View
24
Download
0
Category
Preview:
Citation preview
CONTROLLED CHAOSThe Inevitable Marriage of DevOps & Security
Kelly Shortridge (@swagitda_) Velocity Berlin 2019
@swagitda_
Hi, I’m Kelly
2
@swagitda_
“Chaos isn’t a pit. Chaos is a ladder.”
― Petyr Baelish, Game of Thrones
3
@swagitda_
Infosec has a choice: marry DevOps or be rendered impotent & irrelevant
4
@swagitda_
Infosec won’t survive in a silo. It must be embedded in software delivery.
5
@swagitda_
DevOps can learn to carve its own path to secure software delivery
@swagitda_
How can controlling chaos create a marriage of infosec and DevOps?
7
@swagitda_
1. Chaos Theory
2. Time to D.I.E.
3. A Phoenix Rises
8
Chaos Theory
@swagitda_
Chaos engineering = continual experimentation to test resilience
@swagitda_
“Things will fail” naturally extends into “things will be pwned”
11
@swagitda_
Security failure is when security controls don’t operate as intended
12
@swagitda_
What are the principles of chaotic security engineering?
13
@swagitda_
1. Expect that security controls will fail & prepare accordingly
14
@swagitda_
2. Don’t try to avoid incidents – hone your ability to respond to them
15
@swagitda_
Game days: like planned firedrills
16
@swagitda_
Prioritize security game days based on potential business impacts
17
@swagitda_
Decision trees: start at target asset, work back to easiest attacker paths
18
@swagitda_
Determine the attacker’s least-cost path (hint: it doesn’t involve 0day)
19
@swagitda_
Your goal is to raise the cost of attack, ideally beginning at design
20
Time to D.I.E.
@swagitda_
We need a model promoting qualitiesthat make systems more secure
22
@swagitda_
Enter the D.I.E. model by Sounil Yu: Distributed, Immutable, Ephemeral
23
@swagitda_
Distributed: multiple systems supporting the same overarching goal
24
@swagitda_
Distributed infrastructure reduces risk of DoS attacks by design
25
@swagitda_
A service mesh is like an on-demand VPN at the application level
26
@swagitda_
Attackers are forced to escalate privileges to access the iptables layer
27
@swagitda_
Immutable: infrastructure that doesn’t change after it’s deployed
28
@swagitda_
Immutable infra is more secure by design – ban shell access entirely
29
@swagitda_
Patching is no longer a nightmare with version-controlled images
@swagitda_
Ephemeral: infrastructure with a very short lifespan (dies after a task)
31
@swagitda_
Ephemerality creates uncertainty for attackers (persistence = nightmare)
32
@swagitda_
Installing a rootkit on a resource that dies in minutes is a waste of effort
33
@swagitda_
Optimizing for D.I.E. reduces risk by design & supports resilience
34
A Phoenix Rises
@swagitda_
Begin with “dumb” testing before moving to “fancy” testing
36
@swagitda_
D.I.E.ing is an art, like everything else
@swagitda_
Controlling Chaos: Distributed
38
@swagitda_
Distributed is mostly covered by the existing repertoire of chaos eng tools
39
@swagitda_
Repurpose these tools, but make attackers the source of failure
40
@swagitda_
Multi-region services present a fun opportunity to mess with attackers
41
@swagitda_
Shuffle IP blocks regularly to change attackers’ lateral movement game
42
@swagitda_
Test: inject failure into your service mesh to test authentication controls
43
@swagitda_
Controlling Chaos: Immutable
44
@swagitda_
Immutable infra is like a phoenix – it disappears & comes back a lot
45
@swagitda_
Volatile environments with continually moving parts raise the cost of attack
46
@swagitda_
Create rules like, “If there’s ever a write to disk, crash the node”
47
@swagitda_
Attackers must stay in-memory, which hopefully makes them cry
48
@swagitda_
Bonus: disallowing all local IO improves service reliability
49
@swagitda_
Metasploit Meterpreter + webshell:Touch passwords.txt & kaboom
50
@swagitda_
Build your Docker images with a garbage-filled “bamboozle layer”
51
@swagitda_
Mark garbage files as “unreadable” to craft enticing bait for attackers
52
@swagitda_
A potential goal: architect immutability turtles all the way down
53
@swagitda_
Test: inject attempts at writing to disk to ensure detection & reversion
54
@swagitda_
Treat changes to disk by adversaries similarly to failing disks: mercy kill
55
@swagitda_
Controlling Chaos: Ephemeral
56
@swagitda_
Most infosec bugs are stated-related – get rid of state, get rid of bugs
57
@swagitda_
Reverse uptime: longer host uptime adds greater security risk
58
@swagitda_
Test: change API tokens & test if services still accept old tokens
59
@swagitda_
Test: retrograde libraries, containers, other resources in CI/CD pipelines
60
@swagitda_
Test: inject hashes of old pieces of data to ensure no data persistence
61
@swagitda_
Leverage lessons from toll fraud –cloud billing becomes security signal
62
@swagitda_
Test: exfil TBs or run a cryptominerto inform billing spike detection
63
Conclusion
@swagitda_
Chaos/resilience are natural homes for infosec & represent its future.
65
@swagitda_
The future of infosec involves unified responsibility & accountability.
66
@swagitda_
Security can be innovative and fuel the engine of business as well.
67
@swagitda_
“You must have chaos within you to give birth to a dancing star.”
― Friedrich Nietzsche
68
@swagitda_
@swagitda_
/in/kellyshortridge
kelly@greywire.net
69
Recommended