Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

YURY NIÑO ROA Cloud Infrastructure Engineer Site Reliability Engineer Chaos Engineering Advocate @yurynino https://www.yurynino.dev/

Slide 3

Slide 3 text

Understanding Adversaries with Security Chaos Engineering

Slide 4

Slide 4 text

● Attacker Motivations ● Attacker Profiles ● Methods to Prevent ● Considerations ● Security and Reliability ● Security Chaos Engineering Agenda We are going to talk about www.yurynino.dev

Slide 5

Slide 5 text

www.yurynino.dev In 1989 written by Clifford Stoll wrote how to hunt for a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL). Elliot Alderson, a cybersecurity engineer and hacker with social anxiety disorder and clinical depression. Elliot is recruited by an insurrectionary anarchist known as "Mr. Robot" to join a group of hacktivists called "fsociety".

Slide 6

Slide 6 text

Understanding a system’s adversaries is critical for building resilience and survivability for a wide variety of catastrophes. Adversaries in the security context are human; their actions are calculated to affect the target system in an undesirable way.

Slide 7

Slide 7 text

Attacker Motivations

Slide 8

Slide 8 text

Attacker Motivations www.yurynino.dev

Slide 9

Slide 9 text

Attacker Profiles

Slide 10

Slide 10 text

Attacker Profiles www.yurynino.dev

Slide 11

Slide 11 text

Hobbyists ● While debugging programs they discovered flaws that the original system designers hadn’t noticed. ● Curious technologists. They hack for fun! ● Motivated by their thirst for knowledge. www.yurynino.dev

Slide 12

Slide 12 text

Researchers ● Use their security expertise professionally. ● Employees, freelancers working finding vulnerabilities. ● Participate in Vulnerability Reward Programs Bug bounties. ● Motivated to make systems better, allies to organizations. ● Red Teams and penetration testers. www.yurynino.dev

Slide 13

Slide 13 text

Governments ● Security experts hired by Government organizations. ● Everybody could be a target of a Government. ACTIVITIES Intelligence gathering Military Purposes Policy Domestic www.yurynino.dev

Slide 14

Slide 14 text

Activists ● They are usually want to take credit publicity. ● Consider whether your business or project is involved in controversial topics. www.yurynino.dev

Slide 15

Slide 15 text

Criminal Actors ● Commonly they want to commit identities fraud, steal money and blackmail. ● The only barriers to entry for most criminal actors are a bit of time, a computer, and a little cash. www.yurynino.dev

Slide 16

Slide 16 text

Artificial Intelligence ● Some attacks could be executed without humans. ● Scientists and ethicists are designing machines might be capable enough to learn how to attack each other. ● Developers need to consider resilient system design. www.yurynino.dev

Slide 17

Slide 17 text

Methods to Study to Attackers

Slide 18

Slide 18 text

https://attack.mitre.org/ www.yurynino.dev

Slide 19

Slide 19 text

Considerations

Slide 20

Slide 20 text

You may not realize you are a target. Sophistication is not a true predictor of success. Attackers aren’t always afraid of being caught. Don’t underestimate your adversary. Attribution is hard. Considerations www.yurynino.dev

Slide 21

Slide 21 text

● Red/Blue Teaming exercises: ● With adversarial approach that imitates the behaviors and techniques of attackers. ● Two common forms of ● Ethical hacking ● Penetration testings How do we mitigate them? www.yurynino.dev

Slide 22

Slide 22 text

● Purple Teaming that reflects the cohesion of Red and Blue Teaming. ● They are an evolution of Red Team exercises by delivering a more cohesive experience between teams. ● The goal: collaboration of offensive and defensive tactics to improve the effectiveness of both groups. ● Purple Teams increase transparency and allow to learn about how effective engineers are. www.yurynino.dev How do we mitigate them?

Slide 23

Slide 23 text

PenTests are not enough! This requires a fundamentally new approach to cybersecurity, one that keeps pace with the rapidly evolving world of Security Engineering.

Slide 24

Slide 24 text

Security Chaos Engineering

Slide 25

Slide 25 text

Chaos Engineering It is the discipline of experimenting failures in production in order to reveal their weakness and to build confidence in their resilience capability. https://principlesofchaos.org/

Slide 26

Slide 26 text

www.yurynino.dev Common Attacks for CE https://www.gremlin.com/

Slide 27

Slide 27 text

We focus on confidentiality and reliability … when the issue is a cyberattack we do not commit ... What about Security? www.yurynino.dev

Slide 28

Slide 28 text

Security Chaos Engineering It is the identification of security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Chaos Engineering Book. 2020

Slide 29

Slide 29 text

Principles Hypothesize about Steady State Run Experiments Vary Real-World Events Automate Experiments www.yurynino.dev

Slide 30

Slide 30 text

It is not the intention to overlook the value of Red and Purple Team Exercises or other security testing methods. With Security Chaos Engineering we can introduce false positives to check if procedures are capable of identifying security failures under controlled conditions. Security Chaos Journey www.yurynino.dev

Slide 31

Slide 31 text

Chaos Gamedays

Slide 32

Slide 32 text

Chaos Gamedays www.yurynino.dev GameDays are interactive team-based learning exercises designed to give players a chance to put their skills to the test in a real-world, gamified, risk-free environment. A Chaos GameDay is a practice event, and although it can take a whole day, it usually requires only a few hours. The goal is to practice how your team supports your systems with real-world turbulent conditions.

Slide 33

Slide 33 text

www.yurynino.dev Before After During ● Pick a hypothesis. ● Pick a style. ● Decide who. ● Decide where. ● Decide when. ● Document. ● Get approval! ● Detect the situation. ● Take a deep breath. ● Communicate. ● Visit dashboards. ● Analyze data. ● Propose solutions. ● Apply and solve! ● Write a postmortem. ● What Happened ● Impact ● Duration ● Resolution Time ● Resolution ● Timeline ● Action Items https://www.yurynino.dev/ The Framework

Slide 34

Slide 34 text

My Proposal

Slide 35

Slide 35 text

www.yurynino.dev https://www.yurynino.dev/ My Proposal Before After During ● Pick a hypothesis. ● Pick a style. ● Decide who. ● Decide where. ● Decide when. ● Document. ● Get approval! ● Detect the situation. ● Take a deep breath. ● Communicate. ● Visit dashboards. ● Analyze data. ● Propose solutions. ● Apply and solve! ● Write a postmortem. ● What Happened ● Impact ● Duration ● Resolution Time ● Resolution ● Timeline ● Action Items Evolve ● Improve vulnerability DB. ● Refine the process. ● Adjust metrics. ● Validate CMM position. ● Adapt next Gameday. ● Continuous Verification.

Slide 36

Slide 36 text

www.yurynino.dev https://www.yurynino.dev/ My Proposal ● Pick a hypothesis ● Pick a style ● Decide who ● Decide where ● Decide when ● Document ● Get approval! Understand the adversary: Motivations, profiles and methods. Reconsider the roles: Do you need consultant and google? Choose an style with adversaries: Dungeons & Dragons with at least 2 teams.

Slide 37

Slide 37 text

www.yurynino.dev https://www.yurynino.dev/ Examples of Experiments ● Introduce latency on security controls. ● Drop a folder like a script would do in production. ● Software secret clear text disclosure. ● Permission collision in a shared IAM role policy. ● Disable service event logging. ● API gateway shutdown. ● Unencrypted Bucket. ● Disable MFA.

Slide 38

Slide 38 text

Result: Hypothesis disproved. In this experiment the access to GCP was connected to the Active Directory. When an employee left the company his account is dropped and we lost the access to Google. Side Effect: Thinking in this scenario allows to consider another applications connected to Active Directory. www.yurynino.dev https://www.yurynino.dev/ Hypothesis: After the owner of Root account in Google Cloud left the company, we could use our cloud in a normal way.

Slide 39

Slide 39 text

www.yurynino.dev https://www.yurynino.dev/ My Proposal A security postmortem covers technology issues that the attacker exploited, and also recognizes opportunities for improved incident handling. Document the time frames and efforts associated with these action items, and decide which action items.

Slide 40

Slide 40 text

www.yurynino.dev https://www.yurynino.dev/ My Proposal ● Improve vulnerability DB. ● Refine the process. ● Adjust metrics. ● Validate CMM position. ● Adapt next Gameday. ● Continuous Verification. Continuous Verification encourages both of these requirements in a way that proactively educates engineers about the systems they operate. It is emerging as a crucial practice for navigating complex software systems. Continuous Verification is a game changer for complex software system management. In the future it will fundamentally change the scale and types of systems that we even consider building.

Slide 41

Slide 41 text

The adoption of the Security Chaos Engineering principles across organizations remains as an open challenge. Security may be included in the Chaos Maturity Model since combining a CMM and Security Chaos GameDays help newcomers to start their CE efforts and allow to build resilience on security. It’s an exciting time to be working on this space. For the Future www.yurynino.dev

Slide 42

Slide 42 text

Humans operate differently when they expect things to fail! Anonymous One single vulnerability is all an attacker needs. Window Snyder Chief Security Officer, Fastly

Slide 43

Slide 43 text

My Recommended Books www.yurynino.dev

Slide 44

Slide 44 text

How to Cook https://www.gremlin.com https://chaosengineering.slack.com https://github.com/dastergon/awesome-chaos-e ngineering https://www.infoq.com/chaos-engineering www.yurynino.dev

Slide 45

Slide 45 text

Thanks for coming!!! @yurynino www.yurynino.dev