Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking Monitoring for Fun and Profit

Omer Levi Hevroni
December 08, 2020
Technology
0
110

Hacking Monitoring for Fun and Profit

Omer Levi Hevroni

December 08, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Continuous Hacking
omerlh
0
45
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
64
GitOps keeping it secret
omerlh
1
81

Other Decks in Technology

See All in Technology
コードや知識を組み込む / Incorporate Code and knowledge
ks91
PRO
0
150
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
1k
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
1
370
MixIT 2024 - Pulumi : Gérer son infra avec son langage de programmation préféré
ju_hnny5
1
120
ルーターでプレゼンする
puhitaku
1
3.3k
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
2
600
.NET Profiler in 2024.
kkamegawa
2
1.8k
データベース03: 関係データモデル
trycycle
0
100
中年男性がメインフレームから クラウドへキャリアシフトしてみた
uechishingo
0
300
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
6
1.2k
【基本】データベース設計
oracle4engineer
PRO
2
200
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
2
140

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
12
1k
YesSQL, Process and Tooling at Scale
rocio
165
13k
Facilitating Awesome Meetings
lara
43
5.6k
Designing for Performance
lara
601
67k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
123
39k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
66
14k
Infographics Made Easy
chrislema
238
18k
Building Effective Engineering Teams - LeadDev
addyosmani
32
1.9k
Teambox: Starting and Learning
jrom
128
8.4k
Practical Orchestrator
shlominoach
183
9.7k
Statistics for Hackers
jakevdp
790
220k
Unsuck your backbone
ammeep
663
57k

Transcript

  1. CNCF Omer Levi Hevroni | AppSec Engineer @ Snyk |

    @omerlh Hacking Monitoring for Fun and Profit

  2. Agenda Threat Modeling Monitoring https://www.reddit.com/r/MrRobot/comments/b2x5ot/hackerman_20/ @omerlh

  3. • What is Threat Modeling? • What is Monitoring? •

    How hackers can leverage our monitoring systems? ◦ AKA Threat modeling our monitoring systems What we are going to discuss @omerlh

  4. A. Threat Modeling @omerlh

  5. @omerlh

  6. Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ • What are we building? •

    What can go wrong? • What are we doing about it? • Did we do a good job? @omerlh

  7. Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ @omerlh

  8. Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ @omerlh

  9. “Think like a hacker”? @omerlh

  10. B. Monitoring @omerlh

  11. @omerlh

  12. Detect issues before customers experience them @omerlh

  13. @omerlh

  14. @omerlh

  15. Black Box Monitoring White Box Monitoring https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/ @omerlh

  16. confidential Let’s Dive In! @omerlh

  17. C. Threat Modeling our Monitoring! @omerlh

  18. White Box Monitoring @omerlh

  19. • What are we building? • What can go wrong?

    • What are we doing about it? • Did we do a good job? Threat Modeling @omerlh

  20. What are we building? @omerlh

  21. “ Monitoring based on metrics exposed by the internals of

    the system, including logs, interfaces like the Java Virtual Machine Profiling Interface, or an HTTP handler that emits internal statistics. “ White-box Monitoring @omerlh

  22. • Monitoring system • Time-Series database • Alerting system •

    Auto-discovery Prometheus https://prometheus.io/ @omerlh

  23. Prometheus Scraping Model @omerlh

  24. Exposing Metrics Metric’s Name Labels Value @omerlh

  25. @omerlh

  26. What Can go wrong? @omerlh

  27. Information Disclosure @omerlh

  28. Some Interesting Metrics @omerlh

  29. One line of text slide @omerlh

  30. What about this metric? @omerlh

  31. The code behind it @omerlh

  32. @omerlh

  33. @omerlh

  34. @omerlh

  35. @omerlh

  36. @omerlh

  37. What Can We Do About It? @omerlh

  38. Block Access (nginx ingress) https://www.edureka.c o/community/19277/a ccess-some-specific- paths-while-using-kub ernetes-ingress?show =19278#a19278

    @omerlh

  39. Prometheus Metrics Limit https://www.omerlh.info/2019/03/04/keeping-prometheus-in-shape/ @omerlh

  40. • Check for known vulns • Review manifests files before

    deployment • Testing • Authentication/VPN ◦ Grafana has built-in authentication ◦ Use products like oauth proxy for all the rest Other Mitigations @omerlh

  41. Did we do a good job? @omerlh

  42. Black Box Monitoring White Box Monitoring https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/ @omerlh

  43. • What are we building? • What can go wrong?

    • What are we doing about it? • Did we do a good job? Threat Modeling @omerlh

  44. One line of text slide @omerlh

  45. What are we building? @omerlh

  46. “ Testing externally visible behavior as a user would see

    it. “ Black-box Monitoring @omerlh

  47. Our Monitoring System @omerlh

  48. What Can go wrong? @omerlh

  49. STRIDE @omerlh https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs

  50. Spoofing @omerlh

  51. Repudiation @omerlh

  52. Denial of Service @omerlh

  53. What are we doing about it? @omerlh

  54. • Least Privilege • Block access • Tracing • Limit

    to test data only Potential Mitigations @omerlh

  55. What issues should we care about?

  56. • Mozilla RRA • OWASP DREAD • Multiply with likelihood

    Risk Assessment @omerlh

  57. Did we do a good job? @omerlh

  58. Wrapping Up @omerlh

  59. • Monitoring is just code • Careful when exposed to

    the internet • Conduct threat model for monitoring Key Takeaway @omerlh

  60. Questions? @omerlh

  61. Agenda Threat Modeling Monitoring https://www.reddit.com/r/MrRobot/comments/b2x5ot/hackerman_20/ @omerlh

  62. Snyk Infrastructure as Code Developer-focused configuration security @omerlh

  63. Thanks for listening Sign up for free at snyk.io/signup @omerlh