Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Chaos Engineering for Fun & Profit

Security Chaos Engineering for Fun & Profit

The dynamic nature of cloud-native infrastructure requires continuous security mechanisms to effectively tackle security threats. However, cloud native infrastructure is complex and still emerging hence the security threats are barely understood resulting in successful attacks due to unknown attack patterns and behavior. In this talk, the innovative notion of Security Chaos Engineering (SCE) is introduced as a viable approach for enabling proactive cloud native security mechanisms for cloud native infrastructure. Essentially, SCE applies chaos engineering principles to cyber security such that defended environments are not just secure but also resilient to cyber-attacks. A major benefit is the derivation and use of instant empirical feedback loops that aid in verifying security mechanisms (e.g. tools) and expected properties (confidentiality, integrity and availability). Through the injection of controlled security faults (crafted as security hypotheses), deployed security mechanisms are properly analyzed, security blind spots are identified and remediated, thereby resulting in increased security and resiliency. Furthermore to previous presentations, this talks demonstrates SCE benefits including compliance monitoring, incident response and threat detection.


Kennedy Torkura

October 13, 2021


  1. Kennedy A. Torkura (@run2obtain) Senior Cloud Security Researcher Firebolt Analytics

    Security Chaos Engineering For Fun & Profit 1
  2. Agenda • Chaos engineering vs Security Chaos Engineering • Security

    Chaos Engineering in cloud native security • Example Security Chaos Engineering experiments • Risk Driven Fault Injection - an opinionated approach 2
  3. Chaos Engineering The discipline of experimenting on a system in

    order to build confidence in the system's capability to withstand turbulent conditions in production. - https://principlesofchaos.org/ • Addresses availability (and performance) problems • Employs resiliency patterns ◦ Timeouts ◦ Bulkheads ◦ Circuit breaker 3
  4. Security Chaos Engineering Security Chaos Engineering is the identification of

    security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production Aaron Rinehart, Co-Founder & CTO,Verica • Addresses security issues by focusing on ◦ Confidentiality ◦ Integrity ◦ Availability • Verify security patterns/controls • AIM - detect security blind spots 4
  5. Security Chaos Engineering 5

  6. Cloud Native Infrastructure is Complex Death Star Graphs The future

    of digital systems is complexity, and complexity is the worst enemy of security - Bruce Schneier 6
  7. Increasing Cloud Attacks Cloud Native threat Report 2020 - Aqua

    Security Team The volume of attacks against honeypots: ~160 attacks per day on average, during the first half of 2020 IBM Cloud Threat Report 2021 7
  8. Cloud Native Security Platforms 8

  9. The 4Cs of Cloud Native Security https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security 9

  10. Cloud-Native Attack Surface container code cloud cluster attacker 10

  11. Cloud Native Attack Surface attacker 11

  12. Cloud Native Attack Surface attacker defender 12

  13. Public Bucket Experiment start create user Bob get cloud buckets

    select random bucket create malicious policy assign policy to Bob & bucket end 13
  14. Bucket Ransomware Experiment start create user Bob get cloud buckets

    select random bucket encrypt bucket request for ransom end 14
  15. Advanced Ransome Experiment start create user Bob get EKS Clusters

    compromise a pod in one of the clusters encrypt bucket request for ransom end Compromise an S3 bucket 15
  16. Risk Driven Fault Injection PLAN Apply outcome of analysis to

    improve security. Design and plan future security hypotheses ANALYZE Collect and analyze observations. Vulnerabilities can be ranked and prioritized MONITOR Observe and monitor the execution of security perturbations. Intervene when necessary to ensure safety EXECUTE Inject security faults based on crafted hypotheses KNOWLEDGE Security insights & information including security fault models, detected vulnerabilities & analytical outcomes 16
  17. Risk Driven Fault Injection - Execute Execute • The aim

    of the experiment • Craft a suitable hypothesis • Determine the scope: scale, depth and intensity • Perform sanity check ◦ Coordinate with appropriate teams (admin & social aspects) ◦ Establish steady state and recoverability options (IaC, Git, state management) 17
  18. Risk Driven Fault Injection - Monitor Monitor • Observe the

    progress of the experiment ◦ Logging ◦ Observability ◦ Tracing • Intervene if necessary ◦ Stop experiment ◦ Recover steady state 18
  19. Risk Driven Fault Injection - Analyze Analyze • Gather results

    and analyze ◦ Failed - had to stop, need to identify the reasons and figure out how to improve in the future ◦ Success - Critical to derive answers to the questions posed at the planning stage ◦ Hypothesis - is your hypothesis proven? 19
  20. Risk Driven Fault Injection - Analyze OWASP Risk Rating Methodology

  21. Risk Driven Fault Injection • Document the outcome of the

    hypothesis e.g. create tickets in the backlog ◦ Vulnerability management (patching) ◦ Security operations ◦ Development teams ◦ Threat modelling ◦ Awareness training • Next steps ◦ Remediate ◦ Construct hypothesis for the next iteration Plan 21
  22. Risk Driven Fault Injection Knowledge-base • Security automation ◦ Create

    cloudwatch rules to trigger alarms for specific events ◦ Create audit rules for CSPM ◦ Flag policies with broad permissions • Security analytics ◦ SIEM ◦ Threat hunting ◦ Incident response • Machine learning 22
  23. Resources https://cutt.ly/Dm7Hkpr https://cutt.ly/GzomtGV https://cutt.ly/bEghufd https://cutt.ly/wniedGg https://www.oreilly.com/library/view/security-chaos-engineering/9781492080350/ 23

  24. That’s all folks thanks for listening ! Kennedy Torkura @run2obtain