thinking evil thoughts
TRANSCRIPT
(without introducing more risk)
Thinking Evil Thoughts
PuppetGareth Rushgrove
A taste of threat modeling
(without introducing more risk)
@garethr
(without introducing more risk)
Gareth Rushgrove
(without introducing more risk)This Talk
What to expect
- What is threat modeling?- Getting the scope right- Identifying risks- Using conferences to hack people
Gareth Rushgrove
Introduce some security language to help you navigate the domain
Gareth Rushgrove
Dive straight into examples
Gareth Rushgrove
Empower you to ask questions more than provide easy answers
Gareth Rushgrove
(without introducing more risk)Threat modeling
A brief introduction
Gareth Rushgrove
a procedure for optimizing network security by identifying objectives and vulnerabilities
THREAT MODELING
- Determine scope- Identify threat agents and attacks- Understand existing countermeasures- Identify vulnerabilities- Prioritise risks- Identify countermeasures
Gareth Rushgrove
https://www.owasp.org/index.php/Category:Threat_Modeling
Inside each of us, there is theseed of both good and evil.It's a constant struggle as towhich one will win.
Gareth Rushgrove
“
”Eric Burdon
(without introducing more risk)Think evil.
(without introducing more risk)
Getting the scope rights
Avoiding gaps in your threat model
Ignoring part of your systemwhen considering security isa common mistake
Gareth Rushgrove
Gareth Rushgrove
the attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment.
ATTACK SURFACE
(without introducing more risk)ExampleWhat is Production?
Gareth Rushgrove
LOAD BALANCER
FRONT END
BACK END
DATABASE
PRODUCTION?
LOAD BALANCER
FRONT END
BACK END
DATABASE
PRODUCTION?
PEOPLE
DESKTOPS
CI SERVER
LOAD BALANCER
FRONT END
BACK END
DATABASE
PRODUCTION?
PEOPLE
DESKTOPS
CI SERVER
HYPERVISOR MANAGEMENT MONITORING
Do you protect your CI stack as well as your production database?
Gareth Rushgrove
Could I execute a query on your production database if I compromised your CI server?
Gareth Rushgrove
ExampleThird party services
Gareth Rushgrove
Gareth Rushgrove
an entity which facilitates interactions between two parties who both trustthe third party
TRUSTED THIRD PARTY
Gareth Rushgrove
a term in computer science and security used to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data).
TRUST BOUNDARY
Gareth Rushgrove
Why Serverless is a bad name
Gareth Rushgrove
(without introducing more risk)There are still servers somewhere
Gareth Rushgrove
How you think about the servers changes, and the respectiverisks and mitigations change.But servers still exist.
Gareth Rushgrove
Why NoOps is a bad name
Gareth Rushgrove
How you think about operations changes, and the respectiverisks and mitigations change.But operations still exist.
Gareth Rushgrove
Your attack surface is biggerthan you think
Gareth Rushgrove
(without introducing more risk)Identifying risks
The need to understand your system
Differences in how you perceivea system and how it actually works can be used to exploit it
Gareth Rushgrove
ExampleImmutable infrastructure
Gareth Rushgrove
Out systems are immutable,we don’t need runtime fileintegrity checking
Gareth Rushgrove
“”A possibly naive developer
Gareth Rushgrove
unchanging over time or unableto be changed.synonyms: unchangeable, fixed
IMMUTABLE
(without introducing more risk)Containers are notimmutable by default
Gareth Rushgrove
(without introducing more risk)
Containers are not immutable by default
Gareth Rushgrove
(without introducing more risk)
Gareth Rushgrove
$ docker run -d alpine /bin/sh \ -c "while true; do echo hello world; sleep 1; done"
(without introducing more risk)
Gareth Rushgrove
$ docker exec a7a01beb14de touch /tmp/surprise
(without introducing more risk)
Gareth Rushgrove
$ docker diff a7a01beb14deC /tmpA /tmp/surprise
(without introducing more risk)
Gareth Rushgrove
$ docker run --read-only -d alpine /bin/sh \ -c "while true; do echo hello world; sleep 1; done"
(without introducing more risk)
Gareth Rushgrove
$ docker exec 379150b2cf05 touch /tmp/surprisetouch: cannot touch '/tmp/surprise': Read-only file system
(without introducing more risk)
Do your immutable EC2 instances have read-only filesystems?
Gareth Rushgrove
(without introducing more risk)Most ImmutableInfrastructure isn’t
Gareth Rushgrove
(without introducing more risk)
Without technical controls you only have social guaranteesof immutability
Gareth Rushgrove
(without introducing more risk)
Hacking conferencesLooking for vulnerabilities
Let’s assume your applications and infrastructure are super secure*
Gareth Rushgrove
* This probably isn’t true. You should worry about that as well.
- Penetration testing- Intrusion detection system- Web application firewall- Network firewalls- Malware scanning- Configuration management
Gareth Rushgrove
Gareth Rushgrove
How secure is your laptop?
- Hand maintained configuration- Updated whenever - No central monitoring - Administrative access- Single factor authentication
Gareth Rushgrove
Can you push new Dockerimages from your laptop?
Gareth Rushgrove
Can you create jobs on your Jenkins instance from your laptop?
Gareth Rushgrove
Can you launch new replication controllers from your laptop?
Gareth Rushgrove
Can you release new functionsto Lambda from your laptop?
Gareth Rushgrove
Real world threat
(without introducing more risk)
As a hacker how do I own your laptop?
The fun stuff
Where can I find hundreds of developer laptops…
Gareth Rushgrove
Developer Conferences are a Target Rich Environment
Gareth Rushgrove
Gareth Rushgrove
More InternetSome InternetMarks iPhoneFREE CONFERENCE WIFIHacked AndroidCONFERENCE VENUEPrivateSoftware CircusCompany next doorCoffee shop downstairsSoftware Circus IIDocker CorpAvengers TowerFONMy BlackberryNokia4everABANK
Gareth Rushgrove
More InternetSome InternetMarks iPhoneFREE CONFERENCE WIFIHacked AndroidCONFERENCE VENUEPrivateSoftware CircusCompany next doorCoffee shop downstairsSoftware Circus IIDocker CorpAvengers TowerFONMy BlackberryNokia4everABANK
This is the official conference wifi right?
Gareth Rushgrove
More InternetSome InternetMarks iPhoneFREE CONFERENCE WIFIHacked AndroidCONFERENCE VENUEPrivateSoftware CircusCompany next doorCoffee shop downstairsSoftware Circus IIDocker CorpAvengers TowerFONMy BlackberryNokia4everABANK
Or is it this one? Whatever, both work
Devices exist to man-in-the-middle wireless networks
Gareth Rushgrove
Who has ever picked up a USB memory stick at a conference?
Gareth Rushgrove
Gareth Rushgrove
USB devices exist which will run a script on connect (normally by impersonating a keyboard)
Gareth Rushgrove
(without introducing more risk)
DELAY 1000COMMAND SPACEDELAY 500STRING TerminalDELAY 500ENTERDELAY 800STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keysENTERDELAY 1000STRING killall TerminalENTER
Add my public key
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29
Local databases
Lots of people here are on Twitter and using the conference hashtag
Gareth Rushgrove
Lots of people here are on GitHub with the same username
Gareth Rushgrove
(without introducing more risk)
$ curl -s https://api.github.com/users/<username>/events/public \ | jq '.[].payload.commits[0].author.email' \ | sort \ | uniq \ | grep -v "null"
Email from GitHub user
an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data.
Gareth Rushgrove
SPEAR PHISHING
Hi <your name>
Great to see you at <conference name here> last week.
I thought you’d be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think.
Hopefully see you at DockerCon next year too.
(without introducing more risk)
So you’re saying we’re all doomed?
This is quite depressing now I think about it
Part of threat modeling is coming up with suitable mitigations to the risks identified
Gareth Rushgrove
- 2 factor authentication- Time-limited credentials- Separation of duties- Two person rule- Configuration management
Gareth Rushgrove
having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error.
Gareth Rushgrove
SEPARATION OF DUTIES
a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times.
Gareth Rushgrove
TWO-PERSON RULE
Gareth Rushgrove
a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them.
OPERATIONAL SECURITY (OPSEC)
Once you understand the threat you can seek out specific guidance
Gareth Rushgrove
- Protect data in transit- Protect data at rest- Authentication- Secure boot- Platform integrity and sandboxing- Application whitelisting
Gareth Rushgrove
- Malicious code detection- Security policy enforcement- External interface protection- Device update policy- Event collection and analysis- Incident response
https://www.cesg.gov.uk/guidance/end-user-devices-security-principles
Education. Education. Education.
Gareth Rushgrove
Gareth Rushgrove
(without introducing more risk)ConclusionsIf all you remember is…
With Cloud Native approachesdevelopers are nearer to production than ever before
Gareth Rushgrove
The efficiency of modern tooling introduces new threats, and magnifies existing ones
Gareth Rushgrove
Existing mitigations and security controls won’t be enough. You need to collaborate with security colleagues on new approaches
Gareth Rushgrove
Threat modeling should be part of your development process
Gareth Rushgrove
Gareth Rushgrove
Elevation of privilege
Gareth Rushgrove
(without introducing more risk)Thanks
And any questions?