Understanding Adversaries for Building Reliability in Security

Transcript

1. Understanding Adversaries for Building Reliability in Security

2. YURY NIÑO ROA Cloud Infrastructure Engineer Site Reliability Engineer Chaos

   Engineering Advocate @yurynino https://www.yurynino.dev/

3. • Attacker Motivations • Attacker Profiles • Methods to Prevent

   • Considerations • Security and Reliability • Security Chaos Engineering Agenda We are going to talk about www.yurynino.dev

4. In 1989 written by Clifford Stoll wrote how to hunt

   for a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL). Elliot Alderson, a cybersecurity engineer and hacker with social anxiety disorder and clinical depression. Elliot is recruited by an insurrectionary anarchist known as "Mr. Robot" to join a group of hacktivists called "fsociety". www.yurynino.dev

5. What is common among these stories?

6. Understanding a system’s adversaries is critical for building resilience and

   survivability for a wide variety of catastrophes. Adversaries in the security context are human; their actions are calculated to affect the target system in an undesirable way.

7. Attacker Motivations

8. Attacker Motivations www.yurynino.dev

9. https://www.yurynino.dev/

10. Attacker Profiles

11. Attacker Profiles www.yurynino.dev

12. Hobbyists • Curious technologists. They hack for fun! • While

    debugging programs they discovered flaws that the original system designers hadn’t noticed. • Motivated by their thirst for knowledge. www.yurynino.dev

13. Researchers • Use their security expertise professionally. • Employees, freelancers

    working finding vulnerabilities. • Participate in Vulnerability Reward Programs Bug bounties. • Motivated to make systems better, allies to organizations. • Red Teams and penetration testers. www.yurynino.dev

14. Governments • Security experts hired by Government organizations. • Everybody

    could be a target of a Government. ACTIVITIES Intelligence gathering Military Purposes Policy Domestic www.yurynino.dev

15. Activists • They are usually want to take credit publicity.

    • Consider whether your business or project is involved in controversial topics. www.yurynino.dev

16. Criminal Actors • Commonly they want to commit identities fraud,

    steal money and blackmail. • The only barriers to entry for most criminal actors are a bit of time, a computer, and a little cash. www.yurynino.dev

17. Artificial Intelligence • Some attacks could be executed without humans.

    • Scientists and ethicists are designing machines might be capable enough to learn how to attack each other. • Developers need to consider resilient system design. www.yurynino.dev

18. Methods to Study to Attackers

19. https://attack.mitre.org/ www.yurynino.dev

20. Considerations

21. You may not realize you’re a target. Sophistication is not

    a true predictor of success. Attackers aren’t always afraid of being caught. Don’t underestimate your adversary. Attribution is hard. Considerations www.yurynino.dev

22. Security Chaos Engineering

23. Chaos Engineering It is the discipline of experimenting failures in

    production in order to reveal their weakness and to build confidence in their resilience capability. https://principlesofchaos.org/

24. Security Chaos Engineering It is the identification of security control

    failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Chaos Engineering Book. 2020

25. Principles Hypothesize about Steady State Run Experiments Vary Real-World Events

    Automate Experiments www.yurynino.dev

26. Chaos Monkey Chaos Toolkit Gremlin Chaos Mesh Chaos for Spring

    Boot Chaos Litmus Chaos Tools

27. Practicing Chaos GameDays Interactive, real-world and learning exercises. They are

    designed to give players a chance to put their skills in a technology to test. GameDays were created by Jesse Robbins inspired by his experience & training as a firefighter. The Journey

28. GameDays Framework Before After During • Pick a hypothesis. •

    Pick a style. • Decide who. • Decide where. • Decide when. • Document. • Get approval! • Detect the situation. • Take a deep breath. • Communicate. • Visit dashboards. • Analyze data. • Propose solutions. • Apply and solve! • Write a postmortem. • What Happened • Impact • Duration • Resolution Time • Resolution • Timeline • Action Items Russ Miles

29. GameDays Framework Before After During • Pick a hypothesis. •

    Pick a style. • Decide who. • Decide where. • Decide when. • Document. • Get approval! • Detect the situation. • Take a deep breath. • Communicate. • Visit dashboards. • Analyze data. • Propose solutions. • Apply and solve! • Write a postmortem. • What Happened • Impact • Duration • Resolution Time • Resolution • Timeline • Action Items Evolve • Improve your method. • Integrate in pipelines. • Adjust metrics. • Validate CMM position. • Adapt next GameDay. • Continuous Verification.

30. • Spring Boot • Chaos Monkey • Azure • Pulumi

    Gamedays Framework Before After During • Pick a hypothesis. • Pick a style. • Decide who. • Decide where. • Decide when. • Document. • Get approval! • Detect the situation. • Take a deep breath. • Communicate. • Visit dashboards. • Analyze data. • Propose solutions. • Apply and solve! • Write a postmortem. • What Happened • Impact • Duration • Resolution Time • Resolution • Timeline • Action Items Automate

31. Let me try one! Experiments • Introduce latency on security

    controls. • Drop a folder like a script would do in production. • Software secret clear text disclosure. • Permission collision in a shared IAM role policy. • Disable service event logging. • API gateway shutdown. • Unencrypted Cloud Bucket. • Disable MFA.

32. Let me try one! Experiments Hypothesis: After the owner of

    Root account in Google left the company, we could use our cloud in a normal way. Result: Hypothesis disproved. In this experiment the access to Google Cloud was connected to the Active Directory. When an employee left the company his account is dropped and we lost the access to Google. Side Effect: Thinking in this scenario allows to consider another applications connected to Active Directory.

33. • The adoption of SCE faces challenges: human factors to

    Security issues. • Reducing potential damage and blast radius is critical in Security. • Communication and observability: successful Chaos Security GameDays. • Requirements may collision with experimentation in Security. • You don’t need to be a security expert to start with Security Chaos Engineering. Security Chaos Journey www.yurynino.dev

34. My Recommended Books www.yurynino.dev

35. Don’t fear failure. In great attempts it is glorious even

    to fail. Anonymous One single vulnerability is all an attacker needs. Window Snyder

36. Thanks for coming!!! @yurynino www.yurynino.dev