for 30 days.
Estimated time to complete is 14-16 hours.
Everything you need to complete the course is included, but some people want or need more.
Optional add-ons:
Threat Modeling Engagement Pack
1-on-1 With Adam
A 1-on-1 session with Adam where you can ask questions and get feedback on what you learned in the self-paced course. Along with the 1-on-1 you will also receive a Threat Modeling Engagement Pack.
We've found that not everyone needs physical copies or a 1-on-1 discussion with Adam Shostack to learn Threat Modeling and are happy to offer a learning package that includes only what you feel you need.
Digital Resources + Engagement Pack
Engagement Pack + 1-on-1
Digital Resources Only
Welcome and Introduction
Syllabus
Learning Online
Welcome to Threat Modeling
Slide Book (downloadable)
Exercises File
Exercise: Drawing tools
The Question: What Are We Working On?
DFDs: Diagrams and Models
Trust Boundaries Slide Supplement
Trust Boundaries (Introduction)
Understanding Boundaries
Exercise: Data Flow Diagram Essay
Exercise: Data Flow Diagram Creation
Models answer key
Sketching
Exercises: Trust Boundaries Essay
Exercise: Draw Trust Boundaries
DFDs in Depth
Boundaries Technical
Boundary Complexity
Exercise: Stop and Reflect
What Can Go Wrong? Brainstorming
STRIDE (Introduction)
Applying STRIDE
Tracking Threats + Assumptions
Exercise: STRIDE Essay
Exercise: Apply STRIDE
Tools in Context
Elevation of Privilege
Attack Trees
Final Tips + Recap: What Can Go Wrong
Exercise: Stop and Reflect
Mitigations
Strategies for Addressing Threats
Addressing Threats
Exercise: Design Control - Broadly
Exercise: Design Controls in Depth
Exercise: Risk Mitigation
(Optional) Prioritization
(Optional) Managing "What We're Going to Do About it"
(Optional) Chess and Arms Races
Exercise: Stop and Reflect
Managing Risk
Did we do a good job?
Retrospectives
Answer key: threats and mitigations
Exercise: Stop and Reflect
Introduction to Kill Chains
Applying the Kill Chain
Exercise: Kill Chain Essay
Exercise: Apply a Kill Chain
(optional) Kill Chain Cheat Sheet
MITRE'S ATT&CK Kill Chain
"Act On Objectives" Stage of the Kill Chain
Exercise: Stop and Reflect