Slide 1

Chaos Engineering Considering Failures from Development

Slide 2

Yury Niño Roa, Site Reliability Engineer, Chaos Engineering Advocate, Chaos Engineering Guild - ADL. @yurynino https://www.yurynino.dev/

Slide 3

Understanding Adversaries for Building Reliability in Security

Slide 4

Agenda. We are going to talk about:
● Attacker Motivations
● Attacker Profiles
● Methods to Prevent
● Considerations
● Security and Reliability
● Security Chaos Engineering
www.yurynino.dev

Slide 5

In 1989 Clifford Stoll wrote about how he hunted a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL). Elliot Alderson is a cybersecurity engineer and hacker with social anxiety disorder and clinical depression. Elliot is recruited by an insurrectionary anarchist known as "Mr. Robot" to join a group of hacktivists called "fsociety".

Slide 6

Understanding a system’s adversaries is critical for building resilience and survivability for a wide variety of catastrophes. Adversaries in the security context are human; their actions are calculated to affect the target system in an undesirable way.

Slide 7

Attacker Motivations

Slide 8

Attacker Motivations

Slide 9

Attacker Profiles

Slide 10

Attacker Profiles

Slide 11

Hobbyists
● While debugging programs they discovered flaws that the original system designers hadn’t noticed.
● Curious technologists. They hack for fun!
● Motivated by their thirst for knowledge.

Slide 12

Researchers
● Use their security expertise professionally.
● Employees or freelancers who work on finding vulnerabilities.
● Participate in Vulnerability Reward Programs (bug bounties).
● Motivated to make systems better; allies to organizations.
● Red Teams and penetration testers.

Slide 13

Governments
● Security experts hired by government organizations.
● Everybody could be a target of a government.
Activities: intelligence gathering; military purposes; policy; domestic.

Slide 14

Activists
● They usually want to take credit and publicity.
● Consider whether your business or project is involved in controversial topics.

Slide 15

Criminal Actors
● Commonly they want to commit identity fraud, steal money and blackmail.
● The only barriers to entry for most criminal actors are a bit of time, a computer, and a little cash.

Slide 16

Artificial Intelligence
● Some attacks could be executed without humans.
● Scientists and ethicists are designing machines that might be capable enough to learn how to attack each other.
● Developers need to consider resilient system design.

Slide 17

Methods to Study Attackers

Slide 18

MITRE ATT&CK: https://attack.mitre.org/

Slide 19

Considerations

Slide 20

Considerations
● You may not realize you’re a target.
● Sophistication is not a true predictor of success.
● Attackers aren’t always afraid of being caught.
● Don’t underestimate your adversary.
● Attribution is hard.

Slide 21

Security Chaos Engineering

Slide 22

Chaos Engineering: the discipline of experimenting with failures in production in order to reveal a system’s weaknesses and to build confidence in its resilience capability. Source: https://principlesofchaos.org/

Slide 23

Security Chaos Engineering: the identification of security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Source: Chaos Engineering book, 2020.

Slide 24

Principles
● Hypothesize about steady state.
● Run experiments.
● Vary real-world events.
● Automate experiments.

Slide 25

Security Chaos Journey
● The adoption of SCE faces challenges, from human factors to security issues.
● Reducing potential damage and blast radius is critical in security.
● Communication and observability are key to successful Chaos Security GameDays.
● Requirements may collide with experimentation in security.
● You don’t need to be a security expert to start with Security Chaos Engineering.
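To make the principles on Slide 24 and the blast-radius point on Slide 25 concrete, here is an added example of a minimal security chaos experiment in Python. It is not code from the talk or from any project: the service, its token check, the detection and the sample token are hypothetical constructs built for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

VALID_TOKENS = {"tok-alpha"}  # constructed sample credential, not a real secret


@dataclass
class Service:
    """Hypothetical service with one security control and one detection."""
    auth_enabled: bool = True                   # the control the experiment will break
    alerts: list = field(default_factory=list)  # detection output (observability)

    def handle(self, token: Optional[str]) -> int:
        """Return an HTTP-like status for a request carrying `token`."""
        if self.auth_enabled and token not in VALID_TOKENS:
            return 401                          # control working: request refused
        if token not in VALID_TOKENS:           # control failed open: detection must notice
            self.alerts.append("unauthenticated request reached protected handler")
        return 200


def steady_state(svc: Service) -> bool:
    """Hypothesis: a valid token gets 200, a missing token gets 401."""
    return svc.handle("tok-alpha") == 200 and svc.handle(None) == 401


def disable_auth(svc: Service) -> None:
    """Injected real-world event: the control is silently misconfigured."""
    svc.auth_enabled = False


def run_experiment(svc: Service, inject: Callable[[Service], None],
                   probes: int = 10, max_blast_radius: int = 3) -> dict:
    """Run one experiment: check steady state, inject, observe, contain, roll back."""
    if not steady_state(svc):
        return {"ran": False, "reason": "steady state not met before injection"}
    inject(svc)
    sent = leaked = 0                           # leaked: unauthenticated requests that got through
    for _ in range(probes):
        sent += 1
        if svc.handle(None) == 200:
            leaked += 1
        if leaked >= max_blast_radius:          # containment: stop before the damage grows
            break
    svc.auth_enabled = True                     # roll back the injected failure
    return {"ran": True, "probes_sent": sent, "control_held": leaked == 0,
            "detected": bool(svc.alerts), "aborted": leaked >= max_blast_radius,
            "recovered": steady_state(svc)}


if __name__ == "__main__":
    print(run_experiment(Service(), disable_auth))  # control fails, detection fires, aborted at 3
```

The interesting outcome is the combination: a control that fails open but is caught by the detection, with the experiment stopping at the blast-radius limit and the system restored to its steady state afterwards.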

Slide 26

My Recommended Books

Slide 27

“Don’t fear failure. In great attempts it is glorious even to fail.” (Anonymous)
“One single vulnerability is all an attacker needs.” (Window Snyder)

Slide 28

How to Cook
● https://www.gremlin.com
● https://chaosengineering.slack.com
● https://github.com/dastergon/awesome-chaos-engineering
● https://www.infoq.com/chaos-engineering

Slide 29

Thanks for coming!!! @yurynino www.yurynino.dev