home.social

#threatmodeling — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #threatmodeling, aggregated by home.social.

  1. Incident Overview:
    Platform: Step Finance
    Loss: ~$40M treasury theft
    Vector: Compromised executive devices
    Status: Operations terminated

    Recovery efforts:
    • ~$3.7M Remora assets recovered
    • ~$1M additional tokens recovered
    • Snapshot-based reimbursement for STEP holders
    • Buyback + redemption process underway

    Collateral shutdown:
    Remora Markets, SolanaFloor

    Strategic insight:
    Executive endpoint compromise → treasury compromise.

    Crypto treasury management must incorporate hardened device policies, hardware-backed key storage, enforced MFA, anomaly detection.

    Source: therecord.media/step-finance-c

    Follow us for tactical crypto threat briefings.
    Share mitigation strategies below.

    #Infosec #CryptoSecurity #DeFiRisk #TreasuryManagement #EndpointSecurity #Blockchain #DigitalAssets #ThreatModeling #CyberIncident #SecurityOperations

  2. Incident Overview:
    Platform: Step Finance
    Loss: ~$40M treasury theft
    Vector: Compromised executive devices
    Status: Operations terminated

    Recovery efforts:
    • ~$3.7M Remora assets recovered
    • ~$1M additional tokens recovered
    • Snapshot-based reimbursement for STEP holders
    • Buyback + redemption process underway

    Collateral shutdown:
    Remora Markets, SolanaFloor

    Strategic insight:
    Executive endpoint compromise → treasury compromise.

    Crypto treasury management must incorporate hardened device policies, hardware-backed key storage, enforced MFA, anomaly detection.

    Source: therecord.media/step-finance-c

    Follow us for tactical crypto threat briefings.
    Share mitigation strategies below.

    #Infosec #CryptoSecurity #DeFiRisk #TreasuryManagement #EndpointSecurity #Blockchain #DigitalAssets #ThreatModeling #CyberIncident #SecurityOperations

  3. Incident Overview:
    Platform: Step Finance
    Loss: ~$40M treasury theft
    Vector: Compromised executive devices
    Status: Operations terminated

    Recovery efforts:
    • ~$3.7M Remora assets recovered
    • ~$1M additional tokens recovered
    • Snapshot-based reimbursement for STEP holders
    • Buyback + redemption process underway

    Collateral shutdown:
    Remora Markets, SolanaFloor

    Strategic insight:
    Executive endpoint compromise → treasury compromise.

    Crypto treasury management must incorporate hardened device policies, hardware-backed key storage, enforced MFA, anomaly detection.

    Source: therecord.media/step-finance-c

    Follow us for tactical crypto threat briefings.
    Share mitigation strategies below.

    #Infosec #CryptoSecurity #DeFiRisk #TreasuryManagement #EndpointSecurity #Blockchain #DigitalAssets #ThreatModeling #CyberIncident #SecurityOperations

  4. Incident Overview:
    Platform: Step Finance
    Loss: ~$40M treasury theft
    Vector: Compromised executive devices
    Status: Operations terminated

    Recovery efforts:
    • ~$3.7M Remora assets recovered
    • ~$1M additional tokens recovered
    • Snapshot-based reimbursement for STEP holders
    • Buyback + redemption process underway

    Collateral shutdown:
    Remora Markets, SolanaFloor

    Strategic insight:
    Executive endpoint compromise → treasury compromise.

    Crypto treasury management must incorporate hardened device policies, hardware-backed key storage, enforced MFA, anomaly detection.

    Source: therecord.media/step-finance-c

    Follow us for tactical crypto threat briefings.
    Share mitigation strategies below.

    #Infosec #CryptoSecurity #DeFiRisk #TreasuryManagement #EndpointSecurity #Blockchain #DigitalAssets #ThreatModeling #CyberIncident #SecurityOperations

  5. Check out ˗ˏˋ ⭒ lnkd.in/gE2wUqgc ⭒ ˎˊ˗ to see my intro whilst you listen.

    I'm thus re-naming this work as "CVE Keeper - Security at x+1; rethinking vulnerability management beyond CVSS & scanners". I must also thank @andrewpollock for reviewing several of my verbose drafts. 🫡

    So, Security at x+1; rethinking vulnerability management beyond CVSS & scanners -

    Most vulnerability tooling today is optimized for disclosure and alert volume, not for making correct decisions on real systems. CVEs arrive faster than teams can evaluate them, scores are generic, context arrives late, and we still struggle to answer the only question that matters: does this actually put my system at risk right now?

    Over the last few years working close to CVE lifecycle automation, I’ve been designing an open architecture that treats vulnerability management as a continuous, system-specific reasoning problem rather than a static scoring task. The goal is to assess impact on the same day for 0-days using minimal upstream data, refine accuracy over time as context improves, reason across dependencies and compound vulnerabilities, and couple automation with explicit human verification instead of replacing it.

    This work explores:

    ⤇ 1• Same-day triage of newly disclosed and 0-day vulnerabilities
    ⤇ 2• Dependency-aware and compound vulnerability impact assessment
    ⤇ 3• Correlating classical CVSS with AI-specific threat vectors
    ⤇ 4• Reducing operational noise, unnecessary reboots, and security burnout
    ⤇ 5• Making high-quality vulnerability intelligence accessible beyond enterprise teams

    The core belief is simple: most security failures come from misjudged impact, not missed vulnerabilities. Accuracy, context, and accountability matter more than volume.

    I’m sharing this to invite feedback from folks working in CVE, OSV, vulnerability disclosure, AI security, infra, and systems research. Disagreement and critique are welcome. This problem affects everyone, and I don’t think incremental tooling alone will solve it.

    P.S.

    • Super appreciate everyone that's spent time reviewing my drafts and reading all my essays lol. I owe you 🫶🏻
    • ... and GoogleLM. These slides would have taken me forever to make otherwise.

    Take my CVE-data User Survey to allow me to tailor your needs into my design - lnkd.in/gcyvnZeE
    See more at - lnkd.in/gGWQfBW5
    lnkd.in/gE2wUqgc

    #VulnerabilityManagement #Risk #ThreatModeling #CVE #CyberSecurity #Infosec #VulnerabilityManagement #ThreatIntelligence #ApplicationSecurity #SecurityOperations #ZeroDay #RiskManagement #DevSecOps #CVE #CVEAnalysis #VulnerabilityDisclosure #SecurityData #CVSS #VulnerabilityAssessment #PatchManagement #AI #AIML #AISecurity #MachineLearning #AIThreats #AIinSecurity #SecureAI #OSS #Rust #ZeroTrust #Security

    linkedin.com/feed/update/urn:l

  6. (20/N) Our second asset classification option:

    Intimate

    Assets that unfortunately can’t stay FYEO, because under certain circumstances, they need to be accessible to, or controlled by, fully trusted persons or entities. Preferably, these assets are kept publicly undetectable and unknown.

    Handling of such assets by others requires a considerable amount of #carefulness, #diligence, and #loyalty that exceeds anything that could be pinned down with enough precision in formal documents. Typically, only significant others, some family members, trustees or close friends are entrusted with handling this class of assets.

    For most individuals, this class is most likely the best default. Once you have sorted out which assets are actually not Intimate, but FYEO, consider moving them to a separate spreadsheet that is, in itself, classified as FYEO.

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D

  7. (10/N) A third category of adversaries:

    Ideologues

    #Ideologues want to push you to do the right thing, or to punish you for doing the wrong thing. They may also want to eliminate you, physically or metaphorically, when they can't achieve their goal: Maybe you just won't learn, or are incorrigible, as such.

    The assets that you are "entitled" to are considered a reward, for conforming to the respective ideology. The portion of your assets that you aren't "entitled" to is usually the target of relentless denial, even destruction.

    Entitlement is always conditional, and temporary: In case you seem to be going astray, and appeals to your conscience do not seem to have enough effect, your assets may be withdrawn or destroyed.

    Hacktivists, campaigners, protagonists or minions of gender-based violence, lobbyists, racists, and terrorists fall into this category.

    Note: I am not judging how "just" the respective "causes" are, I'm talking about behaviors.

    (to be continued)

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D

  8. (10/N) A third category of adversaries:

    Ideologues

    #Ideologues want to push you to do the right thing, or to punish you for doing the wrong thing. They may also want to eliminate you, physically or metaphorically, when they can't achieve their goal: Maybe you just won't learn, or are incorrigible, as such.

    The assets that you are "entitled" to are considered a reward, for conforming to the respective ideology. The portion of your assets that you aren't "entitled" to is usually the target of relentless denial, even destruction.

    Entitlement is always conditional, and temporary: In case you seem to be going astray, and appeals to your conscience do not seem to have enough effect, your assets may be withdrawn or destroyed.

    Hacktivists, campaigners, protagonists or minions of gender-based violence, lobbyists, racists, and terrorists fall into this category.

    Note: I am not judging how "just" the respective "causes" are, I'm talking about behaviors.

    (to be continued)

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D

  9. (10/N) A third category of adversaries:

    Ideologues

    #Ideologues want to push you to do the right thing, or to punish you for doing the wrong thing. They may also want to eliminate you, physically or metaphorically, when they can't achieve their goal: Maybe you just won't learn, or are incorrigible, as such.

    The assets that you are "entitled" to are considered a reward, for conforming to the respective ideology. The portion of your assets that you aren't "entitled" to is usually the target of relentless denial, even destruction.

    Entitlement is always conditional, and temporary: In case you seem to be going astray, and appeals to your conscience do not seem to have enough effect, your assets may be withdrawn or destroyed.

    Hacktivists, campaigners, protagonists or minions of gender-based violence, lobbyists, racists, and terrorists fall into this category.

    Note: I am not judging how "just" the respective "causes" are, I'm talking about behaviors.

    (to be continued)

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D

  10. (10/N) A third category of adversaries:

    Ideologues

    #Ideologues want to push you to do the right thing, or to punish you for doing the wrong thing. They may also want to eliminate you, physically or metaphorically, when they can't achieve their goal: Maybe you just won't learn, or are incorrigible, as such.

    The assets that you are "entitled" to are considered a reward, for conforming to the respective ideology. The portion of your assets that you aren't "entitled" to is usually the target of relentless denial, even destruction.

    Entitlement is always conditional, and temporary: In case you seem to be going astray, and appeals to your conscience do not seem to have enough effect, your assets may be withdrawn or destroyed.

    Hacktivists, campaigners, protagonists or minions of gender-based violence, lobbyists, racists, and terrorists fall into this category.

    Note: I am not judging how "just" the respective "causes" are, I'm talking about behaviors.

    (to be continued)

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D

  11. (8/N) For now, leave your spreadsheet of assets alone and turn to the second question of the #ThreatModelingManifesto:

    2. What can go wrong?

    The answer usually includes a list of adversaries, so you can later consider which ones you stand a chance fighting, if you think it's worth it.

    Again, this may be helpful for corporations, but not that much for individuals, since damage done to individuals can be much deeper, and last for much longer, even for life.

    So, lets rather consider abstract categories of adversaries from a perspective of what their primary goals are, and what they usually do to achieve them. We don't bother with specific bad actors here, nor are we considering how to "help them" via psychotherapy, legislation, imprisonment or campaigning, at this point in time.

    First, the list:

    A few thoughts, on each category:

    You, and people like you

    You and others prefer to keep asset protection efforts to a minimum. You tend to take the integrity of your assets for granted, hoping that others will respect your boundaries, either out of respect for you or because of legal regulations and repercussions. Your attitude towards handling the assets of others is equally shortsighted and careless.

    As a result, your digital assets stay exposed, and you're putting others at risk, too.

    (to be continued)

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D

  12. (8/N) For now, leave your spreadsheet of assets alone and turn to the second question of the #ThreatModelingManifesto:

    2. What can go wrong?

    The answer usually includes a list of adversaries, so you can later consider which ones you stand a chance fighting, if you think it's worth it.

    Again, this may be helpful for corporations, but not that much for individuals, since damage done to individuals can be much deeper, and last for much longer, even for life.

    So, lets rather consider abstract categories of adversaries from a perspective of what their primary goals are, and what they usually do to achieve them. We don't bother with specific bad actors here, nor are we considering how to "help them" via psychotherapy, legislation, imprisonment or campaigning, at this point in time.

    First, the list:

    A few thoughts, on each category:

    You, and people like you

    You and others prefer to keep asset protection efforts to a minimum. You tend to take the integrity of your assets for granted, hoping that others will respect your boundaries, either out of respect for you or because of legal regulations and repercussions. Your attitude towards handling the assets of others is equally shortsighted and careless.

    As a result, your digital assets stay exposed, and you're putting others at risk, too.

    (to be continued)

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D

  13. (8/N) For now, leave your spreadsheet of assets alone and turn to the second question of the #ThreatModelingManifesto:

    2. What can go wrong?

    The answer usually includes a list of adversaries, so you can later consider which ones you stand a chance fighting, if you think it's worth it.

    Again, this may be helpful for corporations, but not that much for individuals, since damage done to individuals can be much deeper, and last for much longer, even for life.

    So, lets rather consider abstract categories of adversaries from a perspective of what their primary goals are, and what they usually do to achieve them. We don't bother with specific bad actors here, nor are we considering how to "help them" via psychotherapy, legislation, imprisonment or campaigning, at this point in time.

    First, the list:

    A few thoughts, on each category:

    You, and people like you

    You and others prefer to keep asset protection efforts to a minimum. You tend to take the integrity of your assets for granted, hoping that others will respect your boundaries, either out of respect for you or because of legal regulations and repercussions. Your attitude towards handling the assets of others is equally shortsighted and careless.

    As a result, your digital assets stay exposed, and you're putting others at risk, too.

    (to be continued)

    Start of this thread:
    mastodon.de/@tuxwise/113503228

    #ThreatModeling #4D