Learn how to threat model using an interactive board game

Threat modelling is a very hot topic within security. With many companies struggling to roll out this methodology, we needed a solution that would allow us to do it at scale.

Threat modelling allows us to look at any given application and the infrastructure it lives in, and to document and prioritise its security flaws. For more detail, check out the following OWASP entry: https://www.owasp.org/index.php/Application_Threat_Modeling.

Aligning almost 100 scrum teams in their approach to threat modelling is a challenge we have at ASOS. Along with my Secure Development team, I embraced this challenge, and took the opportunity to come up with some innovative ideas.

One of these ideas came to me in what felt like an epiphany — a relatively straightforward way that we could roll out threat modelling.

What if we were to focus our efforts on the core skill sets and attempt to teach each of these individually?

I remembered that when I was at school learning how to multiply, my teacher told me that five multiplied by five is the same as adding five together five times. Multiplication was reduced to addition. I wanted to apply this concept, reducing a complex task to one I already understood, to threat modelling.

Once these skills had been identified, I could then build them back up into threat modelling, focusing on the individual skill sets, while doing it in a way that is interactive and collaborative. The interactivity was important, as everyone involved would be encouraged to put forward their views.

As any scientist would do before testing a theory, I entered a research phase. I played a few games including Cards Against Humanity, Monopoly and Risk, and even thought about Dungeons & Dragons, all in the name of science. It became apparent that the only way this would work would be to create an ecosystem purely around software, engineering and, more specifically, security.

The first part of any good threat modelling exercise is to identify the assets. When I threat model with a team, I ask them to draw their architecture first. I used an extremely simplified version of an e-commerce company's base architecture. You can see in the board further down that it's clear what each of the components is, and how they work together to provide an e-commerce service.

The board has been partially obscured, but I encourage you to create one of your own that fits your use cases better.

Now that we have the architecture articulated, I would highlight the high-value assets. High-value assets are those assets we seek to protect, or attack if we are thinking with the hacker mindset.

The high-value assets differ based on perspective and context, but we should be conscious that we understand what is important to us and why.

Because the system view was only partial, I decided it would be best not to shortcut the game by calling out where the high-value assets are. Rather, I'd let the people I'm playing with decide which assets they want to defend or attack.

Depending on how you threat model, there are a number of things you can do next. A very simple example would be to ask: how can I attack that thing? To give the game some direction, and also to provide guidance to those who aren't aware of the various methods available to attackers, I brainstormed a number of attack vectors and put them on cards.

These are a few examples of these cards.

I enticed a few of my colleagues to play it through with me using cookies and sweets, and the promise of becoming threat-modelling pros. I didn't tell them that I had no idea how the game really worked. I did what I do best and improvised as I went along.

‘This game makes no sense’ — quote from player in the first game

Me holding the hard copy of the game

I borrowed the practice of continuous improvement, working in iterations, to improve the gameplay and specifically the rules.

I spent a few evenings using GIMP and managed to create a slightly nicer board, which is the board we use today. I even made a hard copy of it.

I’ve played through the game a few times, and I’ve got the rules ironed out now. So, without further ado, here’s how to play my game…