Hello From the Other Side

Ian Coldwater
November 21, 2019

Attackers have user stories too. Are you designing with them in mind?

As an attacker, Ian Coldwater would like to help you understand these users and their stories. What do their mindsets, motivations and methodologies look like? What do attackers look for when they look at a Kubernetes context, what do they do when they get in there, and what can you do to help protect your clusters and code against them?

Being able to understand these perspectives can help you broaden your own. Let’s explore them together, and learn how to build stronger, more secure systems accordingly.

Transcript

  1. HELLO FROM THE OTHER SIDE
    Dispatches From a Kubernetes Attacker @IanColdwater

  2. My name is Ian Coldwater. I’m a Lead Platform Security Engineer at Heroku, a Salesforce company.
     I specialize in hacking and hardening Kubernetes, containers and cloud infrastructure.

  3. HI COMMUNITY!

  4. DIVERSITY BUILDS STRONGER SYSTEMS

  5. WHO DO YOU DESIGN FOR?

  6. ATTACKERS HAVE USER STORIES TOO

  7. WHO ARE ATTACKERS?

  8. HOW DO ATTACKERS THINK?

  9. WHAT DO YOU SEE?

  10. WHAT DO YOU SEE?
    kubectl auth can-i --list --namespace=kube-system
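
    The command on this slide asks the API server, via a SelfSubjectRulesReview, what the caller's own identity may do in kube-system (drop --namespace to ask about the current namespace). From a compromised pod an attacker runs it with the mounted service account token and scans the answer for a handful of specific rights rather than reading it top to bottom. The script below is an added example, not part of the deck or of any Heroku tooling: it performs that scan over a constructed sample of `kubectl auth can-i --list` output, and the table of (resource, verb) pairs it flags is an editorial choice, not a Kubernetes-defined list. One caveat for live use: the list comes from the authorizer's rules review and can be incomplete when a webhook authorizer does not report its rules.

```sh
#!/bin/sh
# Triage `kubectl auth can-i --list` output: which of the caller's rights would
# an attacker reach for first? Added example; the risk table is an editorial
# choice of high-value (resource, verb) pairs, not an official Kubernetes list.

# Constructed sample standing in for real output. Live use from inside a pod:
#   kubectl auth can-i --list --namespace=kube-system | triage_can_i
SAMPLE_CAN_I='Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
secrets                                         []                  []               [get list]
pods/exec                                       []                  []               [create]
configmaps                                      []                  []               [get]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]'

# Read can-i output on stdin; print one "SEVERITY reason  <- resource verb"
# line per matching right, sorted and de-duplicated.
triage_can_i() {
  awk -F'  +' '
    BEGIN {
      risk["*:*"]                          = "CRITICAL wildcard on everything (cluster-admin equivalent)"
      risk["secrets:get"]                  = "HIGH read secrets (service account tokens, credentials)"
      risk["secrets:list"]                 = "HIGH list secrets (list returns the full objects)"
      risk["pods/exec:create"]             = "HIGH exec into other pods"
      risk["pods:create"]                  = "HIGH create pods (hostPath / privileged escape path)"
      risk["serviceaccounts/token:create"] = "HIGH mint tokens for other service accounts"
      risk["rolebindings.rbac.authorization.k8s.io:create"]        = "HIGH bind existing roles to yourself"
      risk["clusterrolebindings.rbac.authorization.k8s.io:create"] = "CRITICAL bind cluster-admin to yourself"
    }
    NR == 1 || NF < 4 { next }              # header line and anything malformed
    {
      res = $1; verbs = $4
      if (res == "") next                   # non-resource URL rows are not triaged here
      gsub(/^\[|\]$/, "", verbs)            # "[get list]" -> "get list"
      n = split(verbs, v, " ")
      for (i = 1; i <= n; i++) {
        if (res == "*" && v[i] == "*") {    # everything on everything: one finding, not eight
          printf "%s  <- * *\n", risk["*:*"]
          continue
        }
        for (k in risk) {
          split(k, kv, ":")                 # kv[1] = resource, kv[2] = verb
          if ((kv[1] == res || res == "*") && (kv[2] == v[i] || v[i] == "*"))
            printf "%s  <- %s %s\n", risk[k], res, v[i]
        }
      }
    }' | sort -u
}

# Convenience wrapper: triage the constructed sample.
triage_sample() {
  printf '%s\n' "$SAMPLE_CAN_I" | triage_can_i
}

triage_sample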

  11. WHAT DO ATTACKERS LOOK FOR?

  12. ATTACKER METHODOLOGY

  13. DESIGNING FOR DEFENSE

  14. WHAT IS YOUR THREAT MODEL?
    • What are you trying to protect?
    • Who are you trying to protect it from?

  15. WHAT’S IN YOUR GRAPH?
    • Know what you’re running, and understand it well.
    • What connects? What crosses? Where are the rough edges?
    • What would an attacker see?

  16. CHECK YOUR ASSUMPTIONS

  17. THINGS YOU CAN DO

  18. MAKE FRIENDS!

  19. GET PRACTICE
    • Capture the Flag: overthewire.org, picoctf.com, hackthebox.eu
    • goose.game
    • Play with your own systems!

  20. BETTER TOGETHER

  21. WE CAN DO IT!

  22. RESOURCES
    • Kubernetes security audit
    • attack trees
    • attackers think in graphs
    • bug bounties and black swans
    • CIS benchmarks
    • https://k8s.io/security
    • github.com/kelseyhightower/nocode - the best way to write secure and reliable applications!