Major Venation Product Update: Scenario Visuals


We've been busy.

Today, I'm happy to announce a major improvement for our Venation Scenario Intelligence Subscription: Visualizations of all our threat scenarios.

Venation's mission is providing our clients the most compelling digital risk management experience possible.

Over the years, we found our visualizations played important roles when our clients needed to discuss narratives about (digital) risk.

What we also found is that every organization is unique and needs their own means of visualization.

So, what can we offer that provides curated content which is 80% ready for use AND scalable?

This exact question led us to explore a sustainable way of both curating scenarios and using a visualization structure that everyone can use. Anyone can produce a one-off cool visual; the issue is how to maintain and automate it sustainably.

TLDR:

For all our scenarios, we already provide Markdown files, and starting today we will be rolling out Attack Flow Build files, JSON files and images. Below is what this looks like, and in the next few chapters I'll give some background.

Screenshot of Threat Scenario (Attack Flow Build)

Retrospective views

First, a look back. After officially releasing the first 'structured threat scenario' content repository back in November '23, we steadily grew the repository to 30+ scenarios and developed a weekly newsletter through which we share our proven systems.

Raising the bar

These systems include practical content for better information consumption and risk decision-making. They also include things like how-tos and templates. I strongly believe we needed to make this content widely available to raise the level of quality and maturity of threat and risk practices globally.

Btw, newsletter recipients receive a free registration code for our systems content; so sign up here if you haven't already: https://venation.digital/newsletter

Narratives

Our scenario content allows you to evolve your conversation from single incidents and threats to a holistic approach, allowing you to talk about what happens often in a narrative that all stakeholders will understand.

We invested a lot of time and energy in exploring how to leverage GenAI to sustainably create threat scenarios; let me share our three key takeaways because people often ask me about it:

  1. We found that it's not effective at creating a new scenario but extremely effective at tracking changes. Our open-sourced scenario template is used by human analysts to create the scenario in the first place; then we can leverage GenAI to identify areas that have changed over time. The added result is that our content is an ideal training corpus for training your LLMs on scenario creation (if you are into that).
  2. If you are truly invested in scenario planning or threat modeling like we are, then you should have serious security concerns about input/output. Modeling out a simple attack path for a specific threat group is different from tailoring how that group potentially targets your internal workings and accesses critical systems. Only with the proper (internal) guidelines and parameters in place do we recommend that teams fully trust input/output.
  3. Finally, the inherent bias issue. With humans you can cater for their inherent bias; this is more difficult to pinpoint with LLMs and/or GenAI. It's not impossible, just harder. As a result, the hours you saved by pushing the material to an LLM for processing get spent on QA at the back end, saving you net nothing.

Glancing at the future

Personally, I see our Venation product trajectory move towards new forms of User Experience & User Interface (UX/UI) such as the use of Augmented Reality (AR) and I'm casually scouting for interested folks to join in.

That said, I've got to keep it real. While I will always keep an eye on bringing the state of the art closer to the state of the practice, the reality is that my focus is on bringing our Scenario Intelligence content mainstream first. Keeping the company going is my main priority (we're a commercial company just like the next one, right?).


How did we select our solution

After personally creating and visualizing numerous scenarios for dozens of clients since 2017, I conclude that there are no perfect visualization tools.

There are just more solutions that work for specific use cases.

Ideally, I'd love to see a virtual whiteboard (in AR?), but the reality is that most of the time you revert to the most effective, low-fidelity solution.

In this period I worked with extremely talented folks whose technical skills far exceed my own. Below you see the top solutions used over the years:

  • Whiteboard, Mural, Miro: Low fidelity, maximum impact. Quickly visualize content and be able to collaborate. Difficult to maintain at scale or load data into.
  • Microsoft PowerPoint, Google Slides, Canva: Traditional consultancy tradecraft. Very helpful to customize things to the specific requirements of the client. Most of the time, the client is left with a sense of 'yet-another-powerpoint'.
  • Obsidian: Personal favorite writing app. Markdown files are easy to import and to track using hashtags. Currently contains a so-called 'Canvas' feature which is absolutely amazing for scenario modeling. Downside is that this works in small teams or for individuals but has difficulties in scaling to enterprise levels.

Example from Obsidian.md

  • Draw.IO, Microsoft Visio: Graphical relationship visualization tools. Ideal for manual views of a certain process and flow. They do not have any onboard MITRE ATT&CK tagging whatsoever, leaving you to process a lot of changes manually.
  • Custom: Graph databases like Neo4J are extremely cool. They provide instant visualizations in size, relationship and hierarchy. This is excellent for individual research, but when it is shared outside of the comfortable bubble with an executive with limited time, a lot more explanation is needed and it falls flat. I've seen so many cool applications, notably SpecterOps's Bloodhound Enterprise solutions, except sometimes you have to talk more abstractly than just attack paths.

Example from Bloodhound Enterprise (old screenshot)

Selected option

This led us to exploring Attack Flow from the Center for Threat-Informed Defense.

It was released a while back, but we found that it actually fits a lot of the criteria we have:

  • You can instantly start loading your content in the solution.
  • It's relatively low fidelity and easy to learn.
  • You can use the solution online or create a private, internal instance using Docker.
  • It provides different levels of abstraction.
  • It provides the option to differentiate between technical details (e.g. STIX) and technique-level elements (e.g. MITRE ATT&CK).
  • It provides an export to JSON option.
  • It provides an export to GraphViz & Mermaid option; very useful if you want to build Attack Trees (wink wink Sherman Chu).
  • It looks great on a virtual presentation or in your deliverables.

https://center-for-threat-informed-defense.github.io/attack-flow/builder/

It's not perfect for all our use cases; for example, it lacks a customizable color scheme and relationship graph features.

I'm working with their CTO Mark Haase to bring it closer to what my clients are asking for.

Keep an eye on this to see where it improves.

So where does that leave us?

The team is currently making scenario visualizations for all our scenarios, working through them one by one.


This is what you get.

Our subscription clients are entitled to prioritize specific scenarios for their use cases; we love their feedback and want to give something in return.

Initially, the additions (Attack Flow Build files, PNG, JSON) will be available via our closed GitHub repository.

You can find it here.

Second, they will be added to our portal.

How that will look we don't know yet.

We're still figuring out what level of functionality our content portal users truly require, but we're taking the approach that in this day and age people need fewer portals rather than more.

You can also find it here (in the near future).

Wrapping up

Shout out to the amazing team helping to make this success possible: Roman Y. Sannikov, Martyn Gill, Josh Darby MacLellan, CISSP, CCSP, Luke Rodeheffer, Sylvia Mermans, Kai L. and the others that prefer to remain anonymous.

There is still work to do.

Effective decision-making is challenging.

Traditional thinking around digital risk management continues to be prevalent (e.g. risk matrices, lists, tables, PDF reports).

Not every organization is open to shifting their risk management mindset from a linear one to a systems-thinking, non-linear one.

Our next phase starts today.

I encourage you to start yours as well.

Visit our website https://venation.digital/ to understand more details about our Scenario Intelligence Subscription offering and pricing.

You can use the website to request a demo in less than 5 minutes or simply DM me.


Let's make this week count!

GJ

www.venation.digital


#cyberthreatintelligence #cybersecurity #scenarioplanning #digitalriskmanagement #threat #risk #threatmanagement #threatscenarios

Jonathan Baker

Director & Co-founder, Center for Threat-Informed Defense

6 months

Gert-Jan B. it is awesome to see how you are building upon Attack Flow. Keep up the great work and keep talking to Mark Haase as you have new ideas and feedback.

Simone Kraus

It all comes down to common sense.

6 months

Amazing approach! Great job!

Giles I.

Director of Services EMEA @ NetSPI: The Proactive Security Solution | PTaaS | ASM | BAS

6 months

Such a great feature
