YURY NIÑO
Site Reliability Engineer
Chaos Engineering Advocate
Garagoa is a town located
in Boyacá, a Department in
Colombia.
Slide 3
Slide 3 text
If you know the enemy and know
yourself, you need not fear the
result of a hundred battles …
The Art of War. Sun Tzu
Slide 4
Slide 4 text
How many of you have seen a
black swan?
Slide 5
Slide 5 text
Black Swans
1. The event is a surprise.
2. The event has a major effect.
3. After the first recorded instance, it is
rationalized by hindsight!
Slide 6
Slide 6 text
Agenda
The impact of viruses is considered a black swan.
Biological viruses === Computer viruses.
Solutions in both worlds: biology === cybersecurity.
Security Chaos Engineering: definition, principles and practices.
Software Security: a roadmap of the milestones and tools in security chaos engineering.
Slide 7
Slide 7 text
No content
Slide 8
Slide 8 text
The metaphor of software viruses to
biological ones is deeply ingrained, easily
seen in the fact that biological viruses are
at least the namesake, if not the
inspiration for computer viruses.
Slide 9
Slide 9 text
Analogy
Initial infection via a vulnerability
USB vulnerability: targeting a USB
port to infect a network node.
A vulnerability that allows a
virus to infect a healthy cell.
Or Weis
Slide 10
Slide 10 text
Analogy
Initial infection via a vulnerability
A virus executes malicious code in
order to produce more copies and
infect the whole system :(
A virus executes an algorithm to infect
cells and, through ribosomes and RNA,
assembles new copies :(
Or Weis
Slide 11
Slide 11 text
“Don't worry about the future. Or worry, but know
that worrying is as effective as trying to solve an
algebra equation by chewing a bubble gum.
The real troubles in your life are things that never
crossed your worried mind, the kind that blindside
you at 4 p.m. on some idle Tuesday.”
Mary Schmich
Slide 12
Slide 12 text
Antivirus patterns and Antibodies
Analogy
Antivirus software often relies on
malicious code/file signatures to
identify and thwart malware.
Our immune system produces
signatures on viruses via memory
cells.
Or Weis
Slide 13
Slide 13 text
Antivirus patterns and Antibodies
Analogy
Imagine if our immune system could, like
your AV software, download an update from
the web or even from a local service.
Or Weis
Slide 14
Slide 14 text
Firewalls and Masks
Analogy
Firewalls protect a network node
from attacks by limiting the type or
content of traffic and minimizing the
attack surface.
In the healthcare world, the equivalent
is face masks.
Or Weis
Slide 15
Slide 15 text
The World is Chaotic!
and Insecure
Black swans take our systems
down and keep them down for a
long time.
Laura Nolan, SRE in Slack
Slide 16
Slide 16 text
Artificial Immune Systems
Slide 17
Slide 17 text
It’s important to note that while we have a rather
good understanding of software and cybersecurity,
the world of biology still remains more of a mystery
for us in comparison.
Slide 18
Slide 18 text
With software systems, we can proactively
prepare ourselves for cyberattacks!
Bring Order through Chaos!
Slide 19
Slide 19 text
What is Chaos Engineering?
It is the discipline of experimenting with
failures in production in order to reveal a
system's weaknesses and to build confidence
in its resilience.
https://principlesofchaos.org/
Slide 20
Slide 20 text
What is Security Chaos
Engineering?
It is the identification of security control
failures through proactive experimentation
to build confidence in the system’s ability
to defend against malicious conditions in
production.
Chaos Engineering Book. 2020
Slide 21
Slide 21 text
History
1986
Artificial Immune
Systems
2008
Chaos Engineering
was born
2018 2020
Chapter
dedicated to
Security CE
2019
Aaron Rinehart
first articles
Artificial Intelligence
for data security
Slide 22
Slide 22 text
Principles
Chaos Engineering Principles
Injecting failure to achieve resilience!
● Hypothesize about Steady State
● Run Experiments
● Vary Real-World Events
● Automate Experiments
Slide 23
Slide 23 text
More Chaos Security
Engineering
With Security Chaos Engineering
we can introduce false positives
into production, to check whether
procedures are capable of
identifying security failures under
controlled conditions.
Slide 24
Slide 24 text
More Chaos Security
Engineering
www.thoughtworks.com
Slide 25
Slide 25 text
Human factors in
cybersecurity are perhaps the
biggest challenge when
building an effective threat
prevention strategy.
Vircom
Slide 26
Slide 26 text
A Report
Slide 27
Slide 27 text
Who is responsible for
Security Chaos Engineering?
Slide 28
Slide 28 text
What my mom thinks I do
What my friends think I do
What software engineers think I do
What I really do
Who is a Security Chaos Engineer?
Help service owners to
increase their security and
resilience through education,
tools and encouragement.
Slide 29
Slide 29 text
By intentionally introducing a failure
mode or other event, engineering
teams can discover how well
instrumented, observable, and
measurable security systems truly are.
Everybody is responsible
for security!
Slide 30
Slide 30 text
Humans operate differently
when they expect things to fail!
Aaron Rinehart
Slide 31
Slide 31 text
Security Chaos
GameDays
They are events to conduct chaos
experiments against a system to
validate or invalidate a hypothesis
about a system’s resilience.
They are an ideal way to ease into
Chaos Engineering.
Brian Lee, Jason Doffing
Slide 32
Slide 32 text
How can we start with Security Chaos
Engineering?
Slide 33
Slide 33 text
Taken from Laura Nolan's talk
Slide 34
Slide 34 text
With technology, tools and automation!
Slide 35
Slide 35 text
Tools
Slide 36
Slide 36 text
ChaoSlingr
Tools
● Serverless app in AWS.
● Written in Python.
● 100% Native in AWS.
● Configuration as Code.
● Configurable Operational Mode.
● Open Framework.
● With example code.
Slide 37
Slide 37 text
Design Experiments!
Slide 38
Slide 38 text
Let me try one!
Experiments
● Introduce latency on security controls.
● Drop a folder like a script would do in production.
● Software secret clear text disclosure.
● Permission collision in a shared IAM role policy.
● Disable service event logging.
● API gateway shutdown.
● Unencrypted S3 Bucket.
● Disable MFA.
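Three of the experiments listed above, written as hypothesis-driven tests against a simulated detection control. This is an added example, not code from the talk or from ChaoSlingr; the rule table, latencies and timestamps are constructed, and the event names are CloudTrail `eventName` values for the corresponding AWS API calls.

```python
from datetime import datetime, timedelta

T0 = datetime(2020, 1, 1, 12, 0, 0)  # constructed injection time

# Constructed steady-state traffic: ordinary CloudTrail-style records.
BASELINE = [
    {"eventName": "GetObject", "eventTime": T0 - timedelta(minutes=5)},
    {"eventName": "ConsoleLogin", "eventTime": T0 - timedelta(minutes=2)},
]

# Hypothetical detection control under test: eventName -> alerting latency.
RULES = {"StopLogging": timedelta(minutes=2),
         "DeactivateMFADevice": timedelta(minutes=45)}

def control(event, rules):
    """Stand-in for the alerting pipeline: alert time, or None if no rule fires."""
    delay = rules.get(event["eventName"])
    return None if delay is None else event["eventTime"] + delay

def run_experiment(name, injected_event, max_detect, rules=RULES):
    """Hypothesis: the injected failure is alerted on within max_detect,
    and steady-state traffic raises no alerts."""
    injected = {"eventName": injected_event, "eventTime": T0,
                "tag": "chaos-experiment"}  # tag lets responders recognise the drill
    noise = [e for e in BASELINE if control(e, rules) is not None]
    alert_at = control(injected, rules)
    ttd = None if alert_at is None else alert_at - T0
    holds = ttd is not None and ttd <= max_detect and not noise
    return {"experiment": name, "detected": alert_at is not None,
            "time_to_detect": ttd, "false_alerts": len(noise),
            "hypothesis_holds": holds}

# Experiments from the list above, mapped to the event each one produces.
EXPERIMENTS = [
    ("Disable service event logging", "StopLogging"),
    ("Disable MFA", "DeactivateMFADevice"),
    ("Unencrypted S3 bucket", "DeleteBucketEncryption"),
]

def run_all(max_detect=timedelta(minutes=15), rules=RULES):
    return [run_experiment(n, ev, max_detect, rules) for n, ev in EXPERIMENTS]

if __name__ == "__main__":
    for result in run_all():
        print(result)
```

The three results show the outcomes a GameDay has to tell apart: a control that works, one that fires too late, and one that is blind to the event.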
Slide 39
Slide 39 text
Let me try one!
Experiments
Hypothesis:
After the owner of the root account in AWS left the company, we could
still use our cloud in a normal way.
Result:
Hypothesis disproved. In this experiment, access to AWS was
connected to Active Directory. When an employee left the
company, their account was dropped and we lost access to AWS.
Side Effect:
Thinking through this scenario prompts us to consider other applications
connected to Active Directory.
Slide 40
Slide 40 text
Consider Human Factors
Slide 41
Slide 41 text
How to begin?
How to begin?
https://chaosengineering.slack.com
https://github.com/dastergon/awesome-chaos-engineering
https://www.infoq.com/chaos-engineering
@yurynino
Slide 42
Slide 42 text
No content
Slide 43
Slide 43 text
As Henry Ford said, "Failure is only the opportunity
to begin again, this time more intelligently."
Security Chaos Engineering and Security Chaos
Testing give us that opportunity.
Taken from DevOpsSec by Jim Bird