Risk Driven Fault Injection Security Chaos Engineering for The Fast & Furious Kennedy A . Torkura 

Security Chaos Engineering ● What is Security Chaos Engineering ○ How is differs from Chaos Engineering ● Why it is important/why are we talking about it ○ Complexity ○ Increasing attacks against cloud native infrastructure ○ Inefficient security countermeasures ● Cloud Native Security ○ What is it ○ Challenges ● Risk-Driven Fault Injection 

Security Chaos Engineering Security Chaos Engineering is the identification of security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production Aaron Rinehart, Co-Founder & CTO,Verica 

Security Chaos Engineering Chaos Engineering ● Addresses availability problems ● Resiliency patterns ○ Timeouts ○ Bulkheads ○ Circuit breaker Security Chaos Engineering ● Addresses ○ Availability ○ Integrity ○ Confidentiality ● Verify security patterns/controls ○ Preventive controls e.g. firewalls ○ Detective controls e.g. IDS ○ Corrective controls e.g. incident response systems ● AIM - detect security blind spots 

Complexity Complexity is the worst enemy of security - Bruce Schneier 

Increasing Cloud Attacks Cloud Native threat Report 2020 - Aqua Security Team 

Evolving Security Challenges 99% cloud security incidents is caused by users - Gartner Why? ● Knowledge gap ● Insufficient tooling support 

Evolving Security Challenges ● Digital transformation ● DevOps ● CI/CD Traditional Security 

Evolving Security Challenges ● Digital transformation ● DevOps ● CI/CD Modern Security 

Cloud Native Security Cloud Native Security is about securing cloud native infrastructure The 4C’s of Cloud Native Security ● defence-in-depth https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security 

Cloud Attack Paths 

Cloud Attack Paths container code cloud cluster 

Cloud Native Security Platforms Cloud Security Posture Management Cloud Access Security Brokers Cloud Workload Protection Platforms SCE 

PLAN Apply outcome of analysis to improve security. Design and plan future security hypotheses ANALYZE Collect and analyze observations. Vulnerabilities can be ranked and prioritized MONITOR Observe and monitor the execution of security perturbations. Intervene when necessary to ensure safety EXECUTE Inject security faults based on crafted hypotheses KNOWLEDGE Security insights & information including security fault models, detected vulnerabilities & analytical outcomes Risk Driven Fault Injection ● adapted from MAPE-K Feedback loop used in autonomous computer systems SCE Feedback Loop 

Execute ● 100% security is a dream ● Risk driven security ○ Quantitative risk assessments ○ Data driven ● Communicate security information/analysis to management and other teams ● Measure progress Risk Driven Fault Injection 

Execute ● The aim of the experiment ● Craft a suitable hypothesis ● Determine the scope: scale, depth and intensity ● Perform sanity check ○ Coordinating with responsible teams (admin & social aspects) ○ Recoverability (IaC, Git, State Management) SCE Feedback Loop 

Implementation ■ Modes of operation: □ Low- 30% □ Medium - 60% □ High - 90% ■ Attack scenario: chaining of multiple attack actions 

start create user Bob get cloud buckets select random bucket create malicious policy assign policy to Bob & bucket end An example of an experiment hypothesis: cloud buckets are secure SCE Attack Scenario 

Monitor SCE Feedback Loop ● Observe the progress of the experiments ○ Logging ○ Observability ○ Tracing ● Intervene if necessary ○ Stop experiment ○ Recover to good state 

Analyze SCE Feedback Loop ● Failed - had to stop , need to identify the reasons and figure out how to improve in the future ● Success - Critical to derive answers to the questions posed at the planning stage 

Analyse SCE Results Using Risk-Driven Methodologies OWASP Risk Rating Methodology https://owasp.org/www-project-top-ten/2017/Application_Security_Risks.html 

SCE Feedback Loop Plan ● Creating of backlogs ○ Vulnerability management (patching) ○ Security operations ○ Development teams ○ Threat modelling ○ Awareness training ● Next steps ○ Remediate ○ Construct hypothesis for the next iteration 

SCE Feedback Loop Knowledge-base ● Security automation ○ Create cloudwatch rules to trigger alarms for specific events ○ Create audit rules for CSPM ○ Flag policies with broad permissions ● Security analytics ● Security correlation ● Machine learning 

Security Knowledgebase SIEM Data Collection Analysis, Visualization & Automation Unified Query & Storage Threat Intelligence Source Extended Detection & Response Security Chaos Engineering Security Orchestration, Automation & Response Compliance Automation Extract, Transform & Load Security Data Lake 

Research & Publications 

Thank you for listening ! Kennedy Torkura @run2obtain