- CPA to Cybersecurity
- Posts
- Fabric: Your GRC Risk Assessment Force Multiplier
Fabric: Your GRC Risk Assessment Force Multiplier
Augmented: How To Integrate AI Into Life And Work (Open Source GitHub Project from Daniel Miessler)
Steve McMichael
January 13, 2025
Hey there, đź‘‹
🤖 AI: How can cybersecurity GRC people who are often considered "not technical," use it to drive cyber risk reduction?
Here’s a demo of augmenting risk assessments with an open source project on GitHub:
Curious to learn more about this “open-source framework for augmenting humans using AI?” Tune in here for a walkthrough of the blog below, premiering on Jan 15 at 9:30 AM ET. 👇️
Then give it a try and let me know how it goes!
Be safe, be well,
Steve
Contents
Never Heard of Fabric?
First Spend 15 Seconds Here
âťť
Integrate AI Into Your Life and Career to Stay Ahead
Daniel Miessler
Then Imagine the Possibilities Here
ONE SENTENCE SUMMARY:
- AI will dramatically change companies, startups, creativity, hiring, and personal broadcasting, potentially separating groups.
MAIN POINTS:
- AI will optimize business processes, reduce waste, and enable tiny, highly efficient companies.
- AI will reduce creative friction, enabling an explosion of new artists, writers, and filmmakers.
- AI-powered hiring will assess candidates based on their full online presence and work history.
TAKEAWAYS:
- Cultivate clear articulation of self, curiosity, continuous learning, AI integration, and focus on useful work.
- Capture your purpose, goals, and mission; learn to explain them through writing and presenting.
- Build an authentic online presence, connect with like-minded people, and share your full self.
yt https://www.youtube.com/watch\?v\=4b0iet22VIk | fabric -p create_micro_summary -s
You have curiosities, you start chasing them. And then pretty soon you're hacking because hacking is like answering questions. And it's the same with AI.
The most important thing is not that you have that tooling. The most important thing is that you know what you want to do. If you know what the real problem is and you can articulate the problem, well, then you can articulate the solution.
Daniel Miessler
âťť
That’s what it looks like: I mean, what you’re doing is insane! Normal productivity is this level and you’ve gone crazy with AI!
David Bombal
Here are relevant aphorisms related to the topics of AI, learning AI, and the opportunities and changes AI brings:
1. "The only way to predict the future is to build it." - Alan Kay
2. "Intelligence is the ability to adapt to change." - Stephen Hawking
3. "Change is the law of life. And those who look only to the past or present are certain to miss the future." - John F. Kennedy
4. "Live as if you were to die tomorrow. Learn as if you were to live forever." - Mahatma Gandhi
5. "Anyone who stops learning is old, whether at twenty or eighty." - Henry Ford
yt https://youtu.be/vF-MQmVxnCs | fabric -p create_aphorisms -s [manually shortlisted]
Project Explainer
ONE SENTENCE SUMMARY:
- Fabric is an open-source AI framework for augmenting human activities and solving real-world challenges.
MAIN POINTS:
- Fabric focuses on using AI to enhance human experiences, not replace them.
- It provides patterns (prompts) for various tasks like summarizing, analyzing, and creating content.
- Fabric is open-source, allowing users to contribute and improve upon existing patterns.
TAKEAWAYS:
- AI should be used to augment and enhance human activities, not replace them.
- Fabric enables users to solve real-world challenges by applying AI through customizable patterns.
- The open-source nature of Fabric allows for continuous improvement and collaboration from the community.
yt https://youtu.be/wPEyyigh10g | fabric -p create_micro_summary
Then Check It Out on GitHub
Pretty inspiring, eh?!
Also Featured with Gemini in Study GRC
👆️ See minute 32:20 Gems in Gemini
👇️ Then sample use cases where fabric patterns were used as Custom Gems:
pdf to analyze_paper https://gemini.google.com/share/4551ddbbab98
YouTube URL to extract_wisdom https://gemini.google.com/share/a9e4efacd780
Installation
Basic Commands
Help (fabric -h)
fabric -h
Usage:
fabric [OPTIONS]
Application Options:
-p, --pattern= Choose a pattern from the available patterns
-v, --variable= Values for pattern variables, e.g. -v=#role:expert -v=#points:30
-C, --context= Choose a context from the available contexts
--session= Choose a session from the available sessions
-a, --attachment= Attachment path or URL (e.g. for OpenAI image recognition messages)
-S, --setup Run setup for all reconfigurable parts of fabric
-t, --temperature= Set temperature (default: 0.7)
-T, --topp= Set top P (default: 0.9)
-s, --stream Stream
-P, --presencepenalty= Set presence penalty (default: 0.0)
-r, --raw Use the defaults of the model without sending chat options (like temperature etc.) and
use the user role instead of the system role for patterns.
-F, --frequencypenalty= Set frequency penalty (default: 0.0)
-l, --listpatterns List all patterns
-L, --listmodels List all available models
-x, --listcontexts List all contexts
-X, --listsessions List all sessions
-U, --updatepatterns Update patterns
-c, --copy Copy to clipboard
-m, --model= Choose model
--modelContextLength= Model context length (only affects ollama)
-o, --output= Output to file
--output-session Output the entire session (also a temporary one) to the output file
-n, --latest= Number of latest patterns to list (default: 0)
-d, --changeDefaultModel Change default model
-y, --youtube= YouTube video or play list "URL" to grab transcript, comments from it and send to chat
or print it put to the console and store it in the output file
--playlist Prefer playlist over video if both ids are present in the URL
--transcript Grab transcript from YouTube video and send to chat (it used per default).
--comments Grab comments from YouTube video and send to chat
-g, --language= Specify the Language Code for the chat, e.g. -g=en -g=zh
-u, --scrape_url= Scrape website URL to markdown using Jina AI
-q, --scrape_question= Search question using Jina AI
-e, --seed= Seed to be used for LMM generation
-w, --wipecontext= Wipe context
-W, --wipesession= Wipe session
--printcontext= Print context
--printsession= Print session
--readability Convert HTML input into a clean, readable view
--input-has-vars Apply variables to user input
--dry-run Show what would be sent to the model without actually sending it
--serve Serve the Fabric Rest API
--serveOllama Serve the Fabric Rest API with ollama endpoints
--address= The address to bind the REST API (default: :8080)
--config= Path to YAML config file
--version Print current version
--listextensions List all registered extensions
--addextension= Register a new extension from config file path
--rmextension= Remove a registered extension by name
Help Options:
-h, --help Show this help messagePattern List (fabric -l)
agility_story
ai
analyze_answers
analyze_candidates
analyze_cfp_submission
analyze_claims
analyze_comments
analyze_debate
analyze_email_headers
analyze_incident
analyze_interviewer_techniques
analyze_logs
analyze_malware
analyze_military_strategy
analyze_mistakes
analyze_paper
analyze_patent
analyze_personality
analyze_presentation
analyze_product_feedback
analyze_proposition
analyze_prose
analyze_prose_json
analyze_prose_pinker
analyze_risk
analyze_sales_call
analyze_spiritual_text
analyze_tech_impact
analyze_threat_report
analyze_threat_report_trends
answer_interview_question
ask_secure_by_design_questions
ask_uncle_duke
capture_thinkers_work
check_agreement
clean_text
coding_master
compare_and_contrast
convert_to_markdown
create_5_sentence_summary
create_academic_paper
create_ai_jobs_analysis
create_aphorisms
create_art_prompt
create_better_frame
create_coding_project
create_command
create_cyber_summary
create_design_document
create_diy
create_formal_email
create_git_diff_commit
create_graph_from_input
create_hormozi_offer
create_idea_compass
create_investigation_visualization
create_keynote
create_logo
create_markmap_visualization
create_mermaid_visualization
create_mermaid_visualization_for_github
create_micro_summary
create_network_threat_landscape
create_newsletter_entry
create_npc
create_pattern
create_quiz
create_reading_plan
create_recursive_outline
create_report_finding
create_rpg_summary
create_security_update
create_show_intro
create_sigma_rules
create_story_explanation
create_stride_threat_model
create_summary
create_tags
create_threat_scenarios
create_ttrc_graph
create_ttrc_narrative
create_upgrade_pack
create_user_story
create_video_chapters
create_visualization
dialog_with_socrates
explain_code
explain_docs
explain_math
explain_project
explain_terms
export_data_as_csv
extract_algorithm_update_recommendations
extract_article_wisdom
extract_book_ideas
extract_book_recommendations
extract_business_ideas
extract_controversial_ideas
extract_core_message
extract_ctf_writeup
extract_extraordinary_claims
extract_ideas
extract_insights
extract_insights_dm
extract_instructions
extract_jokes
extract_latest_video
extract_main_idea
extract_most_redeeming_thing
extract_patterns
extract_poc
extract_predictions
extract_primary_problem
extract_primary_solution
extract_product_features
extract_questions
extract_recipe
extract_recommendations
extract_references
extract_skills
extract_song_meaning
extract_sponsors
extract_videoid
extract_wisdom
extract_wisdom_agents
extract_wisdom_dm
extract_wisdom_nometa
find_hidden_message
find_logical_fallacies
get_wow_per_minute
get_youtube_rss
humanize
identify_dsrp_distinctions
identify_dsrp_perspectives
identify_dsrp_relationships
identify_dsrp_systems
identify_job_stories
improve_academic_writing
improve_prompt
improve_report_finding
improve_writing
label_and_rate
md_callout
official_pattern_template
prepare_7s_strategy
provide_guidance
rate_ai_response
rate_ai_result
rate_content
rate_value
raw_query
raycast
recommend_artists
recommend_pipeline_upgrades
recommend_talkpanel_topics
refine_design_document
review_design
show_fabric_options_markmap
solve_with_cot
suggest_pattern
summarize
summarize_debate
summarize_git_changes
summarize_git_diff
summarize_lecture
summarize_legislation
summarize_meeting
summarize_micro
summarize_newsletter
summarize_paper
summarize_prompt
summarize_pull-requests
summarize_rpg_session
to_flashcards
transcribe_minutes
translate
tweet
write_essay
write_hackerone_report
write_latex
write_micro_essay
write_nuclei_template_rule
write_pull-request
write_semgrep_ruleModel List (fabric -L)
(Limited to the API keys I selected in fabric —setup)
Available models:
Anthropic
[1] claude-3-5-haiku-latest
[2] claude-3-5-haiku-20241022
[3] claude-3-5-sonnet-latest
[4] claude-3-5-sonnet-20241022
[5] claude-3-5-sonnet-20240620
[6] claude-3-opus-latest
[7] claude-3-opus-20240229
[8] claude-3-sonnet-20240229
[9] claude-3-haiku-20240307
[10] claude-2.1
[11] claude-2.0
[12] claude-instant-1.2
OpenAI
[13] gpt-4o-audio-preview-2024-10-01
[14] gpt-4o-realtime-preview
[15] gpt-4o-realtime-preview-2024-10-01
[16] o1-mini-2024-09-12
[17] dall-e-2
[18] gpt-4-turbo
[19] gpt-4-1106-preview
[20] gpt-3.5-turbo
[21] gpt-3.5-turbo-0125
[22] gpt-3.5-turbo-instruct
[23] babbage-002
[24] whisper-1
[25] dall-e-3
[26] text-embedding-3-small
[27] gpt-3.5-turbo-16k
[28] gpt-4-0125-preview
[29] gpt-4-turbo-preview
[30] omni-moderation-latest
[31] gpt-4o-2024-05-13
[32] omni-moderation-2024-09-26
[33] tts-1-hd-1106
[34] chatgpt-4o-latest
[35] gpt-4
[36] gpt-4-0613
[37] o1-mini
[38] o1-preview
[39] o1-preview-2024-09-12
[40] tts-1-hd
[41] gpt-4o-mini-2024-07-18
[42] gpt-4o-mini
[43] text-embedding-ada-002
[44] gpt-3.5-turbo-1106
[45] gpt-4o-audio-preview
[46] tts-1
[47] tts-1-1106
[48] gpt-3.5-turbo-instruct-0914
[49] davinci-002
[50] text-embeddinSetup (fabric —S)
Available plugins (please configure all required plugins)::
AI Vendors [at least one, required]
[1] OpenAI (configured)
[2] Ollama
[3] Azure
[4] Groq
[5] Gemini
[6] Anthropic (configured)
[7] SiliconCloud
[8] OpenRouter
[9] Mistral
Tools
[10] Default AI Vendor and Model [required] (configured)
[11] Patterns - Downloads patterns [required] (configured)
[12] YouTube - to grab video transcripts and comments (configured)
[13] Language - Default AI Vendor Output Language (configured)
[14] Jina AI Service - to grab a webpage as clean, LLM-friendly text (configured)
[Plugin Number] Enter the number of the plugin to setup (leave empty to skip):
create_threat_scenarios
Input (with echo)
echo "remote access to a Research and Development lab environment" | fabric -p create_threat_scenarios -s -o threatscenarios1.mdOutput
|
create_stride_threat_model
Input (with pbpaste)
Clipboard contents
The architecture of an AI chatbot designed for corporate customer support is typically modular and involves multiple layers and components to ensure smooth interaction, data security, scalability, and efficient communication with customers. Here's a high-level breakdown of the core components and architecture:
1. User Interface (UI) Layer
This is the front-end where users interact with the chatbot. It can be deployed across various platforms:
Web Widget: A chat interface embedded on the company’s website.
Mobile Integration: Through mobile apps or SMS services.
Social Media Integration: Chatbots integrated with platforms like Facebook Messenger, WhatsApp, etc.
The UI collects user inputs (typically text or voice), presents chatbot responses, and ensures the user experience is seamless and easy to navigate.
2. Natural Language Processing (NLP) Engine
The NLP engine is the core component that processes and understands user queries. It converts the user input (text or voice) into structured data and determines the intent of the message.
Text Parsing: Breaks down user inputs into tokens or words.
Intent Recognition: Identifies the purpose of the user's message (e.g., "track my order," "product inquiry").
Entity Recognition: Detects key entities in the text such as product names, dates, or order numbers.
The most popular frameworks for NLP include SpaCy, NLTK, and platforms like Google Dialogflow, Microsoft LUIS, or IBM Watson.
3. Machine Learning Models
To ensure the chatbot learns and improves over time, machine learning models can be employed to predict the best responses based on historical interactions.
Supervised Learning: The chatbot can be trained using labeled datasets to handle common queries.
Reinforcement Learning: Over time, the chatbot improves by learning from user interactions and feedback.
Transfer Learning: Using pre-trained models (like GPT, BERT) that have learned general language understanding and fine-tuning them on the company-specific data.
4. Dialogue Management System
The dialogue management system manages the flow of conversation and determines what response or action should be taken next. Components of this layer include:
Context Management: Keeps track of the conversation’s context to maintain relevant and coherent responses.
Response Generation: Based on the user’s intent, the chatbot will either provide a pre-scripted answer or dynamically generate one.
Fallback Handling: If the bot doesn't understand the user's query, it escalates to a human agent or provides a relevant fallback message.
5. Back-End Integration
For customer support, the chatbot needs access to corporate databases and services to retrieve or update information.
CRM Integration: The chatbot should connect with the company's Customer Relationship Management (CRM) system (e.g., Salesforce, HubSpot) to access customer data.
Inventory or Order Management: If users inquire about products or order statuses, the chatbot interacts with backend systems like ERP or inventory management.
API Layer: The back-end integration is typically handled by an API that allows the chatbot to securely query databases and external services for information.
6. Knowledge Base
The chatbot needs access to a knowledge base that contains information on FAQs, troubleshooting guides, and product or service details.
Static FAQs: Pre-defined answers to frequently asked questions.
Dynamic Knowledge: Use of AI to mine documents, articles, and product manuals to dynamically generate answers.
7. Security Layer
Given the importance of data privacy, especially in a corporate setting, robust security measures need to be implemented.
Authentication: Secure login mechanisms (OAuth, Single Sign-On) to ensure that only authorized users can access sensitive data.
Data Encryption: All communication between the chatbot, users, and backend systems should be encrypted (using SSL/TLS).
Compliance: Ensuring compliance with data regulations such as GDPR, CCPA, or industry-specific standards (e.g., PCI DSS for payment information).
8. Analytics and Monitoring
Monitoring the chatbot’s performance is critical to understanding its effectiveness and identifying areas for improvement.
User Analytics: Track customer queries, chatbot success rates, response times, etc.
Training Data Feedback: Continuously update the chatbot's training data based on new user interactions to improve its understanding of user intent.
9. Escalation to Human Agents
In complex or sensitive cases, the chatbot should seamlessly transition the conversation to a human agent.
Live Chat Handover: When the chatbot cannot handle a query, it routes the conversation to a live agent, passing along the conversation history.
Ticketing System: If no live agents are available, the chatbot can create a support ticket for follow-up.
10. Deployment Infrastructure
The architecture is typically deployed on scalable infrastructure to ensure reliability.
Cloud-Based Infrastructure: Platforms like AWS, Google Cloud, or Azure to ensure scalability and flexibility.
Serverless Architecture: This helps in auto-scaling the services based on load without managing the underlying infrastructure.
Containerization: Using tools like Docker and Kubernetes for easy deployment, scaling, and updating of the chatbot across environments.Terminal Command
pbpaste | fabric -p create_stride_threat_model -s -o chatbot_threat_model.mdOutput
|
Add the Markmap Plugin to Visual Studio Code
Cmd+shift+xInstall
Open as markmap
Export as HTML
Open in Safari browser
Export as pdf
|
create_threat_model
Restored from the Archive
I discovered this pattern in March 2024 here:
But it has since been removed from the main GitHub pattern list. So I recovered it from the commit history and made it into a custom pattern on my Mac.
Like create_threat_scenarios, this pattern includes Miessler’s essay Everyday Threat Modelling
# IDENTITY and PURPOSE
You are an expert in risk and threat management and cybersecurity. You specialize in creating simple, narrative-based, threat models for all types of scenarios—from physical security concerns to application security analysis.
Take a deep breath and think step-by-step about how best to achieve this using the steps below.
# THREAT MODEL ESSAY BY DANIEL MIESSLER
Everyday Threat Modeling
Threat modeling is a superpower. When done correctly it gives you the ability to adjust your defensive behaviors based on what you’re facing in real-world scenarios. And not just for applications, or networks, or a business—but for life.
The Difference Between Threats and Risks
This type of threat modeling is a life skill, not just a technical skill. It’s a way to make decisions when facing multiple stressful options—a universal tool for evaluating how you should respond to danger.
Threat Modeling is a way to think about any type of danger in an organized way.
The problem we have as humans is that opportunity is usually coupled with risk, so the question is one of which opportunities should you take and which should you pass on. And If you want to take a certain risk, which controls should you put in place to keep the risk at an acceptable level?
Most people are bad at responding to slow-effect danger because they don’t properly weigh the likelihood of the bad scenarios they’re facing. They’re too willing to put KGB poisoning and neighborhood-kid-theft in the same realm of likelihood. This grouping is likely to increase your stress level to astronomical levels as you imagine all the different things that could go wrong, which can lead to unwise defensive choices.
To see what I mean, let’s look at some common security questions.
This has nothing to do with politics.
Example 1: Defending Your House
Many have decided to protect their homes using alarm systems, better locks, and guns. Nothing wrong with that necessarily, but the question is how much? When do you stop? For someone who’s not thinking according to Everyday Threat Modeling, there is potential to get real extreme real fast.
Let’s say you live in a nice suburban neighborhood in North Austin. The crime rate is extremely low, and nobody can remember the last time a home was broken into.
But you’re ex-Military, and you grew up in a bad neighborhood, and you’ve heard stories online of families being taken hostage and hurt or killed. So you sit around with like-minded buddies and contemplate what would happen if a few different scenarios happened:
The house gets attacked by 4 armed attackers, each with at least an AR-15
A Ninja sneaks into your bedroom to assassinate the family, and you wake up just in time to see him in your room
A guy suffering from a meth addiction kicks in the front door and runs away with your TV
Now, as a cybersecurity professional who served in the Military, you have these scenarios bouncing around in your head, and you start contemplating what you’d do in each situation. And how you can be prepared.
Everyone knows under-preparation is bad, but over-preparation can be negative as well.
Well, looks like you might want a hidden knife under each table. At least one hidden gun in each room. Krav Maga training for all your kids starting at 10-years-old. And two modified AR-15’s in the bedroom—one for you and one for your wife.
Every control has a cost, and it’s not always financial.
But then you need to buy the cameras. And go to additional CQB courses for room to room combat. And you spend countless hours with your family drilling how to do room-to-room combat with an armed assailant. Also, you’ve been preparing like this for years, and you’ve spent 187K on this so far, which could have gone towards college.
Now. It’s not that it’s bad to be prepared. And if this stuff was all free, and safe, there would be fewer reasons not to do it. The question isn’t whether it’s a good idea. The question is whether it’s a good idea given:
The value of what you’re protecting (family, so a lot)
The chances of each of these scenarios given your current environment (low chances of Ninja in Suburbia)
The cost of the controls, financially, time-wise, and stress-wise (worth considering)
The key is being able to take each scenario and play it out as if it happened.
If you get attacked by 4 armed and trained people with Military weapons, what the hell has lead up to that? And should you not just move to somewhere safer? Or maybe work to make whoever hates you that much, hate you less? And are you and your wife really going to hold them off with your two weapons along with the kids in their pajamas?
Think about how irresponsible you’d feel if that thing happened, and perhaps stress less about it if it would be considered a freak event.
That and the Ninja in your bedroom are not realistic scenarios. Yes, they could happen, but would people really look down on you for being killed by a Ninja in your sleep. They’re Ninjas.
Think about it another way: what if Russian Mafia decided to kidnap your 4th grader while she was walking home from school. They showed up with a van full of commandos and snatched her off the street for ransom (whatever).
Would you feel bad that you didn’t make your child’s school route resistant to Russian Special Forces? You’d probably feel like that emotionally, of course, but it wouldn’t be logical.
Maybe your kids are allergic to bee stings and you just don’t know yet.
Again, your options for avoiding this kind of attack are possible but ridiculous. You could home-school out of fear of Special Forces attacking kids while walking home. You could move to a compound with guard towers and tripwires, and have your kids walk around in beekeeper protection while wearing a gas mask.
Being in a constant state of worry has its own cost.
If you made a list of everything bad that could happen to your family while you sleep, or to your kids while they go about their regular lives, you’d be in a mental institution and/or would spend all your money on weaponry and their Sarah Connor training regiment.
This is why Everyday Threat Modeling is important—you have to factor in the probability of threat scenarios and weigh the cost of the controls against the impact to daily life.
Example 2: Using a VPN
A lot of people are confused about VPNs. They think it’s giving them security that it isn’t because they haven’t properly understood the tech and haven’t considered the attack scenarios.
If you log in at the end website you’ve identified yourself to them, regardless of VPN.
VPNs encrypt the traffic between you and some endpoint on the internet, which is where your VPN is based. From there, your traffic then travels without the VPN to its ultimate destination. And then—and this is the part that a lot of people miss—it then lands in some application, like a website. At that point you start clicking and browsing and doing whatever you do, and all those events could be logged or tracked by that entity or anyone who has access to their systems.
It is not some stealth technology that makes you invisible online, because if invisible people type on a keyboard the letters still show up on the screen.
Now, let’s look at who we’re defending against if you use a VPN.
Your ISP. If your VPN includes all DNS requests and traffic then you could be hiding significantly from your ISP. This is true. They’d still see traffic amounts, and there are some technologies that allow people to infer the contents of encrypted connections, but in general this is a good control if you’re worried about your ISP.
The Government. If the government investigates you by only looking at your ISP, and you’ve been using your VPN 24-7, you’ll be in decent shape because it’ll just be encrypted traffic to a VPN provider. But now they’ll know that whatever you were doing was sensitive enough to use a VPN at all times. So, probably not a win. Besides, they’ll likely be looking at the places you’re actually visiting as well (the sites you’re going to on the VPN), and like I talked about above, that’s when your cloaking device is useless. You have to de-cloak to fire, basically.
Super Hackers Trying to Hack You. First, I don’t know who these super hackers are, or why they’re trying ot hack you. But if it’s a state-level hacking group (or similar elite level), and you are targeted, you’re going to get hacked unless you stop using the internet and email. It’s that simple. There are too many vulnerabilities in all systems, and these teams are too good, for you to be able to resist for long. You will eventually be hacked via phishing, social engineering, poisoning a site you already frequent, or some other technique. Focus instead on not being targeted.
Script Kiddies. If you are just trying to avoid general hacker-types trying to hack you, well, I don’t even know what that means. Again, the main advantage you get from a VPN is obscuring your traffic from your ISP. So unless this script kiddie had access to your ISP and nothing else, this doesn’t make a ton of sense.
Notice that in this example we looked at a control (the VPN) and then looked at likely attacks it would help with. This is the opposite of looking at the attacks (like in the house scenario) and then thinking about controls. Using Everyday Threat Modeling includes being able to do both.
Example 3: Using Smart Speakers in the House
This one is huge for a lot of people, and it shows the mistake I talked about when introducing the problem. Basically, many are imagining movie-plot scenarios when making the decision to use Alexa or not.
Let’s go through the negative scenarios:
Amazon gets hacked with all your data released
Amazon gets hacked with very little data stolen
A hacker taps into your Alexa and can listen to everything
A hacker uses Alexa to do something from outside your house, like open the garage
Someone inside the house buys something they shouldn’t
alexaspeakers
A quick threat model on using Alexa smart speakers (click for spreadsheet)
If you click on the spreadsheet above you can open it in Google Sheets to see the math. It’s not that complex. The only real nuance is that Impact is measured on a scale of 1-1000 instead of 1-100. The real challenge here is not the math. The challenges are:
Unsupervised Learning — Security, Tech, and AI in 10 minutes…
Get a weekly breakdown of what's happening in security and tech—and why it matters.
Experts can argue on exact settings for all of these, but that doesn’t matter much.
Assigning the value of the feature
Determining the scenarios
Properly assigning probability to the scenarios
The first one is critical. You have to know how much risk you’re willing to tolerate based on how useful that thing is to you, your family, your career, your life. The second one requires a bit of a hacker/creative mind. And the third one requires that you understand the industry and the technology to some degree.
But the absolute most important thing here is not the exact ratings you give—it’s the fact that you’re thinking about this stuff in an organized way!
The Everyday Threat Modeling Methodology
Other versions of the methodology start with controls and go from there.
So, as you can see from the spreadsheet, here’s the methodology I recommend using for Everyday Threat Modeling when you’re asking the question:
Should I use this thing?
Out of 1-100, determine how much value or pleasure you get from the item/feature. That’s your Value.
Make a list of negative/attack scenarios that might make you not want to use it.
Determine how bad it would be if each one of those happened, from 1-1000. That’s your Impact.
Determine the chances of that realistically happening over the next, say, 10 years, as a percent chance. That’s your Likelihood.
Multiply the Impact by the Likelihood for each scenario. That’s your Risk.
Add up all your Risk scores. That’s your Total Risk.
Subtract your Total Risk from your Value. If that number is positive, you are good to go. If that number is negative, it might be too risky to use based on your risk tolerance and the value of the feature.
Note that lots of things affect this, such as you realizing you actually care about this thing a lot more than you thought. Or realizing that you can mitigate some of the risk of one of the attacks by—say—putting your Alexa only in certain rooms and not others (like the bedroom or office). Now calculate how that affects both Impact and Likelihood for each scenario, which will affect Total Risk.
Going the opposite direction
Above we talked about going from Feature –> Attack Scenarios –> Determining if It’s Worth It.
But there’s another version of this where you start with a control question, such as:
What’s more secure, typing a password into my phone, using my fingerprint, or using facial recognition?
Here we’re not deciding whether or not to use a phone. Yes, we’re going to use one. Instead we’re figuring out what type of security is best. And that—just like above—requires us to think clearly about the scenarios we’re facing.
So let’s look at some attacks against your phone:
A Russian Spetztaz Ninja wants to gain access to your unlocked phone
Your 7-year old niece wants to play games on your work phone
Your boyfriend wants to spy on your DMs with other people
Someone in Starbucks is shoulder surfing and being nosy
You accidentally leave your phone in a public place
We won’t go through all the math on this, but the Russian Ninja scenario is really bad. And really unlikely. They’re more likely to steal you and the phone, and quickly find a way to make you unlock it for them. So your security measure isn’t going to help there.
For your niece, kids are super smart about watching you type your password, so she might be able to get into it easily just by watching you do it a couple of times. Same with someone shoulder surfing at Starbucks, but you have to ask yourself who’s going to risk stealing your phone and logging into it at Starbucks. Is this a stalker? A criminal? What type? You have to factor in all those probabilities.
First question, why are you with them?
If your significant other wants to spy on your DMs, well they most definitely have had an opportunity to shoulder surf a passcode. But could they also use your finger while you slept? Maybe face recognition could be the best because it’d be obvious to you?
For all of these, you want to assign values based on how often you’re in those situations. How often you’re in Starbucks, how often you have kids around, how stalkerish your soon-to-be-ex is. Etc.
Once again, the point is to think about this in an organized way, rather than as a mashup of scenarios with no probabilities assigned that you can’t keep straight in your head. Logic vs. emotion.
It’s a way of thinking about danger.
Other examples
Here are a few other examples that you might come across.
Should I put my address on my public website?
How bad is it to be a public figure (blog/YouTube) in 2020?
Do I really need to shred this bill when I throw it away?
Don’t ever think you’ve captured all the scenarios, or that you have a perfect model.
In each of these, and the hundreds of other similar scenarios, go through the methodology. Even if you don’t get to something perfect or precise, you will at least get some clarity in what the problem is and how to think about it.
Summary
Threat Modeling is about more than technical defenses—it’s a way of thinking about risk.
The main mistake people make when considering long-term danger is letting different bad outcomes produce confusion and anxiety.
When you think about defense, start with thinking about what you’re defending, and how valuable it is.
Then capture the exact scenarios you’re worried about, along with how bad it would be if they happened, and what you think the chances are of them happening.
You can then think about additional controls as modifiers to the Impact or Probability ratings within each scenario.
Know that your calculation will never be final; it changes based on your own preferences and the world around you.
The primary benefit of Everyday Threat Modeling is having a semi-formal way of thinking about danger.
Don’t worry about the specifics of your methodology; as long as you capture feature value, scenarios, and impact/probability…you’re on the right path. It’s the exercise that’s valuable.
Notes
I know Threat Modeling is a religion with many denominations. The version of threat modeling I am discussing here is a general approach that can be used for anything from whether to move out of the country due to a failing government, or what appsec controls to use on a web application.
END THREAT MODEL ESSAY
# STEPS
- Fully understand the threat modeling approach captured in the blog above. That is the mentality you use to create threat models.
- Take the input provided and create a section called THREAT MODEL, and under that section create a threat model for various scenarios in which that bad thing could happen in a Markdown table structure that follows the philosophy of the blog post above.
- The threat model should be a set of possible scenarios for the situation happening. The goal is to highlight what's realistic vs. possible, and what's worth defending against vs. what's not, combined with the difficulty of defending against each scenario.
- In a section under that, create a section called THREAT MODEL ANALYSIS, give an explanation of the thought process used to build the threat model using a set of 10-word bullets. The focus should be on helping guide the person to the most logical choice on how to defend against the situation, using the different scenarios as a guide.
# OUTPUT GUIDANCE
For example, if a company is worried about the NSA breaking into their systems, the output should illustrate both through the threat model and also the analysis that the NSA breaking into their systems is an unlikely scenario, and it would be better to focus on other, more likely threats. Plus it'd be hard to defend against anyway.
Same for being attacked by Navy Seals at your suburban home if you're a regular person, or having Blackwater kidnap your kid from school. These are possible but not realistic, and it would be impossible to live your life defending against such things all the time.
The threat model itself and the analysis should emphasize this similar to how it's described in the essay.
# OUTPUT INSTRUCTIONS
- You only output valid Markdown.
- Do not use asterisks or other special characters in the output for Markdown formatting. Use Markdown syntax that's more readable in plain text.
- Do not output blank lines or lines full of unprintable / invisible characters. Only output the printable portion of the ASCII art.
# INPUT:
INPUT:
Added as a Custom Pattern
#Change directory to the .config folder
cd ~/.config/
#Create a new directory for your new custom pattern, e.g. "create_threat_model"
mkdir -p custompatterns/create_threat_model
#Change directory to the new one for you pattern
cd custompatterns/create_threat_model
#Create a blank markdown file for your pattern
touch system.md
#Open the file with the Nano text editor
nano system.md
#Save and exit with Ctrl+x, Y, Enter
#Copy all of your custom patterns from your local custom patterns folder, to the main set of patterns in your fabric client
cp -a ~/.config/custompatterns/* ~/.config/fabric/patterns
#Check that your new custom pattern appears in the fabric list
fabric -l
Input (with echo)
echo "personal email without MFA" | fabric -p create_threat_model -s -o personal_email.mdOutput
Terminal
Html
|
Or Use Chat GPT for Formatting
Make this a table "| Scenario | Impact (1-1000) | Likelihood (0-100%) | Risk Score |
|----------|----------------|-------------------|------------|
| Password stolen via phishing attack | 800 | 40% | 320 |
| Password stolen via data breach at email provider | 800 | 30% | 240 |
| Password guessed due to weak/reused password | 700 | 35% | 245 |
| Account taken over by disgruntled ex/friend who knows habits | 600 | 15% | 90 |
| Nation-state actor specifically targeting your email | 1000 | 1% | 10 |
| Random hacker bruteforcing password | 700 | 10% | 70 |"
Next Steps
Give it a try and don’t hesitate to ask for help in Simply Cyber Discord
Related channels are:
👩 💻️ 🧑‍🦲 💻️ 🧔‍♂️ 💻️ CYBER WORKFORCE
⚠️ -grc-team-life
🤖 -ai-ml-security
🎓️ -STUDY-CHANNELS
akylade-cyber-resilience
Project ideas
Integrate fabric with GRC Assist
Test out any or all of the Helper Apps and share your progress with the Simply Cyber Community
to_pdf
Web Interface
Streamlit UI
Make a context file (AKA “soul file) with the Simply Cyber Values, and integrate it into your workflows
Here’s Daniel Miessler’s
And here’s mine
Experiment with different models, including local models
Integrate fabric with Obsidian
Try GitHub projects that integrate with fabric, and find or make more!