Understanding
Adversaries for Building
Reliability in Security
Slide 4
Slide 4 text
● Attacker Motivations
● Attacker Profiles
● Methods to Prevent
● Considerations
● Security and Reliability
● Security Chaos Engineering
Agenda
We are going to talk
about
www.yurynino.dev
Slide 5
Slide 5 text
www.yurynino.dev
In 1989 written by Clifford Stoll wrote
how to hunt for a computer hacker who
broke into a computer at the Lawrence
Berkeley National Laboratory (LBNL).
Elliot Alderson, a cybersecurity engineer and
hacker with social anxiety disorder and clinical
depression. Elliot is recruited by an
insurrectionary anarchist known as "Mr.
Robot" to join a group of hacktivists called
"fsociety".
Slide 6
Slide 6 text
Understanding a system’s
adversaries is critical for building
resilience and survivability for a
wide variety of catastrophes.
Adversaries in the security context
are human; their actions are
calculated to affect the target system
in an undesirable way.
Slide 7
Slide 7 text
Attacker Motivations
Slide 8
Slide 8 text
Attacker Motivations
www.yurynino.dev
Slide 9
Slide 9 text
Attacker Profiles
Slide 10
Slide 10 text
Attacker Profiles
www.yurynino.dev
Slide 11
Slide 11 text
Hobbyists
● While debugging programs they discovered flaws
that the original system designers hadn’t noticed.
● Curious technologists. They hack for fun!
● Motivated by their thirst for knowledge.
www.yurynino.dev
Slide 12
Slide 12 text
Researchers
● Use their security expertise professionally.
● Employees, freelancers working finding
vulnerabilities.
● Participate in Vulnerability Reward Programs Bug
bounties.
● Motivated to make systems better, allies to
organizations.
● Red Teams and penetration testers.
www.yurynino.dev
Slide 13
Slide 13 text
Governments
● Security experts hired by Government
organizations.
● Everybody could be a target of a Government.
ACTIVITIES
Intelligence gathering
Military Purposes
Policy Domestic
www.yurynino.dev
Slide 14
Slide 14 text
Activists
● They are usually want to take credit publicity.
● Consider whether your business or project is
involved in controversial topics.
www.yurynino.dev
Slide 15
Slide 15 text
Criminal Actors
● Commonly they want to commit identities fraud, steal
money and blackmail.
● The only barriers to entry for most criminal actors are a
bit of time, a computer, and a little cash.
www.yurynino.dev
Slide 16
Slide 16 text
Artificial Intelligence
● Some attacks could be
executed without humans.
● Scientists and ethicists are
designing machines might be
capable enough to learn how
to attack each other.
● Developers need to consider
resilient system design.
www.yurynino.dev
Slide 17
Slide 17 text
Methods to Study to Attackers
Slide 18
Slide 18 text
https://attack.mitre.org/
www.yurynino.dev
Slide 19
Slide 19 text
Considerations
Slide 20
Slide 20 text
You may not realize you’re a target.
Sophistication is not a true predictor of success.
Attackers aren’t always afraid of being caught.
Don’t underestimate your adversary.
Attribution is hard.
Considerations
www.yurynino.dev
Slide 21
Slide 21 text
Security Chaos Engineering
Slide 22
Slide 22 text
Chaos Engineering
It is the discipline of experimenting failures in
production in order to reveal their weakness
and to build confidence in their resilience
capability.
https://principlesofchaos.org/
Slide 23
Slide 23 text
Security Chaos
Engineering
It is the identification of security control
failures through proactive experimentation to
build confidence in the system’s ability to
defend against malicious conditions in
production.
Chaos Engineering Book. 2020
Slide 24
Slide 24 text
Principles
Hypothesize
about
Steady State
Run
Experiments
Vary
Real-World
Events
Automate
Experiments
www.yurynino.dev
Slide 25
Slide 25 text
● The adoption of SCE faces challenges: human factors to
Security issues.
● Reducing potential damage and blast radius is critical in
Security.
● Communication and observability: successful
Chaos Security GameDays.
● Requirements may collision with experimentation in Security.
● You don’t need to be a security expert to start with
Security Chaos Engineering.
Security Chaos Journey
www.yurynino.dev
Slide 26
Slide 26 text
My Recommended
Books
www.yurynino.dev
Slide 27
Slide 27 text
Don’t fear failure. In great attempts it is glorious
even to fail.
Anonymous
One single vulnerability is all an attacker needs.
Window Snyder
Slide 28
Slide 28 text
How to Cook
https://www.gremlin.com
https://chaosengineering.slack.com
https://github.com/dastergon/awesome-chaos-e
ngineering
https://www.infoq.com/chaos-engineering