Remitly’s Jason Craig on Building a Threat Modeling Strategy
Jan 10, 2024
To protect your organization and its valuable assets, you need to know your environment first, especially the pathways through which attackers can access your most valuable assets. On a recent episode of our Detection at Scale podcast, Jason Craig, Director - Threat Detection & Response at Remitly, explained how to start building your threat modeling strategy.
Here are the top takeaways:
Start with what your organization does and what has value in your business that an attacker might want. Whether you're a social media company, a fintech company, or a cloud storage company, attackers will be after something: user data, money, abuse of your platform, or something else.
Next, identify the pathways that lead to those assets. Create an accurate asset inventory so you have situational awareness of your environment. Then you can visualize the pathways attackers may take to get to your assets — and if valuable assets are just a few hops away from an area of compromise.
Determine how you'll safeguard that sensitive data. Choose a hierarchy for protection, starting with the most sensitive data first. Once you have observable data and an understanding of your environment, you can more easily build your detection and response strategies.
Take steps to strengthen identity management as well. SMS-based MFA delivered over cellular networks leaves too much room for exploitation. Instead, use hardware-backed authentication, and expand your behavioral profiling so you understand the normal habits of your employees.
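The first three takeaways (know what has value, inventory the assets and the pathways between them, prioritize protection by sensitivity) can be turned into a small, repeatable check. The following Python is an added example, not code from Remitly or from the podcast: it models a constructed asset inventory as a graph whose edges are access pathways, counts how many hops separate an assumed point of compromise from each high-sensitivity asset, and shows how removing one pathway (segmenting the CI server from the payments database) changes the exposure. All asset names, sensitivity scores and pathways are invented for illustration.

```python
from collections import deque

# Constructed asset inventory (not a real environment). Sensitivity 5 = crown jewels.
ASSETS = {
    "laptop-eng": {"sensitivity": 1},
    "vpn-gateway": {"sensitivity": 2},
    "wiki": {"sensitivity": 1},
    "ci-server": {"sensitivity": 3},
    "payments-db": {"sensitivity": 5},
    "user-pii-bucket": {"sensitivity": 5},
}

# Constructed pathways: (source, destination) means that once `source` is
# compromised, an attacker can reach `destination` directly.
PATHWAYS = [
    ("laptop-eng", "vpn-gateway"),
    ("vpn-gateway", "wiki"),
    ("vpn-gateway", "ci-server"),
    ("ci-server", "payments-db"),
    ("ci-server", "user-pii-bucket"),
]


def build_graph(pathways):
    """Adjacency list from the pathway edge list; every node gets an entry."""
    graph = {}
    for src, dst in pathways:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def hop_distances(graph, start):
    """Breadth-first search: fewest lateral hops from `start` to each reachable asset."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def exposed_assets(assets, pathways, compromised, max_hops, min_sensitivity):
    """Assets of at least `min_sensitivity` reachable within `max_hops` of a
    compromised node, ranked most sensitive first and then fewest hops."""
    dist = hop_distances(build_graph(pathways), compromised)
    hits = [
        (name, hops, assets[name]["sensitivity"])
        for name, hops in dist.items()
        if name != compromised
        and hops <= max_hops
        and assets[name]["sensitivity"] >= min_sensitivity
    ]
    hits.sort(key=lambda h: (-h[2], h[1]))
    return hits


def without_pathway(pathways, edge):
    """Inventory after a mitigation that removes one pathway (e.g. segmentation)."""
    return [p for p in pathways if p != edge]


if __name__ == "__main__":
    # Assume an engineer's laptop is the initial point of compromise.
    for name, hops, sens in exposed_assets(ASSETS, PATHWAYS, "laptop-eng", 3, 4):
        print(f"{name}: sensitivity {sens}, {hops} hops from laptop-eng")
    # Re-run after segmenting the CI server from the payments database.
    segmented = without_pathway(PATHWAYS, ("ci-server", "payments-db"))
    print("after segmentation:", exposed_assets(ASSETS, segmented, "laptop-eng", 3, 4))
```

Running the script shows both crown-jewel assets three hops from a single compromised laptop; after the one segmentation change only the PII bucket remains within reach, which is the kind of before/after view that makes it clear where to spend hardening and detection effort first.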