Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello From the Other Side

Ian Coldwater
November 21, 2019
Technology
0
420

Hello From the Other Side

Attackers have user stories too. Are you designing with them in mind?

As an attacker, Ian Coldwater would like to help you understand these users and their stories. What do their mindsets, motivations and methodologies look like? What do attackers look for when they look at a Kubernetes context, what do they do when they get in there, and what can you do to help protect your clusters and code against them?

Being able to understand these perspectives can help you broaden your own. Let’s explore them together, and learn how to build stronger, more secure systems accordingly.

Ian Coldwater

November 21, 2019
Tweet

More Decks by Ian Coldwater

See All by Ian Coldwater
Advanced Persistence Threats: The Future of Kubernetes Attacks
iancoldwater
1
2.3k
Bridge Construction Kit: DevOps and Security Don’t Have to Be Islands
iancoldwater
2
420
Hello World
iancoldwater
1
150
The Path Less Traveled: Abusing Kubernetes Defaults
iancoldwater
7
6.5k
Crafty Requests: Deep Dive into Kubernetes CVE-2018-1002105
iancoldwater
2
300
Ship of Fools: Shoring Up Kubernetes Security
iancoldwater
3
2.2k

Other Decks in Technology

See All in Technology
株式会社オプティム_採用会社紹介資料 / optim-recruit
optim
0
9.6k
AI完全初心者でも最新の生成AIの仕組がわかった気になれるプレゼン
shimap_sampo
5
2k
Microsoft Build 2023 で発表された Cosmos DB の注目アップデート / Microsoft Build 2023 Cosmos DB update
miyake
1
220
Blueskyの「今」がわかる!Bot
lamrongol
0
130
「Go Style Guide」から学んだ可読性の高いコードの書き方
andpad
5
2.8k
Spotify API を使ったアイマス楽曲の楽しみ方
takemikami
0
120
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
Large Language Models: From Prototype to Production
inesmontani
PRO
9
2.9k
よくわかるフォルシアのエンジニア 旅行プラットフォーム部編
forcia_dev_pr
0
200
組込みRustでも でかい?JSONを扱いたい!
ciniml
0
130
1人目QA奮闘記-2023年ver-/QA Engineer's Struggle 2023
mii3king
1
730
ハンズオンで学ぶ! Instana基礎
daihiraoka
1
140

Featured

See All Featured
Become a Pro
speakerdeck
PRO
7
3.4k
Infographics Made Easy
chrislema
236
17k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Making Projects Easy
brettharned
102
5k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.1k
Visualization
eitanlees
130
12k
Designing for humans not robots
tammielis
245
24k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
33
21k
The Language of Interfaces
destraynor
149
21k

Transcript

  1. HELLO FROM THE OTHER SIDE
    Dispatches From a Kubernetes Attacker @IanColdwater

    View Slide

  2. My name is Ian Coldwater.
    I’m a Lead Platform Security
    Engineer at Heroku, a Salesforce
    company.
    I specialize in hacking and
    hardening Kubernetes, containers
    and cloud infrastructure.
    @IanColdwater

    View Slide

  3. HI COMMUNITY!
    @IanColdwater

    View Slide

  4. DIVERSITY
    BUILDS
    STRONGER
    SYSTEMS
    @IanColdwater

    View Slide

  5. WHO DO YOU DESIGN FOR?
    @IanColdwater

    View Slide

  6. ATTACKERS HAVE USER STORIES TOO
    @IanColdwater

    View Slide

  7. WHO ARE ATTACKERS?
    @IanColdwater

    View Slide

  8. HOW DO ATTACKERS THINK?
    @IanColdwater

    View Slide

  9. WHAT DO YOU SEE?
    @IanColdwater

    View Slide

  10. WHAT DO YOU SEE?
    kubectl auth can-i --list
    --namespace=kube-system
    @IanColdwater

    View Slide

  11. WHAT DO ATTACKERS LOOK FOR?
    @IanColdwater

    View Slide

  12. ATTACKER METHODOLOGY
    @IanColdwater

    View Slide

  13. DESIGNING FOR DEFENSE
    @IanColdwater

    View Slide

  14. WHAT IS YOUR THREAT MODEL?
    • What are you trying to protect?
    • Who are you trying to protect it from?
    @IanColdwater

    View Slide

  15. WHAT’S IN YOUR GRAPH?
    • Know what you’re running, and understand it well.
    • What connects? What crosses? Where are the rough edges?
    • What would an attacker see?
    @IanColdwater

    View Slide

  16. CHECK YOUR ASSUMPTIONS
    @IanColdwater

    View Slide

  17. THINGS YOU CAN DO
    @IanColdwater

    View Slide

  18. MAKE FRIENDS!
    @IanColdwater

    View Slide

  19. GET PRACTICE
    • Capture the Flag:
    overthewire.org, picoctf.com,
    hackthebox.eu
    • goose.game
    • Play with your own systems!
    @IanColdwater

    View Slide

  20. BETTER TOGETHER
    @IanColdwater

    View Slide

  21. WE CAN DO IT!
    @IanColdwater

    View Slide

  22. RESOURCES
    • Kubernetes security audit
    • attack trees
    • attackers think in graphs
    • bug bounties and black
    swans
    • CIS benchmarks
    • https://k8s.io/security
    • github.com/kelseyhightower/
    nocode - the best way to
    write secure and reliable
    applications!
    @IanColdwater

    View Slide