Security Chaos Engineering- Cyberattacks are a new challenge for Chaos Engineering

Yury Nino

September 09, 2020

Transcript

  1. • Why are we afraid of cyberattacks? • Why don't we commit to security SLAs? • Classical exercises are not enough • Security Chaos Engineering • Security Chaos GameDays • Security Chaos Engineering Tools • Our Proposal!
  2. As modern networks become more complex with a vastly larger threat surface, stopping break-ins before they happen takes on even greater importance. Cyberattacks are a new challenge for Chaos Engineering!
  3. What about SLOs, SLIs & SLAs for Security? Let me compare and contrast these security measurement concepts with Google’s SRE.
  4. • Service Level Indicator: Key measurements of the availability of a system. • Service Level Objective: Goals we set for how much availability we expect out of a system. • Service Level Agreement: Contracts that state what happens if the system doesn’t meet its SLOs.
  5. Red Team Exercises • They were originated with the US Armed Forces by Bryce Hoffman. • Adversarial approach that imitates the behaviors and techniques of attackers in the most realistic way possible. • Two common forms of Red Teaming seen in the enterprise are: ◦ Ethical hacking ◦ Penetration testing. • Blue teams are the defensive counterparts to the Red teams in these exercises. • Recommendations: Think-Write-Share and Devil’s advocacy.
  6. Purple Team Exercises • They were intended as an evolution of Red Team exercises by delivering a more cohesive experience between the offensive and defensive teams. • The “Purple” in Purple Teaming reflects the cohesion of Red and Blue teaming. • The goal of these exercises is the collaboration of offensive and defensive tactics to improve the effectiveness of both groups in the event of an attempted compromise. • The intention is to increase transparency as well as provide a conduit for the security apparatus to learn about how effective their preparation is when subjected to a live fire exercise.
  7. Security Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes. This requires a fundamentally new approach to cybersecurity, one that keeps pace with the rapidly evolving world of software engineering.
  8. What is Chaos Engineering? It is the discipline of experimenting with failures in production in order to reveal a system's weaknesses and to build confidence in its resilience capability. https://principlesofchaos.org/
  9. What is Security Chaos Engineering? It is the identification of security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Chaos Engineering Book. 2020
  10. History 1986 Artificial Immune Systems 2008 Chaos Engineering was born 2018 2020 Chapter dedicated to Security CE 2019 Aaron Rinehart first articles Artificial Intelligence for data security
  11. With Security Chaos Engineering we can introduce false positives into production, to check whether procedures are capable of identifying security failures under controlled conditions.
  12. Who is a Security Chaos Engineer? [Meme panels: What my mom thinks I do; What my friends think I do; What software engineers think I do; What I really do] Help service owners to increase their security and resilience through education, tools and encouragement.
  13. Security Chaos GameDays They are events to conduct chaos experiments against a system to validate or invalidate hypotheses about a system’s resilience. They are an ideal way to ease into Chaos Engineering. Brian Lee, Jason Doffing
  14. ChaoSlingr • Serverless app in AWS. • Written in Python. • 100% Native in AWS. • Configuration as Code. • Open Framework. • With example code.
  15. Experiments • Introduce latency on security controls. • Drop a folder like a script would do in production. • Software secret clear text disclosure. • Permission collision in a shared IAM role policy. • Disable service event logging. • API gateway shutdown. • Unencrypted S3 Bucket. • Disable MFA.
  16. Experiments Hypothesis: After the owner of the Root account in AWS left the company, we could use our cloud in a normal way. Result: Hypothesis disproved. In this experiment the access to AWS was connected to the Active Directory. When an employee left the company, his account was dropped and we lost access to AWS. Side Effect: Thinking through this scenario leads us to consider other applications connected to Active Directory.
  17. The World is Chaotic! and Insecure. Black swans take our systems down and keep them down for a long time. Laura Nolan, SRE in Slack
  18. “Don't worry about the future. Or worry, but know that worrying is as effective as trying to solve an algebra equation by chewing a bubble gum. The real troubles in your life are things that never crossed your worried mind, the kind that blindside you at 4 p.m. on some idle Tuesday” Mary Schmich
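
An added sketch (not from the deck and not ChaoSlingr code) of the experiment loop behind slides 11, 15 and 16, using the "Disable service event logging" experiment: state a hypothesis, check steady state, inject, watch for detection, always roll back. `FakeAccount` and all of its fields are hypothetical in-memory stand-ins for a real cloud account.

```python
"""Constructed sketch of one security chaos experiment (hypothetical names throughout)."""
import time
from dataclasses import dataclass, field


@dataclass
class FakeAccount:
    """In-memory stand-in for a cloud account; not a real cloud API."""
    event_logging: bool = True
    monitor_enabled: bool = True
    alerts: list = field(default_factory=list)

    def run_monitor(self):
        # The detective control under test: alert when event logging is off.
        if self.monitor_enabled and not self.event_logging:
            self.alerts.append("event-logging-disabled")


def run_experiment(account, detect_within=1.0, poll=0.05):
    """Hypothesis: disabling event logging raises an alert within detect_within seconds."""
    result = {"hypothesis": "logging outage is alerted", "steady_state": False,
              "detected": False, "rolled_back": False}
    # 1. Steady state: refuse to inject into a system that is already degraded.
    if not account.event_logging or account.alerts:
        return result
    result["steady_state"] = True
    try:
        # 2. Inject the controlled failure ("Disable service event logging").
        account.event_logging = False
        # 3. Observe: poll the control until it fires or the deadline passes.
        deadline = time.monotonic() + detect_within
        while time.monotonic() < deadline:
            account.run_monitor()
            if "event-logging-disabled" in account.alerts:
                result["detected"] = True
                break
            time.sleep(poll)
    finally:
        # 4. Roll back unconditionally so the failure never outlives the experiment.
        account.event_logging = True
        result["rolled_back"] = account.event_logging
    result["verdict"] = "confirmed" if result["detected"] else "disproved"
    return result


if __name__ == "__main__":
    print(run_experiment(FakeAccount()))                                          # control fires
    print(run_experiment(FakeAccount(monitor_enabled=False), detect_within=0.2))  # silent control
```

A "disproved" verdict is the useful outcome here: it is the security control failure the experiment exists to surface, found under controlled conditions with the rollback already done.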