HELLO FROM THE OTHER SIDE
Dispatches From a Kubernetes Attacker @IanColdwater
Slide 2
My name is Ian Coldwater. I'm a Lead Platform Security Engineer at Heroku, a Salesforce company. I specialize in hacking and hardening Kubernetes, containers and cloud infrastructure.
@IanColdwater
Slide 3
HI COMMUNITY!
Slide 4
DIVERSITY BUILDS STRONGER SYSTEMS
Slide 5
WHO DO YOU DESIGN FOR?
Slide 6
ATTACKERS HAVE USER STORIES TOO
Slide 7
WHO ARE ATTACKERS?
Slide 8
HOW DO ATTACKERS THINK?
Slide 9
WHAT DO YOU SEE?
Slide 10
WHAT DO YOU SEE?
kubectl auth can-i --list --namespace=kube-system
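That command is what an attacker who has landed in a pod runs first: it asks the API server what the pod's own service account is allowed to do in the target namespace. The example below is added here and is not code from the talk. It parses the whitespace-aligned table kubectl prints and picks out the rules an attacker would act on (wildcards, reading Secrets, exec into pods, creating workloads, rewriting RBAC). The sample output, the column widths and the risk list are constructed for the example; the resource/verb names are ordinary Kubernetes RBAC names.

```python
"""Attacker's-eye triage of `kubectl auth can-i --list` output.

Added example; not code from the talk. From inside a pod, run
`kubectl auth can-i --list --namespace=kube-system`, feed the text to
parse_can_i(), and flag_risky() picks out the permissions an attacker
reaches for first. The sample below is constructed, not captured.
"""
from dataclasses import dataclass

HEADERS = ("Resources", "Non-Resource URLs", "Resource Names", "Verbs")


def format_row(resources: str, urls: str, names: str, verbs: str) -> str:
    """Pad columns the way kubectl's tabwriter-based printer aligns them."""
    return f"{resources:<47}{urls:<20}{names:<21}{verbs}"


# Constructed sample: a pod service account's permissions in kube-system.
SAMPLE_CAN_I_OUTPUT = "\n".join([
    format_row(*HEADERS),
    format_row("secrets", "[]", "[]", "[get list]"),
    format_row("pods", "[]", "[]", "[create get list]"),
    format_row("pods/exec", "[]", "[]", "[create]"),
    format_row("selfsubjectaccessreviews.authorization.k8s.io", "[]", "[]", "[create]"),
    format_row("selfsubjectrulesreviews.authorization.k8s.io", "[]", "[]", "[create]"),
    format_row("configmaps", "[]", "[kube-root-ca.crt]", "[get]"),
    format_row("", "[/api/*]", "[]", "[get]"),
    format_row("", "[/healthz]", "[]", "[get]"),
])


@dataclass
class Rule:
    resources: list
    non_resource_urls: list
    resource_names: list
    verbs: list


def _cell(cell: str) -> list:
    """'[get list]' -> ['get', 'list']; '[]' or blank -> []; 'pods' -> ['pods']."""
    return cell.strip().strip("[]").split()


def parse_can_i(text: str) -> list:
    """Split the aligned table at the column offsets found in its header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    starts = [header.index(h) for h in HEADERS]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [Rule(*[_cell(row[a:b]) for a, b in bounds]) for row in rows]


_READ = {"get", "list", "watch", "*"}
_WRITE = {"create", "update", "patch", "*"}
_WORKLOADS = {"pods", "deployments", "daemonsets", "replicasets",
              "statefulsets", "jobs", "cronjobs"}
_RBAC = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def _short(resource: str) -> str:
    """'deployments.apps/scale' -> 'deployments/scale'; '*.*' -> '*'."""
    base, _, sub = resource.partition("/")
    base = base.split(".", 1)[0]  # drop the API group suffix
    return f"{base}/{sub}" if sub else base


def flag_risky(rules: list) -> list:
    """Return sorted (resource, reason) pairs worth an attacker's attention."""
    findings = set()
    for rule in rules:
        verbs = set(rule.verbs)
        reads, writes = verbs & _READ, verbs & _WRITE
        creates = verbs & {"create", "*"}
        if "*" in rule.non_resource_urls:
            findings.add(("<non-resource URLs>", "every non-resource URL, e.g. debug endpoints"))
        for res in map(_short, rule.resources):
            if res == "*":
                reason = ("cluster-admin equivalent" if "*" in verbs
                          else "wildcard resource with verbs " + " ".join(sorted(verbs)))
            elif res == "secrets" and reads:
                reason = "read Secrets: credentials and other service accounts' tokens"
            elif res in ("pods/exec", "pods/attach") and creates:
                reason = "exec into running pods and borrow their identities"
            elif res in _WORKLOADS and writes:
                reason = "create workloads: privileged pod, hostPath mount, any serviceAccountName"
            elif res == "serviceaccounts/token" and creates:
                reason = "mint tokens for other service accounts"
            elif res in _RBAC and writes:
                reason = "rewrite RBAC to grant yourself more"
            elif res == "nodes/proxy" and reads:
                reason = "reach the kubelet API through the apiserver"
            else:
                continue
            if rule.resource_names:  # scoped to named objects: still useful, less so
                reason += " (limited to " + ", ".join(rule.resource_names) + ")"
            findings.add((res, reason))
    return sorted(findings)


if __name__ == "__main__":
    for res, reason in flag_risky(parse_can_i(SAMPLE_CAN_I_OUTPUT)):
        print(f"{res:<12} {reason}")
```

The two selfsubject* rows are not flagged: every authenticated identity can create those reviews, which is exactly why the attacker gets an answer at all. Everything the script flags is also what a defender should be auditing in the bindings that gave this service account its rules.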
Slide 11
WHAT DO ATTACKERS LOOK FOR?
Slide 12
ATTACKER METHODOLOGY
Slide 13
DESIGNING FOR DEFENSE
Slide 14
WHAT IS YOUR THREAT MODEL?
• What are you trying to protect?
• Who are you trying to protect it from?
Slide 15
WHAT’S IN YOUR GRAPH?
• Know what you’re running, and understand it well.
• What connects? What crosses? Where are the rough edges?
• What would an attacker see?
Slide 16
CHECK YOUR ASSUMPTIONS
Slide 17
THINGS YOU CAN DO
Slide 18
MAKE FRIENDS!
Slide 19
GET PRACTICE
• Capture the Flag: overthewire.org, picoctf.com, hackthebox.eu
• goose.game
• Play with your own systems!
Slide 20
BETTER TOGETHER
Slide 21
WE CAN DO IT!
Slide 22
RESOURCES
• Kubernetes security audit
• attack trees
• attackers think in graphs
• bug bounties and black swans
• CIS benchmarks
• https://k8s.io/security
• github.com/kelseyhightower/nocode - the best way to write secure and reliable applications!