
Hello From the Other Side

Ian Coldwater
November 21, 2019


Attackers have user stories too. Are you designing with them in mind?

As an attacker, Ian Coldwater would like to help you understand these users and their stories. What do their mindsets, motivations and methodologies look like? What do attackers look for when they look at a Kubernetes context, what do they do when they get in there, and what can you do to help protect your clusters and code against them?

Being able to understand these perspectives can help you broaden your own. Let’s explore them together, and learn how to build stronger, more secure systems accordingly.


Transcript

  1. HELLO FROM THE OTHER SIDE Dispatches From a Kubernetes Attacker @IanColdwater

  2. My name is Ian Coldwater. I’m a Lead Platform Security Engineer at Heroku, a Salesforce company. I specialize in hacking and hardening Kubernetes, containers and cloud infrastructure.

  3. HI COMMUNITY!

  4. DIVERSITY BUILDS STRONGER SYSTEMS

  5. WHO DO YOU DESIGN FOR?

  6. ATTACKERS HAVE USER STORIES TOO

  7. WHO ARE ATTACKERS?

  8. HOW DO ATTACKERS THINK?

  9. WHAT DO YOU SEE?

  10. WHAT DO YOU SEE? kubectl auth can-i --list --namespace=kube-system

  11. WHAT DO ATTACKERS LOOK FOR?

  12. ATTACKER METHODOLOGY

  13. DESIGNING FOR DEFENSE

  14. WHAT IS YOUR THREAT MODEL?
     • What are you trying to protect?
     • Who are you trying to protect it from?

  15. WHAT’S IN YOUR GRAPH?
     • Know what you’re running, and understand it well.
     • What connects? What crosses? Where are the rough edges?
     • What would an attacker see?

  16. CHECK YOUR ASSUMPTIONS

  17. THINGS YOU CAN DO

  18. MAKE FRIENDS!

  19. GET PRACTICE
     • Capture the Flag: overthewire.org, picoctf.com, hackthebox.eu
     • goose.game
     • Play with your own systems!

  20. BETTER TOGETHER

  21. WE CAN DO IT!

  22. RESOURCES
     • Kubernetes security audit
     • attack trees
     • attackers think in graphs
     • bug bounties and black swans
     • CIS benchmarks
     • https://k8s.io/security
     • github.com/kelseyhightower/nocode - the best way to write secure and reliable applications!
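Slide 10 shows the first thing an attacker with a foothold runs, and slide 15 asks what an attacker would see. The script below is an added example, written for this page and not taken from the talk or its author: it parses the table that `kubectl auth can-i --list` prints (a SelfSubjectRulesReview rendered as text) and ranks the permissions an attacker inside the cluster would reach for first. The sample output is constructed, not captured from any real cluster, and the HIGH_VALUE ranking is this editor's judgement, not a Kubernetes-defined list. Two caveats a practitioner should keep in mind: the review is per namespace, so it has to be repeated for every namespace the subject can name (the slide checks kube-system for a reason), and kubectl itself warns that the list may be incomplete when an authorizer (a webhook, for example) cannot enumerate its rules, so an empty result is not proof of least privilege.

```python
"""Read `kubectl auth can-i --list` the way an attacker does.

Added example, not code from the talk. It parses the table that
`kubectl auth can-i --list` prints and ranks the permissions an attacker
inside the cluster would reach for first. The sample below is constructed;
it was not captured from a real cluster.
"""
import re

# Constructed sample in the layout kubectl prints: four columns, the last three
# bracketed lists. Rows with an empty Resources column are non-resource URLs.
SAMPLE_CAN_I_LIST = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
secrets                                         []                  []               [get list]
pods                                            []                  []               [create get list]
pods/exec                                       []                  []               [create]
configmaps                                      []                  [app-config]     [get]
rolebindings.rbac.authorization.k8s.io          []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]
"""

# One row: optional resource name, then three bracketed, space-separated lists.
ROW_RE = re.compile(r"^\s*(\S*?)\s*\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")

# Permissions an attacker looks for, roughly in order of payoff (editor's
# judgement). The resource is matched without its API group suffix; a "*"
# verb on the row matches every entry.
HIGH_VALUE = [
    ("secrets",               {"get", "list"},               "critical", "reads credentials and tokens"),
    ("pods/exec",             {"create"},                    "critical", "runs commands inside existing pods"),
    ("pods",                  {"create", "update", "patch"}, "critical", "launches pods (hostPath, privileged, other service accounts)"),
    ("serviceaccounts/token", {"create"},                    "critical", "mints tokens for other service accounts"),
    ("rolebindings",          {"create", "update", "patch", "bind", "escalate"}, "critical", "grants itself more RBAC"),
    ("clusterrolebindings",   {"create", "update", "patch", "bind", "escalate"}, "critical", "grants itself cluster-wide RBAC"),
    ("configmaps",            {"get", "list"},               "medium",   "config often leaks endpoints or credentials"),
    ("pods",                  {"get", "list"},               "low",      "recon: what else runs in this namespace"),
]

SEVERITY_ORDER = {"critical": 0, "medium": 1, "low": 2}


def parse_can_i_list(text):
    """Turn the printed table into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Resources"):
            continue  # blank line or the column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        resource, urls, names, verbs = m.groups()
        rules.append({
            "resource": resource,      # "" for a non-resource URL rule
            "urls": urls.split(),
            "names": names.split(),    # non-empty means restricted to named objects
            "verbs": set(verbs.split()),
        })
    return rules


def triage(rules):
    """Return (severity, resource, verbs, why) findings, most useful to an attacker first."""
    findings = []
    for rule in rules:
        if not rule["resource"]:
            continue  # /healthz, /api/* and friends are discovery, not a foothold
        base = rule["resource"].split(".")[0]  # drop the API group suffix
        if base == "*":
            findings.append(("critical", rule["resource"], sorted(rule["verbs"]), "wildcard resource access"))
            continue
        for resource, verbs, severity, why in HIGH_VALUE:
            if base != resource:
                continue
            hit = rule["verbs"] & (verbs | {"*"})
            if not hit:
                continue
            if rule["names"]:
                # A resourceNames restriction limits the blast radius: note it and downgrade.
                severity = "low"
                why = f"{why} (only {', '.join(rule['names'])})"
            findings.append((severity, rule["resource"], sorted(hit), why))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, resource, verbs, why in triage(parse_can_i_list(SAMPLE_CAN_I_LIST)):
        print(f"{severity:8} {resource:45} {' '.join(verbs):18} {why}")
```

Pipe real output in with `kubectl auth can-i --list --namespace=<ns> | python3 triage.py` after swapping the constructed sample for `sys.stdin.read()`. Running it from inside a pod, with nothing but the mounted service account token, is the honest version of slide 15's question: whatever comes back as critical is what the next person to land in that pod gets for free.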