Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Understanding Adversaries for Building Reliabil...

Yury Nino
February 23, 2023

Understanding Adversaries for Building Reliability in Security

Yury Nino

February 23, 2023
Tweet

More Decks by Yury Nino

Other Decks in Technology

Transcript

  1. YURY NIÑO ROA Site Reliability Engineer Chaos Engineering Advocate Chaos

    Engineering Guild - ADL @yurynino https://www.yurynino.dev/
  2. • Attacker Motivations • Attacker Profiles • Methods to Prevent

    • Considerations • Security and Reliability • Security Chaos Engineering Agenda We are going to talk about www.yurynino.dev
  3. www.yurynino.dev In 1989 written by Clifford Stoll wrote how to

    hunt for a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL). Elliot Alderson, a cybersecurity engineer and hacker with social anxiety disorder and clinical depression. Elliot is recruited by an insurrectionary anarchist known as "Mr. Robot" to join a group of hacktivists called "fsociety".
  4. Understanding a system’s adversaries is critical for building resilience and

    survivability for a wide variety of catastrophes. Adversaries in the security context are human; their actions are calculated to affect the target system in an undesirable way.
  5. Hobbyists • While debugging programs they discovered flaws that the

    original system designers hadn’t noticed. • Curious technologists. They hack for fun! • Motivated by their thirst for knowledge. www.yurynino.dev
  6. Researchers • Use their security expertise professionally. • Employees, freelancers

    working finding vulnerabilities. • Participate in Vulnerability Reward Programs Bug bounties. • Motivated to make systems better, allies to organizations. • Red Teams and penetration testers. www.yurynino.dev
  7. Governments • Security experts hired by Government organizations. • Everybody

    could be a target of a Government. ACTIVITIES Intelligence gathering Military Purposes Policy Domestic www.yurynino.dev
  8. Activists • They are usually want to take credit publicity.

    • Consider whether your business or project is involved in controversial topics. www.yurynino.dev
  9. Criminal Actors • Commonly they want to commit identities fraud,

    steal money and blackmail. • The only barriers to entry for most criminal actors are a bit of time, a computer, and a little cash. www.yurynino.dev
  10. Artificial Intelligence • Some attacks could be executed without humans.

    • Scientists and ethicists are designing machines might be capable enough to learn how to attack each other. • Developers need to consider resilient system design. www.yurynino.dev
  11. You may not realize you’re a target. Sophistication is not

    a true predictor of success. Attackers aren’t always afraid of being caught. Don’t underestimate your adversary. Attribution is hard. Considerations www.yurynino.dev
  12. Chaos Engineering It is the discipline of experimenting failures in

    production in order to reveal their weakness and to build confidence in their resilience capability. https://principlesofchaos.org/
  13. Security Chaos Engineering It is the identification of security control

    failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Chaos Engineering Book. 2020
  14. • The adoption of SCE faces challenges: human factors to

    Security issues. • Reducing potential damage and blast radius is critical in Security. • Communication and observability: successful Chaos Security GameDays. • Requirements may collision with experimentation in Security. • You don’t need to be a security expert to start with Security Chaos Engineering. Security Chaos Journey www.yurynino.dev
  15. Don’t fear failure. In great attempts it is glorious even

    to fail. Anonymous One single vulnerability is all an attacker needs. Window Snyder