Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello From the Other Side

Ian Coldwater
November 21, 2019
Technology
0
440

Hello From the Other Side

Attackers have user stories too. Are you designing with them in mind?

As an attacker, Ian Coldwater would like to help you understand these users and their stories. What do their mindsets, motivations and methodologies look like? What do attackers look for when they look at a Kubernetes context, what do they do when they get in there, and what can you do to help protect your clusters and code against them?

Being able to understand these perspectives can help you broaden your own. Let’s explore them together, and learn how to build stronger, more secure systems accordingly.

Ian Coldwater

November 21, 2019
Tweet

More Decks by Ian Coldwater

See All by Ian Coldwater
Advanced Persistence Threats: The Future of Kubernetes Attacks
iancoldwater
1
2.5k
Bridge Construction Kit: DevOps and Security Don’t Have to Be Islands
iancoldwater
2
440
Hello World
iancoldwater
1
160
The Path Less Traveled: Abusing Kubernetes Defaults
iancoldwater
7
7k
Crafty Requests: Deep Dive into Kubernetes CVE-2018-1002105
iancoldwater
2
330
Ship of Fools: Shoring Up Kubernetes Security
iancoldwater
3
2.4k

Other Decks in Technology

See All in Technology
LINE WORKSへ簡単通知!Incoming Webhookアプリの紹介
mmclsntr
0
110
可視化プラットフォームGrafanaの基本と活用方法の全て
hamadakoji
0
230
初中級者用如何使用backlog -VALE TUDOEDITION-
in0u
0
140
Classmethod流のPlatform Engineering / classmethod-platform-engineering-devio2024
tomoki10
0
470
AWS IAMのアンチパターン/AWSが考える最低権限実現へのアプローチ概略(JAWS-UG朝会#59資料改修20分版)
htan
0
330
累計ダウンロード数1億8000万を超えるアプリケーションプラットフォームのレガシーシステム脱却とモダン化への道
kmitsuhashi
0
120
[NIKKEI Tech Talk] KDDI/KAG Scrum & Community for Engineering Training
curanosuke
2
220
20240717_イケコパ代表Copilot_in_Teams会社でこう使ってます
ponponmikankan
2
430
データ分析を支える技術 生成AI再入門
ishikawa_satoru
0
380
テスト・設計研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
170
コミュニティサービスに「あなたへ」フィードを リリースするまでの試行錯誤
takapy
1
140
開発生産性をむしろ向上させる
セキュリティパートナーの作り方 / Dev Productivity Con 2024
flatt_security
0
360

Featured

See All Featured
The Language of Interfaces
destraynor
151
23k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
18
1.2k
WebSockets: Embracing the real-time Web
robhawkes
59
7.2k
Designing on Purpose - Digital PM Summit 2013
jponch
113
6.6k
Writing Fast Ruby
sferik
623
60k
10 Git Anti Patterns You Should be Aware of
lemiorhan
652
58k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
149
45k
Raft: Consensus for Rubyists
vanstee
134
6.5k
4 Signs Your Business is Dying
shpigford
178
21k
Stop Working from a Prison Cell
hatefulcrawdad
266
20k
GitHub's CSS Performance
jonrohan
1026
450k
GraphQLの誤解/rethinking-graphql
sonatard
59
9.6k

Transcript

  1. HELLO FROM THE OTHER SIDE Dispatches From a Kubernetes Attacker

    @IanColdwater

  2. My name is Ian Coldwater. I’m a Lead Platform Security

    Engineer at Heroku, a Salesforce company. I specialize in hacking and hardening Kubernetes, containers and cloud infrastructure. @IanColdwater

  3. HI COMMUNITY! @IanColdwater

  4. DIVERSITY BUILDS STRONGER SYSTEMS @IanColdwater

  5. WHO DO YOU DESIGN FOR? @IanColdwater

  6. ATTACKERS HAVE USER STORIES TOO @IanColdwater

  7. WHO ARE ATTACKERS? @IanColdwater

  8. HOW DO ATTACKERS THINK? @IanColdwater

  9. WHAT DO YOU SEE? @IanColdwater

  10. WHAT DO YOU SEE? kubectl auth can-i --list --namespace=kube-system @IanColdwater

  11. WHAT DO ATTACKERS LOOK FOR? @IanColdwater

  12. ATTACKER METHODOLOGY @IanColdwater

  13. DESIGNING FOR DEFENSE @IanColdwater

  14. WHAT IS YOUR THREAT MODEL? • What are you trying

    to protect? • Who are you trying to protect it from? @IanColdwater

  15. WHAT’S IN YOUR GRAPH? • Know what you’re running, and

    understand it well. • What connects? What crosses? Where are the rough edges? • What would an attacker see? @IanColdwater

  16. CHECK YOUR ASSUMPTIONS @IanColdwater

  17. THINGS YOU CAN DO @IanColdwater

  18. MAKE FRIENDS! @IanColdwater

  19. GET PRACTICE • Capture the Flag: overthewire.org, picoctf.com, hackthebox.eu •

    goose.game • Play with your own systems! @IanColdwater

  20. BETTER TOGETHER @IanColdwater

  21. WE CAN DO IT! @IanColdwater

  22. RESOURCES • Kubernetes security audit • attack trees • attackers

    think in graphs • bug bounties and black swans • CIS benchmarks • https://k8s.io/security • github.com/kelseyhightower/ nocode - the best way to write secure and reliable applications! @IanColdwater