

Bryan Payne
April 22, 2025

How To Have Impact In Security: Stories About Risk Reduction At Scale

Computer security is not all about technology, despite what we’ve often been taught. In this talk, Dr. Payne pulls back the curtain on how security teams at some of the world’s most well-known tech companies operate. You will discover how the most successful teams go beyond technical expertise by leveraging company culture, change management, strategic thinking, listening, persuasion, and more to get the job done. Along the way, you’ll explore fascinating real-world security projects that highlight what you can accomplish when you bring all these skills together.


Transcript

  1. [Career timeline figure, 1995 - 2025] Degrees: Washington Univ BS CS & Math; Univ of MD MS CS; Georgia Tech PhD CS. Organizations on the timeline: NSA, BAE, Georgia Tech, SNL, IBM, Nebula, Netflix, CMU, AWS, Adobe, BU. Lanes: Government, Research, Industry, Academia; a CISO role is marked.
  2. [Figure: estimated number of infected hosts (log scale, 1 to 100,000,000) against year released, 1999 - 2005] Worms plotted: ILOVEYOU (email worm), Mydoom (fastest spreading email worm), Code Red (defaced websites), Blaster, Sircam, SQL Slammer (doubled in size every 8.5 seconds; infected 90% of vulnerable hosts in 10 minutes).
  3. Threat Intel Report: targets, goals, methods, skill level, defense. Reverse Engineering: protected lab setting, observe behavior, find signatures, attribution.
  4. TOP SKILLS UTILIZED: REVERSE ENGINEERING MALWARE
     ▸ Understanding how software / compilers work
     ▸ Teamwork
     ▸ Visual thinking
     ▸ Connecting with resources across the agency
     ▸ Writing
  5. [Architecture diagram: a hypervisor hosting a User VM and a Security VM. User VM: user processes, memory, hooks, trampoline. Security VM: memory protector, virtual machine introspection, memory analysis, security application. Inputs: network traffic, hardware events, hook events, mouse / keyboard, disk. Caption: Architecture enables secure active monitoring of virtual machines.]
     Talk outline: Secure Access (passive, active); Memory Analysis (semantic gap); Applications (feasibility, performance).
  6. Memory analysis techniques to locate data structures across software versions.
  7. Anti-virus: linking user intent to security policy.
  8. TOP SKILLS UTILIZED: RESEARCH PUBLICATION AT GA TECH
     ▸ Operating systems
     ▸ Forensic memory analysis
     ▸ Software engineering
     ▸ Writing and editing
     ▸ Grit / solving new problems
     ▸ Teamwork
  9. CHALLENGES WITH VMI
     ▸ Semantic gap
     ▸ Performance
     ▸ Platform support
     ▸ User-space vs kernel-space vs hypervisor-space
  10. LIBVMI FEATURES (CIRCA 2011)
     - Virtual address translation
     - Kernel symbol resolution
     - Read / write to memory by physical address, virtual address or kernel symbol
     - Read registers
     - Pause / resume VM
     - Get total size of memory
     - Map physical memory pages
     [Diagram: LibVMI layered on top of the VMM platform]
  11. LIBVMI INTERNALS (CIRCA 2011)
     ▸ Initialization of LibVMI
     ▸ Runtime guest introspection
     ▸ Memory access (read / write)
     ▸ Register access
     ▸ Pause / resume
     ▸ Hypervisor-level support
     ▸ OS-level support
  12. LIBVMI + VOLATILITY INTEGRATION (CIRCA 2011)
     [Diagram: LibVMI (C language API) -> pyvmi (Python language wrapper for LibVMI) -> pyvmi address space -> Volatility (memory analysis framework) and its plugins. Sources under LibVMI: KVM, Xen, other VMM, memory snapshot (one marked "patch"). Caption: Runtime analysis capabilities augment Volatility's rich memory analysis.]
     Volatility plugin capabilities:
     ‣ Read keyboard buffer from real mode memory
     ‣ Print list of open network connections
     ‣ Crash dump information
     ‣ List loaded DLLs for each process
     ‣ List open handles for each process
     ‣ Parse / traverse registry hives
     ‣ Find and decrypt LSA secrets from registry
     ‣ Dump a process or kernel driver to an executable sample
     ‣ List loaded kernel modules
     ‣ List running processes
     ‣ Display SSDT entries
     ‣ Display VAD tree information
     ‣ Reconstruct wireframe view of screen
     ‣ Various malware detection techniques
     ‣ Reconstruct event timeline information
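The memory-analysis steps that slides 10 through 12 list (kernel symbol resolution, virtual address translation, reading guest memory, and a Volatility-style "list running processes") as an added Python example. This is not LibVMI, pyvmi or Volatility code: the page-table format, the System.map-style symbol table, the two task_struct layouts ("kernel-A" and "kernel-B") and the three sample processes are all constructed for the illustration. The two layouts exercise the semantic-gap point from slides 6 and 9: the same bytes walked with the wrong offsets do not produce a process list, which is why the walker needs a per-kernel-version profile, and why a crude profile check is included.

```python
# Added example (not LibVMI/pyvmi/Volatility code): walk a Linux-style task
# list out of a raw guest memory image with constructed, simplified layouts.
import struct

PAGE = 4096
PTE_PRESENT = 1
PT_ENTRIES = PAGE // 8   # one page of 8-byte PTEs (constructed scheme)

class GuestMemory:
    """Guest RAM plus a CR3-like page-table root and a System.map-style symbol table."""

    def __init__(self, size, cr3, symbols):
        self.mem = bytearray(size)
        self.cr3 = cr3
        self.symbols = symbols

    def read_pa(self, pa, n):
        if pa + n > len(self.mem):
            raise ValueError(f"physical read out of range: {pa:#x}")
        return bytes(self.mem[pa:pa + n])

    def write_pa(self, pa, data):
        self.mem[pa:pa + len(data)] = data

    def translate(self, va):
        """Single-level walk: PTE bit 0 = present, bits 12+ = frame (not x86 format)."""
        idx, off = va >> 12, va & (PAGE - 1)
        if idx >= PT_ENTRIES:
            raise LookupError(f"virtual address {va:#x} outside page table")
        pte = struct.unpack_from("<Q", self.mem, self.cr3 + idx * 8)[0]
        if not pte & PTE_PRESENT:
            raise LookupError(f"virtual address {va:#x} not mapped")
        return (pte & ~(PAGE - 1)) | off

    def read_va(self, va, n):
        """Read at a virtual address, splitting at page boundaries: adjacent
        virtual pages need not be adjacent physically."""
        out = b""
        while n:
            pa = self.translate(va)
            chunk = min(n, PAGE - (pa & (PAGE - 1)))
            out += self.read_pa(pa, chunk)
            va, n = va + chunk, n - chunk
        return out

    def ksym(self, name):
        return self.symbols[name]

# task_struct offsets differ between kernel builds; reading with the wrong
# layout is the semantic gap in action.  Both layouts are hypothetical.
PROFILES = {
    "kernel-B": {"pid": 0, "tasks": 8, "comm": 16, "size": 32},
    "kernel-A": {"pid": 0, "comm": 8, "tasks": 24, "size": 32},
}

def list_processes(gm, profile, max_tasks=1024):
    """Walk init_task.tasks like a pslist plugin.  list_head.next points at the
    *next task's tasks field*, so the struct base is the pointer minus that offset."""
    lay = PROFILES[profile]
    start = base = gm.ksym("init_task")
    procs = []
    for _ in range(max_tasks):
        raw = gm.read_va(base, lay["size"])
        pid = struct.unpack_from("<I", raw, lay["pid"])[0]
        comm = raw[lay["comm"]:lay["comm"] + 16].split(b"\0", 1)[0]
        procs.append((pid, comm.decode("ascii", "replace")))
        base = struct.unpack_from("<Q", raw, lay["tasks"])[0] - lay["tasks"]
        if base == start:
            return procs
    raise RuntimeError("task list did not terminate: wrong profile or corrupt list")

def detect_profile(gm):
    """Keep the layout under which the walk terminates with printable names."""
    for name in PROFILES:
        try:
            procs = list_processes(gm, name)
        except (LookupError, RuntimeError, ValueError):
            continue
        if procs and all(comm and comm.isprintable() for _, comm in procs):
            return name
    return None

def build_sample_guest():
    """Constructed image: page table at PA 0, VA pages 1..3 -> PA pages 2..4,
    three kernel-A task_structs linked into a circular list."""
    gm = GuestMemory(size=8 * PAGE, cr3=0, symbols={"init_task": 0x1000})
    for vpn, pfn in ((1, 2), (2, 3), (3, 4)):
        gm.write_pa(vpn * 8, struct.pack("<Q", (pfn * PAGE) | PTE_PRESENT))
    lay = PROFILES["kernel-A"]
    tasks = [(0x1000, 0, b"swapper"), (0x2100, 1, b"systemd"), (0x3040, 42, b"sshd")]
    for i, (va, pid, comm) in enumerate(tasks):
        next_va = tasks[(i + 1) % len(tasks)][0]
        rec = bytearray(lay["size"])   # no record crosses a page boundary here
        struct.pack_into("<I", rec, lay["pid"], pid)
        rec[lay["comm"]:lay["comm"] + len(comm)] = comm
        struct.pack_into("<Q", rec, lay["tasks"], next_va + lay["tasks"])
        gm.write_pa(gm.translate(va), bytes(rec))
    return gm
```

Calling `build_sample_guest()` and then `detect_profile(...)` rejects "kernel-B" (its bogus next pointer lands outside the page table) and settles on "kernel-A", under which `list_processes(...)` returns swapper, systemd and sshd. A real introspection stack does the same three things with more machinery: LibVMI handles the page walk and symbol lookup against a live VM, and Volatility supplies the per-kernel profile and the plugin logic.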
  13. TOP SKILLS UTILIZED: LIBVMI
     ▸ Operating systems
     ▸ Software engineering
     ▸ Navigating the bureaucracy
     ▸ Building an open source community
     ▸ Convincing others of the value of this work
     ▸ Create a lasting change
  14. June 29, 2013 — “The OpenStack Security Guide Book Sprint finished yesterday and 38,000 words of wisdom from some of the top experts is now available.”
  15. OPENSTACK SECURITY PATH (CIRCA 2014)
     [Roadmap figure with columns Key Projects, Best Practices and Stretch Goals] Items shown: OpenStack Security Jenkins Enhancements, Threat Analysis, Static Analysis, Cryptography Review, OpenStack Security Guide, OpenStack Security Notes, Tempest Modules, Developer Security Guidelines.
  16. TOP SKILLS UTILIZED: OPENSTACK SECURITY GROUP
     ▸ Navigating a global open source project, finding a need, and leading the way
     ▸ Pulling together a group of people to solve important problems but who had very different motivations
     ▸ Advertising the work
     ▸ Scaling the work: book writing, commit checks, security response functions
     ▸ Create a lasting change
  17. Service Identity at Scale at Netflix: https://www.youtube.com/watch?v=-mmOT9I6JlY
     USENIX Enigma 2016 - PKI at Scale Using Short-lived Certificates: https://www.youtube.com/watch?v=7YPIsbz8Pig
  18. TOP SKILLS UTILIZED: METATRON
     ▸ Problem identification, finding the root cause of the problem
     ▸ User experience as a critical acceptance criterion
     ▸ Motivating change across the company
     ▸ The adoption curve
     ▸ Building an ecosystem (secrets, authN, authZ, etc.)
  19. [Team health diagram] Team Health; Security Outcomes; Team Happiness; Individual Performance; Talent Magnet / Team Flywheel; Team “Charter”; Clarity; Trust & Coach.
  20. TOP SKILLS UTILIZED: PEOPLE LEADERSHIP
     ▸ Building team health
     ▸ Developing team culture
     ▸ Strategy for impact
     ▸ Creating a self-sustaining team
     ▸ Solving the right technical problems