Hacking Monitoring for Fun and Profit

Transcript

1. CNCF Omer Levi Hevroni | AppSec Engineer @ Snyk |

   @omerlh Hacking Monitoring for Fun and Profit

2. Agenda Threat Modeling Monitoring https://www.reddit.com/r/MrRobot/comments/b2x5ot/hackerman_20/ @omerlh

3. • What is Threat Modeling? • What is Monitoring? •

   How hackers can leverage our monitoring systems? ◦ AKA Threat modeling our monitoring systems What we are going to discuss @omerlh

4. A. Threat Modeling @omerlh

5. @omerlh

6. Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ • What are we building? •

   What can go wrong? • What are we doing about it? • Did we do a good job? @omerlh

7. Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ @omerlh

8. Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ @omerlh

9. “Think like a hacker”? @omerlh

10. B. Monitoring @omerlh

11. @omerlh

12. Detect issues before customers experience them @omerlh

13. @omerlh

14. @omerlh

15. Black Box Monitoring White Box Monitoring https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/ @omerlh

16. confidential Let’s Dive In! @omerlh

17. C. Threat Modeling our Monitoring! @omerlh

18. White Box Monitoring @omerlh

19. • What are we building? • What can go wrong?

    • What are we doing about it? • Did we do a good job? Threat Modeling @omerlh

20. What are we building? @omerlh

21. “ Monitoring based on metrics exposed by the internals of

    the system, including logs, interfaces like the Java Virtual Machine Profiling Interface, or an HTTP handler that emits internal statistics. “ White-box Monitoring @omerlh

22. • Monitoring system • Time-Series database • Alerting system •

    Auto-discovery Prometheus https://prometheus.io/ @omerlh

23. Prometheus Scraping Model @omerlh

24. Exposing Metrics Metric’s Name Labels Value @omerlh

25. @omerlh

26. What Can go wrong? @omerlh

27. Information Disclosure @omerlh

28. Some Interesting Metrics @omerlh

29. One line of text slide @omerlh

30. What about this metric? @omerlh

31. The code behind it @omerlh

32. @omerlh

33. @omerlh

34. @omerlh

35. @omerlh

36. @omerlh

37. What Can We Do About It? @omerlh

38. Block Access (nginx ingress) https://www.edureka.c o/community/19277/a ccess-some-specific- paths-while-using-kub ernetes-ingress?show =19278#a19278

    @omerlh

39. Prometheus Metrics Limit https://www.omerlh.info/2019/03/04/keeping-prometheus-in-shape/ @omerlh

40. • Check for known vulns • Review manifests files before

    deployment • Testing • Authentication/VPN ◦ Grafana has built-in authentication ◦ Use products like oauth proxy for all the rest Other Mitigations @omerlh

41. Did we do a good job? @omerlh

42. Black Box Monitoring White Box Monitoring https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/ @omerlh

43. • What are we building? • What can go wrong?

    • What are we doing about it? • Did we do a good job? Threat Modeling @omerlh

44. One line of text slide @omerlh

45. What are we building? @omerlh

46. “ Testing externally visible behavior as a user would see

    it. “ Black-box Monitoring @omerlh

47. Our Monitoring System @omerlh

48. What Can go wrong? @omerlh

49. STRIDE @omerlh https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs

50. Spoofing @omerlh

51. Repudiation @omerlh

52. Denial of Service @omerlh

53. What are we doing about it? @omerlh

54. • Least Privilege • Block access • Tracing • Limit

    to test data only Potential Mitigations @omerlh

55. What issues should we care about?

56. • Mozilla RRA • OWASP DREAD • Multiply with likelihood

    Risk Assessment @omerlh

57. Did we do a good job? @omerlh

58. Wrapping Up @omerlh

59. • Monitoring is just code • Careful when exposed to

    the internet • Conduct threat model for monitoring Key Takeaway @omerlh

60. Questions? @omerlh

61. Agenda Threat Modeling Monitoring https://www.reddit.com/r/MrRobot/comments/b2x5ot/hackerman_20/ @omerlh

62. Snyk Infrastructure as Code Developer-focused configuration security @omerlh

63. Thanks for listening Sign up for free at snyk.io/signup @omerlh