Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Thinking Evil Thoughts

Gareth Rushgrove
September 01, 2016
Technology
6
2.7k

Thinking Evil Thoughts

Talk from Software Circus 2016 on Threat Modeling

Gareth Rushgrove

September 01, 2016
Tweet

More Decks by Gareth Rushgrove

See All by Gareth Rushgrove
GTM vs Open Source
garethr
0
690
Software Build of Materials For Cloud Native applications
garethr
1
330
Evolving vulnerabilities in CycloneDX
garethr
0
280
Configuration security is a developer problem
garethr
2
1.9k
Patterns for secure container base image management
garethr
1
1.9k
Testing configuration with Open Policy Agent
garethr
0
490
Building a Docker Image Packaging Pipeline Using GitHub Actions
garethr
5
2.1k
The perils of configuration security
garethr
1
190
Shifting Terraform security left
garethr
3
1.6k

Other Decks in Technology

See All in Technology
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.4k
「知的単純作業」を自動化する、地に足の着いた大規模言語モデル (LLM) の活用
nrryuya
8
6.5k
自らを知り外と繋がる、日経のエンジニア採用とDevRel活動/devreljp92
nishiuma
2
190
One engineer company with Ruby on Rails
rstankov
2
460
NewSQL Landscape
oracle4engineer
PRO
2
2.6k
AWS アーキテクチャ作図入門/aws-architecture-diagram-101
ma2shita
16
6.5k
Building Dashboards as a Hobby
egmc
0
430
require(ESM)とECMAScript仕様
uhyo
4
1k
パスワードを保存しますか?
hanacchi
0
210
データベース03: 関係データモデル
trycycle
0
110
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
1.1k
個人のAWSアカウントをマルチ運用してみた
miura55
2
250

Featured

See All Featured
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
KATA
mclloyd
16
12k
We Have a Design System, Now What?
morganepeng
43
6.8k
It's Worth the Effort
3n
180
27k
Visualization
eitanlees
137
14k
The Invisible Customer
myddelton
114
12k
The Cost Of JavaScript in 2023
addyosmani
21
3.9k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
66
14k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Agile that works and the tools we love
rasmusluckow
325
20k
Code Reviewing Like a Champion
maltzj
515
39k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k

Transcript

  1. (without introducing more risk) Thinking Evil Thoughts Puppet Gareth Rushgrove

    A taste of threat modeling

  2. (without introducing more risk) @garethr

  3. (without introducing more risk) Gareth Rushgrove

  4. (without introducing more risk) This Talk What to expect

  5. - What is threat modeling? - Getting the scope right

    - Identifying risks - Using conferences to hack people Gareth Rushgrove

  6. Introduce some security language to help you navigate the domain

    Gareth Rushgrove

  7. Dive straight into examples Gareth Rushgrove

  8. Empower you to ask questions more than provide easy answers

    Gareth Rushgrove

  9. (without introducing more risk) Threat modeling A brief introduction

  10. Gareth Rushgrove a procedure for optimizing network security by identifying

    objectives and vulnerabilities THREAT MODELING

  11. - Determine scope - Identify threat agents and attacks -

    Understand existing countermeasures - Identify vulnerabilities - Prioritise risks - Identify countermeasures Gareth Rushgrove https://www.owasp.org/index.php/Category:Threat_Modeling

  12. Inside each of us, there is the seed of both

    good and evil. It's a constant struggle as to which one will win. Gareth Rushgrove “ ” Eric Burdon

  13. (without introducing more risk) Think evil.

  14. (without introducing more risk) Getting the scope rights Avoiding gaps

    in your threat model

  15. Ignoring part of your system when considering security is a

    common mistake Gareth Rushgrove

  16. Gareth Rushgrove the attack surface of a software environment is

    the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. ATTACK SURFACE

  17. (without introducing more risk) Example What is Production? Gareth Rushgrove

  18. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION?

  19. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS

    CI SERVER

  20. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS

    CI SERVER HYPERVISOR MANAGEMENT MONITORING

  21. Do you protect your CI stack as well as your

    production database? Gareth Rushgrove

  22. Could I execute a query on your production database if

    I compromised your CI server? Gareth Rushgrove

  23. Example Third party services Gareth Rushgrove

  24. Gareth Rushgrove an entity which facilitates interactions between two parties

    who both trust the third party TRUSTED THIRD PARTY

  25. Gareth Rushgrove a term in computer science and security used

    to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data). TRUST BOUNDARY

  26. Gareth Rushgrove

  27. Why Serverless is a bad name Gareth Rushgrove

  28. (without introducing more risk) There are still servers somewhere Gareth

    Rushgrove

  29. How you think about the servers changes, and the respective

    risks and mitigations change. But servers still exist. Gareth Rushgrove

  30. Why NoOps is a bad name Gareth Rushgrove

  31. None
  32. None

  33. How you think about operations changes, and the respective risks

    and mitigations change. But operations still exist. Gareth Rushgrove

  34. Your attack surface is bigger than you think Gareth Rushgrove

  35. (without introducing more risk) Identifying risks The need to understand

    your system

  36. Differences in how you perceive a system and how it

    actually works can be used to exploit it Gareth Rushgrove

  37. Example Immutable infrastructure Gareth Rushgrove

  38. Out systems are immutable, we don’t need runtime file integrity

    checking Gareth Rushgrove “ ” A possibly naive developer

  39. Gareth Rushgrove unchanging over time or unable to be changed.

    synonyms: unchangeable, fixed IMMUTABLE

  40. (without introducing more risk) Containers are not immutable by default

    Gareth Rushgrove

  41. (without introducing more risk) Containers are not immutable by default

    Gareth Rushgrove

  42. (without introducing more risk) Gareth Rushgrove $ docker run -d

    alpine /bin/sh \ -c "while true; do echo hello world; sleep 1; done"

  43. (without introducing more risk) Gareth Rushgrove $ docker exec a7a01beb14de

    touch /tmp/surprise

  44. (without introducing more risk) Gareth Rushgrove $ docker diff a7a01beb14de

    C /tmp A /tmp/surprise

  45. (without introducing more risk) Gareth Rushgrove $ docker run --read-only

    -d alpine /bin/sh \ -c "while true; do echo hello world; sleep 1; done"

  46. (without introducing more risk) Gareth Rushgrove $ docker exec 379150b2cf05

    touch /tmp/surprise touch: cannot touch '/tmp/surprise': Read-only file syste

  47. (without introducing more risk) Do your immutable EC2 instances have

    read-only filesystems? Gareth Rushgrove

  48. (without introducing more risk) Most Immutable Infrastructure isn’t Gareth Rushgrove

  49. (without introducing more risk) Without technical controls you only have

    social guarantees of immutability Gareth Rushgrove

  50. (without introducing more risk) Hacking conferences Looking for vulnerabilities

  51. Let’s assume your applications and infrastructure are super secure* Gareth

    Rushgrove * This probably isn’t true. You should worry about that as well.

  52. - Penetration testing - Intrusion detection system - Web application

    firewall - Network firewalls - Malware scanning - Configuration management Gareth Rushgrove

  53. Gareth Rushgrove How secure is your laptop?

  54. - Hand maintained configuration - Updated whenever - No central

    monitoring - Administrative access - Single factor authentication Gareth Rushgrove

  55. Can you push new Docker images from your laptop? Gareth

    Rushgrove

  56. Can you create jobs on your Jenkins instance from your

    laptop? Gareth Rushgrove

  57. Can you launch new replication controllers from your laptop? Gareth

    Rushgrove

  58. Can you release new functions to Lambda from your laptop?

    Gareth Rushgrove

  59. Real world threat

  60. (without introducing more risk) As a hacker how do I

    own your laptop? The fun stuff

  61. Where can I find hundreds of developer laptops… Gareth Rushgrove

  62. Developer Conferences are a Target Rich Environment Gareth Rushgrove

  63. Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE

    WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK

  64. Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE

    WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK This is the official conference wifi right?

  65. Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE

    WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK Or is it this one? Whatever, both work

  66. Devices exist to man-in-the-middle wireless networks Gareth Rushgrove

  67. Who has ever picked up a USB memory stick at

    a conference? Gareth Rushgrove

  68. Gareth Rushgrove

  69. USB devices exist which will run a script on connect

    (normally by impersonating a keyboard) Gareth Rushgrove

  70. (without introducing more risk) DELAY 1000 COMMAND SPACE DELAY 500

    STRING Terminal DELAY 500 ENTER DELAY 800 STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys ENTER DELAY 1000 STRING killall Terminal ENTER Add my public key https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29

  71. Local databases

  72. Lots of people here are on Twitter and using the

    conference hashtag Gareth Rushgrove

  73. Lots of people here are on GitHub with the same

    username Gareth Rushgrove

  74. (without introducing more risk) $ curl -s https://api.github.com/users/<username>/events/public \ |

    jq '.[].payload.commits[0].author.email' \ | sort \ | uniq \ | grep -v "null" Email from GitHub user

  75. an e-mail spoofing fraud attempt that targets a specific organization

    or individual, seeking unauthorized access to confidential data. Gareth Rushgrove SPEAR PHISHING

  76. Hi <your name> Great to see you at <conference name

    here> last week. I thought you’d be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think. Hopefully see you at DockerCon next year too.

  77. (without introducing more risk) So you’re saying we’re all doomed?

    This is quite depressing now I think about it

  78. Part of threat modeling is coming up with suitable mitigations

    to the risks identified Gareth Rushgrove

  79. - 2 factor authentication - Time-limited credentials - Separation of

    duties - Two person rule - Configuration management Gareth Rushgrove

  80. having more than one person required to complete a task.

    In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. Gareth Rushgrove SEPARATION OF DUTIES

  81. a control mechanism designed to achieve a high level of

    security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times. Gareth Rushgrove TWO-PERSON RULE

  82. Gareth Rushgrove a process that identifies critical information to determine

    if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them. OPERATIONAL SECURITY (OPSEC)

  83. Once you understand the threat you can seek out specific

    guidance Gareth Rushgrove
  84. None

  85. - Protect data in transit - Protect data at rest

    - Authentication - Secure boot - Platform integrity and sandboxing - Application whitelisting Gareth Rushgrove - Malicious code detection - Security policy enforcement - External interface protection - Device update policy - Event collection and analysis - Incident response https://www.cesg.gov.uk/guidance/end-user-devices-security-principles

  86. Education. Education. Education. Gareth Rushgrove

  87. Gareth Rushgrove

  88. (without introducing more risk) Conclusions If all you remember is…

  89. With Cloud Native approaches developers are nearer to production than

    ever before Gareth Rushgrove

  90. The efficiency of modern tooling introduces new threats, and magnifies

    existing ones Gareth Rushgrove

  91. Existing mitigations and security controls won’t be enough. You need

    to collaborate with security colleagues on new approaches Gareth Rushgrove

  92. Threat modeling should be part of your development process Gareth

    Rushgrove

  93. Gareth Rushgrove

  94. Elevation of privilege

  95. Gareth Rushgrove

  96. (without introducing more risk) Thanks And any questions?